Compliance Is Made Easier With Certain Steps

Automation can help ensure continuous compliance.

In many ways, states and municipalities have a harder job securing their data than private companies or even federal agencies. That’s because they often have to manage and protect increasingly varied types of data, stored in increasingly disparate locations. State and local agencies must also determine which regulations they need to meet for specific data sets at the federal, state, local, commercial, and even global level. This daunting task is often made more challenging by insufficient human and financial resources. According to a letter to the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB), states are finding the amount of human resources needed to remain compliant is unacceptably high. The letter, sent in August 2017 by the National Governors Association and NASCIO, cites several examples. Complying with HIPAA requirements, for example, takes at least six full-time employees working more than 800 hours.

The time required to ensure compliance is just one aspect of the problem. Others include determining which regulations are applicable and finding efficient ways to ensure compliance. However, there are several steps agencies can take to ease the burden of compliance. One of the most important is to identify one high-level decision-maker within the organization to take charge of compliance matters. It can be a Chief Privacy Officer, Chief Compliance Officer, or Chief (Information) Security Officer. This executive’s job is to determine which regulations are applicable and ensure they are being met. Another way to make sense of everything is to take the time to fully understand two important NIST publications. NIST 800-53 is a comprehensive set of security best practices and the basis for many other security standards, such as FISMA. NIST 800-171 focuses on how non-federal organizations handling federal data must protect unclassified information.

HyTrust was founded by veterans in enterprise infrastructure and security who recognized early on not only that virtualization and the cloud were going to dramatically transform the data center, but also that security would be a critical inhibitor to cloud adoption.