Agencies and government contractors are required by law and industry regulations to comply with what seems to be an endless list of IT compliance requirements: FISMA, HIPAA, HITECH, PCI, OMB, IRS 1075, GLB, state privacy laws, SOX, EFTA, Red Flags, COPPA, NERC—the list goes on.
No doubt, it feels overwhelming at times. And as attackers grow more capable and more data records are stolen each year, IT compliance management will only become more complex and burdensome. Not a pretty picture, is it?
There is a better way to tackle this alphabet soup of resource-consuming regulation. We recommend taking the "thirty-thousand-foot view": consider your organization as a whole, identify the commonalities across all of your reporting requirements, and coordinate your efforts so that redundant work is eliminated.
Develop a crosswalk that aligns all of your organization's compliance requirements. This will allow you to identify the common enterprise controls that can be tested once and used many times to satisfy all reporting requirements. One caveat: where two regulations touch the same control but set different parameters (for example, log retention periods or password requirements), the crosswalk should record the difference and the shared test should be run against the strictest of them, or the "tested once" evidence will not actually satisfy every auditor. Then, on a case-by-case basis, you can tackle the outliers and "one-offs" that apply only to a limited number of compliance requirements or to specific lines of business. This holistic approach to compliance management results in fewer hours spent responding to audit requests and should significantly reduce audit findings.
A fragmented approach to compliance management leads to "audit fatigue," and we all know that when we get tired we tend to get sloppy. Unfortunately, sloppy leads to audit findings and compliance gaps. One of the biggest obstacles to a coordinated "test once, report many" strategy is time: it takes a significant upfront effort to evaluate each compliance requirement and to coordinate the reporting effort.
It also requires an individual (or team) with a high degree of familiarity with multiple compliance requirements. But it is worth it. Not only will you save money in the long run by increasing the productivity of your staff and reducing the disruption that audits cause, but you may also find that you can reduce the direct expenses associated with compliance. Imagine the savings if your IT team could focus on innovation and development instead of spending so much of its time responding to audits.