These days, more and more companies are being required to comply with security regulations, even if they're not in a regulated industry. NIST compliance requirements, to name one example, are flowing down the supply chain, and in order to continue doing business with your customers, you may be required to prove compliance with their security standards.
It's hard to know who is responsible for what when it comes to compliance. These regulations can be confusing and the fines can be steep, so you want to make sure you’re covered.
Compliance Components
As with any regulation, compliance generally has many administrative, physical, and technical components. These range from making sure that sensitive files are kept in a locked filing cabinet, to facilitating employee training, to ensuring that data is encrypted.
In many cases, the regulations have more administrative rules than technical ones. That’s why companies typically task a non-technical person with heading up their industry-specific compliance, oftentimes referred to as a Compliance Officer.
Depending on your organization’s requirements, this responsibility can be added on to an employee’s existing job duties, or a new position around compliance can be created. This person studies and understands the regulation(s), and works with different departments to ensure they are compliant in all areas.
IT Security and Technical Compliance
The area we’ll be focusing on is the technical security of your IT systems.
Your IT department or outsourced IT provider will be responsible for keeping your IT systems secure and up-to-date with the latest security updates and policies.
Many regulations don’t get into specifics regarding which technologies need to be in place, but most seem to agree that companies must take reasonable measures to protect any personal information they collect and retain.
The good news is, many of the “reasonable measures” can be relatively simple for your IT team to implement. They can include creating and enforcing password policies, maintaining user access permissions, running software that is supported by the manufacturers, implementing security threat prevention systems, and keeping systems up-to-date with security patches and updates.
Other areas can be more complex, such as configuring how data is stored and protected on your servers or cloud services. Oftentimes, the level to which you are required to protect the data is directly proportional to the sensitivity of that data. Some regulations also require strict backup and retention policies.
Once your Compliance Officer determines the internal policies that need to be implemented for your systems, your IT team can put a plan in place to accomplish it.
Where to Start With Technical Compliance
So, where should you start on the technical side? A good first step is to identify your Compliance Officer. Next, reach out to a qualified IT professional and have them conduct a security assessment. This will reveal any existing vulnerabilities in your systems and will give you a road map for how to remediate these issues.
This post should not be considered legal advice. Consult your legal counsel for specific information regarding your organization’s legal requirements.