Should your IT staff "speak" HIPAA, PCI, SOC, ITAR, EAR, GDPR and the other standards and regulations that may apply to your industry?

Yes, it should. It should be familiar with the US regulations applying to the healthcare and military industries and to companies doing business internationally.

It should also know how to comply with the laws and standards regulating the transmission and storage of tax, payment, and other personal information.

Your CIO should adapt IT processes to regulatory requirements and ensure that the systems you use or select facilitate and enable adherence and reporting.

He should turn this know-how into simple and articulate instructions or training sessions that your staff can understand, apply and remember (using pre-existing material whenever possible).

While some administrative rules are technical in nature (paperwork, data retention, traceability), others are principles that regulations insist must be followed in a manner commensurate with the size and means of the business.

With 20+ years of experience in a broad range of industries, we do IT compliance efficaciously and cost-effectively.