Much of my time spent working is focused on performing technology assessments against some kind of baseline. Most of the time, these are specific government or industry standards like HIPAA, NIST, ISO and PCI. But when some of my clients reach out to me about evaluating their environment in light of these standards, it’s often done out of a feeling of obligation in which they are reacting to some kind of demand from whoever is overseeing their work.
I can tell you from personal experience that undergoing these kinds of reviews is not a lot of fun, so it’s not uncommon that management tends to avoid these kinds of assessments as long as possible. To some who will ultimately be responsible for the fallout in the event of a security or compliance failure, ignorance is bliss.
One of the things I try to do as part of my job is to change the perceptions and worries that are associated with compliance management. It takes real talk about risks and consequences of failure, but it also demands reassurance that while perhaps this will require some effort, proper compliance management is, well… manageable.
The best approach for any organization concerned about a specific standard or perhaps looming standards, or even general security risks where they will be stuck with the negative consequences of a data breach, is to be proactive and not reactive.
This means that when you decide to engage with major technology decisions, such as expanding offices, adding significant line of business applications, implementing new backups, changing your hosting environment, or even just making regular upgrades that improve existing infrastructure, compliance and risk management must be a part of the evaluation and decision-making process.
At the same time, there is no need to make the proactive compliance management process more complicated than it needs to be. When I work with clients who are looking to be proactive, I try to put the regulators and industry concerns aside and just talk about what matters, which is protecting their data.
Think about what kinds of things you need to protect, the risks that are associated with breach or loss of access to those assets, and how much risk you are willing to tolerate. From there, you just need to look at what your organization is currently doing and whether it matches that philosophy of risk management that you just defined with that thought exercise.
But what about the standards? How can we be proactive if we aren’t focusing entirely on potential compliance standards?
The way I look at it is that you never quite know what kinds of specific requirements you will need in the future. Perhaps you know you need to be HIPAA compliant, but that doesn’t necessarily exclude you from a future need to meet PCI standards. A better idea is to focus on implementing controls, practices, and behaviors that limit exposure and risk, and that will speak mostly, if not entirely, to many more specific standards that may come your way in the future.
Even if you aren’t perfectly managing future compliance needs now, it’s better to get a head start. It’s easier to deal with marginal challenges to compliance management for standards that you are close to meeting when asked to prove your compliance than to deal with a situation where you are being audited and have not met many standards at all because management buried their heads in the sand.
The proactive manager has already shown due diligence even if they aren’t perfect, and the reactive manager has not. Even if you never hear from the compliance authorities, good risk management can help save your organization potential costs and stresses that are associated with non-compliant systems that are impacted by a failure.
I hope this article changes the way you think about managing compliance, which in the end is about limiting risks to your organization that could lead to severe consequences.
About the Author: Ben Schmerler is a vCIO Consultant at DP Solutions, one of the most reputable IT managed service providers (MSP) in the Mid-Atlantic region. Ben works with his clients to develop a consistent strategy not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.