This week the GRC Roll-Up tackles IT security compliance, both the mistakes to avoid and the rewards it can reap. There's also some HIPAA thrown in for good measure.

Mistakes of IT Security Compliance

Anyone who works within the realm of IT GRC knows that ambiguities abound. Most regulatory requirements can be approached with a bias and may allow for multiple interpretations. Qualys, a provider of on-demand IT security risk and compliance management solutions, recently published a guide, Avoiding 7 Common Mistakes of IT Security Compliance, which lays out the seven typical mistakes of IT security compliance and the ways organizations can learn to achieve their compliance goals.

What is on the list isn't necessarily surprising or shocking, but it does reiterate the points that all organizations already know they shouldn't do. The seven mistakes outlined include:

  1. Decentralized Policy Management
  2. Failure to Define Compliance
  3. Tactical Instead of Strategic Response
  4. No Pre-implementation Testing
  5. Treating the Audit as a Nuisance
  6. Lack of Team Buy-in
  7. Ignoring Hidden Costs of the Solution

While Qualys explains why each of these is a mistake, most of us already know. Taken individually, however, companies may think that it's okay to sacrifice an audit here or cut costs there, but taken together, these seven mistakes can amount to a heap of trouble.

Rewards of IT Security Compliance

If you can avoid the mistakes outlined above, IT GRC can reap its rewards. A new study suggests that companies that have been working to achieve top performance in enterprise risk management (ERM) and information technology governance, risk management and compliance (IT GRC) have reduced associated operating costs by 6.4%. IT Security: Balancing Enterprise Risk and Reward, published by Aberdeen Group, describes how Best-in-Class companies manage their IT security investments to balance enterprise risk and reward, and found that the top performers:

  • eliminated 10% of redundant risk management processes and activities
  • increased the resources available to work on the organization's strategic, "rewarded risk" initiatives

The total savings add up to the cost of a half-day of additional productivity per week for every associated full-time equivalent resource. Yet the process for managing risk is still not perfect -- a majority of all risk management initiatives remain intensely manual, even though top performers were four times more likely than all others to have invested in centralized, automated systems for GRC.

Ultimately, the study confirms what we already know -- ERM and IT GRC frameworks and technologies are invaluable tools that can help businesses manage risk and remain compliant.

2010 Compliance Conference Tackles Healthcare Billing and Management

Recently we covered HIPAA/RMS, a new web-based 24/7 compliance platform built to meet HIPAA and HITECH Act compliance specifications and safeguard an organization's policies and procedures. Compliance with these policies is not only required, but can also help businesses oversee their operations efficiently and ethically.

To help companies better understand the impact of policy and the tools available to help meet compliance, the Healthcare Billing & Management Association (HBMA) is hosting the 2010 Compliance Conference. Scheduled for March 9-11 in Alexandria, VA, HBMA's Compliance Conference aims to help participants gain a deeper understanding of the many issues relating to compliance within the healthcare billing industry.

Participants can expect many lively discussions about critical compliance areas, such as:

  • HIPAA, HITECH and other federal regulations
  • Billing company policies and procedures
  • Effective monitoring and auditing
  • Coding education and training
  • Risk assessments
  • Billing contracts and negotiation

To learn more or register for the HBMA 2010 Compliance Conference, visit HBMA’s event page.