Few issues in the last several years have been more bewildering and frustrating for organizations than government rules regarding the security and retention of electronic data.
More than one organization has probably wished there was a way to comply, in one fell swoop, with all the regulations, from the Sarbanes-Oxley Act to the Health Insurance Portability and Accountability Act (HIPAA) to California’s SB 1386.
Unfortunately, there is no single checklist for complying with all the rules that touch your IT infrastructure. But there are some basic cybersecurity strategies companies can use that will help keep their computer networks in compliance.
Be Conscious of IT Cybersecurity and Privacy
Simply being cybersecurity and privacy-conscious goes a long way toward IT compliance. For example, a company that implements sound user authentication practices is going to do better at protecting personal health information — a major requirement of HIPAA. Strong user-authentication processes, along with other IT cybersecurity policies, may also constitute “internal controls,” which companies are required to have under Sarbanes-Oxley. And implementing a sound IT cybersecurity plan would defend against the consequences of SB 1386. That law, which affects all companies that do business in California, requires them to notify a customer when there’s been a security breach regarding that customer’s personal information.
It’s All in the Planning
Strategically planning for the regulations is often an enlightening process. Preparation makes companies concentrate on areas, such as cybersecurity and privacy, in ways they may not be used to. For example, many federal regulations require an IT risk assessment. A thorough IT risk assessment may show holes that the company didn’t know existed. An IT risk assessment may also help reduce IT costs by identifying programs that are no longer needed.
The IT risk assessment stage is one area in which thinking holistically about compliance can be fruitful. A good strategy is to have one IT risk assessment for all the regulations. Or, if that’s not possible, use the same firm for the IT assessments.
Mark Doll, Ernst & Young’s director of security and technology solutions for the Americas, was once asked by a client to reconcile a HIPAA risk assessment with one for the ISO 17799 standard. “It would have been cheaper for us to have done a new assessment,” he said.
Don’t Be Myopic in Your Approach
Companies sometimes take a myopic approach to compliance. They think of compliance as an issue for specific departments rather than for the entire organization. For example, HIPAA requires that patient data be handled properly. A company may respond by implementing procedures for protecting the servers housing that sensitive data. The problem with this approach is that users outside the department housing the servers won’t be sure which data is or is not private and may not know the proper procedures for handling private information.
To avoid such issues, and to provide strategic oversight, an organization needs to assemble a group that oversees IT compliance. For example, in larger organizations, a chief compliance officer (CCO) is often appointed. Ideally, the chief information security officer and the chief security officer, who handles physical security, would both report to the CCO. The chief security officer should be involved in IT compliance efforts because the regulation of physical security, such as access control, is an important element of both the Gramm-Leach-Bliley Act and HIPAA.
IT compliance can also reach beyond company boundaries. A company that falls under SB 1386, for example, needs to add language to its contracts so that partners know about issues that may be problematic. If you have an offshore outsourcer, for instance, you need to add language to its contract that requires it to notify you in the event of a data breach or if its information systems are compromised. This will allow you to notify your customers and fulfill your obligation under SB 1386.
Given the above, and the fact that your IT compliance group also needs to communicate with the rest of the organization on how compliance affects their daily actions, you may want to add legal and department-head representatives to your IT compliance oversight group.
Please visit www.isaca.org/cobit for the best IT compliance resource we’ve found to date.
If your company is struggling to demonstrate compliance with relevant regulations and fend off the dangerous combination of more frequent attacks, new technologies, and legacy systems, Xantrion can help. Get in touch to find out how our highly trained staff can handle your security needs.