Compliance Challenges for organizations contracting with the Federal Government Robert Klotz, VP of Technology at Akibia

Statistics  Today  200 Mandates and Regulatory laws  80 in the states and territories alone  119 federal  1 corporate  controls  85% overlap  Most have monetary fines ALL have disclosure requirements  Tomorrow  Growing at a rate of 10% per year  Mandates and regulations often change

What is the Goal of Compliance?  To Protect the rights of the individual  To protect and secure PII (Personally Identifiable information)  To instill confidence in the consumer  To educate the market on the need for controls

Most applicable to this group  FISMA  Federal information security management act

Most applicable to this group  The state and territorial mandates where we are doing business (49)  Alaska  Arizona  Alabama  Arkansas  California  Colorado  Connecticut  Delaware  Virgin Islands  District of Columbia  Florida  Georgia  Hawaii  Idaho  Illinois  Indiana  Iowa  Kansas  Washington  Kentucky  Louisiana  Maine  Maryland  Massachusetts  Michigan  Minnesota  Missouri  Montana  West Virginia  Nebraska  Nevada  New Hampshire  New Jersey  New York  North Carolina  Ohio  Oklahoma  Oregon  Wisconsin  Pennsylvania  Puerto Rico  Rhode Island  South Carolina  Tennessee  Texas  Utah  Vermont  Virginia  Wyoming

Most applicable to this group  PCI Dss  Corporate requirement for those accepting credit cards as payment regardless of outsourcing or not  SOX for publically traded companies  HIPAA if you are providing employees medical insurance or working with Hospitals

Why is it not Working?  Companies focus on the check box rather than the foundation  Companies manage compliance as a project rather than a process  Companies are knee jerk in how they approach compliance  Compliance is often driven at the wrong levels within the organization  Compliance has become a hindrance to doing business

What does this mean?  It all boils down to risk  For the business  For the consumer  For the Government  It really is straight forward  Protect the assets of the business and by default we will find ourselves in compliance

How do we do that?  Number one priority: manage compliance as a process and not a project  It is a cost of doing business which will not go away and will continue to grow in complexity  Incorporate it into the day to day running of the organization

How do we do that?  Discover where we are weak  Where does the data reside?  What are we doing today?  Start with what you have  Our employees are doing something document and leverage this  Document the scope of access to PII  Identify the overlap in the controls

How do we do that?  Next Steps  Identify the risk of NOT doing things to satisfy compliance  Create a GAP of where you are and where you need to be to satisfy cross compliance  Monitor and document where you are throughout the year  At a bare minimum assign an individual within the company to stay on top of this process  Educate  Enforce  Utilize a 3 rd party where possible

 Ongoing  Identify change  Regulatory  Business  Assess the GAPS  Simplify process  Identify overlap  Deliver on going training  Repeat How do we do that?

A Model of success RISKRISK TIME DiscoverMonitorEducateEnforce Sensitive Data User ActivityEnd Users Policy and Security Understand Risk Reduce Risk Governance, Risk, and Compliance Methodology

In Summary  Start with what you are doing today  Compliance seems daunting but its not if you incorporate as a process  Compliance mandates continue to grow and change  Compliance was designed to make sure companies are taking care of PII  Compliance boils down to risk for the business  Create a sustainable, repeatable process across compliance mandates which becomes a part of doing business  Follow: DISCOVER, MONITOR, EDUCATE, ENFORCE