Meeting the Challenges of Regulatory Compliance
Every organization, large or small, public or private, including utilities and non-profits, is under increasing pressure to routinely demonstrate
compliance with the regulations that apply to it. Compliance activities incur huge costs, and naturally the larger the organization, the larger those costs.
Many larger organizations spend millions of dollars annually on compliance activities alone. These labour-intensive tasks can consume countless hours
preparing for audits and responding to findings, and those hours are not spent contributing to the organization's strategic business goals.
The overall goal of these regulations is to provide and demonstrate consistent and continued assurance that the policies, processes and procedures
used within an organization deliver the following: best-in-class security and reliability of the IT infrastructure; uncompromising data protection;
the highest quality of malware and virus prevention; strong and efficient risk management; the best possible protection and privacy of all non-public information;
and complete integrity of financial and business reporting.
Most of these regulations are more than mere suggestions and guidelines: they are laws, and compliance with them must
be treated like compliance with any other law, with strict penalties for failing to adhere. Accordingly, it is best to start compliance activities as
early as possible in a business's start-up period.
So the big questions are:
- What regulations are applicable?
- How do I assess compliance?
The task of weeding through the vast assortment of regulations and trying to understand what they mean can itself be very costly and time-consuming.
Moreover, a significant portion of many regulations, such as PCI DSS, SOX, HIPAA, the ISO 27000 standards, and the EU Data Protection Directive,
rely heavily on File Integrity Monitoring (FIM) technologies, which support routine reporting of compliance information, and on Intrusion Detection System (IDS)
technologies, which generate alerts about an undesirable event after it has already happened. FIM and IDS are the minimum a business can
do when trying to demonstrate compliance with these regulations.
However, the better options in the long term are File Integrity Enforcement (FIE) and Intrusion Prevention System (IPS) technologies. These technologies
are able to prevent the undesirable event before it happens. When it comes to true, real-time data protection and virus prevention, they are an absolute must.
- Based on my type of business, how do I determine whether I need to achieve and maintain PCI compliance?
- Maybe SOX compliance?
- What about HIPAA?
- Are there others?
- What are the primary differences between File Integrity Monitoring (FIM) and File Integrity Enforcement (FIE) technologies?
- Do I need an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS)?
- Is managing it difficult?
- What options are there to help my business achieve and maintain regulatory compliance?
- Can I do it myself?
- Do I need help?
- Where can I get help?