January 2008   
BUSINESS INSIGHT: COMPLIANCE


Compliance Alphabet Soup

By Richard Noguera,
Director of Compliance, Global Risk Management

I can hear it already…"Another article on the headaches of compliance? HIPAA, PCI, SOX, haven’t they been done to death?" Maybe so, but the difference between most compliance articles and this one is that instead of just explaining the basic regulatory issues, I will attempt to help you find a valid answer to your compliance concerns, both internal and external, that you can use. Consider this "Compliance 2.0."

As compliance has become a "board level" issue, we've evolved from the early hype cycle of "comply at any cost, my job is on the line!" to a more reasonable stance today, which can be dubbed "compliance management," leveraging lessons learned and business acumen. This shifting of the pendulum has actually made compliance a business enabler for many organizations, much like ISO 9001 compliance proved to be in the manufacturing segment. This has allowed us to make rational business decisions based on the principles of risk; organizations can now assess the cost/benefit associated with fines vs. increased transactional fees. Extending this rationale further, the benefit of compliance—with any given regulation, standard, or law—can be measured against the cost of remediation.

regulations are passed into laws—both securing and making my job that more interesting on nearly a day-to-day basis. We are a security company, but interestingly enough, a lot of the regulations that seem to be aimed at one particular industry, either based on how they are written, or on the scope of the information they are trying to protect, end up impacting McAfee in one way, shape or form. As a prime example, most of us think of HIPAA, the Health Insurance Portability and Accountability Act, as a "hospital regulation." But this regulation has risk implications against our own HR department, because McAfee manages personally identifiable information specific to employee health benefits.

And HIPAA isn't the only compliance acronym affecting us. As a global company, this also means that we have to comply with various international federal and commercial regulations within each country and/or region in which we operate.

Compliance Alphabet Soup: McAfee Global Regulatory Pressures

Regulation                      Reason
------------------------------  ------------------------------------------------------------------
Sarbanes-Oxley (SOX)            Publicly traded U.S. company
HIPAA                           Access to insurance and health benefits
PCI                             Accepts online credit card transactions
PCI Texas – HB 3222             Texas credit card standard
GLBA                            Privacy regulation for protecting consumers' financial information
CA SB1386                       California-state privacy regulation
EU Data Privacy                 European Union privacy regulation
OFAC                            Federal regulation based on U.S. foreign policy
Federal Government Section 208  Due to business transactions with federal government agencies

How do you keep from drowning in this alphabet soup?
As we saw with HIPAA and SOX, the original reaction was to "over comply" based on interpretation of the controls that were required. Hospitals that rushed to meet the first wave of compliance later realized that they may have thrown the baby out with the bathwater. More importantly, complying with every aspect of the regulation was prohibitive as a sustainable business model. Further testing of the interpretations, however, has given us a mellowed re-interpretation. This often didn't require a single edit to the legislation. Instead, driven by the noncompliance of participants, the cost of achieving compliance, or an epiphany by certain auditors, more reasonable interpretations were given to language that had previously been understood as vague and ambiguous.

The next awakening that came to compliance was the fact that the same controls were being checked multiple times each year (sometimes in the same week). However, due to human language foibles, they were called for in slightly different terms. The lack of a common compliance lexicon meant that each interpreting entity would assume that its particular regulation was the only one in existence, resulting in a clear waste of resources.

As compliance models have matured, we can now apply capability maturity models to them—such as the Systems Security Engineering Capability Maturity Model (SSE-CMM)—which allow us to measure the maturity of a process. Further, cross-walking exercises to a foundational standard, such as ISO 17799, have allowed us to map the similarities of control objectives between the multiple regulatory pressures we must address to achieve compliance.

This exercise has allowed McAfee to yield substantial compliance savings. Now, a single comprehensive policy accounts for all 43 regulations that we need to address, and makes compliance with our own internal policy the key driver for us. This has the added advantage of making the inclusion of new regulations much simpler. We can first see how these regulations map to our existing policy, and then make minor adjustments that address the specific idiosyncrasies of the new regulation or standard. Anything that is duplicative, we merely review to see if there are enhanced best practices for checking the existing control.
