IT Compliance
Getting your arms around the beast
If you are like most people in business today, you are up to your eyeballs with “compliance” requirements. Sarbanes-Oxley, GLBA and HIPAA might not have been too bad, assuming they even affected your organization at all. But now there is PCI DSS, the HITECH Act, FTC Red Flags and breach notification rules, and the dozens of state breach notification laws on top of everything else.
With all this recent government and industry intrusion into the free market, you would think it is next to impossible to get things under control. Well, it is that way for many organizations. But it is not the mere existence of these laws and regulations that is bringing people down — it is typically how people are handling them that is causing the problems.
Being an outside consultant, it is easy for me to make recommendations to clients and be done with it. Not having to get caught up in the day-to-day grunt work and political barriers is indeed an advantage. But I see something related to security and privacy compliance that is consistent across all types of businesses regardless of their industry and size — it is people duplicating effort by trying to address each of the laws and regulations on a case-by-case basis. For instance, they will spend good time and money tackling HIPAA. Once they have gotten it under control, they will start over with GLBA and then move on to PCI DSS. Next, they will sort out all the state breach notification laws, and on and on. This approach certainly keeps people busy and may be good for job security, but it is very costly and completely inefficient.
If you feel like your organization is spending too much time on compliance for the sake of compliance, here’s what you can do to truly get your arms around this beast:
Make Compliance a Team Effort
If you are going to get things under control, the first thing you need to do is assemble a team of stakeholders into a security committee (or whatever you want to call it). This will likely include legal, HR, marketing, operations, internal audit, IT and at least one member of executive management. Every business is different. You will have to find out who is going to be able to effect the most change. Obviously, forming such a committee will require the backing of management. None of what I am writing about is sustainable without management's support. But that is for another discussion.
Be careful with the size of your security committee. Anywhere from five to seven people, with one person serving as the leader, is plenty. Interestingly, I have seen so-called security committees like this with 20-30 people in them. They were not only too big to get anything done, but they rarely addressed security and compliance. Instead, they focused on project management, change management and other tactical issues that did not address the big picture with security.
Use your security committee not only to set and enforce policies, but also to engage your employees. One of the best things any organization can do to minimize information risks is to keep privacy and security at the top of employees' minds. Rather than pushing "compliance" on everyone, talk about how your business is taking things up a notch and improving its privacy and security efforts, all for the greater good of the business.
Know What You Are Up Against