White Papers for Health Insurance Portability and Accountability Act (HIPAA)
Modulo Risk Management Compliance module - Importance and applicability
The scene has changed radically. Ten years ago, security professionals had no literature on which to base their work. Today, there is a profusion of security requirements (laws, regulations and guides) that must be followed by organizations (Figure 2). Some of these are mandatory, like the Federal Laws, while others are conditional and should be implemented according to the organization's location and sector (government, financial, telecommunications, and others). And there are also optional frameworks, representing international security standards organized into codes of practice.
Security managers are responsible for understanding and complying with the frameworks, identifying the requirements to be implemented and providing the necessary means to ensure compliance. The main challenge in this work lies in the complexity generated by independently treating each framework, since each one uses a different type of language, organizes requirements in a different way, requires evidence to be registered differently, and uses different audit processes to prove compliance. And all of these processes take place at different moments and document results in different ways!
However, in spite of the diversity, security controls are often the same (Figure 3). The security manager therefore needs to apply a larger cycle to compliance management: he or she needs to understand the laws, find out which frameworks apply, implement the corresponding controls, and record evidence of each control demonstrating compliance with each law applied (Figure 4). All this
by Geraldo Ferreira - May 23, 2007