Compliance Policy Development

Given the scorching pace of new industry and government regulations, even well-prepared IT groups are on the defensive. We all know the best way to stay out of the hot seat is to develop a comprehensive set of policies to address threats, but that's easier said than done.

Reams have been written about how to comply with specific regulations, but there's still widespread FUD. Consultants feed on the FUD, as do manufacturers of policy and procedure application---essentially document-management software with a bent toward policies. Every vendor wants us to believe its product is the magic bullet for keeping on the right side of regulators.

Let's acknowledge up front that no application, consultant, industry group or magazine article can fulfill your compliance policy needs because, simply, no outsider grasps the nuances of your organization. In our Policy Workbooks, we'll get you started with the information you need to set policies in red-hot areas that most firms should address sooner rather than later: Mobile and wireless, data protection, e-mail retention and e-discovery. Here, we explain how to get a policy initiative off the ground.

The ability to take the risk-management approach required to build a comprehensive policy set and use industry frameworks effectively may not come naturally to IT pros, but it can be a lucrative and salable skill: Salary.com pegs the median salary for a U.S. corporate compliance director at $99,088, and a Gartner survey says 75 percent of organizations have at least one IT person dedicated to compliance management. Seventy-six percent have an executive-level compliance office or governance council.

Typical Compliance Governance Structure Click to enlarge in another window

Better Regulate Than Never

HIPAA, GLBA (Graham-Leach Bliley Act), SOX (Sarbanes-Oxley) ... all have been around long enough that IT is finally getting a handle on what it means to be in compliance. And it's not just governments driving this trend; one of the latest policy drivers is the Payment Card Industry's Data Security Standard.

"Most companies are more concerned with PCI than they are the government regulations," says Joe Filer, director of corporate security for RackSpace. "You've got to be able to take credit cards."

Still, if you haven't updated your processes and policies in a while, figuring out where to start is a daunting task--the landscape covered by regulatory drivers is vast and varied. This is where risk management and prioritization come in, assessing which threats pose the greatest risks to your enterprise versus identifying low-hanging fruit that can be quickly realized by appropriately selected, crafted, enacted and enforced policies. (See our Strategic Security guide to Risk Assessment.)

Of course, good policies provide benefits beyond regulatory mandates. A policy specifying that infrastructure upgrades be followed by simulating end-user transactions, for example, contributes to your bottom-line uptime as perceived by users. Shops with sensible and effective processes and policies built into their DNA are likely serving the business well and are in less danger of being marginalized or outsourced; more on how to move the policy from paper to personnel in "What's In It for Me?," below.

Help Is Out There

The best practices frameworks various industry associations have assembled are an excellent way to get broad guidance--maps, if you will, to core functional areas that will let you eat the elephant a bite at a time.

Good examples include ITIL (IT Infrastructure Library), ISO 17799 and COBIT (Control Objectives for Information and Related Technology). None of these is free, but plenty of books for under $100 describe them in enough detail for you to get started.

For example, ITIL breaks IT service delivery and support down into "back room" versus "front room" processes (see "Understanding Best Practices Frameworks"). ITIL defines "service support" as ways IT interacts with users, versus "service delivery," which are ways IT manages infrastructure.

By reviewing each functional area for your department or organization, you can start brainstorming with your team about risk levels, then take a targeted approach to what policies must be built. We recommend giving yourself numerical grades based on framework criteria: Say you do a good job at the service desk category, and in fact, most of your front-room processes are at 80 percent or better, but you know your change management needs help--your infrastructure team is willy-nilly about the way it implements changes to the network, and this sometimes causes downtime or places the organization at risk.

The ISO 17799 security framework has been described as a backbone. "It described where we were deficient, where we needed work," says a security manager at a financial organization. "I think building around that kind of framework really works, because it cuts across every industry, every compliance requirement, but is also customizable to your business."

Ron Muns, founder and CEO of the Help Desk Institute, a vendor-neutral IT service and support group, says basing policy planning on a third-party framework can also reduce the churn that occurs with personnel changes. Every new IT manager wants to put his or her mark on the organization, but it's difficult to communicate when the new CIO calls agreements with vendors "SLAs" while staffers and policies refer to "operational-level agreements."

This common-language issue resonated with the execs with whom we spoke.

"ITIL is becoming more and more useful because it allows us to communicate in the same language," says John Engates, CTO of Rackspace. "Security and compliance can be a foreign language to other employees, and having a common framework really helps everyone align."