
Is Compliance Something I Should Be Thinking About?

Level 8

Over the past 12 months, I've heard the word “compliance” thrown around quite a bit. Only now does compliance depend on what department or industry you are in. From ISO to General Data Protection Regulation (GDPR), compliance is now at the forefront of the requirements. More importantly, compliance is now being recognized by the boards, highlighted in many cases by the consequences (being fined) for not maintaining compliance. 

One thing to remember is that it’s not always an IT problem. I don’t know how many times I have walked into a meeting and been asked by a customer what they need to buy. Take GDPR, for example. Out of 107 actions, only eight can be fixed by a purchasable IT solution. The rest is policy-driven, and this is where it gets complicated. To stay compliant, you need to make sure you have a management suite that can monitor the policies you have in place.

For this article, I am going to focus on one of the hot topics of conversation when it comes to compliance: the new European GDPR regulations. For many, this is a word that either causes confusion or panic. Please don’t panic! Don’t burrow your head in the sand. Talk to the experts! I may not be an expert when it comes to compliance, but over the last twelve months, I have learned a lot from listening and talking to partners and customers about their experiences. One of the big points I hear about over and over again concerns your foundations. Where does your business stand today in line with the new regulation? You must make sure you can clearly define or find the information you need to start. This ranges from hardware inventory, current security vulnerabilities and firewall policy to, more importantly, the classification of your data. It is fine to have all these tools to monitor and protect against security threats and data breaches. However, if you don’t understand your data and how you use it, you will struggle to understand and meet the GDPR requirements.

So, let’s take it back a step for anyone reading about GDPR for the first time.

The EU GDPR goes into effect May 25, 2018. It applies to all organizations processing the personal data of EU residents. The regulation will introduce a new way for organizations to handle data protection and it will be enforced fairly. The penalties for non-compliance with GDPR can be up to 20 million euros or four percent of a company’s annual turnover. In addition, data subjects get a right to claim for compensation against an organization under GDPR.

It is important to remember that a data breach isn’t necessarily black and white. You could have all the security and encryption layers you want, but you may still be breached from either an external intrusion or an internal intrusion. What has become clear to me is that you need to have a clear audit trail of data throughout the business, from tracking user activity to change control activities and everything in between. The reason this is important is that part of the GDPR regulation requires that you declare to the ICO or equivalent any data breaches within 72 hours. Having an audit trail that proves that you have adhered to all policies and procedures may help reduce any penalties imposed on your company.

Let’s stop and think about the IT elements for a moment. It’s all well and good that you can provide the audit trail once you have been breached, but what elements do you need to think about when you’re trying to prevent a breach? It’s not as simple as just encrypting everything. You should make sure you keep your internal system up to date with the latest patch, so make sure you have a good patch manager in place to monitor servers, end-user devices, etc. One of the other elements you need to keep an eye on is your firewall management. Make sure that this is correctly patched, and, more importantly, that all policies are adhered to and implemented.

As I said at the beginning, I am not an expert on compliance, but these are thoughts and things I have picked up on over the past year. So, here's my call to action for anyone reading this: Make sure you understand your data, and remember that the hard part isn’t becoming compliant; it’s the challenge of staying there.

9 Comments
Level 11

You are absolutely right. It is one thing to get in compliance, quite a different story staying in compliance. Compliance is driven by policy which is driven by regulations and directives. The bottom line is to be in and remain in compliance as policy will always have to evolve and should be considered as living that needs to be cared for and updated. It drives how IT complies by keeping the servers and workstations properly patched, the network devices updated with the latest patched OS, authentication requirements and how they change and ensuring that your firewall has the latest and greatest with updated ACLs as required and retire/disable and eventually remove rules as necessary.

An often overlooked data breach scenario is those "powerusers" who are apt to store Excel files with that sensitive information on their laptop instead of a protected network share (Because.... you know, the network is "...too slow") and then have said laptop stolen at the airport. All of the policies in the world can't protect you from that but some tools can (disk encryption), but that can be very expensive for large organizations.

MVP

Nice write up

Level 14

Lots of people running around waving their arms in the air here BUT the Head of IT security and us techies aren't.  I'm guessing the IT side of it is sorted (or maybe we are just hoping Brexit happens before May 25th).

Level 20

Compliance sure is something you should be worried about... almost every industry including defense have new standards which everyone must abide by... for us it's RMF.

Suppose we were asked the inverse?  "Why would you spend any time or resources to meet some compliance standard?"

Some easy answers come to mind:

  • Keeping your job
  • Staying in business
  • Being safe & secure
  • Avoiding losing staff, money, resources

I can think of no useful reasons to NOT work to achieve compliance.  It doesn't matter that doing so may be expensive or time consuming.  The alternatives are all worse.

Level 21

Compliance is definitely important and it's quickly becoming a huge impact on our industry.  It's important to realize that if you are going to go down the compliance road no matter which compliance requirements you are talking about, it's important to get corporate buy-in from the top level.  I say this because it's going to require dedicated resources.  As has already been noted here, this isn't something that can be completely solved with a technology solution and it's not something that you do once and you are done.  Compliance requires constant people resources and that's something management needs to understand before starting down that road.

MVP

In the end, if you are even asking the question you are in the wrong line of work...most of the time.

Level 8

Adhering to compliance policies is one of the most important parts of making recommendations as an IT professional. As folks have mentioned above, policies are constantly changing, but staying aware of them and ensuring you do your part to communicate with users can save time and money in the long run.