Thursday, October 7, 2010

The Five-Step Compliance Shuffle

If you are in charge of IT and/or security and you do not have that compliance and/or auditor twinkle in your eye, you might wince each time someone says PCI, HIPAA, ISO, GLBA, SOX, or any other regulation or evil acronym that might be thrown your way. Depending on your environment and your experience with compliance, the hardest part is knowing what applies within your organization. If faced with an auditor, or even worse, a courtroom, you will have to show due diligence and due care. As they used to say at the end of every GI Joe cartoon: “Knowing is half the battle!” Due diligence is just that: knowing, researching, and understanding which regulations apply to your organization and how your organization complies with them. Due care is the act of implementing controls, remediating the issues found, and showing that the proper controls are in place and are effective. Please note that this is a high-level methodology for compliance. Additional assessment and expertise may be required depending on the size of the organization and which regulations were found to apply to it.