Navigating Compliance Regulations
With no shortage of regulations around data security and privacy, it’s no wonder that determining which regulations must be complied with and whether your company has compliance gaps can be a daunting task. Where should you start?
Perform a risk assessment
Risk assessments are valuable tools for determining which information systems an organization has, the type and location of data that the systems house, and which systems require additional safeguards. When an organization understands all the types of data that it possesses, it is easier to identify the regulations that require compliance.
Consider the following examples of commonly stored information and their related security regulations:
- Credit card account information – Payment Card Industry (PCI)
- Electronic patient health information – Health Insurance Portability and Accountability Act (HIPAA)
- Consumers' private banking information – Gramm–Leach–Bliley Act (GLBA)
- Government Information – Federal Information Security Management Act of 2002 (FISMA)
It’s possible that a company could have to comply with at least two of the regulations above. Unfortunately, there is no single generally accepted IT compliance regulation that applies to all IT environments, in the way the Financial Accounting Standards Board (FASB) sets a common standard within the financial sector. Instead, there are a number of regulations that apply based on the type of work a company does and the type of information that is processed and stored by that company. A thorough risk assessment will identify the regulations that require compliance, the areas requiring additional safeguards, and estimates of the potential cost of non-compliance.
Identify regulations and determine overlap
There are many similarities between regulations such as HIPAA and PCI. Determining where the requirements of each regulation overlap, and ensuring that policies, procedures, and controls address all requirements without duplicating or counteracting one another, will simplify the process for everyone involved. For example, it doesn’t make sense to have four different access control policies, one for each regulation requiring compliance. Instead, understanding each regulation’s requirements around access control and incorporating them into a single access control policy makes employees easier to train and reduces confusion about the requirements outlined within the policy. A document called a crosswalk can be used as a tool to determine where the overlap is between the standards requiring compliance.
Crosswalking Security Requirements
Creating a document that links the requirements of each regulation to the policies, procedures, and controls an organization has in place can help determine whether there are compliance gaps relative to each regulation. Gaps identified through the crosswalking process can then be used as roadmaps for remediation. The goal of a successful crosswalking exercise is to identify all compliance gaps and ultimately remediate them to ensure compliance with applicable regulations.
There is no doubt that the differences between regulations around information security can be confusing, but there are ways to minimize confusion and gain assurance that all requirements of applicable regulations are being complied with. By performing a risk assessment to identify applicable regulations and requirements, crosswalking security requirements between each regulation, and remediating any gaps identified, it is possible to ensure that your organization is compliant with all applicable information security regulations.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.