By Adam Dodge
Lets face it. Regulations place a large burden on companies. Nowhere is this truer then with Information Security. Many of the Information Security regulations (HIPPA, GLB, SOX, etc) passed in the last few years place heavy burdens on companies by requiring the creating of new Info Sec projects and programs, if not entire departments. Worse, many companies have found themselves lacking staff with the appropriate skills and/or knowledge to effectively create and run such programs.
Of course, if a company can figure out a way in which it is no longer subject to these regulations then the problem of regulatory compliance simply vanishes. The problem, then, is how to determine the best course of action for proving the company is not subject to regulation in this matter. The good news is that such proof is only five simple steps away.
1. Make sure the company can avoid complying with federal, state or local regulations
Before embarking on a quest to absolve the company from regulatory compliance, the company needs to make sure that it actually can do this. Many of the newer regulations spell out in no uncertain terms exactly which industries must comply with what the regulation holds. For example, if the company is a financial institution, there is no getting around the Gramm-Leech-Bliley Act of 1999.
All is now lost however, as long as the company is willing to tweak operating environments to avoid a narrow interpretation of the law. For example, say the company provides medical services but wants to avoid HIPAA. Simple, change the operating environment so that the company offers only free medical services and these services are not the primary duty of the organization. After all, itâ€™s not like the company is a hospital or anything like that.
2. Find hard evidence supporting the company’s belief that it is not subject to the regulation
Once the company is certain that there is wiggle room in the language of the regulation, it needs to do a little research to dig up hard evidence backing this belief. Given the large risk that attempting to avoid compliance goals, the company needs to be sure it is relying upon more then simply assumption and conjecture. The company can obtain hard evidence from legal proceedings, scholarly journals, legislative testimonials or any other legislative or judicial source where the overall message is that either (A) the regulation is defective in some way or (B) that the regulation does not apply to industry sector of the company.
3. Get a group of other companies in the same industry to buy into the idea that the regulation does not apply to them
Wiggle room and hard evidence will never be enough to ensure regulatory avoidance if similar companies within the same industry sector are happily complying with the regulation. Any questions raised about the validity of the company’s ability to avoid regulations will be answered by comparisons to what like companies are already doing. To help cement the argument that the company is not subject to regulation, it needs to gather together as many like companies as possible within the same industry and together stand against pressure for compliance.
Each of the companies in this group can each offer to host a meeting. Multiple meetings the companies a chance to better cement the non-compliance viewpoint. Discussion can include problems or success with the current non-compliance viewpoint. A side benefit is that everyone gets a little time out of the office, perhaps with a nice dinner and round of golf thrown in, on another companyâ€™s dime.
4. Constantly monitor the situation for changes that affect any of the first three steps
Even if the company is able to achieve success in the first three steps, it can quickly become a moot point if any of the circumstances change. A change in regulatory wording or the passage of new regulation, a court battle against compliance lost, or even a handful of like companies deciding to comply rather then risk sanction. Any one of these can quickly derail continued attempts to remain independent of regulatory compliance goals. Therefore, the company needs to constantly monitor the regulatory landscape for any sign that changes the circumstance surrounding the first three steps of this process.
5. Decide if all of this is worth it
After all is said and done, the company needs to step back and decided if all of this work is worth it. There are benefits in the form of decreased operating costs and increased operating flexibility. However, there are very significant downsides to this as well. The organization faces serious challenges going against the trend and can risk sanction and possible legal troubles. Worse still, there is the possibility that the public will view the company’s actions in a negative light resulting in bad feelings, bad press and, most likely, bad business.
Hopefully, the answer to â€œIs it worth it?â€ will always be a resounding â€œNO!â€. The fact is that even going to these extreme lengths will not always guarantee a company that its attempts to avoid compliance goals will be successful. Therefore, instead of wasting time and money on avoiding regulations, companies need to devote those resources towards ensuring regulatory compliance and receive a much greater benefit.
The good news is that simply flipping these five steps around reveals five steps to ensuring regulatory compliance, or at least five steps to get a company started toward compliance, and here they are:
1. Review all federal, state and local regulations dealing with Information Security thoroughly to ensure that the company is aware of all of its regulatory obligations. A good place to start would be to check with corporate counsel or the companyâ€™s attorney on retainer. Beyond that, here are a few websites that list out many of the Information Security regulations that exist today:
(Please note: most of these links center around US regulations)
-Â Â Â http://www.rsasecurity.com/node.asp?id=2911 â€“ RSA Security â€“ Regulations
-Â Â Â http://www.securecomputing.com/index.cfm?sKey=1301 â€“ Secure Computing
-Â Â Â http://lp.findlaw.com â€“ FindLaw
2. Research legal and administrative findings and opinions as well as trade journals and scholarly articles to help the company determine exactly what the compliance goals of the regulations are and what steps the company can take to meet these goals. Research of this type can be very difficult depending upon a companies access to Web site such as Lexis-Nexis or InfoTrac. However, here are some good places to start researching compliance issues:
-Â Â Â Local library â€“ Libraries often pay for access to research databases including Lexis-Nexis, WestLaw, InfoTrac and ABI/INFORM
-Â Â Â Major newspapers â€“ Online archives for major newspapers will contain news reports on compliance issues that have come up in the past
3. Network and interface with similar companies with the same industry to help establish what other companies are doing to help meet compliance goals and get a feel for what is considered “best practice”. Local security groups such as ISSA, InfraGuard and Educause are good places to find individuals from like companies in the area. In addition, online security e-mail discussion lists can also help companies build a list of contacts.
4. Constantly monitor the situation and make sure that the company is kept aware of any changes that might affect the company’s current Info Sec programs or compliance programs negatively. A strong network of contacts, established above, is a great way to keep abreast of what is going on within the companyâ€™s industry sector. Monitoring news sources, perhaps through rss feeds and alerts, is another way to make sure the company is not caught unaware by a recent regulatory mess. I personally use http://www.google.com/alerts for this purpose.
5. Take a deep breath and relax, the company is now a lot closer to regulatory compliance then it was five steps ago. However, it is important to understand that these five steps are simply a beginning, just a way to keep current on the changes to the regulatory landscape. Any changes that policy or procedural changes that the company needs to make require a completely different set of steps that will be covered by another post in the near future.