The workshop preparation for this session includes a checklist of more than 40 laws and regulations, and over 30 trade association and industry sector voluntary compliance standards and guidelines. Commonalities across them include:
- Risk assessment
- Assigned responsibility
- Awareness program
- Incident reporting
- Audit/third-party validation
- Written guidelines and procedures
Security practitioners can look forward to increasing compliance requirements, as well as audits and enforcement actions.
The first audit failure and fine for a Sarbanes-Oxley compliance physical security failure occurred in 2004—for a corporation that had just spent several million dollars to implement a compliance program.
In March of 2007 the U.S. Department of Health and Human Services initiated its first audit of HIPAA compliance. The scope of the audit—at Atlanta's Piedmont Hospital—included the hospital's policies and procedures on 24 security-related issues, including physical and logical access to systems and data, violations of security rules by employees, and logging and recording of system activities. The handling of new hires and terminated workers was also examined.
Given the multitude of compliance requirements, a one-at-a-time approach to compliance means redoing your security program over and over again. This session explains how to develop a compliance program that incorporates multiple laws, regulations and requirements and takes a standards-based compliance approach that is based upon best practices and is aligned with the priorities of the business.
This session builds on the following workshop preparation materials:
- Worksheet: Organizational Compliance
- Leadership Material: Laws, Regulations and Voluntary Compliance Checklist
Session Leader: Bob Hayes, CSO - CXO Media/IDG, Executive Director - Security Executive Council