Bonnie Goins: Do You Comply?

By Bonnie Goins

It’s April 20, 2005, and everyone in the organization has gone home for the night; that is, everyone but the HIPAA Security Officer. She is working furiously to complete policies and procedures for her organization, policies which should have been implemented already. There was never enough time, enough dollars or enough resources to help her succeed at finishing the task appropriately. She hopes it will be a long time before the auditors come; she’ll need every minute…

Sadly, this story is all too familiar in the ranks of organizations covered by federal, state and local regulation. Healthcare is not the only industry to adopt sweeping legislation. Publicly traded organizations must now attest to their financial statements, according to Sarbanes-Oxley legislation. Visa, and now Mastercard, have adopted a security focus as well; companies wishing to conduct business with these entities must demonstrate their security state in order to continue working with them.

Why would these companies be concerned over compliance? Simple: a company’s failure to comply with legislation can result in lost business and customer confidence, in addition to incurring legal and financial liability. On the positive side, compliance makes good business sense. A CEO might not see the value in “intangible” security activities; however, this same senior executive is certainly aware of the need to protect her business: its people, processes, data, technology and facilities.

This awareness is at the very heart of compliance. How can an organization check its compliance posture? Read on for some suggestions…

  • Keep your business secure; don’t just meet compliance mandates. Senior management plays a significant role in communicating the importance of, and commitment to, security within the organization. If there is a commitment to properly safeguarding the environment and its critical assets, the legislative burden will be met in nearly all cases.
  • Examine and monitor all aspects of your organization, not just those that keep you up at night or that have a technology focus; consider your people, processes, data, technologies and facilities, and safeguard them appropriately. Be certain to continually communicate your expectations to all staff, vendors and external entities, so there are no misunderstandings.
  • If you do not have the security expertise to safeguard the organization globally, hire a firm that employs security consultants with demonstrated expertise in both organizational/strategic security and technology security, including regulatory compliance. Ensure that your organization has plans for continuing business activities in the event of an emergency, as well as for responding to and reporting security incidents.
  • Involve your technology team in security activities such as host hardening, patching and configuration management, secure network architecture design and review, network monitoring, intrusion detection and forensics. If you do not have a seasoned security staff (many organizations do not), establish a strong relationship with appropriate third parties to assist in these endeavors. If you outsource these activities, use the consultants to train and cultivate your internal staff. You’re paying for knowledge capital; don’t squander it.
  • Remain proactive and conduct organizational and technical examinations of your environment continuously. Regulatory compliance will be required of an organization in perpetuity. A proactive information security program is essential. Obtain guidance from professionals when you need it.
  • Always be consistent in enforcing security objectives, regardless of rank. It does an organization more harm to create policies and procedures and then inadvertently communicate to the staff that executives were never serious about enforcing them. How could staff take any subsequent effort seriously? Senior executives should also expect to be held accountable in the same manner.
  • Document, document, document!

Here’s to your organization achieving its compliance objectives!

— Goins is a senior security strategist at The Isthmus Group, a technology consulting company in Madison.