Achieving and maintaining compliance for Fortune 500 companies may not be easy, but it can be a lot simpler than you think. The secret is simply focusing on information security. Once you do that, government regulation and industry-driven compliance seemingly fall into place.
With Fortune 500 companies, tens if not hundreds of requirements must be reviewed and incorporated to satisfy a variety of government and industry-imposed regulations. For example, a financial institution may fall under Sarbanes-Oxley (SOX), the Federal Financial Institutions Examination Council standard (FFIEC), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS) and Red Flags requirements. A healthcare provider may pursue The Health Insurance Portability and Accountability Act (HIPAA)/the Health Information Technology for Economic and Clinical Health (HITECH) Act or Meaningful Use compliance. Regardless of the Fortune 500 business or the industry it’s in, the compliance objective is the same: to protect the organization's collected information from anyone who would exploit that information for personal, professional, social and/or financial gain.
The challenges Fortune 500 companies face begin with understanding which regulations, compliance standards and frameworks must be incorporated into their organizations. Organizations must also understand where critical data resides and which environments within their business must be compliant. While some compliance is targeted at the organization as a whole, information security compliance typically applies to a smaller environment within the larger organization. For example, the healthcare industry must comply with HIPAA, which addresses in-scope systems that should be protected with physical, technical and/or administrative safeguards. Within the retail industry, PCI DSS compliance objectives focus on the organization’s cardholder data environment and structure the assessment around the storage, processing and/or transmission of cardholder data.
What Fears Drive Compliance?
The most common question we hear is, “Where do I start?” This is followed by, “What are the latest developments or changes to compliance requirements?” The third, and most sensitive, question of all pertains to the cost of achieving compliance. Finally, organizations want to know, “What are the consequences of non-compliance?” These can include levied fines and breaches.
At the start, it’s especially helpful to have a trusted partner to work through these compliance and security challenges. Organizations also need enough internal resources to conduct remediation activities in a timely manner. Consulting partners typically have seen many environments and can suggest cost-effective solutions to common problems. Going it alone could result in shifting resources away from critical projects for a small and seemingly insignificant gap in compliance when a better solution may be available. Other risks include failing to meet compliance deadlines and customer expectations, and growing costs to remediate gaps.
Today, you can’t earn compliance by simply implementing a technical control or developing a required policy or procedure. In the current regulatory environment, organizations are expected to have a mature information security program with security controls that complement and overlap one another. A documented policy or procedure isn’t good enough. The policies need to be enforced through technical, logical or physical means.
It’s possible that a violation in one area, such as PCI DSS, can automatically lead to a HIPAA violation, bringing double the fines and penalties. For example, losing an unencrypted backup disk containing both personal healthcare and financial data would be catastrophic. On the other side of the coin, when a company fixes a weak spot that affects one regulation, it often fixes it for others as well. This is why it’s important to have one good information security program; compliance will then follow naturally.
Information security and compliance have the same objectives: to help ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
The best way to go about compliance is by taking a holistic approach. That will help you in the following areas:
• Reduce costs related to governance, risk and compliance initiatives
• Establish a risk-based, decision-making process
• Reduce non-compliance risk and avoid penalties and loss of reputation
• Create further value for the organization through the realization of potential and organizational improvements
• Reduce the possibility of duplicated remedial actions