Comply (And/Or) Die: Conforming With Multiple Regulations - InformationWeek



HIPAA, PCI, SOX, GLBA, FISMA ... the acronyms alone inspire fear and loathing. Yet compliance with one--or increasingly, several--state or federal regs is a fact of life for most companies. In this report, we discuss how to work smarter, not harder, with a focus on delivering solid bang for the corporate buck.

InformationWeek Green - January 25, 2010 issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative (registration required).

Once upon a time, CIOs considering a new project or purchase weighed whether it helped IT support the core mission of the business. Now, for most of us, the decision process is laced with the additional complexity of asking, "Will this also help us with compliance?" Moreover, the days when we had to worry about only one regulation are mostly gone--when we asked the 379 respondents to our InformationWeek Analytics survey on regulatory compliance how many requirement sets their organizations are addressing, the No. 1 answer was four or more, at 35%. Add to that ongoing budgetary pressure and a political climate that seems to favor more, not less, regulation, and who can blame IT groups for feeling stretched to the limit?

Fortunately, there are ways to work smarter and cover multiple compliance mandates with careful planning. In our full report, we help IT come to grips with the daunting task of addressing the myriad controls involved when you must comply with two or more regulations. By focusing on similarities and overarching concepts and requirements, IT can target high-value areas and add efficiency. The key is to focus resources and structure the strategic process to ensure applicability across multiple regulatory standards.

Sounds like good advice for everyone, right? In fact, we take the fairly uncommon standpoint that our increased focus on regulatory compliance has had many positive effects for IT, in particular around information integrity and protection. But it has raised troublesome issues as well. Regulatory compliance tends to encompass some of the most disliked facets of technology and process--particularly, a prescriptive set of requirements backed by the threat of dire consequences if rules aren't adequately met. Yet, IT controls in many regulations are qualified with squishy terms, such as "appropriate security" or "reasonable protection."

There Is A Path

With the "audit-proof security program on a shoestring budget" ideal in mind, let's explore the scope of the problem. A minority of the 379 respondents to our survey are wrestling with just one standard, compared with the almost 80% who are dealing with at least two regulatory requirement sets simultaneously. And single-compliance organizations shouldn't get too comfortable. Generally speaking, the past decade brought a marked increase in regulatory oversight of sensitive information, and that trend continues to accelerate at both the state and federal levels.

"Infosec pros have long complained that FISMA is not a threat reduction or risk mitigation framework--it's a giant exercise in covering one's posterior," says Michael A. Davis, CEO of security consultancy Savid Technologies and an InformationWeek contributor. Davis recently spoke with Dr. Ron Ross, a senior computer scientist with NIST and lead on the agency’s FISMA implementation project, about plans to make the regulation more effective. Ross says that, instead of providing more control guidelines, NIST is going to become more prescriptive, similar to PCI. It plans to provide more methods and processes that can be quickly implemented and that generate measurable outputs. Furthermore, Ross says, the agency wants these prescriptive controls to be more targeted to the threats that organizations are seeing in the real world.

To read the rest of the article, download the January 25, 2010 issue of InformationWeek.

Multi-Compliance Report
We outline a comprehensive strategy for aligning security efforts with regs to save time and money. Download this report for 41 pages of action-oriented analysis, packed with 26 charts.

What you'll find:
  • Seven key areas of overlap for HIPAA and PCI DSS
  • A rundown of the Top 5 standard security frameworks
  • The three must-have security policies and the top four technical control areas that auditors will look for