If you are like most people in business today, you are up to your eyeballs with “compliance” requirements. Sarbanes-Oxley, GLBA and HIPAA might not have been too bad, assuming they even affected your organization at all. But now there is PCI DSS, the HITECH Act, FTC Red Flags and breach notification rules, and the dozens of state breach notification laws on top of everything else.
With all this recent government and industry intrusion into the free market, you would think it is next to impossible to get things under control. Well, it is that way for many organizations. But it is not the mere existence of these laws and regulations that is bringing people down — it is typically how people are handling them that is causing the problems.
Being an outside consultant, it is easy for me to make recommendations to clients and be done with it. Not having to get caught up in the day-to-day grunt work and political barriers is indeed an advantage. But I see something related to security and privacy compliance that is consistent in all types of businesses regardless of their industry and size — it is people duplicating efforts trying to address each of the laws and regulations on a case-by-case basis. For instance, they will spend good time and money tackling HIPAA. Once they have gotten it under control, they will start over with GLBA and then on to PCI DSS. Next, they will sort out all the state breach notification laws, and on and on. This approach certainly keeps people busy and may be good for job security, but it is very costly and completely inefficient.
If you feel like your organization is spending too much time on compliance for the sake of compliance, here’s what you can do to truly get your arms around this beast:
Make Compliance a Team Effort
If you are going to get things under control, the first thing you need to do is assemble a team of stakeholders into a security committee (or whatever you want to call it). This will likely include legal, HR, marketing, operations, internal audit, IT and at least one member of executive management. Every business is different. You will have to find out who is going to be able to effect the most change. Obviously, forming such a committee will require the backing of management. None of what I am writing about is sustainable without management’s support. But that is for another discussion.
Be careful with the size of your security committee. Anywhere from five to seven people, with one person serving as the leader, is plenty. Interestingly, I have seen so-called security committees like this with 20-30 people in them. They were not only too big to get anything done, but they rarely addressed security and compliance. Instead, they focused on project management, change management and other tactical issues that did not address the big picture with security.
Use your security committee not only to set and enforce policies, but also to engage your employees. One of the best things any organization can do to minimize information risks is to keep privacy and security at the top of employees’ minds. Rather than pushing “compliance” on everyone, talk about how your business is taking things up a notch and improving its privacy and security efforts, all for the greater good of the business.
Know What You Are Up Against
You absolutely have to understand the laws and regulations that affect your business. It sounds trite, but I talk with a lot of people — often the very people in charge of compliance — who are not aware of regulations such as PCI DSS, the state breach notification laws and the recent HITECH Act. You also have to understand business partner and customer requirements and even your own internal policies — it is all related to “compliance.” Once you understand the specific requirements of these laws and regulations, you will see that they are basically all the same. That’s the beauty of this — you can address information security and manage risks at a higher level and, with a few exceptions, end up complying with everything across the board.