Three steps to keep IT policies and procedures regulatory compliant
Corporate compliance and risk management expert Jeffrey Jenkins shares how he ensures IT policies and procedures remain in sync with current compliance regulations.
IT, business and security interests often conflict, making it difficult to keep an organization's IT policies and procedures current with the latest compliance requirements. Constantly changing laws and regulations -- and how they vary between countries -- as well as changes in the types of threats (malware, hacking techniques and targets, etc.) also play a large part in an organization's ability to remain compliant. Ensure IT policies and procedures are compliant, and to a larger extent effective, by developing a well-maintained and focused compliance scope, effective communication across groups directly and indirectly involved in compliance efforts and simplified compliance terminology.
Comply with the intent, not just the letter of the law
One of the biggest challenges to keeping IT policies and procedures compliant is knowing what the business and IT must comply with. Businesses often fall under numerous security regulations, laws and standards depending on the nature of the company's services and products, clients, and the locations of its operations. Just like the success of a project depends on defining a scope and maintaining focus, security programs will suffer from lack of knowledge, including related nuances, of laws, regulations and standards particular to your company.
In the retail industry, for example, PCI compliance is considered critical to maintaining the business. Despite the fact that PCI standards have been around since the late 1990s, those who are familiar with PCI will probably admit that there is a certain level of nuance and historical knowledge associated with how the standards are interpreted. Being familiar with PCI and knowing how auditors want to see the standards implemented will likely have some influence on how easy an organization can become or maintain PCI compliance.
The PCI standard itself is a fairly straightforward read, and one might be tempted to simply throw technology solutions and a few policies into place and call it a day. Most who have dealt with PCI for any considerable length of time are likely to admit that true understanding of and compliance with PCI, however, requires a great deal more time and effort. Attending PCI workshops and conferences, networking with organizations that help drive the standards, and even working closely with audit/assessment firms to understand their interpretation of the standard are all very important components for (a) ensuring that your organization is complying with the "intent" of PCI and not just the "letter of the law" and (b) that you are adequately sizing or scoping compliance for your organization.
Communicate with the policy controllers and the controlled
Communication throughout the organization about compliance efforts is one of the most important elements toward sustaining compliance. Security controls and policies are only as effective as the people that are controlling them and the people being controlled by them.
Engage as many key teams as possible when developing IT policies and procedures to ensure adequate visibility as to why the policy or procedure is needed for compliance purposes. A side benefit of involving a wider range of teams across the company, especially key teams like HR, legal and executive leaders, is that you will likely gain some level of support and backing to help with adoption and enforcement of the policies and procedures. Don't shy away from including various groups for fear of having to deal with opponents of compliance or security. Know who your challengers and proponents are and work with both of them to get the necessary policies and procedures in place. Once, I worked for an organization that traditionally only involved security, HR and legal in policy writing. After noticing that the policies were becoming extremely detailed and complex, we decided to bring in the finance and training departments to assist with revising policies and procedures. Training provided fantastic input on simplifying the language and the finance group helped associate many of our policy and procedure documents with financial goals of the company (i.e., revenues and bonuses) so that employees immediately had a greater understanding and interest in the guidance being given to them. Another practice I have found to be effective is periodically using an outside party such as a training facility or marketing organization to review policies and procedures for reading level, engaging language and so on.
Technology procedures and solutions need to be implemented and documented so that support staff clearly knows which features or configurations are needed for compliance and how changes to those components could harm the company's ability to remain compliant. There is often a correlation between the complexity of a technology solution or procedure and how repeatable or effective it will be in meeting your compliance requirements. Keep technology solutions and procedures as cleanly implemented and efficient as possible so that there is a clear focus on what those solutions and practices must do for compliance versus what they can also do aside from compliance. Not only will you likely find that efficiency breeds success but you may also find favor with other teams in the organization like finance or operations that typically hold efficiency and clarity in high regard.
A few years back, I was involved in a project to implement a log/event management system for compliance purposes. The intent was to install a system that would collect log files from systems and provide alerts based on certain events or actions found in the logs. While the technology was capable of doing much more than just the compliance need at hand, we focused on basic requirements first and foremost. The result was that we implemented a system under budget, on time, and that had sound and repeatable operational procedures (technical folks were comfortable using the system and were not overwhelmed with new features; management immediately started receiving meaningful metrics; and security had very select and actionable alerts to act on). Not only was the project a success from a cost-benefit perspective but it also gave our compliance auditors confidence that we focused on and fully addressed our compliance needs rather than deploying a system with broad capabilities but shallow delivery.
In addition to communicating the efficiency of controls and procedures, it is also critical to keep various teams, particularly IT and support/operations members who have day-to-day interaction with systems and people, informed about the company's compliance requirements and needs. Keep in mind that security and compliance topics often aren't seen as exciting or interesting to most people, and you will need to find ways to communicate in a fashion that will appeal to your audience. One method that has proven to be effective in many organizations is to give very brief, periodic updates stating what your compliance requirements are and highlight the contributions the operational teams are making to help maintain compliance (i.e., give kudos for the "wins").
Keep compliance instructions simple
As you develop IT policies and procedures for compliance, keep in mind that many of the individuals these documents will govern are not security or compliance-minded folks -- and they may not even be technology-minded individuals. Arguably, it is more effective to spend the extra time and effort writing the documents to the simplest reading level possible. Complexity and length are often the Achilles' heel of policies and procedures. As a mentor and teacher of mine once said, "Say what you need to say and be done with it." Simple and clearly stated policies typically translate into simpler and cleaner procedures. Users are more likely to understand and adhere to clear procedures resulting in more consistent, if not higher levels, of compliance.
Compliance isn't only related to security interests, though. Better compliance with, and adherence to, IT policies and procedures can translate directly into more tangible benefits like making better use of technology solutions and investments, improving the efficiency of personnel and the headcount or cycles needed to support a process. Adherence to policies and procedures could also lead to clearer operational requirements for using technology such that it becomes easier to evaluate alternative IT strategies including outsourcing and cloud enablement.
Maintaining IT practices and policies in a way that supports compliance can become a challenging task if not given adequate attention. Measures such as understanding and focusing on your compliance requirements, maintaining regular and clear communications across the organization, and putting a priority on simplicity and efficiency can significantly improve compliance but also reap huge rewards in terms of overall IT success.
About the author:
Jeffrey Jenkins is a regulatory compliance, information security and risk management expert and currently the director of cybersecurity at Travelport. Prior to his role with Travelport, Jeffrey served in security executive/leadership roles for a number of private and public sector organizations including Cbeyond, The First American Corporation, S1, Georgia's Dept. of Human Resources, and Cobb County Public Schools. Jeff currently holds CISSP, CISA, CISM and CGEIT certifications.