There are many news stories about breaches at major companies. Compounded with the stories about major fines (think Facebook), it's important to go back and examine the fundamentals of compliance. Compliance standards are the basic steps organizations are required to follow to be deemed "secure" by auditors; however, don't fall into the trap of thinking that being compliant means you're secure - it doesn't. Follow the steps below to improve your operations and compliance practices.
Separating Fact from Fiction
The biggest problem surrounding compliance is often the misconceptions attached to the idea. Many people mistakenly assume that they can simply go through a checklist, implement a few changes, and become compliant. Once they’ve hit the bottom of the checklist, their job is done: The business is both compliant and secure.
This approach couldn’t be further from the truth. Although it’s very tempting to think that the checklist encompasses all that ever needs to be done, the fact is that getting an auditor to sign off on your certificate does not mean your business is secure. In many cases, it may not even mean the organization is compliant: the auditor might simply be giving your firm credit for its efforts toward compliance. Clearly, you can’t assume that your job is done just because you receive a pass.
The Unending Circle
The first step to undoing the damage of these misconceptions is to put the idea that compliance is ever “finished” to bed. Unlike some tasks, there really is no endpoint, as being compliant is an ongoing process. It does not stop once you’ve received certification from an auditor. It doesn’t end when you’ve implemented all the recommendations in a standard, or checked off all the required items in a new piece of legislation.
But what more can you do? The answer should be obvious. Compliance is never truly complete even if you receive a pass on an audit; chances are that your firm still has work to do in implementing new measures, updating procedures, or ensuring that you stay up-to-date with revisions to the standards you’re required to follow. Even if your business is compliant with every aspect of a standard, it’s likely that there will be changes to that same standard, often before the date of your next audit. For example, substantial revisions to the NERC CIP standards came into effect in July 2016, replacing older versions. Businesses that were once compliant with NERC’s recommendations must review the revised standard to determine what new measures they need to implement to ensure they remain compliant.
A New Approach
Given that being compliant is an ongoing process, it’s clear that organizations need to follow a different approach.
Instead of assuming being declared compliant is enough, businesses need to implement compliance management. That means reviewing standards and requirements on an ongoing basis, continuing to implement new processes and procedures, and monitoring the environment for changes to standards and legislation. Compliance management software can help you manage this formidable task.
Just as organizations must implement security measures that go above and beyond the idea of being compliant, they also need to move beyond the mistaken idea that there is an endpoint to the process. Businesses that do so have a distinct advantage. Not only are they continually improving both compliance and security, they’re also better prepared for and aware of changes to standards.
The Bottom Line
Many businesses simply stop monitoring their compliance after they’ve received certification. They work with the faulty assumption that, by having an auditor declare them compliant, they’ve reached the end of the process.
But businesses that believe their duty ends with certification can find themselves in awkward legal positions when they’re caught unaware by regulation changes. At the end of the day, approaching compliance as an ongoing process is a much safer bet for your business.