Guide to Understanding Information Security Compliance
Information Security Compliance Is Not Optional
The real reason the majority of businesses take IT security seriously is that they are bound by either a law or a contractual obligation with which they must comply. This can be a non-regulatory requirement such as the Payment Card Industry Data Security Standard (PCI DSS) or a regulatory requirement such as an international, Federal or state law that contains IT security requirements. The term “compliance” is very common in the news and on TV, but many business owners do not know how the issue of compliance affects them in practical terms. It is often viewed as an end-state, such as “we need to become compliant,” rather than as an ongoing requirement for the business to adhere to an objective set of standards.
From a dictionary definition, compliance is a state of being in accordance with established guidelines, specifications, or legislation. In the common usage of the term, compliance is merely meeting the minimum standards required by a law or an industry requirement. These standards can be as mundane as requiring antivirus on all computers or as complex as mandating specific software development standards.
Written Information Security Program Compliance With PCI DSS and IT Security Laws
A little-known fact about compliance is how it affects your insurability. If your business is required to meet certain standards for the security of your network (this can be mandated by a law or it can be a contractual requirement found in many industries) and your business fails to meet that known, objective standard, then you can be found professionally negligent. Insurance companies generally have “negligence loopholes” written into business insurance contracts, so that you will not be covered for any losses, damages, or lawsuits arising from a non-compliant incident. This has the ability to put you out of business. (NOTE - you are highly encouraged to verify this with your business insurance provider, since it is that important to determine your individual situation.)
One thing is clear and our experience has proven it - when it comes to Information Security policies, a standard is a standard for a reason. With that in mind, our Written Information Security Program (WISP) is based on industry-recognized best practices and Information Security standards so that you can meet your legal requirements. Unlike some competitor sites that offer “Bronze, Silver or Gold” packages that may leave you critically exposed, we offer a comprehensive Information Security solution to meet your specific compliance requirements.
Why is this? It is simple - in the real world, compliance is penalty-centric. The court systems have established a track record of punishing businesses for failing to perform “reasonably expected” steps to meet compliance with known standards.
This all may sound overwhelming, but a positive aspect of modern compliance requirements is that these various standards are generally industry-recognized “best practices.” The bad news is that if the standards seem overwhelming and foreign to you, then realistically you are “behind the power curve” and have not kept up with standard procedures to protect your business, your employees, and your clients. The good news is that compliance is achievable by every organization, regardless of its size or resources.
Simple Compliance Measurement Tool
A simple tool to measure your compliance is to ask yourself whether you are compliant with the applicable requirements - if you have to think about it, or you are not 100% sure you have taken the steps to be compliant, then it is safe to assume your company is non-compliant. That may sound harsh, but it is generally an accurate statement. Compliance isn't necessarily hard work, but it takes "care & feeding" to stay compliant, so if you are unsure of your status, that is a clear indication that you are not compliant with common requirements such as the PCI DSS and state ID theft/data protection laws.
IT Security Compliance Ranges From Legal Contracts To State / Federal / International Laws
In terms of liability for a company, information security does not exist until it is documented - if you cannot prove it, it does not exist! Since ignorance is neither bliss nor an excuse, you need to be able to prove you followed due care and due diligence to protect your business - this is where BlackHat Consultants can help you with our information security policies.
For US States - 2008 Marked The Start Of A Trend With The Oregon Consumer Identity Theft Protection Act (OCITPA)
The current trend is for states to pass laws that require companies that either do business in their state or hold Personally Identifiable Information (PII) of its residents to take formal IT security precautions. These laws are aimed at reducing the risk of identity theft to their citizens. Some states have "encryption exceptions" under which lost data is not reportable if it was encrypted, while others require breach notification even if the data was encrypted. This leads to a bit of a minefield of state-level IT security laws that companies should be aware of.
At our prices, you can obtain professionally developed, customized information security policies and standards for your business and have them ready to start implementing the next business day. Our products are delivered electronically in Microsoft Word format (via email), along with helpful guidance on how to properly implement those programs in your company.