This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
Regulatory compliance isn't exactly the most exciting topic; however, it is one of the most important. After all, failing to meet compliance requirements can result in harsh penalties, including hefty fines. Moreover, compliance standards such as PCI DSS, Sarbanes-Oxley, GDPR and HIPAA are designed to ensure the security of your data and the potentially sensitive information it holds. On top of this, government regulations such as the Personal Data Protection Act (PDPA) in Singapore aim to protect data from prying hands, be they companies or cyber criminals; a recent development of the PDPA may mandate organisations to inform customers of personal data breaches as soon as they are discovered.
With that in mind, here are three key things you should remember when it comes to regulatory compliance:
1. Compliant doesn't equal secure
Being compliant is one thing, but being secure is something else entirely. Think of all the high-profile data breaches we have seen over the past few years. How many of those companies were "compliant"? Well, quite frankly, all of them had to meet regulations and many did so successfully. Yet they still made data breach headlines.
Thus, it is important to not fall into the trap of thinking that if one adheres to compliance requirements, security is guaranteed. In fact, many regulatory bodies are now making a point to educate organisations that the compliance standards they oversee will not always ensure their company data is secure. You should think of regulatory compliance as a starting point.
Having the right talent to manage such situations is also just as important. According to a recent study conducted by SolarWinds, nearly two-thirds (61 percent) of IT professionals in Singapore indicated that hybrid IT has required them to acquire new skills, while 11 percent say it has altered their career path. These statistics clearly indicate that there is a need for a higher skilled workforce to tackle difficult environments, on top of hiring individuals that can untangle sticky situations.
2. Forget about breach shaming, have a sense of breach sympathy
Due to the global data breach disclosure laws now in place, and with the upcoming Cyber Security Bill in Singapore, we bear witness to new (and sometimes old) breaches that receive widespread coverage, usually alongside commentary on compliance.
These reports traditionally question the competency of the affected organizations (this includes the recent attacks in Singapore, such as the breaches at NTU and NUS), thereby essentially breach shaming the organization. Collectively, we need to get to a point where we have more breach sympathy instead: "If it can happen to company XYZ, which was compliant, it could happen to us."
Doing so will help organisations ensure that they are constantly on their toes, seeking to improve security posture, and it will also promote better collaboration across the industry. IT professionals have traditionally excelled at sharing information and expertise on a personal level, but we have to begin sharing information at the organisational level to develop collective strength against shared threats. Regulatory bodies will also hopefully step up to participate more fully in this free exchange, which will affect both what it takes to be compliant and what it means to be compliant.
3. Continuous compliance results in increasing complexity, but it can be worth it
To aid in closing the gap between being compliant and actually being secure, many organisations are moving towards a continuous compliance model to help reduce and limit exposure to compliance and security risks.
Continuous compliance involves constantly reviewing processes and quickly making any necessary updates as a result of deviations from their intended performance. However, despite the fact that continuous compliance is effective at eliminating the gaps between compliance and security, it also greatly increases the complexity of managing compliance.
In addition, here are several specific best practices that can help you on your compliance journey:
- Thoroughly document processes, policies and procedures: Documentation is a crucial component of compliance, but it is often the most neglected aspect. Creating comprehensive, in-depth documentation will be beneficial beyond an audit. Compliance is an ongoing process, so it's important to always keep documents and information current by scheduling time to review and revise documentation throughout the year.
- Clearly understand compliance requirements for your industry: Every regulated industry is different. Regardless of which flavor of compliance your organization follows (PCI DSS, HIPAA, custom corporate policies or government policies), it's imperative to understand what exactly is required. Remember, some compliance requirements are clearly defined while others provide only vague guidelines.
- Monitor devices and systems for compliance: Once proper documentation and a clear understanding of your industry's requirements are in place, the next step is to identify which devices, systems, applications and data must be monitored for compliance.
- Continuously review policies and procedures: Reviewing policies and procedures on an ongoing basis and then comparing them with the most updated requirements helps overcome the fear and stress that often accompany audits.
- Automate processes wherever possible: When dealing with an immense amount of data, reviewing audit trails can be a long and challenging task. By automating wherever possible, workloads will be decreased and processes simplified. Security information and event management (SIEM) and other log solutions can play an important role in automating many compliance-related tasks and processes, along with providing important alerting functionality.