include management responsibilities and liabilities, due diligence, litigation management, and responsibility to stakeholders (e.g., shareholders). A compliance management program consists of:

• Compliance assessment process
    • E.g., Health Insurance Portability and Accountability Act (HIPAA)
• Security policies
• Dissemination
• Awareness and understanding tracking
• Compliance monitoring
• Results reporting
This section provides details for one aspect of business risk management—legislative drivers; note that legislation is only one driver behind a compliance management program. The compliance management program establishes policy to guide business operations and provides for policy dissemination, managing awareness and understanding, tracking, monitoring, and reporting. The next challenge is to select, implement, and maintain the appropriate services and mechanisms to execute and enforce policy.
Legislation like Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) drive a lot of information assurance activity in public companies and the health care industry, respectively. Additionally, there is a greater and increasing need today to justify IA spending as a valid and valuable business investment. Such a need requires formal alignment of IA with business operations and business drivers, one aspect of the latter being external compliance requirements (e.g., legislation)—hence the need for a compliance management program, an overview of which Figure 5.8 provides.
Drivers behind a compliance management program (CMP) include management responsibilities and liabilities. The CMP includes a compliance assessment process (CAP); a specific instance of a CAP may be for the Health Insurance Portability and Accountability Act (HIPAA). The CAP addresses a current snapshot of policy versus compliance requirement. Remediation efforts to close gaps in policy include the generation or enhancement of security policies. The remainder of this section provides further details on management responsibilities and liabilities, the compliance assessment process, and security policies.
5.5.2.1  Compliance Assessment Process
The compliance assessment process provides a formal and quantified method to discern organizational compliance levels. The assessment is a security service that aligns with the business driver of managing business risk. The compliance assessment produces results useful for operations managers, system admin-