Compliance is defined in the dictionary as “the action or fact of complying with a wish or command.” That is a very simple definition for a complicated topic, especially when you consider all the demands and regulations companies are asked to be compliant with these days. In the business and IT world, I think of compliance more as meeting the requirements of defined regulations, frameworks, or laws. Specifically, compliance covers the steps a company takes to conform to governance: all the laws, standards, and prescriptive controls that apply to the company.
IT Compliance Standards to Be Aware Of
SOC, HIPAA, SOX, NIST, and PCI are just a few of the most well known regulations/standards that businesses are expected to be compliant with. While there is overlap between some of these regulations, each one of these has a different set of requirements that must be met for businesses to be considered compliant with the standard.
Compliance allows for a common language to be used between regulators and auditors in order to evaluate the effectiveness of controls in place.
For example, a SOC 2 (System and Organization Controls) engagement has five (one that is required and four that are optional) TSCs (Trust Services Criteria) and defined common criteria that are tested by the auditor and concluded on in the issued report at the end of the engagement. This allows the readers of the report to understand if the service organization is “compliant” with the required controls for a SOC 2.
Another example is the HIPAA Security Rule. A covered entity must comply with all of the standards of the Security Rule with respect to the EPHI (electronic protected health information) it creates, transmits, or maintains in order to be compliant with the HIPAA Security Rule. The auditor performing the HIPAA audit will test that the covered entity is compliant with the HIPAA Security Rule and issue a conclusion in the report.
Many companies do not prepare for compliance to a regulation until it is a requirement, and then they are scrambling to get the right policies, processes, and controls in place. This approach can be stressful, costly, and prone to error. Preparing early can help ensure the appropriate amount of time and effort are put into meeting the requirements to be compliant with a regulation, framework, or law.
So how does a company get started on being compliant? If a company is aware of a regulation in its industry, it is beneficial to learn more about that regulation and determine whether it applies to the organization. Starting right away will go a long way. Also, if a client asks a company whether it has a certain certification, report, or framework in place, it will most likely not be the last time the company is asked about it, and it is worth taking the time to understand what is involved. Starting early and understanding what would be required for your company gives you the time needed to do things correctly.
How Do I Get Compliant With All the Standards Out There?
Contacting a knowledgeable and experienced provider to help you through the compliance process will go a long way. For example, at Linford & Company, we have helped a number of our clients go through initial SOC, HIPAA, HITRUST, and FedRAMP requirements for the first time. We offer pre-assessments as initial steps in determining where there may be gaps in controls that would preclude a service organization from having a successful or clean conclusion.
Additionally, many of the standards have governing websites that provide information on the standard and compliance, and some even provide information on implementation specifications. The implementation specification is a more detailed description of the method or approach that can be used to meet the requirements of a particular standard. Below is a list with links to some of the common standards in the IT industry.
- SOC (from the AICPA): http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
- HIPAA: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- HITRUST: https://hitrustalliance.net/
- FedRAMP: https://www.fedramp.gov/
- PCI: https://www.pcisecuritystandards.org/
- NIST: https://www.nist.gov/services-resources/standards-and-measurements
- GLBA: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Can and Should I Advertise That I Am Compliant With a Specific Standard?
If you become compliant with a specific standard, there is nothing wrong with using that to your benefit. Putting a statement on your website or in marketing materials stating that you are compliant with a standard and this compliance is audited and verified by a third party can be very positive. Some reports cannot be publicly circulated (posted on your website), but adding a note that the report is available upon request to clients is recommended. If you are not sure if you can share the report, or who you are allowed to share it with, check with the audit firm that completed the examination for guidance.
Who Should be in Charge of Compliance?
Having a designated person or department in charge of compliance is always the best way to ensure that compliance is always being monitored. While this is an option for large organizations, it is not always feasible for small or medium-sized companies. At Linford & Company, we recommend that a person be designated as the point person for a specific compliance examination.
For example, when completing SOC examinations for our clients, we generally work with a designated person who makes sure the organization is providing what is needed as part of the examination, and who also monitors compliance against the standard throughout the period under review. This person is generally not in a standalone compliance role, but takes on that responsibility as part of their job function.
Summary – Being Compliant
If you foresee your company needing compliance at some point in the future, whether near or far, we recommend starting as soon as possible. If you have questions about whether compliance is required, please request a consultation with one of our auditors.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.