
COMPLIANCE COUNSELOR
Does your organization need a CCO?
Kate Borten 07.28.2005
Rating: --- (out of 5)




|
In an increasingly regulated world where laws cover a widening range of public and private entities, complying with overlapping regulations is a challenge. The good news is that tackling compliance -- particularly when regulations share common goals -- can be made easier by charging a corporate compliance officer (CCO) with oversight responsibility.
The CCO is the focal point for regulatory compliance. It is that person's job to learn what is expected of the organization and ensure that appropriate steps are taken to comply with regulations. This is akin to legal counsel and risk management roles, since the CCO helps the organization avoid legal risks associated with failure to comply.
The CCO may develop a superstructure over discrete programs such as an information security program, a privacy program and a financial controls program. Similar to an internal audit function, the CCO needs to ensure that those programs are effective by establishing compliance oversight processes. Through those processes, the CCO periodically evaluates the effectiveness of the underlying programs.
Compliance is comprised of administrative, physical and technical processes including: policies, procedures, documented roles and responsibilities, training, technical tools and physical controls. The intent of the resulting ongoing processes is to demonstrate compliance with relevant regulations. Typically, someone other than the CCO develops these processes. For example, information security program processes are the domain of the ISO and privacy processes are the domain of the Privacy Officer. It is the CCO's responsibilit
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com

y to ensure that such processes are in place to address each regulatory requirement and ensure that they are functioning adequately. From the perspective of information security, the CCO should be a strong ally for the CISO and bring clout to an organization's security program.
The CCO position should have a sufficiently visible spot on the organization chart so that his or her authority matches the position's responsibility. The CCO's key responsibilities include:
An effective CCO is a great asset to the CISO and the information security program. The CISO can make a case for this position as an added layer of protection for the organization. The CCO brings a fresh perspective to security and other regulatory controls and may spot program opportunities or weaknesses that the CISO is too close to see.
About the author
Kate Borten is president and founder of The Marblehead Group, Inc. She led the first corporate-wide information security program at Massachusetts General Hospital, and she is the former Chief Information Security Officer at CareGroup, a major healthcare system based in Boston. Ms. Borten is a nationally-recognized expert on HIPAA and health information privacy and security, and a frequent speaker on the topic. She is a contributing author to Auerbach Publications' Information Security Management Handbook; author of HIPAA Security Made Simple (HCPro, Inc. 2003) and Guide to HIPAA Security Risk Analysis (HCPro, Inc. 2004); contributor to newsletters on HIPAA privacy and security; and three-year chair of HealthSec, the premier annual conference on information security in healthcare.
 |

|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com. Register now
to start rating these tips. Log in if you are already a member.
|


 |
|
BROWSE BY TAG
Compliance Counselor,
Information Security Threats,
Identity Theft and Data Security Breaches,
Security Audit, Compliance and Standards,
HIPAA,
Data Privacy and Protection,
Sarbanes-Oxley Act,
Compliance leadership,
People & policy,
Compliance,
Enterprise Data Protection,
Identity Theft and Data Security Breaches, VIEW ALL TAGS
|
 |
');
// -->
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
 |
|
|
 |
|
 |