Chapter 1: Understanding the Real-World Issues Associated with IT Compliance

Compliance is often thought of as a dirty word. Rightly so-businesses are struggling more and more with the compliance requirements being pushed on them from every angle. There are numerous state, federal, and international compliance regulations affecting businesses around the globe:

• Payment Card Industry Data Security Standard (PCI DSS)
• Sarbanes-Oxley Act (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Gramm-Leach Bliley Act (GLBA)
• US state breach notification laws
• Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
• European Union (EU) Data Protection Directive
• Hong Kong's Personal Data (Privacy) Ordinance
• Japan's Personal Information Protection Act (JPIPA)

Much to the chagrin of business leaders, these regulations aren't going away. The good news is that gaining and maintaining control of IT compliance doesn't have to be all that difficult. If done correctly, compliance can actually serve as a business enabler and help minimize information risks long term. The key is to understand what compliance is really about and how its many parts can be managed effectively throughout the business.

Chapter 2: The Costs of Compliance and Why It Doesn't Have to be So Expensive

One of the greatest impediments to compliance is the perceived cost of doing things the right way. Business leaders struggle enough trying to justify the most basic of IT expenditures. Now some government bureaucrat or industry regulator is requiring that they spend even more money to become compliant with their rules. The question becomes: Where's the payoff? How are all of these compliance controls really going to serve the business long‐term? These are legitimate concerns indeed.

Remember
The short‐term goal is to be compliant and close the compliance gaps. The
long‐term goal is to minimize business risks.

Overhauling your IT systems isn't cheap—or free—but it certainly doesn't have to break the bank in the name of compliance. That is, if you approach the issue with the right mindset.

Chapter 3: Simplifying and Automating to Reduce Information Systems Complexity

Simple is better. Indeed it is when you're trying to sort through the IT compliance maze and gain control of your information security program. In fact, the complexity of your information systems environment is a key factor in determining how successful you're going to be with your compliance initiatives and the amount of information risk your business faces. Furthermore, simple network or not, if you don't have some semblance of control and visibility, compliance will be a continual uphill battle-that is, an energy drain and money pit.

Remember
Complexity is the enemy of information security and compliance. Simple is better.

Simplifying your network, applications, and overall IT environment wherever possible and using the proper tools to ensure things are kept in check are essential.

Chapter 4: Establishing a System of Network Visibility and Ongoing Maintenance

Snapshots in time showing reasonable compliance and security are relatively simple to achieve. It's the foresight and effort required to truly make your technologies and processes work together for long-term information risk management that sets the true IT and security leaders apart.

Being in a position where you're continually reacting to the things thrown at you in IT creates unnecessary work, headaches, and business risks. By establishing a solid system of processes and technologies, you'll have what it takes to manage your environment proactively. You'll not only be able to keep things in check but also be prepared to respond in meaningful ways to the incidents that do occur.