Understanding the hidden benefits of standards compliance
Blog Host:
Ed Tittel - President, LANWrights, Inc.
Farewell to compliance -- for now!
20 OCT 2006 15:21 EDT (19:21, GMT)
Though we may be through with our two-week stint on compliance topics, and though you may be saying good-bye to me (and vice versa, of course), there's really no good-bye to compliance except on an occasional basis. That's because compliance is really more of an ongoing process than a milestone that you can reach, pass, and leave behind. It's something of a combination of a cyclical phenomenon, with regular recurring reporting, auditing, and remediation requirements, and a never-ending story, in the sense that many activities (especially those with financial consequences) carry their own compliance components with them wherever they go, or whenever they occur.

As you look ahead to what's on your own compliance dance card going forward, make sure to mark it up to meet reporting and filing deadlines. Likewise, you'll want to reserve some time and resources to devote to training on compliance matters, both for new employees to help them get started down the right path, and for old hands, who can always benefit from a refresher/reminder to help keep them on that path. It's generally a good idea to add compliance information and general dates and activity descriptions -- along with warnings, and clearly spelled-out consequences for those who fail to heed this material -- to employee handbooks and policy documents. That way, when combined with training and regular activity, you can make sure everybody is on the same footing and aware of their part in the overall compliance puzzle.

Thanks for your time and attention to these matters over the past couple of weeks. I hope I've been able to provide some useful information, and to share some perspectives that are at least thought-provoking if not downright dazzling. For those with questions that linger after our closing date, please turn them in anyhow: we'll be able to post them at the ExpertAnswerCenter for follow-up in any case.

Take care, especially when it comes to compliance!

--Ed--
Posted by Ed Tittel

Dealing with the people who do (and don't) make compliance happen
19 OCT 2006 20:21 EDT (00:21, GMT)
One thing you will find in the opinion and literature surrounding compliance is the realization that the people in an organization are the ultimate hinge around which the whole operation swings. This probably explains why so many experts stress the need to train people about compliance, but also stress the need to state policy regarding those who fail to meet compliance requirements or deadlines, and to enunciate clear and unambiguous consequences for such failure. The old boilerplate phraseology from many an Employee Handbook springs to mind in this context: "Failure to comply with policy, or to engage in any of the following acts, will result in disciplinary action, with penalties ranging from the loss of pay, or deductions from paid leave time, all the way to summary termination."

The same deal applies to adhering to requirements or guidelines related to regulatory or legal compliance matters, as well as to meeting deadlines for filings or reports. Part of the training about compliance should include information about what happens to the company or organization as a result of failures to comply, meet deadlines, and so forth, as well as information about what happens to employees or officers judged responsible for such failures. If everybody understands what the official policy is, and what happens to those who ignore or flout such policy (and some mention of civil or criminal liability for individuals is entirely appropriate where and as it applies, as well as other consequences enacted at the employer's discretion), then nobody can be too hurt or surprised when those consequences hit home from time to time, as they sometimes do.

Most experts make the point of telling employers to publicize cases where individuals held responsible are subjected to various consequences, both as a reminder that everybody really does have skin in the game, and to caution those who might otherwise consider venturing into such forbidden territory. As Lawrence Walsh points out in his story entitled Pink slips motivate policy compliance, "public executions are necessary for ensuring...policy compliance" (this story deals with security policy matters, but the same notion applies equally well to regulatory or legal compliance). The ultimate effect is to reinforce proper behavior and to protect the organization from unwanted liability or exposure. In other words: "Be good or be gone!"
Posted by Ed Tittel

Perils and positives of outsourcing compliance assistance
18 OCT 2006 22:44 EDT (02:44, GMT)
Given compliance timetables and the need to meet legal or regulatory compliance deadlines, many companies and organizations find themselves pondering the pros and cons of hiring more experienced outside help to get the job done in time. Though this can often be the only way to meet some deadlines -- especially when unforeseen problems crop up on the road to achieving compliance, or when other resource requirements that can't be pushed aside must be handled in tandem with compliance efforts -- putting outsiders to work has its risks and rewards as well.

On the plus side, there's the ability to lay on extra help and get things done. This can (and often does) make the difference in meeting deadlines, or in seeing them slip by. In addition, outsiders who are already trained, and who can bring the benefits of prior experience to bear, can often add crucial elements of expertise or understanding that otherwise might take too long to develop in-house and still stay inside prescribed time frames. That probably explains why compliance consultants remain incredibly busy, and why some must even turn customers away, if they can't stand to sit on a waiting list for a while.

But if you do decide to take advantage of hired guns in achieving compliance, make sure you prevent all the knowledge and expertise they provide from walking out the door when the job is done. If you're going to spend extra money to lay on additional help, it may very well be smarter to allocate additional funds for two elements that some buyers may forget to build into their budgets:

  1. Be sure to include some kind of formal hand-off as a final close-out phase as the project winds down. The best thing to do is to get someone in-house to shadow the outsider for a while before they leave (if resources permit). If that's unworkable, buy an extra month or two of consulting time and have the onsite outsider train an insider before he or she hits the road.
  2. Remember that compliance is an ongoing effort and that the hurdles you jump one year, you will often have to jump again next year. Understand your recurring compliance requirements (reports, filings, audits, and so forth) and make sure your staff is trained on how to handle these things before the consultants leave. Here again, this may require buying additional time for added training, and on-the-job walkthroughs, dry runs, or practice producing necessary deliverables.

If you do take advantage of outside help as you bring your organization into compliance with some body of law or regulation, make sure you make the fullest and best possible use of their expertise before you let them go. The alternative will be to start over again next year, so it's probably more cost-effective to buy some extra time and plan to use it for knowledge transfer, training, and practice for the future.
Posted by Ed Tittel

What follows compliance: Remediation
17 OCT 2006 21:11 EDT (01:11, GMT)
What happens when a company or organization mounts a compliance drive, but fails to meet all guidelines or requirements on the subsequent audit? In many ways, it's like having to repeat a grade in school: the process is called remediation (fixing what's broken, and remedying what's out of compliance). But before those who must remediate take this too seriously, or feel singled out for cruel and unusual treatment, it's also fair to observe that somewhere around half of initial compliance efforts require at least some remediation.

For those who are required to go through remediation, the keys to success and survival can be summed up as follows:

  • Make sure you understand completely and thoroughly what must be fixed. It's also important that the consequences of remaining out of compliance are clear, and that additional filings to establish that remediation is forthcoming be made where and as required.
  • Build a remediation plan, then follow it to the letter.
  • Perform an internal audit to check remediation results.
  • Hire an external auditor to confirm those results.

And of course, if the first try at remediation doesn't result in complete compliance, it will be necessary to rinse and repeat until the process comes to a successful conclusion.

For those to whom the remediation process seems a bit too daunting, especially if it proves difficult or impossible to develop the full understanding specified in the first step, be aware that some consulting firms specialize in providing remediation help. At a minimum, such firms can help you understand what needs to be done, help you plan the execution, and complete any necessary filings that may be required.

That said, most experts recommend that you hire one firm to do the assessment and recommend remediation, and a different firm to perform or help with the remediation itself. The idea is to prevent the assessor from "padding the tab", as it were: from adding items of questionable merit or necessity to a remediation effort as a way of increasing their overall charges. This is pretty good advice, and should probably be heeded.

As with initial compliance work, if you do hire outside help, budget some extra funds for knowledge transfer and insider training before you let the outsider experts ride off into the sunset. Because most regulations or laws for which compliance is required also entail regular maintenance, ongoing audits, and regular reporting or filing, your staff must know how to pick up and carry on when the white knights are no longer at your beck and call.
Posted by Ed Tittel

There's no magic bullet for achieving or maintaining compliance
16 OCT 2006 17:51 EDT (21:51, GMT)
One of the interesting things about dipping into the compliance market from time to time comes from observing that, although the focus and the buzzwords change pretty regularly, the perils of hype do not. In other words, when software or solutions vendors tell you that they can solve all of your compliance problems if only you'll purchase and install their products, you'd do well to remain skeptical. Please let me explain further...

At many levels, compliance is about documenting the policies and procedures necessary to meet requirements, assigning specific people or organizations to carry them out, ensuring that people are trained in interpreting and applying those policies and procedures properly, then checking the resulting work to make sure that their interpretations are largely correct and their applications more or less proper. Inevitably, this means one or more iterations through the whole cycle as people learn how to do things right, and get a feel for how the policies and procedures work, how much time they take, when they work most expeditiously, and so forth and so on.

All of this is as much about managing human behavior as it is about technology, and about checking to make sure that goals and execution line up. Indeed, software tools, checklists, training, and workflow can help with this kind of activity. But automation by itself can't replace (or make up for) the kinds of detailed actions and behavior that reaching compliance will require, and that maintaining compliance will represent as an ongoing form of regular activity. No matter how many e-mail reminders show up in somebody's inbox, how many status reports get generated, how many workflow elements get routed from one person to another (or how many alerts get triggered along the way), somebody still has to do the work and actually make sure they understand how policies, practices, and procedures apply to that work, and make sure that what needs doing gets done and documented.

Though snake oil may indeed have properties to ease arthritic joints, and patent medicines the power to alleviate all kinds of ailments, there's no way that purely automated systems can obviate the need for educated, motivated, and savvy staff members. From planning the compliance process, to documenting its details and requirements, to assigning the tasks that make it up, to performing those tasks, and auditing the results to make sure that compliance has been achieved, people make this process go.

As a side note, I believe this phenomenon also explains why investing in training is such a key ingredient in making compliance work. It likewise explains why regular "refresh training" is helpful, to remind old hands that compliance is a process, not a "do it once and then it's over" phenomenon, and to help new hands understand what they must do, when they must finish, and why the whole thing is important.
Posted by Ed Tittel

About the Information Technology Infrastructure Library (ITIL)
13 OCT 2006 22:51 EDT (02:51, GMT)
The ITIL is as much about a world view or a way of life as it is about IT services management. Though the IT Infrastructure Library is both a Community Trade Mark of the (UK) Office of Government Commerce (OGC) and a Registered Trade Mark, it functions as a de facto standard for services management around the world. The reasons for this popularity are many, varied and attractive, but chief among them is its status as a publicly available (though copyrighted, not public domain) framework that has proven to be sufficiently scalable to deal with large enterprises as well as smaller businesses and organizations. One of its most attractive characteristics is that ITIL devotes much of its attention and coverage to best practices, with enough analysis and discussion to help companies and organizations of all sizes adapt them to their situations rather than adopting them wholesale in a take-it-or-leave-it fashion.

ITIL was created in the 1980s and refined in the 1990s in the UK by its Central Computer and Telecommunications Agency (CCTA), largely in response to the emerging and increasing importance of and dependence upon information technology in meeting business needs and attaining business goals. The guiding principles behind ITIL are to provide a customizable framework of best practices that aim to deliver quality IT services and to mitigate problems associated with the growth and increasing complexity of IT systems. It earns the library designation because it's organized into seven topical areas, each with its own set of texts, arranged by related organizational IT functions. These are: IT service support, IT service delivery, IT management, IT software support, IT computer operations, IT security management, and environmental issues. Above and beyond the texts that make up the veritable ITIL library, ITIL products and services also encompass training, qualifications, software tools, and user groups, including the IT Service Management Forum (itSMF), which acts as the primary constituency and interest group behind and for ITIL, especially in North America. CCTA was merged into the OGC in 2001, so the OGC now owns, maintains and develops this large and comprehensive body of materials.

As with other large-scale, standard bodies of knowledge, practice, or policy, the ITIL may be approached through all kinds of channels and in many ways. The official channel comes straight from the OGC Web site, where you'll find information about ITIL, links to official publications (these are much more expensive than non-official versions of the same material), plus pointers to a Get Best Practice Website and a Successful Delivery Toolkit. Another extremely good source of ITIL information comes from ITIL People, where you'll find interesting overviews and descriptions, links to mailing lists, product information, news, standards, training, and more. Yet another good general source of information and pointers may be found at ITILsurvival.com, where you can find checklists, information, a good FAQ, and further links to resources and such. Perhaps surprisingly, the Wikipedia article on ITIL is also thorough and informative.

Given that expanding ITIL produces the word library, you'd expect there to be countless hundreds of books in this subject area. That said, an Amazon search on ITIL produces only 22 hits, where one on IT Infrastructure Library produces 67 (this is also where you can observe the price differential between OGC official ITIL publications versus trade books on similar topics -- very reminiscent of IEEE publications for those who've bought into their library in the past, in fact). Some noteworthy elements include:

Here again, this is just the tip of an extraordinary body of knowledge and best practices, one that many companies and organizations would do well to attend to, and even better to customize and adopt. But hopefully, it presents enough to help people get started, and begin to find their way into this amazing landscape.
Posted by Ed Tittel

Information about HIPAA
12 OCT 2006 21:51 EDT (01:51, GMT)
The Health Insurance Portability and Accountability Act (aka HIPAA) of 1996 requires the Department of Health and Human Services of the US Government to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. More important, it also addresses security and privacy issues as they relate to retention and sharing of health data. As a government initiative, the ultimate source of information about these standards and compliance requirements is through the US Department of Health and Human Services (HHS) at the Centers for Medicare and Medicaid Services (CMS). The HIPAA general information pages include links to all the important standards and education materials.

But, as is the case with big movers and shakers on the IT landscape, there's no dearth of HIPAA resources outside the official government umbrella, either. Here are a few that I've found to be helpful and informative (though this is just a smattering of the thousands of potential sources and resources available to those with the gumption to read through hundreds of search engine screens to look for more and better information).

  • Atlantic Information Services is a publishing and information company with a focus on the healthcare industry. It runs a well-equipped and frequently updated HIPAA Resource Center online.
  • HIPAAdvisory is an online presence operated by Phoenix Health Systems, a company that specializes in healthcare information management. It is also well-equipped and frequently updated, and offers significant discussion and coverage of compliance issues and matters. Check out their Compliance FAQ as a sample of what's available on this site.
  • The Feds from CMS have also put together an information-only site at HIPAA.org, where you'll find checklists to help get started with HIPAA, plus pointers to key documents, legislation, implementation guides, and a whole lot more.
  • Finally for the American Medical Association's take on HIPAA, check out their Web pages and related links and information at their Web site.

As with other topics we've looked into this week, there is also no dearth of books on HIPAA (over 500, based on hit counts at Amazon, though many of these are pure-digital documents, at least some of which are high-dollar industry trend and market reports that IT professionals won't want to read). Some of the best of this bunch include the following:

  • The Practical Guide to HIPAA Privacy and Security Compliance, by Kevin Beaver and Rebecca Herold, Auerbach, November 24, 2003, ISBN: 0849319536. A comprehensive view of HIPAA privacy and security compliance built around practical, step-by-step methodology and compliance advice, including lots of useful checklists.
  • Privacy and Health, by Roy Rada, HIPAA-IT LLC, September 29, 2002, ISBN: 1901857182. Laid out as a detailed privacy compliance guide for HIPAA, this book garners good reviews for providing all the necessary information on this subject matter (other books by Rada are more or less available, but all get good ratings for providing the "right stuff" in helping IT professionals achieve regulatory compliance). His HIPAA @ IT Essentials, 2e, digital download, also gets great reviews.
  • Course ILT: HIPAA Academy Certification: Professional, by Uday Pabrai, Course Technology, October 2, 2002, ISBN: 0619174714. A special course by a well-known purveyor of IT certification program materials and instruction, this one gets good marks for providing all the information that IT professionals need to prepare for and comply with HIPAA requirements.
  • HIPAA in Daily Practice, by Charles Dinkins and Allan Gilbreath, Kerlack Enterprises, April 15, 2003, ISBN: 0966074416. A good explanation of HIPAA requirements and their impact on daily life and work in the healthcare industry, but works best as an introduction or overview, not as a step-by-step guide to achieving compliance.
  • HIPAA: The Questions You Didn't Know to Ask, by Jason Meyer and Merry Schiff, Prentice Hall, October 22, 2003, ISBN: 03114426X. Another good overview of HIPAA with an emphasis on security and privacy topics so near and dear to IT professionals, this one takes a Q&A approach to stating and addressing the vast majority of common questions and concerns regarding HIPAA. Again, this is no step-by-step guide to compliance, but will be useful for those seeking to get oriented in this topical area.

Those who take the time to dig into these things will come away far less mystified about HIPAA than they were to begin with, with many ideas about how to pursue systematic steps toward attaining compliance, and then maintaining that exalted state once achieved.
Posted by Ed Tittel

Information about Sarbanes-Oxley
11 OCT 2006 09:47 EDT (13:47, GMT)
The Sarbanes-Oxley Act of 2002 has been credited with (or blamed for) forever altering financial reporting practices and requirements for finance professionals. In this law, Congress changed lots of requirements for financial reporting, including real-time disclosures, requiring corporate officers to certify the veracity and accuracy of reports, boosting financial transparency in reporting, mandating SEC reviews, and much more. In the same vein, the Securities and Exchange Commission emerged from this transformation with increased powers and oversight, including strengthened criminal penalties for white collar crime (as evidenced by Bernie Ebbers' 25-year sentence for the WorldCom scandal), changes to the statutes of limitations, addition of new forms of oversight, and much more here as well. For a great overview, see the CPEOnline overview of the Sarbanes-Oxley (SOX) legislation. You'll also find pointers to lots of other useful compliance-related overviews and training there, too.

Certainly, the SOX School at SearchSecurity.com is another tremendous resource on the subject matter as well. The coverage is broken up into a sequence of three lessons that help IT professionals and their parent organizations understand the rules and regulations involved in achieving and maintaining SOX compliance. You'll begin by assessing your current score when it comes to meeting COBiT control objectives, then dig into what's involved in designing and implementing necessary changes in practices and procedures. The three topic sequence concludes with a look at several interesting toolsets designed to help IT professionals achieve compliance, and how they may be able to help the process along (though perhaps not to the extent that some vendors would like you to believe).

Given the wide scope and huge audience for SOX education, it should come as no surprise that numerous books address Sarbanes Oxley topics. A quick hop to Amazon (or your favorite online bookstore) will show that literally hundreds of titles are available in this area. Some of the best include a couple of interesting surprises.

  • The Joy of SOX: Why Sarbanes-Oxley and Service-Oriented Architecture May Be the Best Thing That Ever Happened to You, by Hugh Taylor, Wiley, 2006, ISBN: 0471772747. Provides a good overview of the legislation and its requirements, but is slightly less complete and convincing on making the SOA connection, though it does suggest a lot of good options and possibilities. How can you not like its title, anyway?
  • Sarbanes-Oxley For Dummies, by Jill Gilbert Welytok, Wiley, 2006, ISBN: 0471768464. As the author of a few ...For Dummies titles myself, I've learned to appreciate their basic, no-nonsense and deliberately amusing take on all kinds of topics. This book does an extraordinarily good job of explaining the legislation and its requirements in plain everyday English, and then goes on to provide good advice and information about an implementation framework for compliance as well as specific actions needed to become compliant.
  • Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance, by John S. Quarterman, Wiley, 2006, ISBN: 0764598392. One of the best books around on IT technology issues and potential impacts on risk management (from an author who's written a lot about the Internet and the UNIX operating system, no less). Though a little short on coverage of SOA, Web Services, Web 2.0 and other hot topics, the book does manage to address most other central themes inherent in understanding and managing information technology and related risks.
  • Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools, by Christian B. Lahti and Roderick Peterson, Syngress, September 1, 2005, ISBN: 1597490369. A clearly written, nicely organized book about SOX and the tools and techniques involved in achieving compliance. The authors include a CD stuffed with Open Source items through which interested readers will work as they dig their way into and through this book.

There's plenty more to learn and know about SOX to be sure, but this should help those not already walking down this road find their way beyond the first couple of rest stops!
Posted by Ed Tittel

There's more to compliance than simply doing the mandated thing
10 OCT 2006 09:27 EDT (13:27, GMT)
In my last blog, I sketched out enough of the compliance landscape to remind the initiated about the huge body of rules, regulations and requirements that can pertain to IT activities, while possibly also scaring the uninitiated into a bit of well-earned panic. And indeed, there really is a lot to learn and know, and even more to do, when it comes to tackling compliance issues within any corporate or organizational framework. My intention in this blog is to provide a ray of hope, or to evoke potential benefits, from doing what is necessary, but also from taking the concepts and requirements involved in compliance and running with them beyond the merest letter of the law.

What does this really mean? It means that those organizations and corporations that have treated compliance as an opportunity to improve on their existing policies, practices and procedures have sometimes realized benefits above and beyond those involved in staying out of legal trouble (or at least, of lowering the risk that regulators may find grounds to enforce regulations that aren't being followed, or mandates that aren't met). In fact, companies that take the opportunity to rework their practices and procedures and that institute additional controls and reporting related to governance -- such as cost allocation for consumption of resources, aka chargebacks -- and that seek to determine where unexpected or excess costs originate and how they can be mitigated, often realize gains in productivity and can lower the costs of their overall IT infrastructures.

It's not often that doing the right thing also helps to improve operations, and sometimes even to lower costs, but apparently taking compliance seriously enough to reengineer policies and practices, and instituting formal IT governance, can actually deliver competitive advantages. Some studies show that organizations that adopt formal IT governance models (often driven by compliance timetables or needs) can reduce IT costs by as much as 35%, and reduce needs for additional capital and personnel expenditures as a pleasant side effect. For one example of this genre, see the CFO Research Services report prepared with Oracle entitled "Regulatory Compliance: Finance Executives Call for Optimizing Processes and Systems."
Posted by Ed Tittel

What is compliance all about?
09 OCT 2006 11:14 EDT (15:14, GMT)
In the simplest of explanations, compliance means going along with the rules and regulations that govern specific forms of business, activity or behavior. TechTarget's own SearchSecurity.com can show you just how much that covers: check out their All-in-One Guide on compliance and you'll find an incredible wealth of information on compliance subjects.

To take a more sophisticated view of compliance, it might be smarter to say that it means knowing about and understanding what rules and regulations apply to your company or organization, understanding the risks involved in ignoring them, and weighing those risks against the costs involved in complying with them. Beyond well-known regulations for which compliance is an issue -- such as Sarbanes Oxley (SOX) for publicly traded companies, or the Health Insurance Portability and Accountability Act (HIPAA) for companies involved in healthcare -- there are plenty of other topics to which some IT professionals must pay attention, including such things as:

  • California SB 1386 (the California Security Breach Information Act) mandates notification and related behaviors for companies or organizations that learn that customer records have been compromised, or that suffer other security breaches that may expose sensitive personal data to unauthorized third parties.
  • FISMA (Federal Information Security Management Act) outlines a set of requirements for US Government agencies to follow in improving their own information security, which also reach government contractors and other organizations that handle federal data, including various arms of local, county and state government.
  • FFIEC (Federal Financial Institutions Examination Council), a body whose 2005 guidance on authentication in an Internet banking environment directs the institutions it examines to move beyond single-factor authentication for online banking (widely read as a two-factor authentication, aka 2FA, mandate) -- which makes life interesting, because the definition of what constitutes proper 2FA remains somewhat open to interpretation.
  • PCI DSS (Payment Card Industry Data Security Standard), a standard set of requirements designed to protect cardholder data from unauthorized and unwanted access and disclosure.
  • GLBA (the Gramm-Leach-Bliley Act) requires financial institutions to design, implement, and maintain safeguards to protect customer or client information.

In addition, there are all kinds of standards frameworks that have been designed (at least in part) to provide advice, information and guidelines on how best to meet regulatory demands and requirements. These include such items as the following:

  • ISO/IEC 17799: An international code of practice for information security management (since renumbered ISO/IEC 27002; its companion, ISO/IEC 27001, is the certifiable management-system standard). ISO 17799 not only calls for appropriate corporate and IT governance, it also includes guidelines on how to develop and implement all kinds of security organization, controls and countermeasures, audits and risk assessments.
  • COBiT (Control Objectives for Information and related Technology): Developed by the Information Systems Audit and Control Association (ISACA, the same organization behind the well-known CISA and CISM certifications) and the IT Governance Institute, it defines a framework that sets goals for the controls used to properly manage IT, and maps IT actions, policies and procedures to business needs. This makes COBiT a formal model for IT governance, one designed to align with the COSO model that appears next in this list.
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission): Formed in 1985 to combat fraudulent financial reporting; its Internal Control - Integrated Framework (1992) defines five components: a control environment that shapes company culture, especially with regard to ethics and fraud; formal risk assessment; control activities, meaning the policies, procedures and practices enacted to mitigate risk; prescribed forms of information and communication; and ongoing monitoring (including audits) to make sure what's enacted meets legal and ethical requirements.

These items also have a strong relationship with the IT Infrastructure Library (also known as ITIL) which also concerns itself with IT governance, but which goes well beyond security, privacy, confidentiality, ethics and financial integrity to cover the whole gamut of IT activities and concerns. Thus, though compliance may itself seem like a small bump in the road that masks a huge body of information and requirements, there's even more to doing compliance right than most people first imagine!
Posted by Ed Tittel

All Rights Reserved, Copyright 2009, TechTarget | Read our Privacy Policy