Regulatory Compliance in Today’s Business

Compliance

Lifting the Fog to See the Reality of Regulatory Compliance- Part 1

 

This series will highlight the most frequently asked questions and misconceptions that circle the world of regulatory compliance needs.  This series will not be focused on a particular industry or sector but, rather agnostic overall.  However, some specific requirements will be called out for various legal and industry expectations.  With that said, let us dive into an overview of compliance.

    • What does it mean to be compliant?
       
      Based on your industry and legal requirements, being compliant does vary.  However, there are some common links across the board.  Regulatory compliance will encompass a few pieces of the business puzzle.
       
      Generally, data security and privacy protection are goals.  These will come in the form of the process– handling paper and tangible resources, workflow, contracts and agreements, education, and physical mechanisms to protect people and data.  Just as important is the technology side which not only sets minimum requirements for protecting data but also creates resiliency and auditable controls to respond to various threats.

      Compliance as a whole is adhering to a standard set to protect your business, your clients, and the data related to these.  Compliance will normally be overseen by a compliance officer within the organization. This person works closely with department heads to ensure everyone shapes business road maps in a safe way.  For smaller organizations, this may mean an office manager with multiple roles working with an IT provider, accountant, and legal advisor.  Because of this, compliance mandates are scalable so that they can be tailored to any size business.

 

    • Who regulates compliance?
       
      Regulatory compliance is delegated and enforced by different entities.  For example, HIPAA is regulated by the Office for Civil Rights, which is a division of the Department of Health and Human Services.  PCI-DSS is maintained by PCI-SSC that was established by major credit card vendors.  CCPA is regulated by the California attorney general.  GDPR is maintained through the European Parliament.
       
      As you can see, some compliance expectations are set by private industry stakeholders while others are set by federal bodies, state bodies, or even multinational government bodies.  It is common for businesses from any market to suddenly find themselves having to be compliant with competencies they never knew existed.

 

    • Who has to be compliant?
       
      This question is hard to answer, but the reality is almost every business.  With privacy laws being established such as CCPA and GDPR businesses with no certain industry standards now have legal standards.  Essentially doing business with anyone in California or the European Union can subject you to being compliant with these due to having information about some of their citizens.  Taking credit card payments? You are expected to be PCI-DSS compliant.  If you work as a healthcare or insurance provider or even with one of these entities as a contractor you are required to be HIPAA compliant.  Publicly traded companies must be SOX compliant.  DoD contractors must abide by NIST 800-171. These are just a few from a long list.
       
      In recent years, many cyber insurance writers have established their own expectations set within the agreements. Failing to meet their requirements or those expected from your business otherwise can result in denied claims.  Nearly all businesses now face some form of the standard they must meet in protecting themselves and their customers.

 

While this article is not all-inclusive it does begin to show that compliance is not just a buzz word or idea, but a complete business alignment.  Nearly all business models now must include alignment to privacy and regulatory needs.  If you are unsure of what is expected from you, or maybe you know but are not certain if you satisfy all of the needs, then reach out.  Because, we will be happy to discuss your circumstances with you and help you shape your business to include privacy needs. As we move forward, you will begin to see why building security along side your business not only makes sense, but is critical for survival. Check out Layering Security, Firewall or UTM?, and Security Awareness Training to gain some clarity of the security puzzle.

Stay tuned for part 2 where we discuss data concerns that lead to compliance needs.

 
NIST Compliance
HIPAA Compliance
GDPR Compliance
PCI-DSS Compliance
SOX Compliance
CCPA Compliance
 

Ryan Stephens 

Senior IT Security Consultant at Upton Technology