The CCO is the focal point for regulatory
The CCO may develop a superstructure over discrete programs such as an information security program, a privacy program and a financial controls program. Similar to an internal audit function, the CCO needs to ensure that those programs are effective by establishing compliance oversight processes. Through those processes, the CCO periodically evaluates the effectiveness of the underlying programs.
Compliance is comprised of administrative, physical and technical processes including: policies, procedures, documented roles and responsibilities, training, technical tools and physical controls. The intent of the resulting ongoing processes is to demonstrate compliance with relevant regulations. Typically, someone other than the CCO develops these processes. For example, information security program processes are the domain of the ISO and privacy processes are the domain of the Privacy Officer. It is the CCO's responsibility to ensure that such processes are in place to address each regulatory requirement and ensure that they are functioning adequately. From the perspective of information security, the CCO should be a strong ally for the CISO and bring clout to an organization's security program.
The CCO position should have a sufficiently visible spot on the organization chart so that his or her authority matches the position's responsibility. The CCO's key responsibilities include:
- Staying current with new and updated regulations. These may include state and federal laws, as well as industry-based accreditation requirements.
- Developing and maintaining a repository of regulations and the organization's compliance status. This provides a quick snapshot and a valuable reference document. When new regulations emerge, this tool can identify any overlap with pre-existing regulations.
- Understanding how each regulation affects the organization and explaining the impact of non-compliance to leadership.
- Developing cooperative relationships with those charged with implementation, such as the ISO and the Privacy Officer.
- Developing documented and repeatable evaluation processes to verify that underlying controls are adequate to meet requirements.
- Periodically performing evaluations and reporting outcomes to senior management.
- Developing processes for the workforce to report non-compliance issues to the CCO and how the CCO will respond to those issues.
- Reporting compliance deficits and lapses to senior management and ensuring they are remedied.
About the author
Kate Borten is president and founder of The Marblehead Group, Inc. She led the first corporate-wide information security program at Massachusetts General Hospital, and she is the former Chief Information Security Officer at CareGroup, a major healthcare system based in Boston. Ms. Borten is a nationally-recognized expert on HIPAA and health information privacy and security, and a frequent speaker on the topic. She is a contributing author to Auerbach Publications' Information Security Management Handbook; author of HIPAA Security Made Simple (HCPro, Inc. 2003) and Guide to HIPAA Security Risk Analysis (HCPro, Inc. 2004); contributor to newsletters on HIPAA privacy and security; and three-year chair of HealthSec, the premier annual conference on information security in healthcare.
This was first published in August 2005