This article is part twelve in a twelve-part series on information security fundamentals for small and medium-sized businesses.
First things first: compliance is not security.
If you want to ensure the confidentiality, integrity, and availability of your information systems and your organization’s data, you need to focus on security.
That said, organizations like the Payment Card Industry Security Standards Council and the Office for Civil Rights have implemented regulations like PCI and HIPAA because many organizations aren’t aware of the steps they need to take to be secure. Compliance with these standards is a great foundation to your security program.
Failure to comply with relevant regulations can be costly to both your business and your customers, and the challenge faced by many SMB owners is how to attain compliance while focusing on growing their business. If you have any intention of keeping compliance costs under control, the first step you should take is to identify all relevant compliance requirements.
Here are a few questions to help you with this task:
- • Does your organization process or store customer credit card data? Then you need to comply with PCI.
- • Does your organization process or store electronically protected health information? Then you need to comply with HIPAA.
- • Is your organization publically traded? Then you need to comply with the Sarbanes-Oxley Act (SOX).
- • Is your organization a financial institution? Then you need to comply with the Gramm-Leach-Bliley Act (GLBA).
- • Is your organization a college or university? Then you need to comply with the Federal Educational Rights and Privacy Act (FERPA).
- • Does your organization collection information from children under the age of thirteen? Then you need to comply with the Children’s Online Privacy Protection Act (COPPA).
If you answered “yes” to only one of these questions, then compliance is a pretty straightforward process. Your next step is to identify controls for all relevant compliance requirements.
Make (or download) a list of requirements and document how you could answer “yes” to how you comply with each requirement. Each “no” on your list equals a control gap that you’ll need to address. You answers need to be clear enough to explain to someone outside your organization (customers, auditors, business partners, etc.).
If you answered “yes” to two or more questions, that’s when things start to get messy. You’ll end up with multiple lists of requirements, many of which could be addressed by a single control. (Antivirus is antivirus, regardless of how the requirement is worded.)
Wherever possible, you’ll want to map each control to multiple regulations. This compliance mapping process can be tricky, but the time you invest at the beginning of the process can significantly reduce the time (and money) you need to invest in your controls.
Once you understand the controls you need to have in place, the next step is to document your Data Protection and Privacy Policy. This is the policy that outlines the basic data security requirements that you expect all employees to understand and adhere to (protection at rest, protection in motion, etc.). Ultimately, this policy will become a critical reference point for any internal information security budgeting discussions.
With your requirements and controls documented and your policy in place, it’s a good idea to implement a logon banner on all systems. This is that popup window that is presented to users each time they login, clarifying that the system is for authorized (acceptable) use only and reminding users that all activities performed on the system are subject to monitoring.
Meeting compliance requirements is one thing, but remember: you need to sustain compliance on a go-forward basis. Allocating sufficient resources in your annual budget is only part of the equation. Staffing your security and compliance positions is another. The best way to make sure that you’re meeting your goals is to conduct audits on a regular basis to validate compliance.
Diving into compliance initiatives can be overwhelming. If you’re unsure of exactly what steps you need to take, you should work with an organization that understands your business and your compliance requirements to help you address your security and compliance requirements. Taking your time and doing it right the first time will help both your customers and your budget.
To recap, every business owner should do the following:
- • Identify all compliance requirements
- • Identify controls for all relevant compliance requirements
- • Document a Data Protection and Privacy Policy
- • Implement logon banners on all systems
- • Conduct audits on a regular basis to validate compliance
