Tuesday, April 24, 2007

Scalability in Compliance

Compliance is generally either to internal requirements or to external regulations. And since there is no single way to interpret external regulations, corporates ideally create internal interpretations of them. So, in essence, you are complying with a set of internal requirements. That said, the universe of your requirements will be unique to your business.

A lot of the time you hear corporates complaining about the number of regulations they have to comply with. What is often overlooked, however, is the upside of the vagueness the regulations present: it gives you the wiggle room to interpret them in multiple ways. The SOX 404 interpretation in corporate A may very well differ from the SOX 404 interpretation in corporate B.

You can establish compliance with multiple regulations if you can establish a link between them and a single industry standard (e.g. ISO 17799 or BS 7799) that you want your corporate to follow. Most of the time, all of the regulations share a common denominator of security requirements that can be addressed by one industry standard. And if you align with the chosen standard, you can readily demonstrate alignment with the regulatory requirements, as long as you maintain a clear mapping from each regulation to the industry standard and document its applicability in your business.

In summary: a) if your internal audit and security teams can distill the regulations into a universe of compliance requirements, b) map those requirements onto an industry standard such as ISO 17799, and c) implement processes in alignment with the established mapping, it will make your life easier, your implementation more streamlined, and your compliance readily scalable to multiple regulations.