When we look at executive information security concerns, it is safe to say that compliance sits near the top of the list. CEOs and CIOs are concerned not only because they must comply with these regulations to pass audits and avoid fines, but also because becoming compliant is one way for an organization to start securing itself.
Some of the existing regulatory requirements businesses must comply with include:
- HIPAA – Health Insurance Portability and Accountability Act of 1996
- HITECH Act – Health Information Technology for Economic and Clinical Health Act
- GLBA – Gramm-Leach-Bliley Act of 1999
- FISMA – Federal Information Security Management Act of 2002
- PCI DSS – Payment Card Industry Data Security Standards
- SOX – Sarbanes-Oxley Act of 2002
- FERPA – Family Educational Rights and Privacy Act of 1974
- CA SB 1386 – California SB 1386 Security Breach Notification Act of 2003
Compliance regulations govern different industries, such as financial institutions and healthcare organizations. They require enterprises to assess risks, manage and control those risks, oversee service providers, ensure business associates are compliant, and adjust security programs as needed when risks change.
For some industries compliance can be daunting, because they must formulate and adopt security standards comprehensive enough to satisfy every regulation that applies to their business. Furthermore, executives who want to avoid scenarios such as the recent Target breach need to realize that they must maintain an ongoing security program, one that goes beyond the basic compliance mandates. Federal and state regulations provide a fundamental component of information security, but they by no means include all the requirements necessary to protect data.
In addition to compliance, you want to make sure your enterprise implements things like:
- Continuous monitoring, penetration testing, and physical security assessments.
- A security commission and a company culture that cater to the people side of security.
- A good incident response plan, since it is crucial that first responders don’t “walk” all over data and destroy evidence that may eventually be used in court to prosecute.
A proactive security approach is one way to keep your organization’s defenses up to par with changing risks and threats, while also ensuring you have the resources and expertise needed to keep up with evolving compliance regulations.
When it comes to meeting compliance, what aspects do you find most challenging? Are you able to stay up to date with the continuous changes to your security requirements?