Regulatory compliance isn’t exactly the most exciting topic, but if you’re in any way, shape or form involved in the security of your data center, it is one of the most important. Failing to meet compliance requirements can result in harsh penalties, including fines, and compliance standards such as PCI DSS and HIPAA exist precisely to help protect your data center and the potentially sensitive information it holds.
With that in mind, here are three key things you should remember when it comes to regulatory compliance:
Compliant doesn’t equal secure
Being compliant is one thing, but being secure is something else entirely. Think of all the high profile data breaches we have seen over the past few years. How many of those companies were “compliant?” Well, quite frankly, all of them had to meet regulations and many did so successfully. Yet, they still made data breach headlines.
Thus, it is important not to fall into the trap of thinking that adhering to compliance requirements guarantees security. A passed audit is a point-in-time snapshot: it shows that the assessed controls were in place on the day they were checked, not that they were still operating a month later or that they covered every system an attacker could reach. In fact, many regulatory bodies are now making a point of educating organizations that the standards they oversee will not always ensure company data is secure. You should think of regulatory compliance as a starting point, not a finish line.
Forget about breach shaming, have a sense of breach sympathy
With data breach disclosure laws now in place across the country, the news seems filled with reports of new (and sometimes old) breaches. Rarely lost in the coverage is commentary on compliance: whether the affected companies were indeed compliant and what compliance issues they have had in the past.
These reports traditionally question the competency of the affected organizations, thereby essentially breach shaming the companies. Collectively, we need to get to a point where we have more breach sympathy instead —“If it can happen to company XYZ, which was compliant, it could happen to us.”
Doing so will help keep you constantly on your toes, seeking to improve your own security posture, and it will also promote better collaboration across the industry. IT professionals have traditionally excelled at sharing information and expertise on a personal level, but we have to begin sharing information at the organizational level to develop collective strength against shared threats. Regulatory bodies will also, hopefully, step up to participate more fully in this free exchange, which will shape both what it takes to be compliant and what it means to be compliant.
Continuous compliance results in increasing complexity, but it can be worth it
To aid in closing the gap between being compliant and actually being secure, many organizations are moving towards a continuous compliance model to limit their exposure to both compliance and security risks.
Continuous compliance means checking, on an ongoing basis rather than once a year, that each control is still operating the way the documentation says it should, and remediating deviations as soon as they are detected. However, while continuous compliance is effective at narrowing the gap between compliance and security, it also greatly increases the complexity of managing compliance: every control needs a measurable definition, a data source that reports on it, and someone who acts on the findings. Tools such as security information and event management (SIEM) systems, and processes to help manage this complexity, are more important than ever.
In addition, here are several specific best practices that can help you on your compliance journey:
- Thoroughly document processes, policies and procedures: Documentation is a crucial component of compliance, but it is often the most neglected aspect. Comprehensive, in-depth documentation is beneficial beyond an audit, because it is the baseline against which you can later detect that a system or process has drifted. Compliance is an ongoing process, so keep documents and information current by scheduling time to review and revise documentation throughout the year.
- Clearly understand compliance requirements for your industry: Every regulated industry is different. Regardless of which flavor of compliance your organization follows — PCI DSS, HIPAA, or custom corporate policies — it’s imperative to understand what exactly is required. Remember, some compliance requirements are clearly defined while others provide only vague guidelines.
- Monitor devices and systems for compliance: Once proper documentation and a clear understanding of your industry’s requirements are achieved, the next step is to identify which devices, systems, applications, and data fall in scope and must be monitored for compliance, and to make sure each of them actually produces the evidence (configuration state, audit logs) that monitoring depends on. A system that is in scope but not reporting is a gap, not a pass.
- Continuously review policies and procedures: Reviewing policies and procedures on an ongoing basis and then comparing them with the most updated requirements helps overcome the fear and stress that often accompany audits.
- Automate processes wherever possible: When dealing with an immense amount of data, reviewing audit trails by hand is a long and challenging task. Automating wherever possible decreases workloads and simplifies processes. SIEM and other log solutions can play an important role in automating many compliance-related tasks, such as comparing observed configuration against the documented baseline and flagging privileged activity that lacks an approved change, along with providing the alerting needed to act on deviations quickly.
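As an added illustration of the continuous-compliance and automation points above (this is example code written for this article, not a tool or script from the original page), the block below compares constructed configuration snapshots against a documented baseline and reviews a constructed audit trail for privileged actions that carry no change-ticket reference. The control names, hosts, log format and ticket convention are all hypothetical assumptions chosen for the example; substitute your own documented controls and your SIEM’s real log schema.

```python
"""Continuous-compliance drift check and audit-trail review (added example).

All controls, hosts and log lines below are constructed for illustration;
the control names are hypothetical and do not quote any particular standard.
"""
import re

# The documented baseline: what the policy says every in-scope host must look like.
BASELINE = {
    "password_max_age_days": {"op": "<=", "value": 90},
    "tls_min_version":       {"op": ">=", "value": 1.2},
    "audit_logging":         {"op": "==", "value": True},
    "remote_root_login":     {"op": "==", "value": False},
}

# Observed state, as a configuration-management or inventory tool might report it.
OBSERVED = {
    "db01":  {"password_max_age_days": 90,  "tls_min_version": 1.2,
              "audit_logging": True,  "remote_root_login": False},
    "web02": {"password_max_age_days": 180, "tls_min_version": 1.0,
              "audit_logging": True,  "remote_root_login": True},
    # app03 never reported audit_logging at all: a monitoring gap, not a pass.
    "app03": {"password_max_age_days": 60,  "tls_min_version": 1.3,
              "remote_root_login": False},
}

OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def check_drift(baseline, observed):
    """Return (host, control, observed_value, expected) for every deviation.

    A control that a host did not report is treated as a deviation, because
    evidence that is missing cannot demonstrate compliance.
    """
    findings = []
    for host, cfg in sorted(observed.items()):
        for control, rule in baseline.items():
            expected = f"{rule['op']} {rule['value']}"
            if control not in cfg:
                findings.append((host, control, None, expected))
            elif not OPS[rule["op"]](cfg[control], rule["value"]):
                findings.append((host, control, cfg[control], expected))
    return findings


# Hypothetical audit-trail format: one event per line, ticket reference optional.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'cmd="(?P<cmd>[^"]*)"(?: ticket=(?P<ticket>\S+))?$'
)
PRIVILEGED_ACTIONS = {"sudo", "su", "config_change"}

# Constructed sample audit trail.
AUDIT_TRAIL = """\
2024-03-02T02:14:07Z host=db01 user=jsmith action=sudo cmd="useradd tempadmin" ticket=CHG-1042
2024-03-02T02:15:31Z host=web02 user=svc_deploy action=config_change cmd="set tls_min_version 1.0"
2024-03-02T03:01:12Z host=app03 user=mlee action=login cmd=""
2024-03-02T03:05:44Z host=app03 user=mlee action=sudo cmd="systemctl stop auditd"
"""


def review_audit_trail(text):
    """Flag privileged actions with no change ticket, plus any line that cannot be parsed.

    An unparseable line is reported rather than skipped: a log the reviewer
    cannot read is itself a monitoring gap that an audit would ask about.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            findings.append({"host": None, "reason": "unparseable log line", "line": line})
            continue
        rec = m.groupdict()
        if rec["action"] in PRIVILEGED_ACTIONS and not rec["ticket"]:
            findings.append({"host": rec["host"],
                             "reason": "privileged action without change ticket",
                             "line": line})
    return findings


def compliance_report(baseline=BASELINE, observed=OBSERVED, audit_trail=AUDIT_TRAIL):
    """Group drift and audit findings per host so one ticket can be raised per system."""
    report = {}
    for host, control, seen, expected in check_drift(baseline, observed):
        report.setdefault(host, []).append(f"drift: {control}={seen!r}, expected {expected}")
    for f in review_audit_trail(audit_trail):
        report.setdefault(f["host"], []).append(f"audit: {f['reason']}: {f['line']}")
    return report


if __name__ == "__main__":
    for host, issues in sorted(compliance_report().items(), key=lambda kv: str(kv[0])):
        print(host)
        for issue in issues:
            print("  -", issue)
```

Run as-is, the report shows web02 drifted on three controls and that the TLS downgrade was made by a service account with no ticket, while app03 stopped reporting audit logging right after someone ran `systemctl stop auditd` without a ticket. That correlation between a configuration deviation and the untracked privileged action that caused it is exactly what a SIEM rule should alert on, and what a once-a-year audit would miss.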
Being mindful of these three things and following these best practices will greatly ease the burden of compliance, but more importantly it will help you ensure that your data center, and the potentially sensitive information it holds, is actually secure, not merely certified as such.