Staying Abreast of Regulations in a Global Environment
September 1, 2009
Caroline Vitse, MSP TechMedia
Decision makers at most companies probably could not guess exactly how many government regulations exist. They might be surprised that there are more than 400 data-protection regulations, standards and guidelines in place globally. With a number that high, it is no wonder many companies find it difficult to stay on top of the rules. Making it even more confusing, many regulations overlap.
Dorian Cougias, lead analyst and co-founder (along with Marcelo Halpern of the law firm Latham & Watkins) of the Unified Compliance Framework (UCF), a mapping tool that helps companies track all of the regulations, standards and guidelines, said the first step in meeting standards is becoming aware of regulations and tracking authority documents. "One of the biggest problems with the multitude of rules coming out these days is that many organizations are not even aware of them," he said. "For some reason, lawmakers think that once they get a signature on a bill, everyone automatically knows that the bill exists and everyone is already on the path toward complying with it."
Pleading ignorance will not get companies off the hook if they break the rules. One way for companies to become acquainted with the myriad regulations is to check out the UCF, which, according to its Web site, "presents the complex rules, standards, and policies you must follow in a simple spreadsheet format with in-depth links for you to drill down for as much information as you need."
Match Game
To catch up with regulations, companies are usually advised to first find the similarities among all of the standards. Knowing where the regulations are the same makes it easier to develop strategies or policies to comply. For example, instead of developing a separate policy for each regulation, craft one policy that meets the common requirements of a healthcare regulation such as the Health Insurance Portability and Accountability Act (HIPAA) and a financial services act such as the Gramm-Leach-Bliley Act (GLBA).
This is essentially what Cougias and his team do with the UCF. It is a bit more complex, of course, but the main idea is to gather all of the regulations in a common place and map the overlaps among them.
"We've found that most of the new documents we've been mapping into the UCF have over 90-percent overlap with other documents," said Cougias. "With a data set like the UCF, organizations can send out awareness bulletins to their users saying, 'Hey, here's this new rule, and here's where it overlaps our current compliance infrastructure versus what we might need to add.'"
Having all of this information handy with a click of the mouse has helped about 14,000 clients worldwide. According to Cougias, the UCF helps three sets of clients: end users who are auditors as well as IT staff who must reference multiple regulatory documents simultaneously; corporate users who disseminate information gleaned from UCF throughout the business; and information technology governance, risk management and compliance (IT-GRC) vendors.
Like Clockwork
Playing a major part in assuring companies remain in compliance, IT-GRC tools make it possible to manage the many IT-GRC initiatives in one place. Geoff Webb, senior manager of product marketing at NetIQ, a global leader in systems and security management with offices worldwide, said many large organizations with mature security and compliance operations are now looking to provide unified compliance and risk assessment through IT-GRC technology to their senior stakeholders as part of their drive to focus activity in critical areas.
Webb said IT-GRC solutions help businesses reduce the effort in meeting the overlapping regulations, which may result in reduced costs of compliance. IT-GRC solutions may also allow senior stakeholders to quickly identify the biggest risk factors. This lets them know where the IT team should focus most of its efforts.
"Think of it much like a wristwatch or clock," said Webb. "The security and compliance-assessment processes, which are basically the technical cogs and gears of the clock, need to operate smoothly and with as little impact on the security teams as possible. The IT-GRC is very much the face and hands of the clock. It immediately shows the results of all that technical assessment, at a glance, and for consumption by the business stakeholders."
Webb continued the analogy: "The closer the integration between all those working parts, and the more automated all that integration is, the more efficient and effective that final display will be, and the more accurate the information it displays."
Knowledge is Power
Ultimately, the tools to manage regulations are available, but companies must be aware of the rules before taking the next steps.
"Once you know which authority documents exist, you need to begin with an awareness campaign in order to digest what they are asking you to do before you even think of doing anything," Cougias said. Then it is simply a matter of taking a prioritized approach to compliance. Conquer the big tasks first and the rest will follow.