Corporate compliance rant and audit preparedness


The auditors are coming!  The auditors are coming!  If you work in an industry that is under frequent regulatory scrutiny, especially one in a multi-regulatory industry such as healthcare or banking, you are very familiar with this phrase.  Sometimes you know they are coming, sometimes you don’t.  Regardless, the company, a.k.a. you as the IT representative, must always be prepared.  If you’re not, the repercussions could be felt by many and you could find yourself posting resumes on Dice.

Clean up your room, your mother probably told you as a child.  You did it to comply with her order, but you probably kept it clean begrudgingly.  You kept it clean because there would be a consequence if you didn’t.  The same story holds true for corporations and regulatory compliance.  They maintain compliance because they have to, not because they wish to be better corporate citizens.  It’s a shame that it takes the threat of punitive fines or legal action to coerce a company to adhere to a standard set of best practices.

Notice in my analogy that I used the word child.  You were instructed to do certain chores as a child because you were not mature enough to realize that completing them taught valuable lessons for use later in life.  This is analogous to corporations not being mature enough to do the right thing of their own accord.  Most corporations know what to do, but they must be given strong persuasion to make responsible decisions, especially if those decisions somehow affect the bottom line or delay highly visible projects.  Companies are essentially displaying immature and irresponsible behavior.

But they should know better.  They should know that backing up and protecting someone’s personal and private data is important.  They should know that maintaining a secure network is important.  They should know that being lackadaisical with the public’s sensitive information is unacceptable.  But a company’s actions often prove otherwise, which is the real reason behind government regulations such as HIPAA and Sarbanes-Oxley.  If corporations and industries properly governed themselves, they wouldn’t need outside governance.

Okay, enough ranting.  What do government-mandated regulatory compliance laws mean to an IT pro, anyway?  They mean that you should always be prepared to answer questions about the design of your network and be able to retrieve requested data within a reasonable timeframe.  Compliance burdens fall heaviest on the IT department because we are the ones responsible for the infrastructure on which the data resides as well as for the security of the data itself.  IT controls must be in place to demonstrate adherence to policies and standards, and to prove compliance throughout the entire organization.

The audit process is often a test of perseverance.  Documentation is essential, and could be the single most important task you complete before the auditors arrive.  Many times, companies will conduct an internal audit to patch compliance and security holes before an external auditor arrives to perform the real thing.  This is the perfect time to review your procedures and documentation.  You must be able to answer questions about archiving and disaster recovery procedures for company records.  You must also be able to explain the internal mechanisms that ensure only appropriate personnel have access to sensitive information.  How do you routinely self-audit access to certain applications?  What are the restrictions and procedures for third parties who access your network?  How do you hold them accountable?  How secure is your wireless network?  Do you employ data encryption techniques?  How do you back up your email system, and how do you regulate what information is transmitted?

These are examples of questions that you must be able to answer during a routine audit.  Efforts to reach and maintain compliance have been one of the biggest sources of increased workload for IT departments in years.  In a way, it’s a boon for IT pros because it creates a reliance on us from corporate executives.  Sufficient IT staff is needed to ensure corporate compliance.  Think of it as a stressful form of job security.  Just be sure you don’t turn into a scapegoat for having insufficient documentation.

1 comment

darinhamer

You're absolutely right. HIPAA and SOX really just require companies and organizations to do what they should have been doing all along. However, if you are an organization competing in the marketplace, your intentions may be the best, but if no one else is spending the money to be compliant--or just to do the right thing--then being a hero in this area may put you out of business. My position has always been that in the long run, investing in good security measures, process controls, and business continuity makes good business sense over the long haul. But, if no one else in your particular market segment is doing that, your organization may not be around to reap the rewards.
