IT Compliance Success Comes Down to Strong Measurement Program

What a company with a strong IT security compliance program has over other companies is the presence of a monitoring program that accurately assesses system operation at least monthly, says Jim Hurley, managing director of the Security Compliance Council at Symantec.

While he's addressing all industries, he notes that this is certainly the case in healthcare, where lack of documentation is a red flag for FDA inspectors. "If FDA inspectors can't find the evidence" that a regulated life sciences company is in compliance, the agency is going to wonder what else is wrong, he told PIR Oct. 17.

Results of a new Symantec survey of 671 IT respondents across industries show frequency of audits, time allocated to IT compliance and spending on IT security are the main drivers that improve overall IT compliance. About 13 percent of the respondents were in the healthcare arena.

Leaders, defined as companies with two or fewer compliance deficiencies, are devoting 10 percent of their IT budgets to IT security.

This is compared with companies that have the most deficiencies, which spend less than 7 percent on IT security. These companies reported 35 "significant and material deficiencies" and make up 20 percent of the survey respondents.

Ten percent of respondents were defined as leaders, while the remaining 70 percent were defined as the "norm" and reported six deficiencies on average.

While the survey noted that being a leader costs money, it said that lagging companies "pay the price" via lower public trust in their products, worry about the accuracy of their data and concern that regulatory issues may impact revenue and profits.

The major drivers for improving performance in regulatory compliance include: identifying repeatable and more efficient methods to demonstrate compliance; using technology to automate IT security, audit and compliance procedures; and improving data and risk management practices.

"The pressure to demonstrate compliance with regulatory mandates continues to increase," the survey report noted. The report found four main pressures pushing firms to advance their IT security compliance programs: an increase in the scope of regulatory audits, an increase in the number of mandated audit reports, public trust and pressure exerted by boards and senior management.

Companies defined as lagging -- or even being the norm -- should investigate taking five key actions as outlined by the report. In addition to conducting monthly or more frequent internal regulatory and IT security audits, the report recommended:

Spending 30 percent of IT staff time on regulatory compliance. Industry leaders are allocating that much time to it, while companies in the norm category devote 26 percent, and other companies give it 20 percent, the survey found. Based on 250 workdays a year, this translates into just over six days per month for leaders, five for the norm and four for the rest; Allocating 10 percent of the IT budget to IT security. "Industry leaders are spending almost 50 percent more on IT security than are the laggards," the report said. But that outlay translates into 1,750 percent fewer "significant and material" deficiencies than the lagging companies; Establishing clear objectives and measuring results at regular intervals. In addition to regular internal audits, leaders have clearly defined roles and responsibilities for compliance; and Automating compliance and IT security controls and procedures with IT tools. "Nearly all IT security controls and procedures are now automated among the organizations performing as leaders in compliance," the report said. It also noted that while most firms are improving IT security policies, standards and documentation with approximately equal emphasis, leaders are "singularly focused" on documenting procedures.

The survey was conducted online from December 2005 through March 2006. For more information, go to www.securitycompliance.com (http://www.securitycompliance.com). -- Michael Causey