Compliance: it’s complicated, expensive… and absolutely critical.
The practice of compliance refers to adhering to the laws, policies and regulations that apply to how a business collects, shares and secures data. Set by government agencies or industry organizations, they don’t always have the force of law, but failure to comply can lead to legal liability.
And while companies have been complaining of “compliance fatigue” for years now, requirements seem to keep growing — notably the European Union’s General Data Protection Regulation, or GDPR, which took effect last May, and the impending CCPA, or California Consumer Privacy Act, which goes into effect in January 2020.
It’s not really surprising, then, that organizations struggle. Strides have been uneven — and of course, compliance is not security; following the rules is hardly a guarantee of security, as the constant drumbeat of breach news makes clear.
While debates about compliance fatigue and compliance versus security rage on, here are five concrete steps you can take now to keep up and stay compliant.
Plan for proper scoping
Taking the time to understand what electronic information needs to be protected and where it’s stored, transmitted or processed is crucial, but perhaps even more important is determining whether there is a need to store or transmit the information in the first place. Not transmitting, storing, or processing sensitive data can reduce compliance scope.
If that’s not an option, put limits around how data is transmitted, stored or processed, where it can be kept, for how long and who can access it — then document those limits into policy.
Treat non-compliance as a risk
How much could it cost your organization to be deemed non-compliant — or worse, suffer a breach due to non-compliance? Building a budget should take into consideration the people, processes and technology along with the scope of the environment. Watch for scope creep. Many companies transfer risks and compliance functions such as physical, network, and host security to managed security service providers, or MSSPs.
Transferring risk in this way, known as a shared responsibility model, can help maximize compliance spend on tasks better achieved at scale. Using MSSPs to fund compliance from operating budgets, as opposed to purchasing capital expenditures and hiring a team of full-time personnel, offers additional benefits.
Create an encryption strategy
“Encrypt sensitive data.” It’s a simple statement. Logical, direct, and makes sense. But from a compliance perspective, many things can go wrong with encryption. That’s why it’s important to have a strategy around encryption of sensitive data, with scenarios that include data transmission, data at rest and data in use (and don’t forget backups!).
Each scenario will likely have multiple options, each with its own security and compliance considerations. These include (but aren’t limited to): key management procedures, ciphers, key strength, encryption algorithms, protocols, FIPS 140-2 levels and more.
Embrace continuous compliance
As is painfully clear with each new compliance regulation, compliance today does not mean compliance tomorrow. Keeping up is an active effort that requires continuous monitoring and review. Identifying and prioritizing risk through regular assessments is a critical function to support compliance efforts. This could be in the form of vulnerability scanning, configuration monitoring, risk assessments and penetration testing. Compliance should be continuously evaluated to ensure that controls are in place and are effective, not just on the day of the audit.
Prioritize the creation of a security culture
Building a security culture requires everyone to understand that security is everyone’s responsibility. Providing an engaging security awareness program is an absolute must. Raise the awareness of your employees with relevant, appropriate training and education about their role in keeping the organization secure, from upper management to highly technical staff. This needs to be done more often than once a year. With the ever-diminishing perimeter, a security culture must extend beyond an organization’s four walls. Security awareness should extend to wherever your employees work as well as into their personal online habits.
These five tips won’t solve all your compliance challenges, but they’re a great place to start. And if you’re looking for a strategic partner to understand where your business stands against specific compliance standards, including NIST (DFARS), NIST (FISMA), FedRAMP, HIPAA/HITECH, ISO, PCI, SOC2 and more, consider Rackspace.