Compliance is a pain. Organizations around the world decry the onerous burdens placed upon their IT organizations by the laws and regulations imposed by governments and other regulatory bodies. While many IT compliance obligations are rooted in accepted best practices for privacy and security, others are paperwork exercises designed to prove compliance to others. This leaves many IT managers wondering what their lives would be like...
if, instead of worrying about regulatory compliance, they could dedicate those resources to delivering business value.
Many organizations are making serious efforts to achieve that dream by dramatically reducing the scope of their compliance efforts. Descoping programs seek to minimize compliance responsibilities by reducing an organization's exposure to regulations. These efforts generally rely on two techniques to reduce the systems and business processes subject to regulation: segmentation and outsourcing.
In this tip, we'll detail how segmentation and outsourcing can reduce certain organizations' compliance requirements, and discuss why descoping measures may not be right for every business.
Segmenting regulated environments
While many IT compliance obligations are rooted in accepted best practices for privacy and security, others are paperwork exercises designed to prove compliance to others.
Segmentation relies upon separating the systems and/or processes that handle regulated information from those that do not. Using this approach, areas that do not come into contact with regulated information avoid becoming subject to the regulation and do not need to operate under the compliance regime.
For example, organizations that process credit cards routinely use network segmentation to limit the scope of their cardholder data environment, and thus reduce the burden placed on them by the the Payment Card Industry Data Security Standard (PCI DSS). Credit card merchants might use firewalls to isolate their credit card processing systems from the general productivity workstations used by other employees. Then, when it comes time to assess PCI DSS compliance, the productivity workstations do not require evaluation.
In addition to technical segmentation, organizations may choose to use business processes to segment areas of the organization that engage in regulated activities. Companies that operate on-site health clinics for employees, for example, may find themselves subject to Health Insurance Portability and Accountability Act (HIPAA) compliance obligations. Rather than declaring the entire company a HIPAA-covered entity, such a company can segment the operations of that clinic and declare itself a hybrid entity. As long as protected health information does not pass between the clinic and the rest of the organization, only the clinic's activities are subject to HIPAA.
Outsourcing regulated activities
In some cases, it may be possible to completely outsource regulated activities to a third party, and, handled properly, outsourcing may partially or completely transfer regulatory compliance burdens to the vendor.
In the world of credit card processing, there are several ways that organizations might outsource burdensome activities. For example, the operators of an e-commerce website might be able to shift all responsibilities for credit card processing to a cloud service provider. Under such an arrangement, a customer that completes an order on an organization's website is transferred to the service provider's website to enter payment information. The service provider then merely informs the merchant that the payment was received, but does not provide any cardholder information to the merchant. If the merchant does not sign a credit card processing agreement, it has no obligations under PCI DSS.
An organization's HIPAA obligations may also be shifted through outsourcing. Earlier, I described a business that is subject to HIPAA only because it operates an on-site employee health clinic. If the business outsources responsibility for that clinic to a service provider and that provider does not share any protected health information with the business, only the service provider bears the burden of HIPAA compliance.
Is descoping right for you?
Descoping activities provide tremendous benefits, particularly to organizations that are only tangentially conducting regulated activities. However, they may not be right for every organization.
A hospital that tries to reduce its HIPAA obligations, for example, may find that network segmentation removes only a small handful of systems that don't process health information. In such a case, it is simply more cost-effective to operate the entire network in a HIPAA-compliant fashion. Similarly, organizations that process large volumes of credit card transactions may find outsourcing prohibitively expensive compared to the costs of operating their own PCI DSS-compliant card-processing infrastructure.
Organizations of many types and sizes may find that they can reduce the burden of IT compliance through segmentation and outsourcing activities. Given the large number of regulations facing organizations, many are likely suffering from a heavy compliance burden. Taking the time to critically examine each regulation facing a business can yield valuable insights. In some cases, an organization may find ways to completely remove itself from the scope of the regulation, and in others, may be able to limit the scope of its regulated activities.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.