When is the right time to think about compliance versus risk?
Christian Anschuetz of UL uses the story of the Titanic to illustrate his point. When it sank into the North Atlantic 101 years ago, losing over 1,500 people, the captain, crew and the White Star Line had complied with the regulations of the time by providing the number of lifeboats required. The regulations were clearly not up to the risk faced by the vessel and its passengers.
Non-compliance is another form of risk. Barely a day passes without a story of a hefty fine levied against a firm that violated a HIPAA privacy rule or did not comply with the PCI standard for data security. In these cases, compliance is its own risk category.
CIO Dan Abdul offered nine tasks for determining your organization's risks, so that you avoid both unnecessary risk and overcompensating with too many controls:
- Risk of failing to fully comply with regulations
- Loss of intellectual property and any sensitive information
- Impact of disasters and unplanned events
- Impact of an event which adversely affects the brand image of the organization
- Gaining stakeholder feedback on impact and likelihood of these risks
- Benchmarking existing process for managing the risks identified as concerns by stakeholders
- Identifying the costs required to address the risks
- Performing a cost/risk analysis
- Prioritizing control efforts accordingly
Abdul adds, "More importantly, if you implement every control recommended for any regulation and still have a breach, you are not protected from lawsuits and fines from the regulating entity."
Improving compliance and reducing risk with Local Management
There is no silver bullet for IT compliance, but Uplogix addresses some areas that are fairly unique. Uplogix extends role-based administrative access policies to network devices and provides detailed auditing and reporting in support of attaining and demonstrating regulatory compliance. All of these capabilities are maintained even in the event of a network outage.
For more on Uplogix and IT policy enforcement capabilities as well as audit and compliance reporting, see the Security and Compliance Management section of Uplogix.com.