Compliance 101

governance, risk and compliance

Compliance management is a complicated process for IT.

While everyone agrees compliance is crucial to protect customer data, there isn’t a single all-encompassing standard that everyone can follow.

The patchwork of state laws governing personally identifiable information, industry-specific compliance regulations and broad information security standards combine to make this difficult task even more challenging. Enterprise executives who cannot wrap their heads around compliance run the risk of making a mistake, and those mistakes can be costly.

There are many compliance requirements, and which ones the organization has to follow can vary depending on industry and nature of the business. If you are struggling to understand which regulations apply to your organization and how you can become compliant, here is a quick primer on what you need to be thinking about.

The most well-known information security standard may be Payment Card Industry Data Security Standard (PCI-DSS), which covers payment card data, including credit and debit card numbers, expiration date and the cardholder name, among others. PCI-DSS applies to all financial institutions, merchants, and online retailers — anyone who may have access to the data. Even if you outsource payments to a third party, you still need to be compliant.

In general, merchants should never store payment card data unless there is an urgent business need. Certain data, such as the security code on the back of the card and data written on the magnetic stripe, should never be stored. All saved data needs to be protected. Acceptable methods include strong one-way hash functions, truncating or masking the information so that only a segment of the information is visible or relying on strong cryptographic schemes to encrypt the data.

Another well-known standard is healthcare-specific. Most, if not all, healthcare organizations have to comply with the Health Insurance Portability and Accessibility Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH). These two laws require organizations to establish formal processes and procedures to ensure PII and health records are protected.

Even if you aren’t in the healthcare space, it is a good idea to become familiar with HIPAA and HITECH requirements, as their emphasis on formalized procedures is good information security practice.

HIPAA/HITECH requires organizations to have:

  • physical security policies in place that specify who can enter the facilities or use equipment;
  • user access control policies to identify which users are allowed to access to which applications and systems; and
  • processes to ensure data is properly removed from computers, peripherals and other equipment before they are disposed of.

Administrators need to monitor workstation usage to ensure users are following password policies, no one is sharing account credentials and all security software is installed and kept up-to-date. HIPAA/HITECH also emphasizes regular security awareness training and frequent reminders to ensure employees are aware of the policies and how to recognize threats.

A complete governance, risk and compliance strategy

A complete governance, risk and compliance strategy also includes disaster recovery and business continuity policies and procedures in the event of emergencies and disruptions. The important thing about compliance is to have a clear audit trail so that everything can be verified. This is why having formal procedures in place is so important.

Organizations need to run regular risk assessments to understand the risks, find existing controls, and identify gaps that need to be addressed. Security experts frequently recommend following information security best-practices, instead of focusing on a single compliance checklist.

Many of the frameworks offer self-assessment tools to get started. The National Institute of Standards and Technology also offers information on how to identify risks and executing action plans in response.

The easiest way to be compliant, regardless of the standard, is to work with a third-party provider that is compliant with the regulations you need to follow. However, that doesn’t absolve you of all responsibility, as you need to make sure the contractor or provider is actually following the regulations.

Here is to being —and staying — compliant!


Fahmida Y. Rashid
Fahmida Y. Rashid is an analyst for networking and security at PCMag.com. She focuses on ways businesses can keep their data and networks secure without going bankrupt chasing after the wrong kinds of protection. Prior to landing at PCMag, she was a senior writer covering security, core Internet infrastructure, and open source at eWEEK. She was also a senior technical editor at CRN Test Center reviewing open source, storage, and networking products from 2007 to 2008. Before setting out her journalism shingle, she was a technology consultant, first at PricewaterhouseCoopers, and later with the Business Consulting Services group in IBM Global Services. She has worked in the trenches as help-desk, QA tester, software and Web developer, and network administrator.
Fahmida Y. Rashid
Fahmida Y. Rashid
Fahmida Y. Rashid
Tags: IT Security,Technology