As the threat landscape has become more perilous and complex, regulators have imposed a wide array of mandates designed to protect sensitive personal information. For most organizations, compliance is seen as the cost of doing business. However, if executed strategically, it not only improves a company’s overall security posture but also shortens sales cycles and opens the business to new markets.
To turn compliance from a check-the-box line item into a valued business initiative, businesses need to identify all global, local and industry regulations that apply to them and then strategically implement the processes and technologies that keep them compliant. Whether you’re targeting specific industry verticals or going after international customers, entering new markets requires continuous education about the latest compliance and regulatory standards as they relate to data privacy and security.
A good way to get started is to put together a roadmap for how you will get, and stay, compliant with the regulations relevant to your business. What follows is an outline of such a roadmap.
Start with the Basics
When you’re building a house, a foundation is the key to a safe structure. This holds true for building a compliance roadmap for an IT infrastructure.
The first step is to ensure the infrastructure is configured in accordance with Center for Internet Security (CIS) benchmarks. If operating in Amazon Web Services (AWS), ensure all AWS best practices are met. Setting this foundation will help meet basic security and compliance requirements and will simplify the compliance journey from the very start.
Once the foundation has been set, it’s time for the compliance, IT and security teams to determine which regulations apply to their business. This is the backbone of the compliance roadmap. The good news is that many of these regulations overlap, so businesses can complete requirements for multiple regulations at the same time.
First Stop: SOC 2
As a component of the American Institute of CPAs Service Organization Control reporting platform, SOC 2’s goal is to ensure that internal IT systems are configured for maximum security, emphasizing the privacy of customer data. It’s specifically designed for service providers storing customer data in the cloud, and this means it’s becoming increasingly relevant as companies continue their cloud migrations. SOC 2 goes beyond a simple technical audit though, requiring businesses to establish and follow stringent security policies and procedures that encompass the security, availability, processing integrity and confidentiality of any data stored in the cloud.
To achieve SOC 2 compliance, the organization will first need to establish an understanding of what normal looks like in its environment. It’s critical to baseline typical activity in order to be able to monitor for anomalies. This baseline underpins detailed audit trails that give deep, contextual insight into root cause, allowing organizations to remediate issues and thus keep up with SOC 2 requirements.
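The baseline-then-monitor idea above is easiest to see with data. The following is an added example, not code from the article: it parses constructed audit log lines (the four-column format, the user names and the sample actions are all assumptions), learns which user/action pairs and what per-hour activity volume are normal from a known-good window, and then flags departures in a later window, keeping the evidence lines so an investigator has context for root cause.

```python
"""Baseline-and-anomaly check over constructed audit log lines.

Added example, not from the original article. The log format, the users and
the thresholds are assumptions; real audit trails carry many more fields, but
the approach is the same: learn what normal looks like from a known-good
window, then flag departures from it together with the evidence.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample data, one event per line: "timestamp user action resource"
BASELINE_LOG = """\
2024-01-08T09:02:11Z alice s3:GetObject customer-exports
2024-01-08T09:15:40Z alice s3:GetObject customer-exports
2024-01-08T10:01:05Z bob iam:ListUsers -
2024-01-08T10:30:12Z alice s3:GetObject customer-exports
2024-01-08T11:05:33Z bob ec2:DescribeInstances -
2024-01-09T09:11:02Z alice s3:GetObject customer-exports
2024-01-09T09:50:44Z bob ec2:DescribeInstances -
2024-01-09T14:20:09Z alice s3:PutObject customer-exports
2024-01-09T14:21:37Z bob iam:ListUsers -
2024-01-09T16:05:18Z alice s3:GetObject customer-exports
"""

NEW_LOG = """\
2024-01-10T09:04:21Z alice s3:GetObject customer-exports
2024-01-10T09:05:02Z bob iam:CreateAccessKey svc-deploy
2024-01-10T03:12:45Z alice s3:GetObject customer-exports
2024-01-10T03:12:46Z alice s3:GetObject customer-exports
2024-01-10T03:12:47Z alice s3:GetObject customer-exports
2024-01-10T03:12:48Z alice s3:GetObject customer-exports
2024-01-10T03:12:49Z alice s3:GetObject customer-exports
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    resource: str

    @property
    def hour_bucket(self) -> str:
        # "2024-01-10T03:12:45Z" -> "2024-01-10T03"
        return self.ts[:13]


@dataclass
class Anomaly:
    kind: str                 # "novel-activity" or "volume-spike"
    user: str
    detail: str
    evidence: list = field(default_factory=list)  # the Event lines behind the finding


@dataclass
class Baseline:
    known_pairs: set            # (user, action) pairs seen during the baseline window
    hourly_threshold: dict      # user -> events per hour above which we alert


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, resource = line.split()
        events.append(Event(ts, user, action, resource))
    return events


def build_baseline(events: list, sigma: float = 3.0, floor: float = 2.0) -> Baseline:
    """Learn normal activity types and normal hourly volume per user."""
    pairs = {(e.user, e.action) for e in events}
    per_user_hour = Counter((e.user, e.hour_bucket) for e in events)
    counts_by_user = defaultdict(list)
    for (user, _bucket), n in per_user_hour.items():
        counts_by_user[user].append(n)
    # mean + sigma * stddev of hourly counts, with a floor so a user whose
    # baseline is perfectly flat does not alert on every second event
    thresholds = {u: max(mean(c) + sigma * pstdev(c), floor) for u, c in counts_by_user.items()}
    return Baseline(pairs, thresholds)


def find_anomalies(baseline: Baseline, events: list) -> list:
    anomalies = []
    # Rule 1: a user performing an action type never seen in the baseline
    for e in events:
        if (e.user, e.action) not in baseline.known_pairs:
            anomalies.append(Anomaly("novel-activity", e.user,
                                     f"{e.action} on {e.resource} never seen in baseline", [e]))
    # Rule 2: hourly volume for a known user far above that user's normal rate
    by_bucket = defaultdict(list)
    for e in events:
        by_bucket[(e.user, e.hour_bucket)].append(e)
    for (user, bucket), evs in sorted(by_bucket.items()):
        threshold = baseline.hourly_threshold.get(user)
        if threshold is None:          # unknown users are already caught by rule 1
            continue
        if len(evs) > threshold:
            anomalies.append(Anomaly("volume-spike", user,
                                     f"{len(evs)} events in {bucket} (threshold {threshold:.1f})", evs))
    return anomalies


if __name__ == "__main__":
    bl = build_baseline(parse_log(BASELINE_LOG))
    for a in find_anomalies(bl, parse_log(NEW_LOG)):
        print(f"[{a.kind}] {a.user}: {a.detail}")
        for ev in a.evidence:
            print(f"    {ev.ts} {ev.action} {ev.resource}")
```

Two rules are enough to show the point: a key creation by a user who never created keys during the baseline is flagged as a new activity type, and a burst of object reads at 03:00 is flagged as a volume spike because it exceeds that user's learned hourly rate. The evidence lines attached to each finding are what make the resulting audit trail useful for root-cause analysis rather than just an alert count.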
The Roadmap Focal Point: GDPR
The General Data Protection Regulation (GDPR) brought compliance into the mainstream. When GDPR passed, it established strict regulations for how organizations with European customers must handle customer data. The regulation is so broad, stringent and complicated that it has motivated many tech companies to create new job titles to ensure compliance.
However, while there have been strict compliance regulations before, it’s the high financial stakes attached to GDPR that set it apart. A business can be fined up to 4% of its global revenue if it’s found to be non-compliant. Very few organizations can afford to take that kind of hit, which is why so many make it the centerpiece of their compliance strategy.
The privacy implications of GDPR are extensive, but one of the most important and challenging requirements is data breach notification. Organizations must notify authorities or specific data subjects within 72 hours of a breach. Most organizations are unable to locate sensitive consumer information within their environment, making this requirement nearly impossible to meet. However, if the organization bakes data controls into its systems and enacts continuous monitoring and real-time intrusion detection, the requirement not only becomes achievable but also improves internal processes.
Go Broad with Certification Add-Ons
Once the basics like SOC 2 and GDPR are in place, organizations can begin looking for compliance standards that they can actually use as business differentiators. ISO/IEC 27001, for example, is a standard that SaaS organizations often use to demonstrate an aptitude for managing information security risks. The standard formally specifies an Information Security Management System, a suite of activities concerning the management of information risks, and lays out an overarching management framework to identify, analyze and address those risks. Certification requires a host of documentation, including a clear information security policy, a risk assessment process and evidence of information security monitoring and measurement. The standard spans industry type, organization size and market, so it applies to just about any company.
Compliance can be a powerful differentiator and business driver that inspires trust and confidence amongst prospects, customers and external partners. Although the above standards and regulations require extensive resources, non-compliance can result in fines and other punishment that can cripple a company. It’s important to remember that these compliance standards and regulations may have to be revisited, but once put into place and assigned to a dedicated compliance team, the once daunting task pays for itself.