Compliance has increasingly become a challenge for organizations as regulations continue to adjust in response to government legislation and changing industry standards. This piece is the first of a four-part series on the facets of regulatory compliance that regularly affect our clients.
How might compliance impact your business?
Most government regulation regarding compliance is intended to protect the public, the consumer, the investor or the industry as a whole from some type of abuse, fraud or malfeasance. Compliance with regulatory oversight has become a requirement, and in some cases it represents the fastest growing portion of IT budgets, largely because most of the mandated controls (access control, logging, encryption, vulnerability management) are security controls and the IT organization ends up owning them. Organizations that fail to adhere to regulatory requirements can lose their ability to accept card payments or even to operate, and they risk having their doors shut.
Compliance should be an ongoing process that you integrate into the culture of your organization rather than a one-time event.
There are good reasons to maintain secure IT environments beyond satisfying auditors. Regulatory frameworks can be a useful structure for managing an organization's risk profile. Ignorance of best practices leads to vulnerabilities and security incidents. Although the same regulations apply to most organizations in a given industry, the size or volume of business usually dictates the specific obligations (for example, a merchant's card transaction volume determines its PCI validation level). Organizations can be caught off guard when they discover that they are subject to new requirements after growth or acquisitions.
An Overview of the Major Types of Compliance:
PCI Compliance – Do you accept credit cards?
PCI DSS is an industry standard maintained by the PCI Security Standards Council rather than government legislation, but it is enforced contractually by the card brands and acquiring banks. Its purpose is to prevent fraud resulting from security breaches, theft or loss of cardholder data. Validation is performed annually; depending on transaction volume, this is either a Self-Assessment Questionnaire (SAQ) or an on-site assessment, preferably by an external Qualified Security Assessor (QSA), producing an objective Report on Compliance (ROC). Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are also required where internet-facing systems are in scope. The PCI Data Security Standard defines 12 requirements grouped under 6 control objectives.
SOX Compliance (Sarbanes–Oxley Act) – Are you part of a publicly traded company?
The goal is to set standards for all U.S. public companies that protect the public from corporate and accounting scandals. The Act addresses oversight of accountants, the need for independent auditors, corporate governance, analysts' conflicts of interest (disclosure provisions), and funding for the Securities and Exchange Commission so that it can define how public corporations are to comply. For IT, the relevant piece is Section 404, which requires management and the external auditor to assess internal controls over financial reporting; any system that produces, stores or feeds financial data, together with the access control, change management and logging around it, falls within the scope of that assessment.
GLBA Compliance (Gramm–Leach–Bliley Act) – Are you a bank or in the finance business?
Compliance is mandatory and meant to govern the collection, disclosure and protection of consumers' personal financial information in the banking and finance industries. Under the Privacy Rule, companies must provide a notice that explains what information the company gathers about clients, where this information is shared, and how the company safeguards it. Under the Safeguards Rule, companies must develop a written information security plan that describes how the company protects clients' personal information. The Act's pretexting provisions also require safeguards to recognize and deflect inquiries made under false pretenses, which in practice means training staff and building verification steps that resist social engineering such as phishing and impersonation calls.
HIPAA (Health Insurance Portability & Accountability Act) – Do you handle or store medical records?
HIPAA's Title I protects health insurance coverage for workers and their families when they change or lose their jobs. The parts that matter for IT are in Title II: national standards for electronic health care transactions, national identifiers for providers, health plans and employers, and the Privacy and Security Rules, which govern how protected health information (PHI) may be used and disclosed and require administrative, physical and technical safeguards for PHI held electronically. These obligations apply not only to providers and insurers (covered entities) but also to the business associates that store or process PHI on their behalf.
The Compliance Audit Cycle
1. Schedule audit with an independent third party
2. Review audit requirements (technical)
3. Prepare for audit
4. Carry out audit
5. Review findings
6. Create a remediation plan to achieve compliance by the next audit
7. Document progress
Audits have been known to surprise businesses, consume a significant amount of resources and take time to carry out. Stay ahead of the game and engage IT professionals with decades of experience to lead you in the optimal direction with technology and compliance. Contact us or call (602) 336-3450 to set up a meeting with Phreedom.