When you manage an organization, you hear a lot about the need to comply with HIPAA, PCI, ISO, NIST, CMMC, and many other abbreviations. But what does compliance actually mean? Misconceptions are common, and failure to reach and then maintain compliance can lead to fines and penalties.
An article like this cannot tell you what your business needs to do to comply, but we hope to provide you with a look at the overall picture to be in a better position to understand the requirements. Feel free to contact us with questions.
Regulations and Standards
Governmental regulations are not technical documents. They rarely prescribe specific techniques or products. Legal experts write them for other legal experts, and regulatory boards and courts interpret them. The purpose of privacy and security regulations is to ensure that information is adequately protected and to penalize those who fail to guard against its misuse.
Regulations of this type are proportionate rather than absolute. They apply to large and small organizations alike, and to both highly sensitive information and ordinary data, but the greater the potential consequences of negligence, the more the regulations demand.
Standards created by industry organizations are often incorporated into regulations by reference. They specify in more detail what is required. Complying with industry standards helps organizations even when it is not legally required. Certification against a particular standard is a prerequisite for access to some critical markets; CMMC certification for contractors to the Department of Defense (DoD) is one example.
Regulations and standards have both organizational and technical provisions. The first step toward compliance is determining which requirements apply. Location, industry, and the kind of data handled all affect this. A health care provider in the United States needs HIPAA compliance; a payment processor needs PCI compliance, and so on. Businesses may also need to comply because of whom they deal with; for example, GDPR applies to businesses outside Europe that process the personal data of people in the EU. "NIST compliance" can mean many different things, since the agency has issued many standards that apply in different situations.
The next step is to assess the environment, using the applicable requirements as the yardstick. The assessment needs to examine physical security, policies, employee awareness, technical safeguards, and anything else that affects risk. A properly conducted assessment is likely to reveal areas of concern, some more serious than others. These should be ranked by priority, and the most serious corrected first.
In some cases, an internal assessment followed by remediation is enough. A well-documented set of practices, supported by evidence, may satisfy business partners and customers that the organization is compliant. That documentation needs to be good enough to stand up to an audit, so an internal assessment suffices only if people with the relevant skills and experience conduct it.
If the requirements are strict or in-house expertise is limited, an organization should bring in an independent assessor to evaluate its level of compliance and identify the remedial actions needed. An external assessor authorized by a standards body can issue a certification if the compliance level is high enough. Many security companies provide this kind of service. It gives regulators and other businesses more robust assurance, and it gives the organization more internal confidence that nothing has been overlooked. Small organizations with a limited budget for in-house expertise can benefit significantly from outside assistance.
Being compliant requires more than a single, concerted effort that produces a document showing compliance at one point in time. Organizations constantly change their structure, the applications they use, and their overall technology. New risks emerge from inside and outside the firm, and meeting them requires additional safeguards. Regulations and standards change, and regulators may or may not notify you. People become careless if they are not reminded from time to time. Without regular reviews and updates, an organization will eventually drift out of compliance. We would suggest reviewing at least semi-annually, and some certifications require renewal on a more frequent schedule.
Scheduled reassessments will identify any areas where compliance has slipped. They ensure that the organization is prepared to protect its information and can demonstrate up-to-date compliance if an auditor comes calling.
Any organization that deals with sensitive information needs to comply with the relevant standards and regulations. Failure to do so can hurt your business's reputation and lead to penalties. Our staff has decades of experience helping organizations like yours satisfy regulations and standards. You can request a free consultation for an assessment through the online form or by calling 336.804.8449.