The spring issue of Hospitality Upgrade proves that regulatory compliance is not just about Sarbanes-Oxley (SOX), Visa CISP or CA 1386.  It is a combination of them all. Almost every organization today � and not just within the hospitality world � falls under multiple regulatory realms.  It is not enough just to have a SOX plan or a Visa CISP plan.

Most of us are realizing that we are moving past the initial regulatory-scramble and have to cre-ate a regulatory posture for the organization. In other words compliance isn�t like Y2K � there isn�t a magical date when it will all go away and we can resume our normal lives. It�s here to stay, and if we are going to become truly compliant within the industry, we are going to have to move past looking at each regulation and standard and move into a compliance mode wherein we adopt an over-arching compliance framework that guides our efforts.

There are both strategic and tactical benefits to guiding our organizations toward a compliance posture on the part of IT leadership and day-to-day management. At the strategic level, stronger oversight of compliance efforts, more consistent measurement and reporting (leading to better long-term insight into the business� objectives), and reduction of redundant and inconsistent development lead the IT benefits.

At a management level, the approach focuses attention on IT oversight and spurs the inclusion of IT managers in higher level organizational planning. At the corporate level, centralized and standardized compliance can leverage resources and processes across multiple initiatives. IT is then able to cut implementation costs and timelines; otherwise unfunded operational efficiencies can be bundled into compliance efforts, freeing up needed (and scant) resources for new business development.

And yes, there are the dollars-saved to be measured. My own research at Network Frontiers, through joint projects with Symantec, have lead us to conclude that some organizations adopting an over-arching compliance posture can cut compliance costs by a 3-to-1 margin, while a recent report by Gartner Inc. anticipates that companies adopting a compliance management posture will spend up to 50 percent less on compliance by 2006 than companies without one. The reason is simple: there is only so much to protect, and all of the regulations and standards have the same goals of ensuring accountability through assuring confidentiality, integrity and availability.

�When it really gets down to it,� said Dr. Stuart Broderick, director of global services development at Symantec, �everything within the world of compliance can be broken down into protecting the input, the process and the output (or data) within the realm of technology.� SOX is about assuring internal controls (input, process and output) for financial reporting, among other things. CA 1386 is about assuring information integrity (input and output) of personal information. And Visa CISP is about protecting the entire transaction from input through process through output.

The Framework Can Make All the Difference

The biggest problems with the regulations per se, is that while they have IT operational implications, they don�t provide for specific IT solutions. Visa CISP�s guidelines are the closest to describing the problem and prescribing the solutions, but even those guidelines are broad and shallow. 

But that doesn�t mean that IT managers have to wonder where to turn for guidance. An abundance of compliance frameworks and specific control objectives are already in place to provide guidance for compliance directions. See the sidebar (pg. 134) for some examples.

Moving Toward a Unified Approach

Many organizations are using a combination of frameworks, such as marrying COSO, ISO 17799 and CobiT together with internally developed best practices. This clearly seems to be the trend for organizations across the board. Likewise, auditing tools like Systems Continuity Plan Pro from Palo Alto Software (http://www.scplans.com) have integrated multiple frameworks and regulations into their audit platform. This provides what Jake Weatherly, Continuity Plan Pro�s product manager at Palo Alto Software, calls a unified approach to regulatory compliance. Weatherly said, �Most companies that use SCPP are already under multiple regulations, so we made sure we asked audit questions that were unified across the board, and referenced regulatory frameworks such as COSO, CobiT, ISF, FFIEC and OECD so that every organization can feel comfortable that they are covered.�

Is Palo Alto headed in the right direction? Liebert Power and Symantec think so � both companies have licensed Continuity Plan Pro as a vehicle for their representatives and consultants to ensure their respective clients� best practices for business continuity and compliance.
 

Editor's note: View this article in PDF