Lifting the Fog to See the Reality of Compliance - Part 2
In part 1 we highlighted compliance as a whole. In this continuation we discuss regulatory compliance by data, or, more explicitly, what data is expected to be protected.
When we say data, we mean the documents, databases, and other files within your systems. This information varies wildly between businesses. To some it may mean nothing more than simple purchase and inventory records. To others it is more private client information, such as financial records including credit information and banking data. Patient records, financials, schematics, private client information, and even personnel records all deserve respect.
Now, take a step back and consider the information that is within your network. Do HR or Accounting store employee information such as social security numbers or banking details for direct deposit? Do you hold sensitive data that could harm your clients if it were stolen? For individuals the harm may come in the form of identity theft; for businesses it may mean leaked trade secrets, operational leaks, and reputation damage. Now, imagine handing someone the data on your network knowing it could hurt your business or even your personal life. Would you expect them to protect it at a level considered the accepted minimum? Maybe a little above that, even? Would anything below the "accepted minimum" leave you feeling safe?
Being compliant with a standard means that you provide at least the accepted minimum level of security. Going above and beyond is encouraged if it makes business sense. Regulatory compliance standards are scalable based on business needs, size, and budget, but each one does define what counts as acceptable.
- Insurance and Medical
The Health Insurance Portability and Accountability Act aims to protect private health records. It is required for health care providers, pharmacies, health insurance providers, and others within the health sector. It also extends, through Business Associate agreements, to those acting on a covered entity's behalf who have access to such protected information. These may be accountants, legal firms, or even IT providers, to name a few.
PCI-DSS is expected by the credit card industry to be practiced by any business that accepts credit cards. It helps protect the card brands and their customers, as complying with its expectations greatly reduces the risk of card data theft.
Financial institutions are required to follow the Gramm-Leach-Bliley Act, GLBA, which lays out privacy rules to protect customers. The protected data may include account numbers or general personally identifiable information used for financial purposes.
- Federal Contractors
The International Organization for Standardization, or ISO, develops several methodologies and frameworks for various sectors and industries. Several federal and state agencies must abide by some of these frameworks, and they extend this requirement to contractors working on their behalf. Part of that requirement is that subcontractors also be compliant.
- Energy and Utility Infrastructure
Certain critical infrastructure areas have unique requirements and compliance needs. Energy distributors, grid operators, those working around oil and gas, nuclear facilities, and others all have guidelines their facilities and infrastructure must follow.
While this article is not all-inclusive, it does showcase some types of data that are expected to be protected in different use cases. Some companies may handle the same kinds of information but use them on behalf of a non-mandated entity. While those businesses are not directly required to be compliant, the information should still be treated as though it were. We will be happy to discuss your circumstances with you and help you shape your business to include its privacy needs.
Stay tuned for part 3 where we discuss regulatory compliance in the form of goals by business and industry.
Senior IT Security Consultant at Upton Technology