Compliance Management

First things first: compliance is not security.

If you want to ensure the confidentiality, integrity, and availability of your information systems and your organization’s data, you need to focus on security. That said, organizations like the Payment Card Industry Security Standards Council and the Office for Civil Rights have implemented regulations like PCI and HIPAA because many organizations aren’t aware of the steps they need to take in order to be secure. Compliance with these standards is a great foundation to your security program.

Failure to comply with relevant regulations can be costly to both your business and to your customers, and the challenge faced by many SMB owners is how to attain compliance while still focusing on growing their business. If you have any intention of keeping compliance costs under control, the first step you should take is to identify all relevant compliance requirements.

Here are a few questions to help you with this task:

If you answered yes to only one of these questions, then compliance is a pretty straightforward process. Your next step is to identify controls for all relevant compliance requirements.  Make (or download) a list of requirements and document how you could answer “yes” to how you comply with each requirement. Each “no” in your list equals a control gap that you’ll need to address. You answers need to be clear enough to explain to someone outside of your organization (customers, auditors, business partners, etc.).

If you answered yes to two or more questions, that’s when things start to get messy. You’ll end up with multiple lists of requirements, many of which could be addressed by a single control. (Antivirus is antivirus, regardless of how the requirement is worded.) Wherever possible, you’ll want to map each control to multiple regulations. This compliance mapping process can be tricky, but the time you invest at the beginning of the process can significantly reduce the time (and money) you need to invest in your controls.

Once you understand the controls you need to have in place, the next step is to document your Data Protection and Privacy Policy. This is the policy that outlines the basic data security requirements that you expect all employees to understand and adhere to (protection at rest, protection in motion, etc.). Ultimately, this policy will become a critical reference point for any internal information security budgeting discussions.

With your requirements and controls documented and your policy in place, it’s a good idea to implement a logon banner on all systems. This is that popup window that is presented to users each time they login, clarifying that the system is for authorized (acceptable) use only and reminding users that all activities performed on the system are subject to monitoring.

Meeting compliance requirements is one thing, but remember: you need to sustain compliance on a go-forward basis. Allocating sufficient resources in your annual budget is only part of the equation. Staffing your security and compliance positions is another. The best way to make sure that you’re meeting your goals is to conduct audits on a regular basis to validate compliance.

Diving into compliance initiatives can be overwhelming. If you’re unsure of exactly what steps you need to take, you should work with an organization that understands your business and your compliance requirements in order to help you address your security and compliance requirements. Taking your time and doing it right the first time will help both your customers and your budget.

To recap, every business owner should do the following:

  • Identify all compliance requirements
  • Identify controls for all relevant compliance requirements
  • Document a Data Protection and Privacy Policy
  • Implement logon banners on all systems
  • Conduct audits on a regular basis to validate compliance

Need more information on information security basics for small and medium-sized businesses? Head on over to Infosec Simplified.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s