Managing Compliance in a Multi-Regulatory World

By | March 5, 2007

Federal and state government regulations can be a big problem for today’s organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow. These are in addition to industry-specific mandates. They are all designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. So, what are the consequences if your organization fails to comply? Heavy fines and legal action. In short, it’s serious.

The number of regulations that affect IT security can easily exceed a dozen in some regulated industries. The IT divisions of large financial services organizations, for example, have to comply with multiple regulations that include the Sarbanes-Oxley Act (SOX), GLBA, PCI, CA SB 1386, Patriot Act, and BASEL II.

Certain frameworks/specifications have become popular for particular regulations or mandates. CobiT has emerged as a popular framework for Sarbanes-Oxley compliance, FFIEC is used as a de-facto specification for GLBA compliance initiatives, and ISO 17799/27001 is popular among organizations that ensure compliance with HIPAA (Health Insurance Portability and Accountability Act) requirements.

This means that in the context of SOX compliance, you would map CobiT control objectives to technical controls that are implemented as system configuration settings. For HIPAA compliance, you might use ISO 17799/27001 as a reference for mapping security best practices to your organization´s technical controls and policies that address HIPAA-required implementation specifications.

Why Has the Cost of Compliance Gone Up?

In a recent research note, Gartner said that “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on EBITDA. So if a global bank were to approach each regulatory program individually, it would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings.”

When your organization has to support multiple regulations, the de-facto relationship between a regulation and the corresponding framework or specification can create issues that you must address. You will generally see multiple frameworks and specifications mapped to the same system configuration settings, as well as identity and access controls. Due to the sheer number of many-to-many relationships between a control defined in a specification and related configuration settings, these mappings are managed in spreadsheets and tracked manually. In the ever-evolving world of regulatory compliance, manually managing the mappings via spreadsheets is a challenge. So, most IT organizations simplify the multi-regulatory compliance initiatives by taking a silo-based approach, where each initiative is driven individually. In this way, they only have to deal with one specification or framework at a time while testing the effectiveness of various controls. The problem, of course, is that this approach significantly increases the cost of compliance.

Common Controls Decrease Complexity

As Gartner noted, the only way to create a cost-effective compliance program is by measuring compliance against multiple regulations through one single shared assessment. And a software-based Common Control Framework is a proven solution. It simplifies mapping of controls from multiple frameworks and specifications such as ISO 17799/27001 or CobiT to one common set of IT controls and security policies. Users can add additional controls to the common control library based on the specific environment and map them to the corresponding controls in the respective standards frameworks. All compliance planning and assessment activities are then performed against one common set of controls and policies. Change management is even simplified because the Common Control Framework maintains the relationship between a common control and its corresponding regulation-specific control – as defined by the framework.

When you perform compliance testing against a set of common controls, the Common Control Framework provides reverse translation from common controls to individual control requirements for a specific regulation. It also enables your organization to report on the compliance status of each specific regulation.

A Common Control Framework will not only significantly reduce the cost of compliance by as much as 70 per cent, but will also dramatically decrease the complexity and risk of non-compliance.

Leave a Reply