With most of Corporate America working remotely now and for the foreseeable future, data privacy laws such as the GDPR and the CCPA are now being strictly enforced. If businesses do not abide by these laws, they could face serious and time-consuming audits, as well as hefty financial penalties. Thus, complying with these provisions is essential.
What Exactly Is Compliance?
Most of us understand the general meaning of the term “compliance.” However, what does compliance mean as it relates to IT? Here is a helpful technical definition of IT compliance:
“It is the process of meeting a third party’s requirements with the aim of enabling business operations in a particular market or aligning with laws or even with a particular customer.” (Source 1)
In other words, before you can engage in any sort of financial transaction or conduct business, your IT and network infrastructure must have an equivalent (or greater) set of security procedures in place. However, this should not be confused with IT security, which deals primarily with defending your digital assets from any sort of threat variant on a daily basis.
With IT compliance, you are dealing with a set of controls for the long term, controls that will guarantee the protection of confidential information and data as they are given to you. For example, suppose you are a wealth management organization that gives financial advice to customers, executes trades, or publishes timely content on the financial markets. To do all of this, you will have to go through an independent party, such as a broker dealer. That entity will have a certain set of protocols and procedures that your firm must have in place to ensure that the Personally Identifiable Information (PII) datasets of your customers are safe from cyberattackers and data leaks, whether they are intentional or not.
To ensure that you are meeting these requirements, your firm will be audited from time to time to confirm that you are abiding by them. If you are not, you will be fined for non-compliance.
The Components of a Good IT Compliance Plan
A good IT Compliance Plan consists of the following components:
- A written set of Policies and Standards of Conduct. This can be viewed as your Security Policy. In a general sense, this document outlines how your employees are to handle confidential information and data on a daily basis. It also specifies the consequences of not abiding by it. A typical example is the use of passwords. For instance, employees should not share their work passwords or write them on a Post-it note and tape it to their monitor. If an employee is caught doing this, he or she could then face a verbal warning or a formal write-up.
- A dedicated resource. This typically means having what is known as a Chief Compliance Officer. Today, many of these individuals are third party contractors, known as vCCOs. Their primary role is to oversee the maintenance and upkeep of the controls you have in place, and to determine what enhancements are needed to stay compliant in the future. A vCCO will likely have his or her own team that is tasked with the daily oversight of the client’s PII datasets.
- Education and training. You must hold IT Security Awareness training sessions with your employees on a regular basis. Although the material they learn will be security-related in nature, the training will result in a higher level of Cyber Hygiene, which in turn will lead to greater assurances of compliance. For example, if you teach employees about the importance of changing passwords on a prescribed timetable, this will increase the probability that the controls you have in place for your databases will work accordingly.
- Monitoring and auditing. It will also be very important to make sure your employees are abiding by the provisions of your Security Policy, so that you remain in compliance at all times. This can only be accomplished by conducting random checks on a real-time basis.
It’s clear that deploying a solid IT Compliance Plan can keep your company compliant with current data privacy laws. Beyond that, however, a good IT Compliance Plan can provide additional benefits to your business, which we will explain in a future article.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.