Over the past week we have been discussing an overview of IT Governance, Risk, and Compliance as well as diving into each of the components that make up this program. Today we are going to talk about the final piece of the IT GRC puzzle: Compliance.
There are many definitions of the word Compliance: regulatory compliance, organizational compliance, and commercial compliance, to name a few. For the purposes of this post, we are going to use the Gartner IT Glossary definition of compliance in its most basic form. According to Gartner, Compliance is "the process of adhering to policies and decisions" (Gartner, 2012). That is a pretty basic definition, but it makes perfect sense. The process of adhering to policies and decisions. Simple. Effective. Accurate.
When we think about Compliance in the world of IT Security, Regulatory Compliance is usually the first thing that comes to most people's minds. In the field of IT Security, there is no shortage of Federal, State, and Industry regulations with which a company must achieve and maintain compliance. Some of these include:
The key to Compliance begins with policies. We know that policies are the least favorite subject of most IT Departments, but they are right there in Gartner's definition of Compliance: the process of adhering to policies. Without policies mapped to these various regulations, how can we comply, or ask that our employees comply? There is an old saying that goes "you can't measure what you don't know." While many would argue against that point depending on the nature of the business, in this case it is 100% accurate. What is the first thing that an investigator or examiner looks at when they come in to investigate a breach? Policies. In fact, if you do a quick Google search of HIPAA breaches, most of the resulting settlements cite, in the remediation plan and in the determination of the penalty, a lack of policies in place to prevent these events from happening. For example, here is a quick write-up on the recent $2.7 million fine levied against the University of Mississippi Medical Center following a laptop theft. If you read the first paragraph, you will see that one of the main factors identified in the investigation was a lack of policies and procedures.
Today, Compliance is a requirement for most organizations, no matter what business or vertical market they are in.