As if IT departments didn't have enough to worry about these days. They also have to ensure that the organization is in compliance with various industry and federal regulations (PCI, Sarbanes-Oxley, HIPAA) designed to keep sensitive customer data safe. An increasingly difficult task in today's decentralized, mobile, app-filled world. It's enough to give a CIO or CTO a headache.
"Compliance is a hot issue in IT, and for good reason," says Andrew Hodes, director of Technology at INetU, a cloud and managed hosting provider. "Failure to meet rules and guidelines set by compliance standards could mean fines, penalties and loss of trust."
The Biggest IT Compliance Challenges
But keeping the organization in compliance with industry and federal rules can be difficult, especially with more companies allowing workers to bring their own devices (BYOD). So what are some of the biggest challenges to keeping compliant? Dozens of technology pros and compliance experts share their top seven answers.
1. Employees. "Employees play a key role in protecting a company's sensitive data," says Jim Garrett, chief information security officer at 3M. "Low-tech methods like snooping, social-engineering or phishing are common techniques used by hackers against employees to gain unauthorized access to corporate information," he says.
"To overcome this threat, it's important to educate all employees on different ways information can be acquired through very low-tech methods and give them tools they can use, like protecting corporate data displayed on a laptop with a privacy filter while traveling or how to recognize phishing attacks, to help mitigate any risk," Garrett says.
"Having up-to-date security policies that are understandable to employees outside of IT is crucial," adds Scott Peeler, managing director, Stroz Friedberg, which specializes in investigations, intelligence and risk management. "Information security policies should cover the creation, transmission, transport and retention of information; when and how information can be disposed of or removed from corporate servers/storage; remote, wireless, electronic and physical access to the corporate network; and security precautions to use while traveling."
2. Laptops. To avoid the potential theft of data from mobile workers, "provide travel laptops to employees... and create specific information security policies to protect the network from cyber infiltration," says Peeler. "Travel laptops fully capable of executing vital business functions but stripped of proprietary, sensitive or secure information can mitigate risk of infiltration."
3. Mobile Devices. Mobile devices also pose serious security and compliance risks. "Regulated data isn't subject to a lower standard of protection just because it ends up on a mobile device," notes Ryan Kalember, chief product officer at WatchDox, a provider of secure mobile productivity and collaboration solutions.
Yet according to the recent 2013 Ponemon Institute study on The Risk of Regulated Data on Mobile Devices, "most organizations [have] weak controls in place to protect regulated data on mobile devices... and most employees, at one time or another, have circumvented or disabled required security settings on their mobile devices."
Therefore it is critical that "preventive measures should be taken to restrict unauthorized access to corporate data should a mobile device be lost or stolen," says Ray Paganini, CEO, Cornerstone IT, which provides managed IT services and support.
"These measures should be taken whether the device is enterprise-issued or not," he says. "However, it is best for security purposes to have a company mobile standard." His advice:
- Enable devices and provide IT departments with the tools to perform a remote-wipe of sensitive data.
- Configure mobile devices so that only authorized applications can be downloaded and/or accessed on them.
- Invest in storage and data transmission encryption and other endpoint security tools.
- Prevent data storage and transmission to devices that lack adequate security clearance."
4. Third-Party Apps (aka Shadow IT). "The biggest compliance-related issue facing CIOs today is shadow IT -- a threat caused by the use of unseen third-party solutions including devices and apps," says Orlando Scott-Cowley, Messaging, Security & Compliance Evangelist, Mimecast, a provider of email management, compliance and archiving solutions.
"Corporate IT has grown to be complex and cumbersome, so end users have started using their own third-party services to get their jobs done, such as large file sending services," Scott-Cowley says. But oftentimes these apps or solutions are out of the organization's control, causing the IT department a major headache. "The best medicine to cure the headache? Educate end users; give CIOs the controlled power to constantly assess services for suitability; and deploy modern enterprise cloud solutions to solve overall compliance problems."
5. Cloud Service Providers. To ensure that sensitive data is being properly protected in the cloud, "choose a trusted service provider," says George Japak, managing director, ICSA Labs, an independent division of Verizon, and Verizon's HIPAA security officer.
"Cloud services present significant benefits in [terms] of cost savings, scalability, flexibility, etc." However, to ensure that your or your customer's data is properly protected and in compliance with all relevant regulations, "the vendor/service provider should...meet the underlying regulatory requirements, whether the cloud is engineered to be HIPAA-ready or to comply with PCI or FISMA standards, for instance," Japak says. Also check to see if vendors are SSAE 16 certified.
6. PCI. "Not only is it against card brand regulations if you're not Payment Card Industry (PCI) compliant when accepting credit/debit cards, but it's also an absolute must in today's economic climate of increasingly intelligent payment card theft," says Rob Bertke, senior vice president of product management, Sage Payment Solutions. "PCI certification provides assurance that a processor has passed a robust set of best practices for securing information when credit card payments are made."
"As IT professionals, we are often faced with the challenge of creating a secure cardholder data environment that can be proven compliant against multiple tests and PCI assessments," explains Ray Paganini, CEO, Cornerstone IT. To protect sensitive customer data, "use [a] firewall to segment cardholder information from the rest of your corporate network," he suggests. "Network segmentation limits the parts of your network that have contact with sensitive cardholder data and, when configured correctly, can reduce risk and costs, and narrow the scope of a PCI DSS audit."
[ Slideshow: Top Challenges Facing Healthcare CIOs ]
7. HIPAA and HITECH. "Compliance mandates such as HIPAA [the Health Insurance Portability and Accountability Act and HITECH, the Health Information Technology for Economic and Clinical Health ACT] require all data to be digitized [and meet specific security and privacy standards]," says Brian Christian, the CTO of Zettaset, a Big Data management company. "However, as more patient data is captured and data volumes grow, increased complexity will require more sophisticated data management approaches."
"HIPAA has also placed an increased emphasis on the management of vendors, which directly affects healthcare CIOs' compliance obligations," adds Japak. Therefore, it's necessary for IT departments to perform due diligence and make sure they work with HIPAA-compliant cloud service vendors.
Jennifer Lonoff Schiff is a contributor to CIO.com and runs a marketing communications firm focused on helping organizations better interact with their customers, employees, and partners.
Read more about compliance in CIO's Compliance Drilldown.