Proactive Risk Management as a Catalyst for Continuous and Cost-Effective Compliance

Written By Bryan Cote, Senior Product Manager, Ecora Software

Regulatory guidelines such as HIPAA and other federal mandates came into effect as safeguards tied to making certain types of information more accessible, or to expanding the ability of certain industries to broaden their business offerings to the point where they would potentially be handling a significant amount of privileged consumer or corporate information. In most cases, enforcing the requirements for IT controls was almost an afterthought. However, the frequency of lost customer information is on the rise. Since February 2005, the Privacy Rights Clearinghouse has identified more than 93 million records of U.S. residents whose personal information has been exposed due to security breaches. Now, far greater emphasis is being placed on the sections of these regulations related to IT controls.

Initially, most compliance officers treated preparing for audits against such regulations as one-time events. With each new regulation, compliance teams reacted by developing new security controls to comply with that specific guideline. Each time a new regulation emerged, the organization started the preparation process all over again.

This approach was ineffective and costly. Businesses struggled to enact processes that satisfy these multiple, seemingly ambiguous and often contradictory mandates. Handling each compliance matter as a discrete event, without proactively analyzing overall business risks, has simply led to higher costs, greater time investment, and often inadequate controls.

These costs are said to have jumped 13 percent in the past year alone, according to a survey conducted by Foley & Lardner LLP, an international law firm based in Washington, D.C. Despite a constant evolution of the policies, many businesses continue to address compliance with an event-based mindset, forcing costly manual efforts that are prone to errors and a constant "fire drill" mentality. Additionally, with auditors gaining greater sophistication in their understanding of the more technical aspects of IT environments, it is less likely today that a business would be able to "slide by" on an audit than it was several years ago. Auditors have a much better idea of what they want to see and of the processes that businesses must implement to meet their expectations.

Compliance officers are now recognizing the true importance of establishing a comprehensive risk-based approach to ensure that compliance demands are met.

This proactive approach begins with organizations first performing an enterprise-wide risk assessment and analyzing the results within the context of regulatory requirements. Comparing where their business stands against current compliance policies is the first step in determining proper expectations. With goals identified, the roadmap can be developed.

The next logical step is to look at the highest probability of risk as well as the impact of that risk. For example, a medical device manufacturer and a health care facility would both be subject to HIPAA regulations, but business continuity would be a more critical factor for the health care facility.

Using the results of the risk assessment, managers will gain a far greater understanding of the vulnerabilities and can prioritize the relative level of importance of each to the delivery of business services. This is an important step forward, as auditors today are evaluating not only what controls the business has enacted to manage risks, but how proficient IT and other managers are in terms of understanding risks.

To properly evaluate risk, it is important for key stakeholders to communicate regularly with auditors and auditing teams. These critical discussions will give managers a necessary understanding of the scope of impending regulatory analysis as well as of testing strategies. Armed with this information, managers are in a far better position to write control activities that are aligned with the auditing team's expectations.

Today, organizations need to mature away from taking an event-driven approach to compliance and begin to integrate controls into business processes and strategies. Remembering that the overall goal of the auditors is to ensure the protection and appropriate treatment of critical data by businesses is the key to understanding how best to establish a proactive compliance response. Regulations and controls are simply measurement and enforcement rules.

While organizations always have opportunities to further enhance their controls, it is those organizations that embrace a more comprehensive, proactive approach that will ultimately benefit through stronger IT controls, greater operational efficiency, and more predictable audit results, rather than enduring a costly event-driven endeavor.

©2002 - 2010 RFIDWizards.com