25 Nov Compliance Becomes Increasingly Important
By Hiram Machado, CEO adaQuest
Compliance and regulation are pressing issues in an increasingly regulated and complex business and technological world. In recent years, numerous cases of non-compliance have cost large organizations millions of dollars, and in the case of Enron brought down an entire corporate empire. The daily news brings more examples of how non-compliance can hurt an organization. Regulation has become so complicated that large organizations now have whole departments dedicated to compliance.
According to the 2018 Cost of Data Breach Study by the Ponemon Institute, the cost of non-compliance can be twice the cost of compliance once fines, business disruption, and lost revenue from an incident that could otherwise have been avoided are taken into account. Compliance has evolved from public initiatives aimed at protecting consumers in the early 1900s to the complex rules imposed on organizations today. According to the International Compliance Association, the term compliance describes the ability to act according to an order, set of rules, or request. The International Compliance Association further describes the following five functions of an organization's compliance department:
1. To identify the risks that an organization faces and advise on them (identification)
2. To design and implement controls to protect an organization from those risks (prevention)
3. To monitor and report on the effectiveness of those controls in managing the organization's exposure to risk (monitoring and detection)
4. To resolve compliance difficulties as they occur (resolution)
5. To advise the business on rules and controls (advisory)
Compliance organizations and programs began in the early 20th century as a way to protect consumers and establish centralized oversight of public safety concerns. The FDA is probably the first example of such centralized control. Its origin as a federal consumer protection agency began with the passage of the 1906 Pure Food and Drugs Act. Fast forward to the 1950s: the United States experienced tremendous economic growth, and this growth forced companies to mature their business processes. Most of the modern management and organizational cultures we experience today have roots in that era.
In the 1970s, the passage of the Foreign Corrupt Practices Act and the creation of the EPA (Environmental Protection Agency) and DEA (Drug Enforcement Administration) led to a shift of compliance from public initiatives to internal functions within organizations.
In 1991, the U.S. Sentencing Commission created the first federal sentencing guidelines for organizations in response to inconsistent criminal sentencing for non-compliance. The guidelines have been updated several times since, the latest version taking effect in November 2018. They serve as the basis for the seven principles most organizations must follow today:
1. Establish standards, procedures, and controls
2. Implement effective compliance measures and exercise reasonable oversight
3. Exercise reasonable effort to avoid delegating authority to unethical individuals
4. Communicate and train employees on compliance
5. Conduct internal monitoring and auditing of compliance efforts
6. Provide consistent enforcement and discipline for violations
7. Respond appropriately to incidents and take steps to prevent similar criminal conduct
In the new era of digital transformation, concerns about sensitive and personal data stored across many different servers, on-premises and in the cloud, have been on the rise. IT professionals must stay on top of local, national, and international regulations. Some regulations are broad in scope and apply across industries. The Sarbanes-Oxley Act (SOX), for example, was designed to protect investors in publicly traded organizations. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting cardholder account data wherever payment cards are accepted, stored, processed, or transmitted; it is an industry standard enforced through contracts with the card brands and acquiring banks rather than a law, but non-compliance can still mean fines and loss of the ability to process cards. The Children's Online Privacy Protection Act (COPPA) is designed to protect the personal information of children under the age of 13.
Other regulations are industry-specific. One example is the Federal Information Security Management Act (FISMA), which requires federal agencies to implement a program that provides security for their information systems. Other agencies and contractors that process data on behalf of those federal agencies are held to the same level of compliance. The Health Insurance Portability and Accountability Act (HIPAA) is another example of industry-specific regulation. HIPAA is intended to improve the efficiency and effectiveness of the health care system and, through its Privacy and Security Rules, to provide privacy and protection for health-related personal information.
Other regulations are local. In the United States, the states of Massachusetts, Nevada, and California have already enacted new data privacy laws. Despite being local laws, they often apply to any organization that holds personal data about residents of that state, wherever the organization is based. The same is true of the General Data Protection Regulation (GDPR). GDPR is a European regulation that applies to any organization around the globe that processes the personal data of individuals in the EU, whether or not those individuals are EU citizens, when it offers them goods or services or monitors their behavior. The regulation is reshaping how the world perceives the importance of data protection, and many countries are following suit with similar legislation. Brazil, for instance, has just enacted a similar data protection law, the Lei Geral de Proteção de Dados (LGPD).
Compliance and regulation are here to stay and won't get any easier. They force IT professionals to interact more with other parts of the organization, such as legal, HR, and leadership. To build a robust, scalable, and secure IT infrastructure today, we need to take into account the different regulations an organization may have to obey and identify the set of technologies that will most easily enable compliance with them.