Compliance: More of an art than a science
Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science, and is frequently a matter that requires negotiation. It's also more of an exercise in risk management than governance. Often, doing the right thing means doing what's right for the bottom line, not necessarily what's right in terms of regulations or even what's right for the customer. It's about trying to remain profitable while satisfying compliance requirements, and it's a delicate balancing act. When business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible, or to ignore the governing laws and regulations completely. Complying with Sarbanes-Oxley is particularly confusing, and that frequently leads to non-compliance. Complying with privacy laws such as the Gramm-Leach-Bliley Act and HIPAA is also complex, and both leave a lot of room for interpretation. It's critical to document why your organization is approaching compliance with specific laws in specific ways. If you can show that you have read the pertinent regulations, can demonstrate that this is your interpretation of what the regulation says, and can show an intent to protect the data, you are more protected than those who haven't taken those steps. Do your homework so that you know if you're making the right trade-offs.
Read more about compliance:
- read the article at CIO
© 2008 FierceMarkets, Inc. All rights reserved.





