Maintaining Compliance is an Ongoing Process
You did it: you passed your PCI (or SOX, HIPAA, GLB, etc.) audit! But the work isn't over. A recent Verizon study found that most companies fall out of PCI compliance after just nine months. And it doesn't stop with PCI, either. Many companies work hard around audit time to ensure they can report compliance for the audit period and advertise their security, only to falter once the audit is complete.
For PCI, that also means being able to continue doing business with credit card companies. For other standards like HIPAA and SOX, it means avoiding hefty fines and legal consequences.
Unfortunately, simply checking the compliance boxes doesn’t mean you’re safe for the foreseeable future. You need to maintain compliance at all times throughout the year, not just when the auditors are knocking on your door.
Keeping Abreast of Changes
Falling into non-compliance happens not only because of lax controls or staff, but also because of the ever-shifting nature of the IT world. New business initiatives require new IT systems and applications, and all of them must adhere to compliance standards. Emerging risks come both from the new processes these systems require and from multiplying cyberthreats.
Meanwhile, you don't want to stagnate because of unyielding adherence to compliance controls. If you want to remain on the cutting edge, you must adapt your compliance as your IT infrastructure changes. That requires a process for your process, so to speak: clearly defined methods to adjust compliance controls as needed, complete with updated documentation for ease of auditing.
Keep an eye on compliance mandate changes and new legislation however you can: subscribe to compliance newsletters, bookmark government websites, and search Google for the latest news. For example, the HITECH Act and the HIPAA Omnibus Rule both changed how healthcare companies and their business associates must handle health data compared with the previous HIPAA standards.
When you discover a new regulatory standard that applies to your organization, you should:
- examine your controls and infrastructure for risks and gaps via risk assessment
- use that information to inform executives about what IT components are impacted
- determine what business processes are affected and what requirements the organization has for daily operation to continue smoothly
- update compliance controls accordingly, with new technical and business processes
- roll out the changes to the organization as a whole, with clear communication and training
Just like any other IT update, changes to controls and compliance measures that involve your applications or other pieces of your IT stack should go through a testing and review period before rolling out into the production environment. To maximize the effectiveness of new controls and minimize the impact on business operations, avoid rolling out changes in the middle of a heavy workload or an audit.
Keep Documentation Updated At All Times
Your compliance officer and IT staff should regularly check and update compliance documentation, including a complete list of all security controls at the physical and digital levels.
Each compliance standard you must meet should be broken down in a point-by-point format for ease of examination. This may end up a lengthy document, but it will make future updates much easier, while also leading to a smoother audit process. Each step should describe the requirement as stated in the compliance standard, with a description of the corresponding control from your organization next to it, and a date of the most recent validation of that control.
Regularly Review Compliance Measures
Use the documents above to check your controls at least quarterly. This should be scheduled alongside other cyclical IT practices like patch/update monitoring, penetration testing, stress testing, or any other regularly performed duties. Ideally, the review should be performed by someone other than your lead compliance officer or team. The review process is also a great time to check for updated compliance requirements.
Some compliance standards, including HIPAA and PCI, actually mandate a formal risk assessment as part of compliance. This documentation should be readily accessible. You will likely also need to create and maintain an information security plan, with the specific items in the document dependent on the compliance standard at hand. You may be able to re-use many portions of these two documents if you have multiple compliance standards, but be sure to carefully check each required security element against the specific standard to avoid missing anything.
Be Sure to Involve Your Entire Staff
PCI specifically requires a policy that addresses information security for all personnel. While some other standards may not call out departments in your organization outside finance, HR, or IT, you should still train your entire staff and maintain IT security across the organization. At Green House Data, we require all staff members to complete a basic HIPAA training at least annually so they preserve strong information security practices.
It takes some serious effort to stay abreast of compliance standards. If you have the resources, it is well worth dedicating an individual or team to compliance and security. If you don't, a partner can help secure your IT systems and prepare you for compliance certifications.