Guide to Understanding Information Security Compliance
Information Security Compliance Is Not Optional
When you look at the real reason the majority of businesses take IT security seriously, it is usually a law or a contractual obligation that they are bound to comply with. This can be a contractual requirement such as the Payment Card Industry Data Security Standard (PCI DSS) or a statutory / regulatory requirement such as an international, Federal or state law.
The term “compliance” is very common in the news and on TV, but many business owners do not know how the issue of compliance affects them in practical terms. It is often viewed as an end-state, such as “we need to become compliant” instead of the view that compliance is an ongoing requirement for the business to adhere to an objective set of standards.
From a dictionary definition, compliance is a state of being in accordance with established guidelines, specifications, or legislation. In the common usage of the term, compliance is merely meeting the minimum standards required by a law or industry requirement. These standards can be as mundane as requiring antivirus on all computers or as complex as mandating specific software development standards.
"Cyber Insurance" May Not Be Worth The Paper It Is Written On
A little known fact about compliance is how it affects your insurability. If your business is required to meet certain standards for the security of your network (this can be mandated by a law or it can be a contractual requirement that is found in many industries) and your business fails to meet that known, objective standard, then you can be found professionally negligent. Insurance companies generally have “negligence loopholes” written into business insurance contracts, so that you will not be covered by insurance for any losses, damages, or lawsuits arising from a non-compliant incident. This has the ability to put you out of business. (NOTE - you are highly encouraged to verify this with your business insurance provider, since it is that important to determine your individual situation)
One thing is clear and our experience has proven it - when it comes to Information Security policies, a standard is a standard for a reason. With that in mind, our products are based on industry-recognized best practices and Information Security standards so that you can meet your legal requirements. Unlike some competitor sites that offer “Bronze, Silver or Gold” packages that may leave you critically exposed, we offer a comprehensive Information Security solution to meet your specific compliance requirements.
Why is this? It is simple - in the real world, compliance is penalty-centric. The court systems have established a track record of punishing businesses for failing to perform “reasonably expected” steps to meet compliance with known standards. Additionally, the Federal Trade Commission (FTC) has prosecuted companies for failing to maintain reasonably-expected levels of security, thereby jeopardizing the security of consumer information.
This all may sound overwhelming, but a positive aspect towards modern compliance requirements is that these various standards are generally industry-recognized “best practices.” The bad news is if the standards seem overwhelming and foreign to you, then realistically you are “behind the power curve” and have not kept up with standard procedures to protect your business, your employees, and your clients. The good news is that compliance is achievable by every organization, regardless of its size or resources.
Simple Compliance Measurement Tool
A simple tool to measure your compliance is to ask yourself if you are compliant with applicable requirements - if you have to think about it or you are not 100% sure you have taken the steps to be compliant, then it is safe to assume your company is non-compliant. That may sound harsh, but it is generally an accurate statement. Compliance isn't necessarily hard work, but it takes "care & feeding" to stay compliant, so if you are unsure of your status, that is a clear indication that you are not compliant with common requirements such as the PCI DSS and state ID theft/data protection laws.
IT Security Compliance Ranges From Legal Contracts To State / Federal / International Laws
In terms of liability for a company, information security does not exist until it is documented - if you cannot prove it, it does not exist! Since ignorance is neither bliss, nor is it an excuse, you need to be able to prove you followed due care & due diligence to protect your business - this is where we can help you with our information security policies.
For US States, 2008 Marked The Start Of A Trend With The Oregon Consumer Identity Theft Protection Act (OCITPA)
The current trend is for states to pass laws that require companies that either do business in their state or hold Personally Identifiable Information (PII) of their residents to take formal IT security precautions. These laws are aimed at reducing the risk of identity theft to their citizens. Some states have "encryption exceptions" where lost data is not reportable if it was encrypted, while others require breach notification even if the data is encrypted. This leads to a bit of a minefield of state-level IT security laws that companies should be aware of.
At our prices, you can obtain professionally-developed, customized information security policies and standards for your business and have them ready to start implementing the next business day. Our products are electronically delivered to you in Microsoft Word format (via email delivery), along with helpful guidance on how to properly implement those programs in your company.
Domestically, 2017 Marked A Shift For Defense Contractors With NIST 800-171
Defense contractors have until the end of 2017 to comply with DFARS regulations to meet the requirements set forth in NIST 800-171. One of the most interesting components of NIST 800-171 is the creation of Non-Federal Organization (NFO) controls that the US Government has identified as "expected" security measures by any private business. This essentially creates a minimum bar of expectations, which could have much wider implications.
Internationally, 2018 Will Be The Year of Privacy & Security By Design With EU GDPR
In May of 2018, the European Union General Data Protection Regulation (EU GDPR) becomes enforceable. This affects any business that stores, processes or transmits Personal Information (PI) of a citizen of the EU. The potential fines associated with non-compliance with the EU GDPR are up to 4% of a company's global revenues, so it has to be taken seriously.