To protect your business from unnecessary risks and liability, prioritize compliance.
At least in healthcare IT — perhaps the area of industry best able to speak to the importance of compliance — that's the state of mind. In fact, in a recent survey of 1,100 IT professionals, over 100 of whom work in healthcare, 61 percent of healthcare IT managers said compliance was their main priority, compared to just 40 percent who said it was data breach prevention.
That number shouldn't imply it's OK to cast data breach prevention aside, only that prioritizing compliance appears to be a popular way to avoid risk, perhaps because the risk it addresses is so abundant. Or perhaps it's because, for at least 69 percent of healthcare IT managers surveyed, achieving compliance with EPCS, FDA CFR Title 21, HIPAA and PCI DSS "was an extremely or very effective way to protect data and prevent breaches." Taking care of two priorities at once? That's a great use of resources.
So how can you prioritize compliance within your own organization, whether or not you face mandates as strict as the healthcare industry's? Always be ready for an audit by knowing when your audits are coming.
How do you know when you're due for a compliance audit?
To determine if you're due for an audit, you'll need to start by making a list of all of the regulations and bylaws by which your organization needs to abide. Understand the requirements, and identify who, exactly, publishes those requirements so you can always stay up to speed on changes.
For each regulatory body, identify the schedule on which its regulations are renewed. Identify a schedule owner within your organization. That person can delegate portions of the mandate to the appropriate owner (e.g. the network engineer focuses on regulations xyz, and so on). Create a project plan with a clear schedule so that being "due" is never a surprise.
Being audit-ready
Now that you've got your official schedule, split it in half, advises Jennifer Allen, Twinstate's Red Team manager.
"Do a checkup halfway through the quarter if your audit is quarterly. The scramble time is where you tend to miss checkboxes," Allen says.
If you let your audit tasks go until the last minute, "there's just no human way to achieve all the requirements in time," says Allen. "If you're doing a halftime status check, even if you missed something the auditors might be more forgiving if you had started to make (and could demonstrate) remediation efforts."
Doing a halftime check also demonstrates that you're actually trying to comply. If you are making no effort, the regulating body will consider you negligent, and that tends to result in higher fines. Making a compliance effort benefits you not only because you avoid the risk of fines, but also because you can pass that information on to your customers, letting them know about your compliance program and how you remain a responsible business.
What else do you need to know about your compliance?
Security regulations change often as new threats emerge. Maintaining a schedule that takes these changes into account is the first step to ensuring compliance. If you can't perform the audit in-house, consider setting up a monthly, quarterly or annual (depending on your mandate) partner-directed audit schedule.
With that in hand, you should be on your way to maintaining compliance at all times. Audits don't really have to be as painful as everyone thinks they are; being prepared makes all the difference.
Perhaps the most important thing to remember to motivate you in your compliance efforts is that compliance is a cost of doing business. If you can't meet the minimum requirement, you aren't allocating enough resources to compliance. Says Allen, "Running a business without knowing your compliance mandate is like strapping into a spacecraft without reading the operating manual: you're really setting yourself up for danger or failure."
Originally published on 10/20/2016