As a vendor in the IT security and compliance space, we often like to think of compliance regulations as an opportunity for organizations to prove they are taking steps to be responsible with consumer data. However, we are under no illusions that many people responsible for providing compliance reports to meet these mandates view it as a box-ticking exercise. Many IT teams see compliance as a hassle instead of an opportunity, and this is an image problem that needs to be corrected in order for more organizations to take it seriously going forward.
A question we often ask ourselves is: why does compliance have such a bad reputation? In theory, compliance mandates exist for very logical and ethically sound reasons. Organizations that handle the personal data of their customers, employees, partners or anyone else should be able to prove that they are doing so in a responsible and secure way. As many organizations are already doing this, it should be easy to prove it to auditors… right?
Are Compliance Mandates Too Vague?
I think part of the problem is that many compliance mandates are too complex and time-consuming for IT teams to meet with ease. This is not the fault of the organizations tasked with meeting the compliance requirements, but of the people who wrote those requirements in the first place. It is not an easy job, by any means, to outline compliance requirements that strike a balance between offering simple, explicit advice and being general enough to apply to any organization. We quite often see compliance mandates using broad and undefined terminology in an attempt to be as widely applicable as possible, which in many cases makes it difficult to understand what exactly is required.
This is a worldwide problem, not one limited to HIPAA in the USA, for example. The upcoming GDPR sets out very stringent guidelines for organizations in the EU, but still falls into the same pitfalls of vague terminology. Reacting to a breach, for example, involves notifying the Secretary of the breach “without unreasonable delay.” This kind of phrase seems to require a lawyer, rather than an IT professional, to make full sense of it. Another example in the USA is the Gramm-Leach-Bliley Act (GLBA), which often uses the phrase “it’s wise to.” Such a phrase is almost useless, as IT teams can pretty much disregard these passages if they are not compulsory.
How Can We Fix Compliance Audits?
Most organizations are subject to numerous compliance audits; however, that doesn’t mean they have to produce a completely separate report to satisfy each one. Many compliance mandates require the same thing, namely proof that you’re acting responsibly with sensitive data; it’s simply the data in question that changes (although there are exceptions to this, and it’s probably an oversimplification).
The best way to approach compliance mandates, therefore, is by working from the inside out. What I mean by this is dealing first with the data and then with the auditor. If you ensure that you know where your sensitive data is (such as your PII, PHI, etc.), who has access to it, and whether anything changes in relation to it, then you’re pretty much on your way to meeting any compliance audit.
Simply put, know what’s happening in your critical servers and to your sensitive data. Ensure you are able to produce a detailed audit trail of any changes made to files and folders, permissions and more.
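As an added illustration of the "detailed audit trail of changes to files, folders and permissions" described above (example code written for this post, not part of the original article and not Lepide's software), the script below takes a baseline snapshot of a directory tree (permission bits, owner and a content hash per file), stores it, and on a later run diffs the current state against that baseline to emit one audit event per change. The directory layout, file names and the simulated drift are all constructed for the demo.

```python
"""Added example: a minimal file-and-permission change audit trail.

Snapshots a directory tree (relative path, mode bits, owner uid, SHA-256
of content), persists the baseline as JSON, and diffs a later snapshot
against it to record added/removed files, permission changes, owner
changes and content changes. The sample files are constructed here."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Inventory every regular file under root.

    Keys are paths relative to root; values record permission bits, owner
    uid and a content hash so that permission drift and edits are both
    detectable on the next comparison."""
    inventory = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.lstat()
        inventory[str(path.relative_to(root))] = {
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return inventory


def diff_snapshots(before: dict, after: dict) -> list:
    """Produce audit-trail events describing how `after` differs from `before`."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append({"path": rel, "event": "added"})
        elif rel not in after:
            events.append({"path": rel, "event": "removed"})
        else:
            b, a = before[rel], after[rel]
            if b["mode"] != a["mode"]:
                events.append({"path": rel, "event": "permission_changed",
                               "old": oct(b["mode"]), "new": oct(a["mode"])})
            if b["uid"] != a["uid"]:
                events.append({"path": rel, "event": "owner_changed",
                               "old": b["uid"], "new": a["uid"]})
            if b["sha256"] != a["sha256"]:
                events.append({"path": rel, "event": "content_changed"})
    return events


def save_baseline(inventory: dict, baseline_file: Path) -> None:
    baseline_file.write_text(json.dumps(inventory, indent=2))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def demo() -> list:
    """Constructed scenario: take a baseline, then simulate drift on the share."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "share"
        (root / "hr").mkdir(parents=True)
        (root / "hr" / "payroll.csv").write_text("id,salary\n1,50000\n")
        (root / "hr" / "handbook.txt").write_text("welcome\n")
        os.chmod(root / "hr" / "payroll.csv", 0o600)  # owner-only, as it should be

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated drift: payroll made world-readable and edited, an export
        # appears, the handbook is deleted. Each should surface as an event.
        os.chmod(root / "hr" / "payroll.csv", 0o644)
        (root / "hr" / "payroll.csv").write_text("id,salary\n1,55000\n")
        (root / "hr" / "export.csv").write_text("dump\n")
        (root / "hr" / "handbook.txt").unlink()

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for event in demo():
        print(json.dumps(event))
```

Run on a schedule against the folders that hold PII or PHI, with the baseline stored somewhere the audited users cannot write, and each emitted event becomes a line in the trail an auditor asks for; the permission event in particular is the kind of change (a sensitive file becoming world-readable) that a compliance report needs to show was noticed.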
You may need to implement a dedicated auditing and reporting solution, such as LepideAuditor, to help you produce these reports. This solution comes with hundreds of pre-defined compliance reports that automatically pick out and present the data relevant to numerous compliance mandates, including GDPR, HIPAA, SOX, GLBA, PCI and more. More information on how LepideAuditor helps meet compliance requirements is available on the Lepide website.