The following is a guest post by Shaun Fothergill, the EMEA Practice Manager for VeriSign’s Global Security Consulting group.

The tidal wave of regulatory compliance issues has intimidated the brave and petrified the frail, those who once played lip service to these issues are now looking for very serious answers from very serious questions. How do I comply? What do I need to do? What will it cost me? How do I keep compliant?

The problem is that there are so many regulatory issues we need to consider and each of these seemingly having their own security nuance that needs to be addressed.

Listed below are just some of the compliance issues businesses need to take into account:

Fairy DNA, by kyz

Fairy DNA, by kyz

  • Data Protection Act?
  • Human Rights Act?
  • Access to Health Records Act?
  • Sarbanes Oxley?
  • International Accounting Standards?
  • Proceeds of Crime Act?
  • Patriot Act?
  • Financial Modernisation Act (GLB)
  • Money Laundering Regulations?
  • RIP Act?
  • Electronic Communications Act?
  • Electronic Signatures Regulations?
  • Electronic Commerce Regulations?
  • EU Privacy directives?
  • HIPAA?
  • Companies Acts?
  • Basel I and II?
  • Freedom Of Information Act?
  • Disability Discrimination Act?
  • EU 8th Directive?
  • Mork and Mindy common alien law?

The PCI imperative is just one compliance issue that is gathering even more momentum, in the US many institutions are now deploying compliance solutions based on many days and months of gap assessment and remediation planning. Similar initiatives are appearing in Europe and no doubt will impact Asia Pacific in the months and years to come.

But what is really at stake? What should a business really consider? What makes compliance an opportunity and not a problem? How can the pain be used positively?

Solid common sense compliance is fundamentally part of IT Governance, and IT Governance is part of business governance that is fundamentally part of sound efficient business practices.

If sound and effective business practices lead to an IT infrastructure that is more closely aligned and effective then perhaps there is another view that places regulation at the heart of making positive and effective change for business. Whilst governance and compliance are very real and serious needs there is a bigger opportunity for business and IT to collaborate and be more cost efficient. IT alignment within a business is crucial if the overall business is to be “compliant.” If we consider that, then the wave of regulation is going to “hit” the organisation no matter what we think or do, would it not be better then to consider the IT/Business efficiency possibilities of regulation?

Compliance is NOT just a security issue, compliance issues reside across the entire IT stack and requires the ability to “translate” the business and compliance requirements into real solutions across the entire IT supported business. IT should where possible support a business as it addresses the regulatory landscape appropriate for its industry. Keeping in mind the “business” owns the requirement to comply.

In my view, businesses requires a framework to address the compliance stack, a baseline of IT controls and an enterprise wide management structure to keep it that way.

Many businesses have not taken the advantages of common control requirements across a range of IT compliance issues. Does your organisation have a baseline set of controls that can be managed thus providing you the ability to manage your IT infrastructure effectively? Do you have a baseline? Common industry frameworks exist, ISO270001(BS7799), ITIL, COBIT and risk processes such as COSO. All these can be leveraged to support the development of a common control construct.

For countless years IT has generally been so pressured to implement rather than have the time to design effectiveness into the systems they support for business. Perhaps now is a perfect time to work with industry frameworks ones that drives cost effectiveness and business/compliance alignment.

Its my belief that a solid compliance framework (DNA) can be used to exploit the overlap across a range of compliance issues and build in a set of common control requirements–a compliance framework and baseline. Regulation can therefore be used to crystallize focus and add significant momentum to the business.

The “opportunity” or “catalyst” should be to build a common operational control framework that could support a myriad of regulations, then demonstrate control effectiveness and exploit the common requirements thus leading to tighter effective alignment between IT and business.

IT can manage and be measured against these common elements, automate costly processes thus providing a cost effective and flexible secure IT structure tighter aligned to IT.

Compliance and regulation issues will always be with us so there is a real opportunity to build in greater business and IT effectiveness, by exploiting and building a common compliance DNA. If we build into our architectures a common set of controls, we will gain much greater business advantages. Those with insight and drive have already began this process.

These types of initiatives may just provide the opportunity to do something outstanding – construct a secure IT and Business Compliance DNA.

This post originally appeared on

Possibly Related Posts: