We're Hiring!
Take the next step in your career and work on diverse technology projects with cross-functional teams.
LEARN MORE
Mountain West Farm Bureau Insurance
office workers empowered by business technology solutions
BLOG
9
6
2017

Maintaining Compliance is an Ongoing Process

Last updated:
9.16.2020
No items found.
customer support icon
A Lunavian

Your trusted adviser for enterprise IT services: hybrid IT, cloud, digital transformation, data center, & consulting.

periodic compliance review

You did it — you passed your PCI (or SOX, HIPAA, GLB, etc) audit! But the work isn’t over. A recent Verizon study found that most companies fall out of PCI compliance after just nine months. And it doesn’t stop with PCI, either. Many companies work hard around audit time to ensure they can report compliance for the audit period and advertise their security, only to falter once the audit is complete.

For PCI, that also means being able to continue doing business with credit card companies. For other standards like HIPAA and SOX, it means avoiding hefty fines and legal consequences.

Unfortunately, simply checking the compliance boxes doesn’t mean you’re safe for the foreseeable future. You need to maintain compliance at all times throughout the year, not just when the auditors are knocking on your door.
 

Keeping Abreast of Changes

Falling into non-compliance happens not only because of lax controls or staff, but from the ever-shifting nature of the IT world. New business initiatives require new IT systems and applications, and all of them must adhere to compliance standards. Emerging risks come from the associated new processes these systems require as well as multiplying cyberthreats.

Meanwhile, you don’t want to stagnate because of unyielding observance to compliance controls. If you want to remain on the cutting edge, you must adapt your compliance as your IT infrastructure changes. That requires a process for your process, so to speak: clearly defined methods to adjust compliance controls as needed, complete with updated documentation for ease of auditing.

Keep an eye on compliance mandate changes and new legislation however you can: subscribe to compliance newsletters, bookmark government websites, and Google search for the latest news.  For example, the HITECH Act and the HIPAA Omnibus Rule both affected how healthcare companies and their business associates handle health data, and how they treated it under previous HIPAA standards specifically.

When you discover a new regulatory standard that applies to your organization, you should: 

  1. examine your controls and infrastructure for risks and gaps via risk assessment
  2. use that information to inform executives about what IT components are impacted
  3. determine what business processes are affected and what requirements the organization has for daily operation to continue smoothly
  4. update compliance controls accordingly, with new technical and business processes
  5. roll out the changes to the organization as a whole, with clear communication and training

Just like any other IT update, changes to controls and compliance measures that involve your applications or other pieces of your IT stack should go through a testing and review period before rolling out into the production environment. Be sure that changes do not come in the middle of a heavy workload or audit to maximize the effectiveness of new controls and minimize the impact on business operations.

Keep Documentation Updated At All Times

Your compliance officer and IT staff should regularly check and update compliance documentation, including a complete list of all security controls at the physical and digital levels.

Each compliance standard you must meet should be broken down in a point-by-point format for ease of examination. This may end up a lengthy document, but it will make future updates much easier, while also leading to a smoother audit process. Each step should describe the requirement as stated in the compliance standard, with a description of the corresponding control from your organization next to it, and a date of the most recent validation of that control.
 

Regularly Review Compliance Measures

Use the documents above to check your controls at least quarterly. This should be scheduled alongside other cyclical IT practices like patch/update monitoring, penetration testing, stress testing, or any other regularly performed duties. Ideally, the review process should be performed by someone outside than your lead compliance officer or team. The review process is a great time to check for updated compliance requirements.

Some compliance standards, including HIPAA and PCI, actually mandate a formal risk assessment as part of compliance. This documentation should be readily reachable. You likely will also need to create and maintain a information security plan, with specific items within the document dependent on the compliance standard at hand. You may be able to re-use many portions of these two documents if you have multiple compliance standards, but be sure to carefully check each required security element against the specific standard to avoid missing anything.
 

Be Sure to Involve Your Entire Staff

PCI specifically requires a policy that addresses information security for all personnel. While some other standards may not call out departments in your organization outside finance, HR, or IT, you should still train your entire staff and maintain IT security across the organization. At Green House Data, we require all staff members to complete a basic HIPAA training at least annually so they preserve strong information security practices.

 

It takes some serious effort to stay abreast of compliance standards. If you have the resources, it is well worth dedicating an individual or team to compliance and security. If you don't, a partner can help secure your IT systems and prepare you for compliance certifications.

Recent Blog Posts

lunavi logo alternate white and yellow
BLOG
3.13.2025
3
.
12
.
2025
Unlocking the Power of Azure Managed Services with Lunavi

Cloud computing has become the backbone of modern business, offering agility, scalability, and cost efficiency. But managing cloud environments while keeping costs under control and security airtight? That’s a challenge. Azure Managed Services streamline cloud operations, helping businesses optimize spending, enhance security, and future-proof applications. Lunavi provides the expertise and tools to make it happen—so you can focus on growth instead of IT headaches.

Learn more
lunavi logo alternate white and yellow
BLOG
2.11.2025
2
.
7
.
2025
The Future of Test Automation: Key Trends Shaping 2025 and Beyond

Software testing has gone from a chore to a game-changer, thanks to automation. But in 2025, sticking to old methods means falling behind. Stay ahead by embracing the future of test automation—let’s explore the key trends shaping what’s next.

Learn more
lunavi logo alternate white and yellow
BLOG
2.11.2025
1
.
23
.
2025
The Importance of Cross Browser Testing

Making sure users have a smooth experience across all these platforms is crucial for businesses to stay competitive. Cross-browser testing is now a key part of modern development. It helps teams find and fix problems like layout issues, broken features, or slow performance before users are affected. Let’s look at why cross-browser testing matters and explore tools that make it easier to get the job done.

Learn more

How Can We Help You Navigate What's Next?

Let's work together to deliver the services, applications, and solutions that take your organization to the next level.

Get Started
Services
Company
Contact
© 2024 Lunavi, Inc. All Rights Reserved.
Privacy Policy | Acceptable Use