Tasks related to gathering, analysis and storage of data are central to the business of many organizations. Governmental regulations related to the security and privacy of such data are promulgated in order to cause organizations to demonstrate "due care" in providing appropriate information technology controls that assure the security and privacy of information assets and protect those assets from damage or misuse. Such regulations, however, are typically vague with regard to implementation details, which are left to policy-making individuals within the affected organizations.
In order to provide guidance to organizations within particular industries, industry groups may provide best practices frameworks. Typical best practices frameworks provide accepted standards of practice for complying with governmental regulations. Thus, compliance with a best practices framework can be evidence of due care taken by an organization within the associated industry in complying with a regulation. Examples of such best practices frameworks include ISO 17799 associated with the Health Insurance Portability and Accountability Act (HIPAA) and Control Objectives for Information and Related Technology (COBIT) associated with the Sarbanes-Oxley Act. Best practices frameworks typically provide accepted codes of practice, measures, indicators and processes for the related industry and the related regulations.
Business entities within an industry formulate policies to comply with the various regulations and best practices frameworks affecting that industry. But determining whether a company's policies comply with all related regulations and best practices often requires a complex audit. Such an audit involves a review of all policies in light of each regulation and best practices framework. Such audits can require significant time and resources of a business entity in order to determine compliance, and they need to be periodically repeated to ensure continued compliance and compliance with new regulations. Finally, given the targeted nature of regulations and best practices for different areas of concern, there is a high likelihood of duplicated effort in formulating and abiding by policies associated with each individual set of regulations or best practices frameworks.
What is therefore desirable is a mechanism for simplifying the association of corporate policies with the regulations and best practices frameworks they address. It is further desirable that such a mechanism permit determination of the coverage of regulations and best practices by particular policies during the implementation phase of the policies, rather than during an audit phase. It is also desirable to have a mechanism that reduces duplication of effort in formulating and implementing policies by permitting a single policy to be associated with multiple regulations or best practices.