If you are in charge of IT and/or Security and you do not have that compliance and/or auditor twinkle in your eye, you might twinge each time someone says PCI, HIPAA, ISO, GLBA, SOX, or any other regulation or evil acronym that might be thrown your way. Depending on your environment and your experience with compliance, the hardest part is knowing what applies within your organization. If faced with an auditor, or even worse, a court room, you will have to show due diligence and due care. As they used to say at the end of every GI Joe cartoon: “Knowing is half the battle!” Due diligence is just that: knowing, researching, and understanding what regulations apply within your organization and how your organization complies with them. Due care is the act of implementation and remediation of issues found and showing that the proper controls are in place and are effective. Please note that this is a high level methodology to compliance. Additional assessment and expertise may be required depending on the size of the organization and what regulations were found to apply to the organization.
1. Know Who Is in Charge in Your Organization
Who within the organization is normally in charge of compliance? Within more mature organizations, someone within the legal department generally holds the title Chief Compliance Officer. This person would be in charge of researching and identifying what compliance frameworks and regulations that would be required. Internal auditors would be responsible for ensuring that the controls identified within the organization are effective and running. Even if you are a seasoned Compliance Officer, rarely is it advisable to do it alone. Reliance on others within the organization, third parties, and management approval may need to be called upon to ensure you are headed down the right path.
2. Know Your Organization and Industry
The second step to compliance is understanding what your organization does and what industry (ies) your organization fits into? In many ways knowing this information can help in the first stage of gathering the different regulations or frameworks. When working through the other steps, additional regulations and control frameworks may be uncovered so don’t panic if you do not find everything in the first stage. Many online industry websites have a list of known regulations and possibly can provide some guidance on how they would apply within each organization. Some additional factors that may play into this include where your organization does business. There are many Local, State, Federal, and possibly Internal Regulations that an organization would have to follow. Another factor is how your organization receives revenue. Does the organization work on cash only, take credit cards, or have an ecommerce site? Maybe your organization is a publicly traded company or a non-for-profit organization. What type of contracts does your organization currently have with its customers, service providers, and other third-parties? At this stage, it is essential to interview upper management to gather as much information and detail about the organization as possible.
3. Know Your Business Processes
The third step and the first step may seem redundant; however, it is in the third step where we dig even deeper and perform business process mapping to understand each process within each department. This helps to shed light on what systems and information are being used every day within the organization. This can be of the utmost importance in that it potentially can bring out even more regulations and compliance frameworks that maybe could not have been determined within the second step. The business process mapping itself entails interviewing each line of business or department. The objective is to understand what type of information is collected, stored, transmitted, and processed within the environments. This is accomplished by following the flow of information from creation to destruction. Not only must there be tracking of electronic information, but also of paper and other forms of media.
4. Perform a Gap Assessment
After all of the previous steps have been completed, it is then time to analyze and determine what compliance and regulation requirements truly apply within the organization. This is where additional expertise and research would be needed to understand what specific data applies or needs to be protected by each regulation or compliance framework. What processes and systems would potentially need additional requirements and controls in place to become compliant? This is where a detailed gap assessment for each regulation and control framework would take place. This is to ensure that each regulation applies within the organization, and to identify what additional controls would need to be put in place within the organization.
5. Create a Remediation Plan, Remediate, Assess, and Repeat
After performing the gap assessment and understanding what controls apply and are missing, the due care portion of compliance has been completed. There is now a clear understanding of what is expected of the organization. The organization must create and implement a plan of remediation to start becoming fully compliant. This is the start of the due diligence portion of the process, and it should be an ongoing process. The plan may include implementing technical controls such as encryption technologies or policies and procedures to ensure controls are defined, followed, and enforced. More assessments may need to be done as well, such as a vulnerability assessment, penetration testing, and policy reviews. Additionally, a risk management program may need to be developed to ensure that different risks are identified, addressed, and remediated on a continual basis.
Compliance is not a one-time assessment. It is a continual cycle that requires maintenance on a regular basis. Just as regulations and compliance frameworks can change, so can the organization. Acquisitions, mergers, and new services or products may introduce new regulations within the organization. As with any regulation or compliance framework, if it is not maintained it can fluctuate from compliance to non compliance even within a given day. So the question is…Is your organization doing the Five Step Compliance Shuffle?
By David Sopata, Consultant at SecureState for the Audit and Compliance group