"Compliance fatigue" seems to be a growing trend, with organizations trying to stay on top of multiple security compliance standards, which could lead to compliance requirements getting tossed aside or deprioritized. What can enterprises do to avoid fatigue and make compliance less burdensome?
Let's face it, compliance is a tedious business. Organizations have a difficult time keeping track of the many overlapping security compliance mandates while maintaining compliance over extended periods of time. The term compliance fatigue is sometimes used to describe this difficulty, and I agree that it is a real trend. Fortunately, there are some ways enterprises can work to avoid compliance fatigue.
First, create a strong compliance management plan to ensure the organization maintains a comprehensive set of security controls that map directly to compliance obligations. Reviewing compliance management plans on an annual basis -- or more frequently -- gives organizations the opportunity to verify the status of those controls against changes in the business, risk and technology landscapes.
Second, organizations should continue to pursue any activities that may reduce the scope of their compliance programs. For example, using tokenization technology to remove payment card numbers from the processing environment can dramatically reduce the burden of PCI DSS compliance. This, in turn, reduces the occurrence of compliance fatigue.
There's not much an organization can do to make compliance management programs more exciting, but taking a few simple steps to reduce the burden of those programs goes a long way toward reducing compliance fatigue.
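The scope-reduction step above, tokenizing card numbers so the processing environment never stores them, as an added example that is not part of the original answer. It is a toy vault-based tokenizer in Python: the vault holds the PAN-to-token mapping, the order system accepts tokens only, and a scanner of the kind a PCI scoping review would run confirms that no PAN survives in the order store. The class and function names, the in-memory dictionaries and the test card numbers are all constructed for illustration; a production vault is a hardened service inside the cardholder data environment, and capture normally happens in a hosted payment form so the order system never touches the PAN even in transit.

```python
import hashlib
import hmac
import json
import re
import secrets
import string

# a 13-19 digit run not embedded in a longer digit run
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; rejects obvious junk before it reaches the vault."""
    digits = [int(d) for d in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """What a PCI scoping scan looks for: a Luhn-valid 13-19 digit run.

    Spaces or hyphens between digits are stripped first so '4242 4242 ...' is caught."""
    normalized = re.sub(r"(?<=\d)[ -](?=\d)", "", text)
    return any(luhn_valid(m.group()) for m in PAN_RUN.finditer(normalized))


class TokenVault:
    """Lives inside the cardholder data environment; the only component that holds PANs.

    Tokens are random, so nothing outside the vault can recover a PAN from one.
    A keyed (HMAC) index lets the same card map to the same token without storing a
    plain hash that could be brute-forced over the small PAN space. Constructed example."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # letters only in the random part, so a token can never look like a PAN;
        # the last four digits are kept for receipts and customer-service lookups
        while True:
            rand = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
            token = f"tok_{rand}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment-gateway integration inside the CDE should be able to call this."""
        return self._pan_by_token[token]


class OrderSystem:
    """Outside the CDE: stores tokens only and refuses anything that looks like a PAN."""

    def __init__(self) -> None:
        self.orders: list[dict] = []

    def place_order(self, customer: str, card_token: str, amount_cents: int) -> None:
        if not card_token.startswith("tok_") or contains_pan(card_token):
            raise ValueError("order system accepts card tokens only")
        self.orders.append({"customer": customer, "card": card_token, "amount_cents": amount_cents})

    def scope_check(self) -> bool:
        """True when a PAN scan of the serialized order store finds nothing."""
        return not contains_pan(json.dumps(self.orders))


if __name__ == "__main__":
    vault = TokenVault()
    shop = OrderSystem()
    # constructed test card number, not a real account
    token = vault.tokenize("4242 4242 4242 4242")
    shop.place_order("alice", token, 1999)
    print(token, shop.scope_check())
```

The design choice that matters for scope is that the order system has no path back to the PAN: tokens are random rather than derived from the card number, and the only mapping lives in the vault. Whatever data store the order system uses can then be left out of the PCI DSS storage controls, which is the burden reduction the answer describes.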
Take a look at Adobe's Common Controls Framework to help manage compliance controls, and check out the compliance management trends of 2015.