
The roles of IT and information security departments are making compliance a sustainable process, rather than a painful project to dread each year
As compliance approaches mature, organizations' attitudes about the role and meaning of compliance are changing. The roles of IT and information security departments are shifting as well, helping to reshape the meaning of compliance and make it a sustainable process, rather than a painful project to dread each year. Whereas in the past IT and information security departments were frequently brought to the compliance party late in the game, only to find that many of the processes directly in scope for compliance were highly dependent on IT applications and systems, now there is greater recognition of the compliance roles IT and information security departments have.
Reactive Compliance
In many organizations, "compliance" has meant reacting to external requirements to secure data, keep information private or, in the case of the Sarbanes-Oxley Act, to ensure the validity of information processed by systems. Generally, input as to what would be required for the organization to be in compliance came from outside regulators and auditors who probably knew less about IT, and certainly knew less about the business, than the organization itself did. A somewhat natural response was to push back on these requirements, deny that they had validity, and hope that they would go away. By the time many organizations finally got around to doing something, time was running short. So they did the minimum needed to comply, or more pragmatically, to pass an audit. But passing a compliance audit is getting more difficult as auditors get more sophisticated and requirements for compliance increase. The long-term goal for organizations should be to try to stay ahead of compliance.
