First things first: compliance is not security.
If you want to ensure the confidentiality, integrity, and availability of your information systems and your organization’s data, you need to focus on security. That said, organizations like the Payment Card Industry Security Standards Council and the Office for Civil Rights have implemented regulations like PCI and HIPAA because many organizations aren’t aware of the steps they need to take in order to be secure. Compliance with these standards is a great foundation to your security program.
Failure to comply with relevant regulations can be costly to both your business and to your customers, and the challenge faced by many SMB owners is how to attain compliance while still focusing on growing their business. If you have any intention of keeping compliance costs under control, the first step you should take is to identify all relevant compliance requirements.
Here are a few questions to help you with this task:
- Does your organization process or store customer credit card data? Then you need to comply with PCI.
- Does your organization process or store electronically protected health information (EPHI)? Then you need to comply with HIPAA.
- Is your organization publicly traded? Then you need to comply with the Sarbanes-Oxley Act (SOX).
- Is your organization a financial institution? Then you need to comply with the Gramm-Leach-Bliley Act (GLBA).
- Is your organization a college or university? Then you need to comply with the Federal Educational Rights and Privacy Act (FERPA).
- Does your organization collection information from children under the age of thirteen? Then you need to comply with the Children’s Online Privacy Protection Act (COPPA).
If you answered yes to only one of these questions, then compliance is a pretty straightforward process. Your next step is to identify controls for all relevant compliance requirements. Make (or download) a list of requirements and document how you could answer “yes” to how you comply with each requirement. Each “no” in your list equals a control gap that you’ll need to address. You answers need to be clear enough to explain to someone outside of your organization (customers, auditors, business partners, etc.).
If you answered yes to two or more questions, that’s when things start to get messy. You’ll end up with multiple lists of requirements, many of which could be addressed by a single control. (Antivirus is antivirus, regardless of how the requirement is worded.) Wherever possible, you’ll want to map each control to multiple regulations. This compliance mapping process can be tricky, but the time you invest at the beginning of the process can significantly reduce the time (and money) you need to invest in your controls.
With your requirements and controls documented and your policy in place, it’s a good idea to implement a logon banner on all systems. This is that popup window that is presented to users each time they login, clarifying that the system is for authorized (acceptable) use only and reminding users that all activities performed on the system are subject to monitoring.
Meeting compliance requirements is one thing, but remember: you need to sustain compliance on a go-forward basis. Allocating sufficient resources in your annual budget is only part of the equation. Staffing your security and compliance positions is another. The best way to make sure that you’re meeting your goals is to conduct audits on a regular basis to validate compliance.
Diving into compliance initiatives can be overwhelming. If you’re unsure of exactly what steps you need to take, you should work with an organization that understands your business and your compliance requirements in order to help you address your security and compliance requirements. Taking your time and doing it right the first time will help both your customers and your budget.
To recap, every business owner should do the following:
- Identify all compliance requirements
- Identify controls for all relevant compliance requirements
- Implement logon banners on all systems
- Conduct audits on a regular basis to validate compliance
Need more information on information security basics for small and medium-sized businesses? Head on over to Infosec Simplified.