Compliance is a scary word. Too many of us think compliance is something bureaucratic and overwhelming. It’s true – most of the time compliance frameworks are implemented poorly – making them burdensome beasts with forms that have to be be filled out, in triplicate using only #2 pencil, and processes that simply don’t make sense.
What is Compliance?
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.
Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources.
So far so good. Conforming to specific rules or policies. Nothing too scary so far! Harmonized set of compliance controls? Rules provided! Again great! So compliance is simply a matter of applying a set of rules to your business and processes. Simple, right?
This is where many companies (and auditors and consultants) go wrong. Just applying a compliance framework is a great way to create a bureaucratic nightmare. Why?
Compliance frameworks are great tools, designed to make the process of achieving compliance simpler. They range from being very high-level (ISO 27001) to extremely prescriptive (PCI-DSS 2.0).
Some regulatory requirements and compliance frameworks that IT often deals with include:
- Credit Card Processing – PCI-DSS
- Information Security – ISO 27001
- Financial Transparency, Sarbanes Oxley (SOX) – CoBIT
- Protection of Health Care Information – HIPAA
- Service Providers – SAS70
High-level frameworks like ISO 27001 or CoBIT provide a 50,000 foot view of good IT governance. They go into some implementation details (ISO on key processes), but often leave the “hows” to the implementer. Prescriptive frameworks, on the other hand, don’t cover governance at all, and instead focus on detailed controls (often security related) that must be implemented (or compensated for).
Compliance frameworks are great tools to start the compliance process. Sadly, in our zeal to implement such frameworks, many crucial mistakes are often made. A couple very key ones are:
- Not understanding the business goal of compliance
- Not understanding the risks being mitigated
- Improper scoping and scaling
Like any project, it’s key that we understand these three points. Without a firm understanding of them, our compliance solution will be less likely to meet the company’s actual goals and requirements. Result: Unmanageable beast.
Future posts are going to dive into these three points in detail. Tune in next week!