Olejnik cautions against approaching your business solely from the standpoint of passing tests. Smart, ethical, and precise business practices will lead to compliance, he says, not the other way around.

“What we try to do is help organizations to develop sound practices around information technology and information security,” he says. “By implementing those best practices, that will result in getting into compliance.”

With that in mind, Olejnik recommends that businesses follow a voluntary quality standard to help them organize their efforts. The one he likes best is ISO-17799, “Information technology: Code of practice for information security management.” “I like it because it really addresses all of the different areas to ensure that information is kept confidential, maintains its integrity, and is available,” he says. “It reaches all areas of organizations to make sure that they’ve got best practices in place for information security and technology controls.”

He points out that the amount of outside enforcement varies by industry, so in some industries businesses must create their own compliance initiatives. Financial institutions, by contrast, undergo proactive examinations by the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Securities and Exchange Commission, he says, so their efforts are strongly enforced from outside.

On the other hand, regulations such as the health care industry’s HIPAA are enforced only by exception. “If there is a breach in patient data records, someone would have to prove that there was a breach, and they’d have to go through a court of law to enforce the HIPAA requirements,” he says. “There’s no such thing as the HIPAA police out there, wielding a big stick to enforce the regulations the same way that the financial institutions do. So you hope that all of those organizations would, just from a best-practices perspective, implement those standards and procedures to avoid trouble down the line.”

Because these efforts can be extremely complex, Alamri says many companies benefit from bringing in outside consultants. “Security, for example, is a very specialized skill set,” she notes. “A lot of times, midsized or small companies can’t afford to have a lot of people with this skill set as employees. So if they can bring someone in on an as-needed basis, it’s much easier and more affordable.”