Does your organization need a CCO?

The CCO is the focal point for regulatory compliance. It is that person's job to learn what is expected of the organization and ensure that appropriate steps are taken to comply with regulations. This is akin to legal counsel and risk management roles, since the CCO helps the organization avoid legal risks associated with failure to comply.

The CCO may develop a superstructure over discrete programs such as an information security program, a privacy program and a financial controls program. Similar to an internal audit function, the CCO needs to ensure that those programs are effective by establishing compliance oversight processes. Through those processes, the CCO periodically evaluates the effectiveness of the underlying programs.

Related Information Find out who's enforcing regulations and penalties for noncompliance Learn how to select the right compliance archiving tool

Compliance is comprised of administrative, physical and technical processes including: policies, procedures, documented roles and responsibilities, training, technical tools and physical controls. The intent of the resulting ongoing processes is to demonstrate compliance with relevant regulations. Typically, someone other than the CCO develops these processes. For example, information security program processes are the domain of the ISO and privacy processes are the domain of the Privacy Officer. It is the CCO's responsibility to ensure that such processes are in place to address each regulatory requirement and ensure that they are functioning adequately. From the perspective of information security, the CCO should be a strong ally for the CISO and bring clout to an organization's security program.

The CCO position should have a sufficiently visible spot on the organization chart so that his or her authority matches the position's responsibility. The CCO's key responsibilities include:

• Staying current with new and updated regulations. These may include state and federal laws, as well as industry-based accreditation requirements.

• Developing and maintaining a repository of regulations and the organization's compliance status. This provides a quick snapshot and a valuable reference document. When new regulations emerge, this tool can identify any overlap with pre-existing regulations.

• Understanding how each regulation affects the organization and explaining the impact of non-compliance to leadership.

• Developing cooperative relationships with those charged with implementation, such as the ISO and the Privacy Officer.

• Developing documented and repeatable evaluation processes to verify that underlying controls are adequate to meet requirements.

• Periodically performing evaluations and reporting outcomes to senior management.

• Developing processes for the workforce to report non-compliance issues to the CCO and how the CCO will respond to those issues.

• Reporting compliance deficits and lapses to senior management and ensuring they are remedied.

About the author
Kate Borten is president and founder of The Marblehead Group, Inc. She led the first corporate-wide information security program at Massachusetts General Hospital, and she is the former Chief Information Security Officer at CareGroup, a major healthcare system based in Boston. Ms. Borten is a nationally-recognized expert on HIPAA and health information privacy and security, and a frequent speaker on the topic. She is a contributing author to Auerbach Publications' Information Security Management Handbook; author of HIPAA Security Made Simple (HCPro, Inc. 2003) and Guide to HIPAA Security Risk Analysis (HCPro, Inc. 2004); contributor to newsletters on HIPAA privacy and security; and three-year chair of HealthSec, the premier annual conference on information security in healthcare.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Compliance recycling: Combining compliance efforts to manage PCI DSS Web 2.0 and e-discovery: Risks and countermeasures Learn from NIST: Best practices in security program management Best practices for application-level firewall selection and deployment The 'security standards dilemma': Network segmentation and PCI Compliance Penetration testing: Helping your compliance efforts Worst practices: Recognizing the biggest compliance mistakes E-discovery management: How IT should interact with the legal team E-discovery management: How IT should interact with the legal team Incident response success in five quick steps Data Security Breach Laws and Notification Web 2.0 and e-discovery: Risks and countermeasures Data breaches caused by employee errors, process failures RSA attendees see data classification, rights management projects stumble Next version of PCI DSS due in September Hannaford breach illustrates dangerous compliance mentality Worst practices: Recognizing the biggest compliance mistakes Why are there still various independent credit card security standards? TJX offers $40.9 million breach settlement Data breach costs soar With data breach costs soaring, companies should review data sharing policies Data Security Breach Laws and Notification Research HIPAA Walter Reed admits breach of patient information Companies still monitoring email manually, survey finds The road to compliance Hannaford breach illustrates dangerous compliance mentality Is it against HIPAA regulations to permanently store sensitive information? How to conduct an efficient and thorough employee access review. Is it against HIPAA regulations to display client names? Will an off-site employee exit procedure violate HIPAA regulations? Is it a violation of HIPAA to collect consumer Social Security numbers? IBM to boost security spending, push PCI DSS program HIPAA Research RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.