Compliance is one of those things that, like it or not, organizations must face.
In general, compliance is conforming to a rule, policy, standard or law that has been put in place by an industry’s governing body. Some common examples of compliance standards are HIPAA, PCI-DSS, SOC 2, SOX, GDPR, etc.
Compliance standards exist to protect your business. Not only that, but insurance companies are beginning to require businesses to pass compliance audits in order to purchase cybersecurity insurance.
They’ll be looking to make sure your organization is addressing all areas of compliance before issuing a policy. For more information about the pitfalls of buying cyber insurance, read this article.
Compliance is a shared responsibility between organizations and their IT vendor(s). There are three components to compliance, technical, physical and administrative controls, that all business owners and managers should know. It’s important to understand the boundaries of each component and what it includes so organizations can shore up those areas. Compliance is a team sport that requires conversations between organizations and their IT partner to bring clarity about who is responsible for what.
Technical controls are things like antivirus, two-factor authentication, backups, update and patching schedules, firewalls, etc., that companies have in place to ensure everything is being done on the technical front to protect sensitive information. In many cases (but not all) the security of your company’s network is in the hands of your IT partner. Understanding who manages each aspect of your technology is critical.
Physical controls govern physical access to information and systems. This might include monitoring who has access to the server room, keeping the server room locked, ensuring workstations are locked when not in use, etc. Who takes ownership of this area largely depends on where a company’s servers are physically located. For companies that house their servers on their own property, it is their responsibility to ensure access is limited and controlled. For organizations whose servers are offsite in a data center, that responsibility falls on their IT partner and the data center, but it’s up to your company to safeguard any components located on your property, including workstations. Again, having a conversation with your IT partner will alleviate any confusion about who is accountable.
Administrative controls are the area that many companies neglect, and inattention to this very important component of compliance is what gets many businesses into messy and costly trouble. Administrative controls are the policies and processes that should be in place to prevent both accidental and intentional damage. An example is insisting on two-step verification for any wire transfers. You can read more about that here.
Your cyber insurance policy might not cover expenses in the event of a data breach caused by lax administrative controls, so you must insist that policies and procedures are in place and followed by your team. This is the one component of compliance that is 100% the responsibility of the business owner. Should your business fall victim to a cyberattack because of poor administrative controls, you’ll be the one under the microscope. Your IT partner should be able to provide you with guidelines for creating policies and best practices.
At MIS, we are SOC 2 Type 1 certified and have vast technical knowledge and experience in securing our clients’ networks. If you would like more information about how we can help your business, we’d love to talk. Reach out to us here!