Uniform Approach to Information Technology Compliance
For most businesses, compliance means meeting the requirements of multiple regulations and industry standards at the same time. With ever-shrinking Information Technology (IT) budgets, companies are looking for ways to satisfy several compliance regimes at once while reducing the overall time and cost of IT compliance. This is the idea behind a unified approach to compliance: although each regulation has its own specific requirements, most of them overlap heavily in the IT general controls they expect, so a single, well-designed set of controls can satisfy multiple compliance requirements concurrently.
We recently assisted a client in implementing a unified compliance approach across SAS 70, PCI DSS and HIPAA. Our client provides its customers with Electronic Data Interchange (EDI) solutions: a web-based data exchange service that enables companies to send and receive business information electronically. It takes information from one company, translates it into the trading partner's format, and then delivers that information precisely where it is needed. As our client expands its services to organizations that handle more sensitive data, such as credit card and health care data, it is required to demonstrate that its service and the controls around it meet each of these standards.
Here is a brief description of the purpose of these three distinct compliance regulations:
PCI: The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive security standard for companies that handle payment card data. Any company that processes, stores, or transmits cardholder data must comply with PCI DSS or risk losing the ability to accept card payments. PCI DSS is organized as twelve high-level requirements, supported by several hundred detailed sub-requirements and testing procedures for securing cardholder data.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes provisions to protect patient privacy and the security of health information. Its Administrative Simplification provisions were intended to encourage widespread use of Electronic Data Interchange in health care, and the Privacy and Security Rules were issued to protect the data being exchanged. The Privacy Rule applies to all Protected Health Information (PHI), whether on paper or electronic, while the Security Rule deals specifically with electronic Protected Health Information (ePHI). The Security Rule requires three types of safeguards: administrative, physical, and technical.
SAS 70: Statement on Auditing Standards (SAS) No. 70 was developed by the American Institute of Certified Public Accountants (AICPA). SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor's report. Service organizations typically provide outsourced hardware or software capabilities that affect the control environment of their customers. An auditor's report prepared in accordance with SAS 70 signifies that the service organization has had its control objectives and control activities examined by an independent accounting and auditing firm; the report, which includes the auditor's opinion, is issued to the service organization at the conclusion of the examination. (SAS 70 has since been superseded by SSAE 16 and the SOC 1 report, but the control objectives it examines are essentially unchanged.)
Although each of these compliance frameworks has some specific requirements, each relies heavily on a standard set of IT general controls that addresses the overall security and operation of the infrastructure. To review our client's current control environment, we chose the COBIT (Control Objectives for Information and related Technology) framework developed by ISACA (Information Systems Audit and Control Association). COBIT is an IT governance framework that provides a set of generally accepted measures, indicators, processes and best practices to assist in developing appropriate IT governance and control in a company. COBIT 4.1 defines 34 processes and 210 control objectives covering policies, procedures, practices and organizational responsibilities, and its management guidelines link IT control to IT governance. Because of its wide acceptance in the industry and its thorough guidance, COBIT was the natural choice for the project.
To prepare our client for compliance, we performed a gap analysis on the current control environment to identify where to focus our effort. Using the unified approach, we mapped the COBIT control objectives to SAS 70, PCI DSS and HIPAA and created implementation guidance for each. We first identified the areas where a single control satisfies all three frameworks, and only then identified the additional "regulation-specific" controls that each framework requires on its own. This lets our client comply once and satisfy many different requirements, and once the framework is in place it takes progressively less effort to accommodate new controls that arise from the ever-changing IT environment.
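The mapping and gap analysis described above can be expressed as a small script. The following is an added example, not the client's control set or any code from the original article: the control inventory is constructed for illustration, the COBIT 4.1 process IDs (DS5, AI6, DS11, DS4) are real but the assignment of each control to the frameworks it satisfies is an assumption. It computes the "comply once" set that serves all three frameworks, the regulation-specific controls, the gaps per framework, per-framework coverage, and a remediation order that closes the most framework gaps first.

```python
from dataclasses import dataclass

FRAMEWORKS = ("SAS70", "PCI", "HIPAA")


@dataclass(frozen=True)
class Control:
    cobit_id: str          # COBIT 4.1 process the control is mapped to
    name: str
    satisfies: frozenset   # frameworks this control counts toward (assumed mapping)
    implemented: bool      # current state observed during the gap analysis


# Constructed, illustrative inventory; not a real client's control environment.
INVENTORY = [
    Control("DS5", "Unique user IDs and quarterly access review", frozenset(FRAMEWORKS), True),
    Control("DS5", "Centralised audit logging with 1-year retention", frozenset(FRAMEWORKS), False),
    Control("AI6", "Documented change management with approvals", frozenset(FRAMEWORKS), True),
    Control("DS11", "Encrypt stored cardholder data / render PAN unreadable", frozenset({"PCI"}), False),
    Control("DS11", "Business associate agreements for ePHI handling", frozenset({"HIPAA"}), False),
    Control("DS4", "Tested backup and restore procedures", frozenset({"SAS70", "HIPAA"}), True),
    Control("DS5", "Quarterly external vulnerability scans", frozenset({"PCI"}), True),
]


def shared_controls(inventory, frameworks=FRAMEWORKS):
    """Controls that satisfy every framework at once: the 'comply once' set."""
    return [c for c in inventory if set(frameworks) <= c.satisfies]


def specific_controls(inventory):
    """Controls that count toward exactly one framework ('regulation-specific')."""
    return [c for c in inventory if len(c.satisfies) == 1]


def gaps_by_framework(inventory, frameworks=FRAMEWORKS):
    """Unimplemented controls, listed under each framework that requires them."""
    gaps = {f: [] for f in frameworks}
    for c in inventory:
        if not c.implemented:
            for f in frameworks:
                if f in c.satisfies:
                    gaps[f].append(c.name)
    return gaps


def coverage(inventory, frameworks=FRAMEWORKS):
    """(implemented, required) control counts per framework."""
    out = {}
    for f in frameworks:
        required = [c for c in inventory if f in c.satisfies]
        done = sum(1 for c in required if c.implemented)
        out[f] = (done, len(required))
    return out


def remediation_order(inventory):
    """Open controls sorted so that those closing the most framework gaps come first."""
    todo = [c for c in inventory if not c.implemented]
    return [c.name for c in sorted(todo, key=lambda c: (-len(c.satisfies), c.name))]


if __name__ == "__main__":
    print("Comply-once controls:", [c.name for c in shared_controls(INVENTORY)])
    print("Regulation-specific:", [(c.name, sorted(c.satisfies)) for c in specific_controls(INVENTORY)])
    for f, (done, req) in coverage(INVENTORY).items():
        print(f"{f}: {done}/{req} implemented, gaps: {gaps_by_framework(INVENTORY)[f]}")
    print("Remediate in this order:", remediation_order(INVENTORY))
```

On this constructed inventory, one missing control (centralised audit logging) appears in the gap list of all three frameworks and is therefore scheduled first; fixing it once moves SAS 70, PCI DSS and HIPAA coverage together, which is the practical payoff of the unified mapping.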
As more and more regulatory requirements affect business environments, a unified approach to compliance is the most cost-effective way to manage compliance costs. In an economy that demands the most "bang for our buck", the unified approach to compliance is the way to go.