This is the SECOND blog in our series that explains how to leverage Service and Change Management for Compliance by capturing all the information necessary to process change approvals and establish auditable records. In our first blog post, we explain why Business Process Compliance is a key part of the foundation for building a successful organization. In this article, we explain how Regulatory Compliance Across Industries provides important guidance for organizations as they strive to attain their business goals. In our third and final article (posting on June 22, 2021), we explain how Auditing for Compliance is used not only to evaluate whether your company is following external regulations, but also determine whether it is following its own internal procedures and policies.
In this article, we will dive right into the deep end and explore how compliance with various regulations can influence business decision making. Once you gain a clear understanding of why compliance matters to your organization, it becomes much easier to grasp how you can help your organization meet its compliance goals.
Why is Regulatory Compliance Important?
Regulatory compliance refers to an organization’s adherence to laws, regulations, guidelines, and specifications relevant to certain business processes. Examples of regulatory compliance laws and regulations include the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC-CIP), Payment Card Industry (PCI) Security Standard, and the list goes on. Violations of regulatory compliance rules will often result in legal ramifications and federal fines.
As the number of laws has dramatically increased over the past twenty years, regulatory compliance management has become more prominent in a variety of organizations. This development has led to the creation of corporate, chief, and regulatory compliance officer and compliance manager positions in many organizations. The primary purpose of these roles is to ensure the company conforms to stringent, complex legal mandates and applicable laws.
Regulatory compliance processes and strategies provide guidance for organizations as they strive to attain their business goals, while audit reports serve to prove compliance and help companies better market themselves to customers. Being transparent about compliance processes helps clients build trust, as well as potentially improve profitability.
How Does Compliance Vary Across Industries?
Some industries are more heavily regulated than others. The financial services industry, for example, is subject to regulatory compliance mandates designed to protect the public and investors from nefarious business practices. Healthcare companies are subject to strict compliance laws because they store large amounts of sensitive and personal patient data. Energy suppliers are subject to regulations for safety and environmental protection purposes. While these are just a few examples of why compliance matters in certain industries, the sections below provide more insight into how organizations in each of these industries can meet their compliance goals.
Energy—Seamlessly Satisfy Your NERC CIP Compliance Requirements
The North American Electric Reliability Corporation (NERC) develops and enforces CIP (Critical Infrastructure Protection) Reliability Standards corresponding to the Bulk Power System (BPS). Users, owners, and operators of the BPS under NERC jurisdiction serve more than 334 million people in the US, Canada, and northern Baja California, Mexico with their electricity. The NERC Security Guideline for the Electricity Sector addresses risks that can arise during “normal” daily operations and helps companies mitigate these risks. Certain entities under NERC jurisdiction are also required to have training and awareness programs to further the mitigation process.
One of the main concerns that companies in the public utility sector have is that sensitive information could be used to damage critical facilities, disrupt operations, or harm individuals if access falls into the wrong hands. This concern turned into harsh reality on May 7, 2021, when a cyberattack on Colonial Pipeline forced the company to shut down 5,500 miles of pipeline, triggering widespread fuel shortages and panic buying throughout the Southeast. Many U.S. presidents strived to achieve energy independence which, in turn, offers us greater resilience in the global oil market. But our resilience is still a question in terms of how our systems—pipelines and electric power—operate under stress. The disruption to the Colonial Pipeline had nothing to do with turmoil in the Middle East or inadequate American energy production. Nevertheless, panic buying quickly produced gas shortages and caused prices at the pump to jump higher in a matter of a few days.
While criminal groups represent a threat to industries beyond the energy sector, energy is of particular concern because pipelines and grids are increasingly vulnerable to cyberattacks and extreme weather. When hurricanes hit, oil refineries in the Gulf of Mexico shut down which causes gasoline and diesel prices to rise along the East Coast. Normally, this is not a huge problem because companies store a lot of fuel close to where it is used, and trucks and barges can usually make up the difference. Unfortunately, the uncertainties surrounding cyberattacks make these types of risks much more complex to manage.
As the amount of sensitive data that is accessible via the Internet continues to increase, it is crucial to have processes in place to identify, classify, label, secure, and properly share sensitive information to protect utility companies and consumers alike. This is where Change Management systems have the power to provide great assistance. ChangeGear Change Manager, for example, helps align utility providers with the security guidelines for NERC CIP compliance by:
- Quickly and efficiently identifying where sensitive data exists relating to the “production, processing, storage, transmission, disposal” and permitted disclosure of information
- Profiling where the greatest risks exist based upon key factors such as the number of people with access to the data and the type of access that they have
- Classifying information under the Guideline’s suggested categories of Public, Company, and Restricted by remediating the data
While Change Management systems cannot solve every problem that criminals create, ChangeGear with Tripwire integration is able to address a particularly difficult set of requirements that even the big Data Loss Prevention (DLP) vendors fall short on fulfilling—early warning of unauthorized changes. Tripwire allows authorized requesters to submit whitelisted change elements, while unauthorized requesters and/or elements are stopped and immediately triggers a condition report to be generated. The CMDB also maintains a mapping of IT resources to business processes. Mapped information can be used by compliance analysis and reporting mechanisms to automatically correlate events to business processes. This permits tracking and reporting of the overall business process, thereby automatically linking multiple IT processes that are involved in the change.
Strict configuration management procedures and documentation are emphasized by NERC-CIP 010 to ensure that changes to system baselines are properly detected, investigated, and reported on. With real-time configuration change detection, alerting, and comprehensive reporting, ChangeGear offers you the ability to not only meet, but exceed NERC CIP-010-2 configuration change management requirements. With Tripwire integration, changes to critical files or configurations can be effectively controlled and/or prevented, thus providing the ultimate in system security.
With ChangeGear’s fully integrated Service Management module, baseline changes can be planned, thus allowing other baseline deviations to quickly be uncovered. This allows fast response to configuration changes that are unintended and potentially malicious. ChangeGear Service Manager also assures compliance with CIP-010-2 Part 1.2, which requires utilities to “authorize and document changes that deviate from the existing baseline configuration,” by giving users the ability to control exactly which changes are promoted and allow those changes to be documented directly in the solution.
Healthcare—Support HIPAA Compliance
Doctors and hospitals are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which is a group of regulations that ensure patient accounts and medical records are handled “properly.” Prior to 1996, there was no generally accepted set of security standards or general requirements for protecting patient information in the healthcare industry. As new technologies began to evolve, the healthcare industry started moving away from paper processes and began relying more on the use of electronic information systems to pay claims, answer eligibility questions, provide medical information, and perform many other functions including telemedicine as we know it today.
Hospitals and other healthcare providers must demonstrate they have taken steps to comply with patient privacy rules, such as providing adequate server security and encryption. HIPAA outlines data privacy and security mandates designed to secure patients’ medical information. The HIPAA Breach Notification Rule requires compliant organizations and their business associates to notify patients whenever a data breach occurs. In addition to healthcare providers, cloud service providers (CSPs) and other business associates of healthcare organizations must also comply with HIPAA privacy, security, and breach notification rules.
ChangeGear Service Manager gives your healthcare staff and users access to the data and services they need through fully customized self-service portals that are accessible from any device and designed with convenience, flexibility, and HIPAA-compliant security built inside. Your team can create a seamless user experience using ChangeGear’s drag-and-drop, low-code/no-code builder to create custom portals and workflows within just a few minutes. With built-in multilingual capabilities, healthcare professionals and patients feel more comfortable knowing they can communicate in over 100 different languages. Patients can address their problems and find answers on their own or engage a chatbot through a natural conversation to get a little extra help whenever they need it.
HIPAA also requires documented proof pertaining to the physical safeguards surrounding a specific workstation or a class of workstations that can access electronic protected health information. So, what happens when a nurse leaves a patient alone in an examination room? Does she always lock the computer before leaving the room? Does it auto-lock after a short period of time? Is there a workflow that tracks who accessed what files and when? ChangeGear Service Manager protects the confidentiality, integrity, and availability of data, including HIPAA-related information.
Finance—Use Asset Management to Improve SOX Compliance
The Sarbanes-Oxley Act of 2002 is a law that the U.S. Congress passed to help protect investors from fraudulent financial reporting by corporations. Also known as the “SOX Act” and the “Corporate Responsibility Act,” it mandates strict reforms to existing securities regulations and imposes stiff penalties on companies that fail to comply. SOX was created in response to the financial scandals of the early 2000s involving publicly traded companies like Enron, Tyco, WorldCom, and others. These high-profile fraud cases shook investor confidence in the trustworthiness of corporate financial statements and led many people to demand an overhaul of outdated regulatory standards.
Although CEOs and CFOs play the main role in compliance with Sarbanes-Oxley, CIOs play an equally important part in the signoff of financial statements. CIOs are not only responsible for ensuring the security and reliability of the systems that manage and report the financial data, but they are also accountable for the implementation and documentation of internal IT controls. Consequently, IT departments need to be run just like any other business. Sarbanes-Oxley has created a level of transparency to the IT organization that used to be hidden by balance sheets and profit and loss statements.
Section 404 of the Sarbanes-Oxley Act requires that the flow of money be documented and readily available to demonstrate which expenditures are related to IT investments and operational costs. This means that IT needs to report on costs associated with its projects, resources, and capital expenditures. As spending increases, IT becomes a greater area of focus for investors. When a change request is accepted, it may be difficult to identify whether the Configuration Item (CI) is in scope for Sarbanes-Oxley requirements or not. If the organization has a CMDB and every CI has an attribute field that flags whether the CI is in scope for Sarbanes-Oxley, then the change process can be streamlined. You can have different workflows for CIs related to regulations like Sarbanes-Oxley that have more stringent change process requirements.
To minimize the risk of non-compliance, corporate executives must collaborate to ensure that all departments understand the compliance requirements and are adequately prepared to handle audits. Asset Management software can help reduce the risk of non-compliance. By deploying some IT Asset Management (ITAM) best practices, you can eliminate at least a few of the red flags that auditors typically look for. A robust ITAM system like ChangeGear Asset Manager focuses on effectively purchasing, deploying, managing, optimizing, and retiring software assets and resources. ChangeGear also helps with the administration, governance, and reconciliation of IT resources used throughout an organization.
Process Compliance is Everyone’s Responsibility
Regardless of the industry, the compliance team is responsible for ensuring that your company’s processes and procedures are designed to comply with internal policies, applicable laws, and regulations—and to ensure that those processes and procedures are followed. Unfortunately, there is always someone who opposes process improvements, predicts failure, or simply does not understand how they (and the company) can benefit from following new or existing processes. For these people, processes are often seen as obstacles to getting their work done or a smokescreen for hiding operational problems or weaknesses. The perception that processes are obstacles or smokescreens is almost always unfounded, but many business leaders fail to measure and convey the effectiveness of their processes and the results they have achieved.