What you will learn from this tip: Five key elements to help you avoid trouble, expend the least amount of effort and ensure your priorities are on target and in order for your regulatory compliance projects.
In all the regulatory compliance
1. Build upper management buy-in
Notice I said build and not get. As illogical as it may seem, obtaining regulatory and information security buy-in will not occur overnight. If you rely on and expect upper management to join the cause from the get-go, you'll only set yourself up for failure. In order to obtain buy-in, you have to get involved, establish your credibility, and show how compliance and security can benefit the organization. Selling to upper management is an art that, if mastered, can help you succeed in your current job and in your career.
2. Work with a regulatory oversight committee
Regulations pertaining to information security and privacy controls are not the sole responsibility of the IT department so don't isolate your initiatives. Upper management buy-in will help, but it will certainly take some assertiveness on your part to make it known that regulations such as SOX 404, the HIPAA Security Rule and the GLBA Safeguards Rule affect all aspects of the business. It's okay for IT to serve a key role, but other key managers and executives (i.e. legal, HR, operations and risk management) need to be involved as well to ensure the integration of all security compliance initiatives with the business decision-making process. Also, make sure this committee keeps upper management informed of all regulatory compliance-related initiatives involving IT and information security. This is one of the best ways to hold their interest.
3. Don't fall into the compliance-in-a-box trap
As much as the IT product vendors would like you to believe otherwise, regulatory compliance does not come in a box. Although we need technology to help implement and enforce many of our security policies, some organizations depend too much on it. IT managers and executives alike are still relying too much on technology to get them through their compliance pains when they should focus on otherwise weak security processes -- something technology rarely fixes. Don't overlook the basics like making existing technology work for you and writing security policies that are so reasonable and realistic that employees actually abide by them.
4. Address your highest payoff risks
It's critical to continually assess your risks so you know what to protect. It's more important to go for the biggest targets -- the low-hanging fruit. That's what the malicious hackers and insiders will do -- a perfect example of why it pays to think like the bad guys. Keep the Parado Principle (a.k.a. 80/20 rule) in mind. Your ability as an information security professional to focus your efforts on the vital few rather than the trivial many will pay off in many ways, especially when it comes to regulatory compliance.
Often, your highest payoff risks are public-facing Web and e-mail servers and wireless networks that can serve as network entry points. There are also those critical internal systems (computers, applications, databases, etc.) that process, store or otherwise control the critical information you're trying to protect. You'll find that by focusing on risks you discover that are both urgent (require immediate attention) and important (have a serious impact on the business) you'll get the most bang for your compliance buck and achieve the greatest long-term success.
5. Focus strongly on documentation
If you develop and maintain sound security policies, plans and procedures, you win two-thirds of the compliance battle. Don't forget information security standards (types of security tests to perform, encryption required, permitted authentication systems, access levels and so on), IT frameworks (ISO 17799, COSO, etc.), and audit parameters (when, by whom, etc.) that are crucial to security management as well. Make it standard operating procedure to periodically check security policies, plans, procedures and standards for omissions, discrepancies, contradictions and overlap.
Also, develop your documentation at the highest level feasible so you can apply as many policies and procedures to as broad a range of regulations as possible. Having separate policies for each regulation is an exercise in futility.
In the words of achievement expert Brian Tracy, "Action without planning is the reason for every failure." This rings loud and clear when it comes to addressing the security requirements of the various regulations you're up against. Get your priorities in order and before you know it, you'll be nice and compliant with the regulation of the month -- and better prepared for the next one coming down the pike.
- Find out how to get a grip on SOX 404
- Learn how to make regulations work for you
- Find out how much compliance is costing your company
About the author
Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC where he specializes in security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books including The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach), Hacking For Dummies (Wiley), and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at firstname.lastname@example.org.
This was first published in May 2005