A strategic approach to regulatory compliance (page 2 of 2)

This includes testing existing IT controls and remediating control gaps through change management activities such as software provisioning or patch deployment. The goal here is to implement automated and standardized IT controls utilizing common best practices and technologies. Once new IT controls and processes are in place, it is important to document and communicate them to all internal stakeholders. General IT control categories include records retention, protection, and retrieval; threat detection; vulnerability detection; security infrastructure remediation; and business continuity/disaster recovery.

• Sustain IT compliance. Of course, an IT control and process is only good as its ability to be managed and audited to demonstrate compliance. Once the proper IT controls are implemented and documented, an automated and standardized process should be established for the continual measuring and testing of IT controls, remediating IT controls that fall out of compliance, recording the process, and reporting it to internal and external auditors to demonstrate that compliant processes are in place.

The need for a 'system of record'

Increasingly, enterprises that focus on strategic compliance, while mindful of meeting individual compliance requirements, are beginning to implement what some observers call a "system of record" for their business. Such a system precludes chasing after regulations by ensuring that the right people, processes, and technology are in place to focus on assessing risks and deploying protection. One of the objectives of strategic compliance is to incorporate standard processes and a level of awareness into employee behavior. To gauge progress in this area, a security awareness audit can be conducted, the results of which can then be used as a basis for training and communications programs. To achieve the best results, such cultural changes must be driven by executive management.

Conclusion

Today's enterprises need to evolve their compliance efforts from ad hoc projects to cost-effective and efficient processes that can be applied across various compliance initiatives involving the security and availability of information. Or as researchers from Gartner Inc. put it in a report earlier this year:

"Compliance imposes a discipline and a structure that ensures documented decisions about how the business is run. It provides a mechanism for implementing best practices throughout the business, which will lead to improved business performance. Companies are realizing only now that the 'tough love' regimen imposed by compliance does lead to long-term benefits in terms of improved business performance."

("Compliance Management Solutions Can Create Improved Business Performance," February 2005)
Enterprises stand to gain the most by approaching compliance as a strategic initiative. A strategic approach helps enterprises better understand and mitigate compliance risks, improve the IT control structure, and increase efficiencies across the organization.