Maintaining Compliance is an Ongoing Process


March 1, 2023

periodic compliance review

You did it — you passed your PCI (or SOX, HIPAA, GLBA, etc.) audit! But the work isn’t over. A recent Verizon study found that most companies fall out of PCI compliance after just nine months. And it doesn’t stop with PCI, either. Many companies work hard around audit time to ensure they can report compliance for the audit period and advertise their security, only to let controls lapse once the audit is complete.

For PCI, that also means being able to continue doing business with credit card companies. For other standards like HIPAA and SOX, it means avoiding hefty fines and legal consequences.

Unfortunately, simply checking the compliance boxes doesn’t mean you’re safe for the foreseeable future. You need to maintain compliance at all times throughout the year, not just when the auditors are knocking on your door.

Keeping Abreast of Changes

Falling into non-compliance happens not only because of lax controls or staff, but also because of the ever-shifting nature of the IT world. New business initiatives require new IT systems and applications, and all of them must adhere to compliance standards. Emerging risks come from the new processes these systems require, as well as from multiplying cyberthreats.

Meanwhile, you don’t want to stagnate because of unyielding observance of compliance controls. If you want to remain on the cutting edge, you must adapt your compliance program as your IT infrastructure changes. That requires a process for your process, so to speak: clearly defined methods for adjusting compliance controls as needed, complete with updated documentation for ease of auditing.

Keep an eye on compliance mandate changes and new legislation however you can: subscribe to compliance newsletters, bookmark government websites, and search for the latest news. For example, the HITECH Act and the HIPAA Omnibus Rule both changed how healthcare companies and their business associates must handle health data compared with earlier HIPAA standards.

When you discover a new regulatory standard that applies to your organization, you should:

  1. examine your controls and infrastructure for risks and gaps via risk assessment
  2. use that information to inform executives about what IT components are impacted
  3. determine what business processes are affected and what requirements the organization has for daily operation to continue smoothly
  4. update compliance controls accordingly, with new technical and business processes
  5. roll out the changes to the organization as a whole, with clear communication and training

Just like any other IT update, changes to controls and compliance measures that involve your applications or other pieces of your IT stack should go through a testing and review period before they are rolled out into the production environment. Schedule changes so they do not land in the middle of a heavy workload or an audit; this maximizes the effectiveness of new controls and minimizes the impact on business operations.