Tips For Being Compliance Ready


Intro

Regulatory rules and requirements are constantly changing, making compliance a moving target. This is particularly true in terms of those that impact information security and, increasingly, data security in the cloud. At the same time, regulators are asking for greater transparency and more detailed documentation, stepping up enforcement of the various rules and requirements and raising penalties for noncompliance.

In this document, we look at some of the elements of a “framework” that can be used to help your organization stay on top of the changing regulatory landscape and be “compliance ready.”

No. 1: Gather Information and Insights

Use multiple information sources, including RSS feeds from regulators, industry publications, newsletters and alerts, to keep pace with new rules and regulations and regulatory updates impacting your industry. These same sources can also help you assess the implications of new and existing regulations on your organization and its compliance requirements.

Seek out advice from compliance experts and consultants, if needed. They make their living knowing what’s going on in the regulatory arena.

If you are considering moving data to the cloud, talk to cloud services providers (CSPs) with on-staff compliance experts. Work with CSPs that regularly undergo independent audits to meet a variety of regulatory demands, such as those associated with HIPAA/HITECH, PCI-DSS and Safe Harbor. They will have first-hand knowledge of what is required, at least from the “cloud” side.

No. 2: Benchmark Current Compliance Efforts

Assess your current efforts at meeting and reporting compliance requirements. Do you have solid compliance objectives in place? Are they aligned with business goals? Do you have a compliance budget? Do you have a designated person or team responsible for compliance? If you have a team, is it cross-organizational? Meeting compliance requirements typically requires input from various departments throughout an organization, including finance, human resources, legal and IT. Are you currently undergoing internal audits or independent audits? Is your organization currently meeting specific compliance requirements? What reporting methods do you currently use? Are you using software to measure any compliance efforts? What kind of risk management and governance programs do you have in place? Determine where your organization stands so you can measure its success in improving.

No. 3: Facilitate Efficient Reporting

Create templates and other tools to help streamline reporting, to keep track of compliance requirements and reporting deadlines and for use in responding to ad hoc information requests. You can’t anticipate every question or issue that will come up in an audit. You won’t always know when an information request will come in. However, you can have resources in place to help keep you organized and ready to respond. Expect the same from any CSP you work with as well.

No. 4: Manage and Track Remediation

Make sure you have a system in place to identify and manage risks. It should include well-defined processes for identifying weaknesses, deficiencies or gaps in compliance, as well as for assigning and tracking remediation of any issues.

A number of applications are available for managing the remediation process, but you can also use something as simple as spreadsheets. Just make sure control and process owners have the necessary guidelines to complete and document any remediation tasks efficiently.

No. 5: Create a Compliance-friendly Environment

Set expectations of responsible behavior among employees at all levels. Explain and continue to reinforce what compliance is and how it is important to both individual and company performance. Encourage company leaders to integrate compliance and risk management messaging into their staff communications. Establish confidential channels for employees who want to report questionable behavior.

Implement training and awareness testing. Social media channels can be effective tools for communicating with employees and encouraging dialogue.

Include your CSP and any other partners in your “compliance culture,” but make sure your expectations are also part of your contractual arrangements with them.

ARE YOU COMPLIANT? WE CAN HELP.

866.473.2510 | www.peak10.com