What does ‘compliance’ mean in terms of cybersecurity?
Much like the everyday definition, compliance means conforming by fulfilling requirements. In cybersecurity, compliance means fulfilling the specific requirements set out by a governing body: a government agency, an industry committee, or a regulatory board publishes a list of requirements (collectively referred to as a standard) that defines a minimum baseline of security controls. For example, a requirement might state that organizations MUST enforce password restrictions (minimum length, limits on reuse or repeated characters, complexity, and so on). Note the word baseline: a standard describes the least an organization must do, not everything it should do.
What is a Compliance Officer?
A Compliance Officer (or Compliance Manager) is responsible for tracking every compliance standard that applies to an organization and ensuring that the organization complies with all of them. An organization that falls under several standards does not get to pick one; it must comply with each of them. For example, Canadian Blood Services stores personal information (age, blood type, address, etc.) for each donor. Because this is personal health information handled by a private-sector organization, it must follow PIPEDA (the Personal Information Protection and Electronic Documents Act), Canada's federal private-sector privacy law. If Canadian Blood Services also handled health data on behalf of a U.S. covered entity, such as a U.S. health plan or provider, HIPAA (the Health Insurance Portability and Accountability Act) obligations would apply as well; note that HIPAA attaches to the role of the organization handling the data, not to the nationality of the donor. On top of those two standards, they also accept credit/debit card payments for donations, which means that they must follow PCI DSS (the Payment Card Industry Data Security Standard). Given the extensive requirements of each standard, the Compliance Officer has their work cut out for them.
What are some compliance standards?
Here are some examples to name a few:
HIPAA - The Health Insurance Portability and Accountability Act of 1996 is United States legislation whose Privacy and Security Rules set requirements for safeguarding protected health information (PHI). It applies to covered entities (health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically) and to the business associates that handle PHI on their behalf.
PIPEDA - The Personal Information Protection and Electronic Documents Act is Canada's federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must collect, use, disclose, and protect personal information in the course of commercial activity.
PCI DSS - The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council, is an information security standard for organizations that store, process, or transmit cardholder data for the major card brands. It is a contractual requirement imposed through the card brands and acquiring banks rather than a law.
OSFI - The Office of the Superintendent of Financial Institutions is an independent agency of the Government of Canada reporting to the Minister of Finance, created "to contribute to public confidence in the Canadian financial system". OSFI is a regulator rather than a standard in itself; the guidelines it publishes set the technology and cyber-risk expectations that federally regulated financial institutions must meet.
CSA CCM - The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
GDPR - The EU General Data Protection Regulation was designed to harmonize data protection law across the EU, to protect and empower the data privacy of individuals in the EU (regardless of citizenship), and to reshape the way organizations approach data privacy. It also applies to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
How can I manage compliance without a Compliance Officer?
This is a great question. Not every organization has a Compliance Officer or Manager, whether because of its size or its budget, but such organizations still have options for managing compliance. Operations and Compliance Management (OCM) software can be one of your biggest assets. Compliance standards are complex: with as few as 20 requirements or as many as 450, each standard requires strict coordination across the entire organization, as well as diligent monitoring so that assessment dates and evidence deadlines are not missed. Auditors look for consistent, enterprise-wide implementation of every requirement, or, where a requirement is not yet implemented, supporting evidence that demonstrates the organization's effort to meet it. Uzado's compliance manager organizes this process, collects the necessary evidence, and shows your progress toward compliance. You will know when you are out of compliance long before the auditors do, which keeps you ahead of the game, with the added benefit of uninterrupted business.
We can't talk about compliance without talking about operations. Operations plays a fundamental role in IT management that is often overlooked: day-to-day operations determine the level of risk the organization assumes, as well as its level of compliance. Uzado aims to systemize and document each step of operations in order to simplify IT operations as a whole. Our tools walk each user through a process from start to finish, ensuring repeatability and reliability across all users. We understand the need for efficient processes, which is where our Insights can help. For example, if your firewall is causing a bottleneck for incoming and outgoing traffic, our consultants and our Insights can help reduce the bottleneck and improve efficiency while maintaining a secure network.
If my organization implements OCM software, are we automatically secure?
Another great question. The answer is 'NO'. A compliance standard is a minimum baseline, and an audit is a point-in-time check against that baseline: an organization can pass every requirement on the list and still be breached through something the standard never asked about, because attackers are not bound by the scope of the standard. Standards also change, even if only slightly, so auditors might deem your organization compliant one day but not the next. Security is an ongoing process, and it is important to manage it as part of a daily routine rather than as a once-a-year audit exercise. At the end of the day, recovering from a data breach goes beyond the financial burden: it can also ruin reputations and customers' faith in the brand.
For more information on compliance, check out our Whitepaper, Compliance DOES NOT Equal Security, below: