Realistic Steps to Robust Compliance

Those responsible for compliance may feel pulled in several different directions: by state and federal agencies, employees and the public at large. A practical approach should at least include these steps.



The challenges of compliance in the past could often be tamed by taking steps dictated by common sense. Yet compliance today involves much more than ever before.

“The cost of compliance is rising, and ad-hoc efforts to address compliance haven’t really succeeded,” Chris Bradley, marketing chief for MessageGate, recently told InformationWeek.

“Businesses must think about the integrity of financial information and intellectual property, insider abuse, industrial espionage and how to protect and secure business relationships,” notes a LogLogic white paper entitled Ten Steps to Continuous Compliance.

A realistic strategy calls for getting the most compliance you can from every dollar invested. The following are some practical steps.

Understanding Requirements and Information Controls
Policies must cover “collecting, alerting, reporting on, storing, searching and sharing data from all systems, applications and network elements,” according to the LogLogic paper mentioned above.

For instance, Requirement 10 of the Payment Card Industry Data Security Standard (PCI DSS) states that companies must log and track user activities, automate and secure audit trails, review logs daily and retain the audit trail for at least a year.

Define Compliance Processes and Identify All In-Scope IT Components
Organizations must identify all components subject to a given regulation. Then information technologists can define goals and key tasks for successful compliance.

Components for monitoring extend beyond hardware. “Network elements, servers, applications and homegrown systems should also be monitored,” the LogLogic paper states. Auditors expect user activity such as “failed log-on attempts, security breaches, file uploads and downloads, information leaks, user and system activity privileges assigned and changed, runaway applications, customer transactions and e-mail.”

Store Logs Centrally and Perform Regular Tasks
Store all log information, even if it is widely distributed geographically, in a central archive. Most regulations specify retaining data from one to seven years. Moreover, companies should back up this information.

While user activity must be monitored daily, other storage and review tasks may take place weekly, monthly or as needed, says LogLogic. Because these activities repeat, a smart approach to compliance treats them as an opportunity for automation.

Compliance must be cost-effective, which means “you’ll reduce the cost of compliance over time by automating testing activities and automating work flows,” John Hagerty, vice president of research at AMR Research Inc., told BusinessWeek.com.

“So repeatable, sustainable and cost-effective are the things people absolutely have to have on their agendas,” Hagerty continued.

Implement and Verify Continuous Monitoring
Before an auditor starts asking questions, organizations should know in advance what those questions would be.

LogLogic recommends the following questions that organizations, specifically compliance teams, should ask themselves ahead of time:

What active alerts are set to monitor these controls?
What was the actual alert we received?
Where is the evidence that we acknowledged the alert?
Where is the evidence that we investigated the incident?
Where is the evidence that we are periodically reviewing user logs?
Where is the evidence that we have removed terminated employee accounts?

Demonstrate Compliance Status
If an organization’s compliance software enables the creation of reports from templates that map to common IT controls, the company’s compliance reporting will be simplified.

With the U.S. dollar’s devaluation, your business may have more foreign customers and partners. If a business operates globally and uses payment cards to speed transactions, data-security standards compliance becomes much more complicated. Protegrity, for one, suggests the compliance achievements should include the following: adapting policies and procedures to embrace global privacy and security laws and regulations; consistently writing and enforcing policies and procedures; and complying globally with comprehensive policies and procedures.

No one ever said succeeding at compliance was easy. It’s challenging. Those who control the purse strings may hesitate in providing adequate funds toward compliance initiatives, but failing to meet compliance responsibilities — whether 30 regulations or hundreds — spells big trouble in the eyes of government, employees and consumers.


Resources

Ten Steps to Continuous Compliance: Putting in Place an Enterprise-Wide Compliance Strategy
by Jian Zhen
LogLogic, Inc., 2006

In Post-Enron Era, E-Mail Governance Still a Challenge
by George Dearing
InformationWeek.com, March 6, 2008

Sarbanes-Oxley Compliance Strategies that Work
by Cheryl Krivda
BusinessWeek.com, 2005

Compliance Year in Review: PCI DSS Progress, Yet Confusion Abounds
by Mike Rothman
SearchSecurity.com, Dec. 18, 2007
