Businesses across industries and continents are now obligated to satisfy various compliance standards, from GDPR to CCPA. But how do you actually ensure compliance? By securing the information your organization handles.
This – of course – is easier said than done and requires cross-team collaboration. In this article, we’ll explain:
Looking for more information about specific data privacy laws? Visit our compliance content hub.
“Security” is the infrastructure, tools, and policies you put in place to protect your company’s information and equipment.
“Compliance” is the act of meeting a required set of security and regulatory standards.
As you might have guessed, security and compliance are very closely linked, and each should drive the other. Keep reading to learn more about the key concepts you need to consider to ensure your organization’s information systems are up to scratch.
When it comes to information security, organizations have to safeguard every vector that stores and transfers data. In this article, we’ll cover network, device, and employee security.
While every organization is different, most IT leaders are concerned with protecting network security. Why? Because employees access company data via various networks, including:
Importantly, data can be intercepted or exfiltrated across all of the above networks. But there are several steps you can take to mitigate network security threats:
Looking for advice on how to secure data while employees are working remotely? Check out this article: Ultimate Guide to Staying Secure While Working Remotely.
Your organization is responsible for devices that store and handle vast amounts of data, including the personal information of your customers and the confidential information of your company.
This applies to any devices that process company data — whether they belong to your company or your employees — including:
You can protect these devices in multiple ways, including:
88% of data breaches are caused by human error. That’s why employee training is an essential component of any security strategy and a requirement under compliance standards.
A security training program should teach employees:
You can learn more about the pros (and cons) of security training in this article: Pros and Cons of Phishing Awareness Training.
There are several types of laws, regulations, and certifications that businesses must comply with and they all outline minimum security standards.
So, what happens if your security measures don’t comply with relevant standards?
Your organization will either be in breach of the law, in danger of being reprimanded by your industry’s regulator (which could include a hefty fine), or unable to obtain or maintain a particular certification.
Some laws apply to every business operating in a given jurisdiction, regardless of sector. Compliance with these laws generally requires the implementation of “reasonable” security measures specific to their industry and proportionate to their size.
Let’s look at two examples.
The EU General Data Protection Regulation (GDPR) applies to every person and organization operating in the EU or targeting EU residents. It sets out minimum requirements for information security and privacy.
In particular, covered organizations must:
You can learn more about the GDPR in this blog: GDPR: 13 Most Asked Questions + Answers.
The GDPR offers some flexibility, accounting for the current state of technology and the costs involved in securing personal information. However, all organizations must implement “appropriate technical and organizational measures.”
The California Consumer Privacy Act (CCPA) applies to certain businesses that collect California residents’ personal information. It requires that businesses take “reasonable security measures” to secure personal information in their control.
For CCPA-covered businesses, implementing a minimum reasonable security level means complying with the 20 Critical Security Controls from the Center for Internet Security (CIS). The controls include:
A business’s security measures may be “appropriate to the nature of the information” that business controls — so highly sensitive personal information will require stronger security measures to protect it.
You can learn more about the CCPA in this blog: CCPA FAQs: Your Guide to California’s New Privacy Law.
Certain industries handle particularly sensitive information, and there are rules that govern how they protect and store that data.
The US Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers and businesses that handle protected health information (PHI).
The HIPAA “security rule” requires covered entities to implement administrative, technical, and physical safeguards over the PHI they control, including:
Organizations may vary in the extent to which they implement such security measures, accounting for:
The Payment Card Industry Data Security Standard (PCI DSS) regulates how organizations handle credit and debit card data. Among other measures, PCI DSS requires organizations to:
The number of annual transactions a card handler processes dictates the level of security measures they must implement.
Businesses wishing to demonstrate their security standards to their customers and business partners can undergo auditing with a certifying body.
The ISO/IEC 27K series provides standards for information security management, with programs covering network security, cybersecurity, and intrusion prevention.
ISO/IEC 27K is not a certification process in itself, but certain bodies are licensed to certify ISO/IEC 27K compliance.
The series consists of a family of different standards that businesses can adopt as appropriate, such as:
GDPR certification is available for organizations that wish to publicize their GDPR compliance. Certification schemes must be approved by the European Data Protection Board or a national Data Protection Authority, such as the UK Information Commissioner’s Office.
GDPR certification schemes can be general, applying to all areas of an organization’s GDPR compliance, or specific to an area of GDPR compliance, such as:
You can see Tessian’s certifications on this page: Tessian Integrations, Compatibility, and Partnerships.
It’s not possible to say whether security is more important than compliance, or vice versa. Security and compliance go hand in hand.
If you neglect compliance, you may find your company is in breach of data security law — even if you take reasonable steps to secure sensitive information. Without understanding your compliance obligations, you can never be sure you’ve got everything covered.
Likewise, suppose you neglect security and take a mechanical, “bare minimum” approach to compliance. In that case, you’re putting your company at risk of data breaches, reputational damage, and private legal claims from your customers and employees.
Our advice? Take an overarching approach to security and compliance by understanding the risks to your company’s information and your legal and regulatory obligations.