informa
4 MIN READ
Quick Hits

10 Key Compliance Pitfalls -- And How To Avoid Them

A look at the most common mistakes in compliance initiatives, and what you can learn
[Excerpted from "10 Key Compliance Pitfalls -- and How to Avoid Them," a new report posted this week on Dark Reading's Compliance Tech Center.]

Today, it's the rare business that doesn't have some regulation on its radar, whether it's because the business processes credit cards, handles personal client information, is publicly traded, handles medical information, operates on behalf of a national or regional government, or any other number of considerations.

In fact, not only do most organizations have to comply with some regulatory mandate or another, most of them need to comply with multiple regulations. InformationWeek's 2012 Regulatory Compliance Survey found that 71% of the organizations surveyed had more than one compliance requirement that they must adhere to.

Because regulations are so pervasive, the chances for mistakes are high. Here is a look at some of the most pernicious compliance issues -- those that occur frequently and that have the potential for significant consequences.

While there's no exhaustive list of everything that can or might go wrong (there are quite literally too many possibilities to mention), understanding the most common pitfalls organizations struggle with can help you avoid the same issues.

1. Striving Toward the Bottom
One particularly problematic dynamic is when an organization views minimum compliance as an operational target in and of itself.

This happens more often than you might think. Note that by this we're not saying that organizations should be doing more. While that may be true in some cases, we're talking here about business dynamics -- intentionally created or otherwise -- that actively favor long-term weakening of the organization's compliance posture over time.

As an illustration of how this can happen, consider an organization in which budget requests for security or risk management activities are routinely dismissed unless the request can be tied directly to an audit issue. In this situation, the "bare minimum" is the upper bound.

The risk and security implications of this are obvious, but there's also a compliance impact. Specifically, a sort of entropy occurs within an organization over the long term -- overall compliance will tend to drift from "compliant" to "not compliant" as business processes are added or changed, personnel rotated and new technology brought to bear. So even though "the bare minimum" is the theoretical maximum ceiling, it's one the organization will tend to stay below.

Resolving this situation isn't easy. It's usually caused by cultural factors, so a shift in culture is required to address it. This isn't easy to bring about, and it will probably take more than the efforts of just a handful of individuals.

2. Having Only a 'Little Knowledge'
You've heard that a little knowledge can be dangerous, right? It's true generally but particularly so when it comes to compliance. Sometimes organizations just aren't doing what they need to because they don't understand fully what's required.

An example is the merchant who believes that having a low transaction volume means the organization doesn't have to comply with Payment Card Industry Data Security Standards (PCI DSS), or the hospital that ignores "addressable" implementation specifications in the Health Insurance Portability and Accountability Act (HIPAA).

Fixing the underlying issue (becoming more educated about the regulations) isn't hard, but dealing with the ramifications can be. Organizations must educate themselves fully about their regulatory requirements, but they must also address potential areas of prior misunderstanding.

Start by reading the regulations in their entirety (this sounds like a basic piece of advice, but you'd be surprised how infrequently it's done) as well as any other source material published by the regulator (such as FAQs, interpretive guidance and audit standards).

As your knowledge of the regulatory context expands, you're likely to find areas in which past decisions were made on faulty understanding. If so, it will be important to build a case for remediation with decision-makers -- they might not understand why what was copacetic before represents a problem now.

To read more about these two issues -- and to get details on the other eight most common pitfalls -- download the free report on security and compliance.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.