When the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA) and the PCI Data Security Standard first came on the scene, few organizations were willing to invest in being the first to meet regulatory compliance requirements. Most sat back and observed others in an effort to judge the cost of becoming compliant. Now those organizations are being forced to address the details of their respective compliance requirements. But many are making a common mistake. They often refuse to implement fixes to the way they do IT business, or they address the symptoms that result from bad or nonexistent business processes, and continue a cycle of inefficiency. You can prevent your customers from making these common mistakes by building a process around three general questions.
Generally, the major players in decision making for an IT governance framework are:
The Executive Team -- Since policy and procedure decisions often come from the top down in an organization, the executive team must support the IT governance framework plan. They will often be responsible for providing a budget, and articulating and approving business plans.
The IT Department -- The IT department must be capable of deploying the IT governance framework as it applies to them, be able to quantify risks and benefits of the approach they take to meeting the IT governance framework, and participate in accounting for the dynamic nature of tactical security concerns.
Legal -- The legal team is integral in advising the organization on legal and compliance requirements.
HR -- HR sets the tone within the organization in order to support the IT governance framework since HR policies and procedures such as EUAs, background checks, hire and fire policies, and training must be aligned with the IT governance framework policies.
It can be difficult to convince an organization to use IT governance frameworks. Taking a comprehensive IT framework and retrofitting it into an organization can be painful, costly and time consuming, since it needs to be implemented in full. In order to succeed, you and your customer should approach the compliance issue well prepared. Determine what the business drivers are -- whether they are SOX, PCI, or other compliance requirements. Check recent audits and try to understand the root cause of deficiencies. Establish which framework would ensure that the enterprise remains compliant in the future, and then manage the framework implementation as a major project -- with participation and buy-in from all the major stakeholders. Last but not least, budget the appropriate resources to do the job.
About the author
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of their business and industry. Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background in security professional services product development and business delivery.