Building a culture of compliance.


In an Ernst & Young survey of 1,300 organizations worldwide released in November 2005, nearly two-thirds of respondents said regulatory compliance is the primary driver of information security at their businesses, ranking ahead of security threats and meeting business objectives.

In an already heightened cyber-threat environment where IT resources are constrained, organizations face intense pressure to maintain compliance with a variety of complex regulations, from Sarbanes-Oxley to HIPAA, the Gramm-Leach-Bliley Act, FISMA, California's SB 1386, and more. After all, even the smallest non-compliant business decision can become the weak link leading to a data breach that might ultimately impact a company's brand integrity and consumer confidence.

Consider the consequences of a data breach. According to Privacy Rights Clearinghouse, there have been more than 210 publicized breaches affecting more than 55 million customers since February 2005. Cost of notification is projected to run between $10 and $35 per customer. Some studies show shareholder confidence experiencing a five percent market cap decline following a breach, while consumer confidence declines on average between 10 and 12 percent.

To mitigate these risks and meet regulatory demands, organizations must build a culture of compliance. The most effective compliance maintenance equation combines people, processes, and technology to provide an operating framework that is effective, measurable, and repeatable and delivers long-term results.

Strategic Involvement

One of the most common missteps companies make when evaluating their regulatory compliance strategy occurs right at the outset of their efforts. Too often businesses view and treat regulatory compliance as a separate activity rather than understand how to incorporate compliance into their day-to-day business operations. This requires commitment and cooperation among several areas of the organization including business owners, finance, IT, HR, senior management, and the board.

The problem is compounded when compliance reviews are restricted to small groups such as the board of directors, auditors, and select senior management. This limited involvement often translates to limited effectiveness. Regulatory compliance-based measurements and controls can also be used to identify and improve inefficient internal business and technology controls, on a continuous basis. By combining regulatory compliance activities with business process improvement programs, organizations can maximize the return on their efforts.

This marks a shift in viewing regulatory compliance not as an end in and of itself, but as the means to an end; that is, as a strategic component that helps deliver on the organization's overall mission of improved business operations, enhanced profit margins, and increased market share. Identifying and rectifying deficiencies in such critical areas as customer service, sales, invoicing, and inventory controls, as well as access, archive and retention policies, and other processes and supporting technologies, brings organizations closer to reaching business-critical corporate objectives.

Having an expanded view of the role of regulatory compliance signals the need for more inclusive participation in compliance projects. By involving multidisciplinary teams of individuals from key departments (finance, IT, legal, HR, and more), businesses can create a compliance committee that is better able to represent the interests and abilities of the entire organization and work effectively within their own departments to drive change.

Automating Improvement

One of the most taxing aspects of regulatory compliance is finding and documenting gaps and exposures, especially when most organizations must satisfy three or more regulatory mandates each year. The proximate and pressing nature of demonstrating compliance has prompted some businesses to try to leverage homegrown, manual methods such as spreadsheets. While the low cost of implementation of this approach is initially appealing, its limitations become clear as organizations struggle with scalability and reliability over time.

According to recent research conducted by the Security Compliance Council, compliance leaders (those who perform at least one audit per month) have an astounding 15 times fewer deficiencies than the industry laggards, who perform audits an average of once every eight months. However, the leaders have doubled their IT budget on compliance and nearly tripled their budget towards security because they lack automation.

With manual methods proving unwieldy and cumbersome, many organizations are accelerating the use of automation in IT and IT-enabled business functions to help demonstrate compliance more cost-effectively and efficiently. Implementing an automated, consistent, and repeatable process for testing, measuring, remediating, and reporting on the state of IT-related security controls can result in continual performance improvement.

In fact, it is virtually impossible to efficiently correlate business requirements with regulations and policies without an automated toolset along with analysis and remediation, auditable processes, and ongoing management and monitoring. The framework for ensuring compliance and long-term performance improvements follows an iterative process of defining and documenting policies, controlling deficiencies, and going beyond simply fixing symptoms of a deficiency to actually creating the policies and practices that help eliminate the cause.

Automated policy management tools are available to enable organizations to define, create, and disseminate policies and track user acceptance or waivers. Because many companies are impacted by more than one mandate, a growing number of these tools map policies to multiple frameworks, standards, and regulations. Identifying IT security and risk is made easier through technology that evaluates mission-critical applications and operating systems and intelligently assesses and reports deviations in areas such as password strength, default accounts, user rights and permissions, and vulnerability and patch status. Security threats that affect business-critical applications are automatically identified and prioritized.

Establishing, testing, measuring, and remediating control deficiencies can also be automated using technology tools. The assessment and management of IT technical controls is eased through tools that establish baseline configurations for all major operating systems and identify exceptions to configuration standards. A growing number of these tools also leverage global networks of Internet activity sensors as well as security personnel to enable proactive response to fast-moving and sophisticated threats.

Finally, governing a compliance and performance improvement environment is also streamlined through the use of automated tools. Some tools include compliance assessment and reporting capabilities that integrate data from a variety of sources through a single interface to enable organizations to demonstrate due care towards achieving IT policy compliance. Others report gaps in coverage of key regulations and frameworks automatically, while other tools capture and report on user acceptance and waivers to policies.

These automated toolsets help make efficient work of meeting the complex requirements of regulatory compliance and drive repeated performance gains across the organization.

Perpetuating Progress

The value of user awareness and education in meeting regulatory compliance requirements is critical. After all, unless users are aware of corporate policies, they cannot be expected to follow them. Also, if users are not held accountable for their adherence to policies, they are unlikely to heed them. Any lack of adherence can, in turn, lead to a potentially costly data breach.

One of the most compelling components of a number of today's policy compliance toolsets is the ability to actually automate the development, distribution, and deployment of IT policies across the enterprise. These tools deliver a customizable policy framework based on risk management objectives that can be traced back to specific business requirements. The cumulative impact of increased user awareness through automation is often a significant parallel decrease in the likelihood of deficiencies in complying with policies.

Just as business performance improvement is an ongoing objective that requires continual attention and effort, regulatory compliance is an unending business process, but one that becomes noticeably easier and more cost-effective through automation.

By involving a cross-section of key personnel in the organization's policy compliance committee, implementing automated and repeatable processes, and ensuring adherence to policy, organizations can meet regulatory requirements while improving operating results and ensuring continuous business improvements.

The State of Regulatory Compliance Performance

What are organizations with low compliance deficiencies doing right? The Security Compliance Council, comprised of Symantec Corporation, The Institute of Internal Auditors (The IIA), and the Computer Security Institute (CSI), has all the answers after conducting a recent survey to better understand the state of regulatory compliance performance. The benchmark report quantified performance results across 671 organizations, measuring the number of overall deficiencies and the significant and material deficiencies experienced by these organizations, as well as the actions these organizations took to improve results. Key findings include:

* The most pressing regulatory mandates, those governing data privacy and protection, are impacting 60 percent of organizations.

* Regulatory compliance leaders--those with the least number of deficiencies--are spending nearly 13 percent of the IT budget on IT security. In contrast, organizations with the highest number of regulatory deficiencies are performing as regulatory compliance laggards, spending less than five percent of the IT budget on IT security.

* Only 11 percent of organizations are achieving stellar performance results when measured by the number of overall deficiencies being incurred and the number of these that are rated as significant and material.

* The actions responsible for reducing compliance deficiencies, based on the practices among the industry leaders, are:

- Conducting internal audits and security monitoring at least monthly

- Spending at least 30 percent of the time in IT on regulatory compliance

- Spending more than 10 percent of the IT budget on IT security

Suzanne Dickson is director of Compliance and Security Management Solutions, Symantec Corp.

www.symantec.com
COPYRIGHT 2006 West World Productions, Inc.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
Stephen F. Fedor (Member):  8/31/2007 6:04 PM
excellent article!
Article Details
Title Annotation:Disaster Recovery & Backup/Restore
Author:Dickson, Suzanne
Publication:Computer Technology Review
Date:Sep 1, 2006
Words:1497