Happy New Year!

Posted by Solutionary Marketing on Fri, Dec 30, 2011 @ 08:48 AM

Happy New Year from all of us at Solutionary!  

Jon Heimerl put together a few points that should be on your compliance checklist in 2012. Check them out below, and cheers to a safe, secure and Happy New Year!

Important Compliance Considerations Looking into 2012
1. No compliance regulation requires it, but one of the most important things you can do to improve your compliance is to perform a Business Impact Analysis (BIA), or an Information Asset Inventory, or whatever it is you want to call it. The goal is to identify all of your organizational information: what information you have, where it is, and exactly what that information is. To understand your compliance requirements you have to know whether the information you hold is PHI, private financial information, or data covered by some other regulatory requirement.

2. Assign clear compliance responsibility to a specific authority within your organization. And, along with that responsibility, don't forget to give them the authority to actually meet those goals. Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to manage the compliance process. Understand that no one person can know all the compliance requirements of a complex organization, but you must identify what your specific compliance requirements are and ensure that you have appropriate compliance expertise.

3. Manage your other resources. In these times of limited budgets and shrinking staff, it is more important than ever to manage your resources effectively. Identify and keep your key staff. You are better off keeping good, knowledgeable staff than trying to find new staff, unless the people you have just don't cut it. Make sure they get training and other benefits that keep them at your organization, keep them engaged, and keep them happy.

4. Pay attention to need-to-know and privileged user access. If WikiLeaks and the Occupy Movement show us anything, they show us that there are many people who are unsatisfied with the status quo. Regardless of their exact motivation, there will be people who gain unauthorized access. You should be reviewing the access you have authorized to make sure each grant is truly appropriate, and making sure that people do not have excess access. On top of that, you should be monitoring employee access and checking access logs.

5. Take the results of your BIA and, to the extent possible, isolate your compliance systems. If you can segregate your PHI systems from other systems, do so. If you can segregate your credit card information from other systems, do so. If you can isolate the systems that handle your compliance data, you potentially narrow the scope of your compliance efforts and, consequently, simplify your compliance.

Read more of Jon's compliance thoughts in a recent Dark Reading article.