There are numerous regulatory statutes enacted by Congress. The acts are usually a response to a social or economic problem and as such are considered “enabling legislation.” The appropriate government agencies are then tasked with creating and enforcing the regulations authorized by the statute. Most of these statutes embed specific requirements for the regulation and protection of information, intended to guard privacy, prevent fraud, provide security, and protect identities through standardization, mandates, and accountability.
Corporations providing products and services in the US are expected to know and adhere to these regulations. Corporate legal entities and C-Suite executives, including CCOs or CTOs, are responsible for policies to achieve and defend adherence to relevant regulations. In some cases, these executives take on personal responsibility for lawful adherence and reporting and can be held personally liable via stiff penalties or even jail time. Other compliance provisions include protections against the unlawful destruction of information that could be subject to e-discovery, the process by which information is sought in legal proceedings and must pass through defined procedures before the data is handed over.
In addition to federal policies, many companies must comply with international standards, as well as local, regional, and state restrictions. It can be difficult to identify which laws, regulations, statutes, or mandates are required. Most agree that the legal team and C-Suite executives, under the guidance and recommendations of the compliance officer, are charged with determining the scope of compliance.
Some of the most well-known standards affecting IT compliance include:
The Sarbanes-Oxley Act (SOX) of 2002 is a sweeping statute to regulate financial transparency and reporting. It was enacted by Congress as a direct response to the Enron and WorldCom misconduct. Section 404 is of significance for IT in the area of financial reporting controls.
The Gramm-Leach-Bliley Act (GLBA) was signed in 1999 and mandates that financial institutions manage consumer protections (via yearly notices) of their privacy policies. It also requires appropriate internal and external safeguards, including against the threat of pretexting (the unlawful gaining of information by fraudulent means, pretense, or guesswork).
The Federal Information Security Management Act (FISMA), passed in 2002, mandates information security for the federal bureaucracy by requiring an annual review of systems.
Title II of HIPAA, the Health Insurance Portability and Accountability Act, articulates policies and guidelines for regulating information, especially Protected Health Information (PHI), held by insurers, medical providers, and employers who provide health care insurance.
The Payment Card Industry Data Security Standard of 2001 (PCI DSS) is an industry-deployed recommendation instituted by MasterCard, Visa, and other credit card companies to provide identity protections for members and service providers.
Statement on Standards for Attestation Engagements (SSAE 16) became effective in 2011, replacing SAS 70 as the reporting on controls for service organizations. Data centers, ISPs, and web hosting service providers are common IT-related entities where SSAE 16 applies.
Basel III applies to the banking industry and helps determine the amount of capital banks need to hold in reserve in order to recover in the case of a loss. This regulation impacts IT because it requires software that can perform more advanced calculations.
WHICH COMPLIANCE REGULATIONS APPLY TO YOUR ORGANIZATION?
Dealing with the multitude of regulations across numerous industries is daunting for many organizations. In the US a company may be subject to the authority of one or several regulating bodies, including the Securities and Exchange Commission (SEC), the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC). The industries most affected are the financial, retail and e-commerce, health insurance and services, other insurance institutions, banking, defense, utilities, and credit card issuers who have access to sensitive information. But the list also includes any organization that keeps sensitive information – for example, any organization that holds social security numbers; this encompasses most employers, government entities, and colleges and universities.
It is difficult to identify enterprises, especially global ones, that are not subject to local, regional, state, federal, or international regulations. HIPAA mandates affect health care insurers and practitioners, but there are also provisions that affect any employer that offers health insurance to its employees. In addition to formal laws and regulations, be aware of industry standards (such as financial accountability standards of Basel III and PCI DSS in the credit card industry). The bottom line is if an IT department is charged with protecting information to ensure confidentiality, integrity, reliability, or availability of information, the chances are there are numerous regulations that demand compliance.
IT COMPLIANCE: GOALS AND CHALLENGES
The overall goal of IT compliance is to build a technical, procedural, and strategic framework that provides the means to attain and prove a company’s legal and ethical integrity. Providing defensible mechanisms, policies, and procedures can help avoid the following:
- Damage to corporate image standing or consumer trust
- Lost revenue, market opportunity, or stock value
- Remediation expenditures (legal costs, fines, and judgments, purchased consumer protections, capital acquisitions, and lost productivity)
However, achieving this goal is met with many challenges. First and foremost, the complexity and scope of new statutes are subject to interpretation. Since the regulations themselves do not come with a concrete roadmap, there are numerous industry-specific guidelines and best practices available that provide clarity and guidance.
Other challenges include:
- Lack of employee education
- Shadow IT issues, such as personal mobile devices that circumvent corporate IT systems
- Unauthorized applications
- Difficulties with service providers (cloud services and data centers)
- The role of social media
- Number of current regulations, updates, and new laws
IT GOVERNANCE, RISK, AND COMPLIANCE MANAGEMENT AND SOFTWARE SOLUTIONS
To manage the many growing and changing needs of IT compliance, many organizations implement solution strategies. Regardless of the type of solution you choose (a theoretical framework or a software platform), ensure that it will work in today’s business landscape. An IT compliance solution should be adaptable (so you can update it as regulations change), allow for continuous internal investigation, dialogue, and education of those involved, and effectively manage any non-compliance issues.
The term GRC combines the interwoven functions of IT compliance with the overarching responsibilities of corporate governance to enhance the activities of risk management. Gartner Research places additional emphasis on the importance of supporting risk management through their “Hype Cycle” and identifies seven market segments focused on overall Integrated Risk Management (IRM):
- Operational Risk Management (ORM)
- IT Risk Management
- IT Vendor Risk Management
- Business Continuity Management Planning (BCM)
- Audit Management
- Corporate Compliance and Oversight
- Enterprise Legal Management
Of the seven areas, two are directly related to IT, and in Gartner’s 2016 Market Guide for Integrated Risk Management Solutions, analyst John A. Wheeler states that “…IT risks have been managed in silos, but are increasingly being recognized as leading indicators for failure in other risk areas, such as fraud, and resiliency.” Gartner has also begun using Integrated Risk Management as a phrase to better define the functions of a strong system for governance, risk management, and compliance.
In adopting an Integrated Risk Management Solution (IRMS), there are numerous frameworks (CobiT and ITIL) and organizations (COSO) available to assist in developing best practices and procedures.
Many organizations also opt to adopt a software solution to manage IT compliance. IT compliance software can support critical functions and provide micro and macro functionality, integrated features and controls, and mobile solutions to assist in both compliance and risk management. Capabilities you may seek when evaluating compliance management software include:
- Identification of vulnerabilities
- Systems controls and application security functions
- Quick recovery functions after failure or incident
- Risk assessment and threat identification
- Document and project management
- Ongoing operations and maintenance management
- Audit logs and authentication
- Root cause analytics and forensics
- Firewalls, network security, and malware detection
- Change management and trouble ticket tracking
- Disaster recovery
- Email archiving
When considering adopting a software solution, you first need a clear plan, assessment, and review of the goals, processes, and procedures already in place. For example, identify which compliance issues need to be added or strengthened, and how you will employ the software to assist. To guide this process, there are numerous industry organizations and specialists that can help formulate the questions or glean information as a solution is researched. For example, the Gartner Magic Quadrant for IT Risk Management Solutions covers the corporate compliance segment, listing software vendors and assessing their products’ strengths and appropriate applications.
Before making a final software choice, be sure to:
- Evaluate vendor history and reputation
- Ask the vendor the complex compliance questions to ensure their understanding of your needs and requirements
- Demo the product and involve key personnel
- Work with industry analysts and experts
- Perform an assessment based on specific organization governance, risk, and compliance requirements
Ultimately, a thorough exploration of the available software solutions will lead you to the product that best fits your needs. Remember not to be swayed by fancy add-on functionalities (that you might not even need); let your research results be the deciding factor.
BENEFITS AND BEST PRACTICES OF AN IT COMPLIANCE SOLUTION
As we’ve discussed, failure to adhere to compliance regulations can have great impact on your organization’s bottom line. Therefore, establishing a robust IT compliance strategy along with supporting solutions is critical to your organization’s future success. A strong IT compliance solution can enable you to:
- Stay up to date on current compliance requirements through integrations with GRC data sources
- Standardize processes across all required IT GRC regulations
- Improve effectiveness with automated processes and workflow
- Provide leadership with real-time IT compliance reports
- Maintain accurate records for audits
- Maximize investment in IT compliance services
- Incorporate relevant compliance best practices into processes and workflow
- Manage IT resources and ensure accountability
IT COMPLIANCE MANAGEMENT FOR HEALTHCARE ORGANIZATIONS
Healthcare organizations are required to abide by stringent security measures and remain compliant with the HIPAA guidelines, as well as any other internal and external rules, regulations, and policies. However, these requirements are extremely fluid, so having a system in place to track and manage the changing government policies, technology security procedures, and insurance requirements is essential for both business success and meeting legal obligations.
A comprehensive, transparent IT compliance management system establishes a clear line of communication between all members of an organization, and ensures visibility into regulatory guidelines, and the organization’s adherence to them. Since healthcare companies must always remain compliant and regularly audit their processes and guideline adherence, they need a tool to help them keep track of all policies and procedures, provide critical information for reviews, and ensure that the integrity of their business is not in jeopardy.