Friday, May 3, 2013

Should you worry more about compliance or risk?

When is the right time to think about compliance versus risk?

A recent article in Network World interviewed the CIOs of Underwriters Laboratories and the Minnesota Department of Veteran Affairs on this topic and generated some interesting comments. Both make the expected argument that you can't pursue one at the expense of the other, but in the end they say risk is the key consideration.

Christian Anschuetz of UL uses the story of the Titanic to illustrate his point. When it sank in the North Atlantic 101 years ago, losing over 1,500 people, the captain, crew and the White Star Line had complied with the regulations of the time by providing the required number of lifeboats. The regulations were clearly not up to the risk faced by the vessel and its passengers.

Non-compliance is another form of risk. Barely a day passes without a story of a hefty fine levied against a firm that violated a HIPAA privacy rule or did not comply with the PCI standard for data security. In these cases, compliance is its own risk category.

CIO Dan Abdul offered nine tasks for determining your organization's risks, so that you neither accept unnecessary risk nor overcompensate with too many controls:
  • Risk of failing to fully comply with regulations
  • Loss of intellectual property and any sensitive information
  • Impact of disasters and unplanned events
  • Impact of an event which adversely affects the brand image of the organization
  • Gaining stakeholder feedback on impact and likelihood of these risks
  • Benchmarking existing process for managing the risks identified as concerns by stakeholders
  • Identifying the costs required to address the risks
  • Performing a cost/risk analysis
  • Prioritizing control efforts accordingly
The challenge with compliance is that regulations are generally written in response to previous incidents. They try to point out the risks, but don't really provide a set of controls that would let you determine whether you are absolutely compliant. That comes down to the auditor's interpretation. Another risk.

Abdul adds, "More importantly, if you implement every control recommended for any regulation and still have a breach, you are not protected from lawsuits and fines from the regulating entity."

Improving compliance and reducing risk with Local Management

There is no silver bullet for IT compliance, but Uplogix addresses some areas that are fairly unique. Uplogix extends role-based administrative access policies to network devices and provides detailed auditing and reporting in support of attaining and demonstrating regulatory compliance. All of these capabilities are maintained even in the event of a network outage.

For more on Uplogix and IT policy enforcement capabilities as well as audit and compliance reporting, see the Security and Compliance Management section of Uplogix.com.