Last week, we looked back at the top IT compliance management news stories of 2009. From tougher state data protection laws to compliance in the cloud, 2009 held plenty of IT compliance management headaches. We’ll be posting our predictions for 2010 later this week. In the meantime, IT professionals have arrived back in the office and are confronted with the same compliance challenges that existed before the holidays.
What to do?
First, focus on compliance.
1. Build data protection around intrusion detection and access controls.
As contributor John Weathington recommends, begin with a comprehensive data governance and compliance strategy and build data protection practices upon intrusion detection and access controls.
2. Look to the Unified Compliance Framework for common ground.
Compliance professionals and vendors are turning to the Unified Compliance Framework as a common language for overlapping compliance standards.
3. Review our FAQ on mandatory encryption standards and IT operations.
Learn how emerging mandatory encryption standards will affect IT operations.
4. Get a grip on addressing compliance requirements in cloud computing contracts.
As CIOs look to cloud computing for data backup and storage, compliance requirements must be spelled out and met, or the data will be brought back down to earth.
Second, focus on IT security.
The following compliance resources from SearchSecurity.com will be helpful to IT professionals preparing for renewed security challenges this year.
1. Learn how to create an identity theft prevention plan for FTC Red Flags Rules.
Under the FTC’s Red Flags Rules, all financial institutions and creditors with covered accounts are required to create an identity theft prevention plan. The FTC may have extended the enforcement deadline for the Red Flags Rule to June 1, 2010, but five months will go by quickly.
2. Review this guide to internal and external network security auditing.
Contributor Stephen Cobb covers the baseline network audit processes that a security professional should absolutely conduct regularly.
3. Consider the benefits of ISO 27001 and ISO 27002 certification for your enterprise.
If your enterprise is considering becoming ISO 27001 and 27002 certified, there are several important questions to ask.
4. Get up to speed on privileged account management.
Sarbanes-Oxley compliance requirements and data security concerns are accelerating growth of the privileged account management market.
5. Weigh the pros and cons of end-to-end encryption and tokenization.
Tokenization and end-to-end encryption have emerged as promising technologies, but both have benefits and drawbacks that organizations must weigh.
6. Learn how frameworks and technology can help your PCI DSS compliance efforts.
This mini-guide offers a variety of tips on how organizations can use several frameworks, technologies and standards to help manage PCI DSS efforts and ease the compliance burden.
Finally, focus on health care
… that is, if health care compliance is your responsibility.
If you work in healthcare, SearchSecurity.com published a helpful HIPAA compliance manual that will be useful for IT professionals entrusted with health care compliance. Included in the guide is a HIPAA compliance training, audit and requirement checklist, including advice on how to prepare for a security audit.
Here are several other useful stories and tips on health care compliance:
The federal government has called for greater use of personal health records as part of electronic health record systems. Advocates say PHRs fall short in data control, privacy and security.
Some health care organizations such as health information exchanges are showing improved efficiency, lower costs and better patient care using EHRs.
When it comes to electronic health records and personal health information, secure storage can have many meanings, but only one that counts: Encrypt data as many ways as you can.
For more on HITECH and HIPAA compliance, also review:
- How to turn the HIPAA compliance changes into opportunities
- New HITRUST certification offered for solution providers
- HHS HIPAA guidance on encryption requirements and data destruction