

Compliance 101 (or GRC 101) starts from a simple premise: regardless of an organization’s size or industry, there are laws and regulations it must comply with. Compliance is the “action of complying with a command.” In practice, it is the process of ensuring that your organization follows all applicable laws, regulations, standards, and practices that apply to your organization and industry. Many of the laws, regulations, and guidelines established by third-party bodies exist to protect the personal data of the organization’s employees and customers.

A good compliance program reduces your exposure to risks and liability, which goes a long way in building trust for your brand in the market, and that is a HUGE differentiator!

Why is compliance important and necessary?

Enforcing compliance helps protect your organization from regulatory violations, which can result in hefty fines and lawsuits. It is therefore in an organization’s best interest to make the compliance effort a focused and continuous process rather than a one-time project. The obligation to comply can also come from your customers (as contractual requirements), from your organization’s size or location, or from your industry. Each industry has its own set of regulatory compliance guidelines; for example, the guidelines that apply to an organization in the food industry may not be suitable or applicable to a Software as a Service (SaaS) organization.

TrustCloud’s primary focus is the security and privacy regulatory compliance space, which has grown rapidly in the last few years. The rapid expansion of cloud computing has pushed data security to the top of the agenda: businesses of all sizes have adopted cloud services to improve their offerings and save money, and regulators and standards bodies have responded by increasing the volume of laws, regulations, and standards for security and privacy. Some examples of security and privacy compliance frameworks include:

  1. International Organization for Standardization (ISO) standards, such as ISO/IEC 27001
  2. Payment Card Industry Data Security Standard (PCI DSS)
  3. National Institute of Standards and Technology (NIST) frameworks, such as the NIST Cybersecurity Framework (CSF) and NIST SP 800-53
  4. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  5. European Union General Data Protection Regulation (EU GDPR)
  6. California Consumer Privacy Act (CCPA)
  7. Sarbanes-Oxley Act (SOX)
  8. System and Organization Controls (SOC) reports, such as SOC 2

Common compliance laws, regulations, and standards

  1. GDPR: for any organization that processes the personal data of individuals in the EU, wherever the organization itself is located. GDPR sets specific requirements for the lawful basis, collection, processing, retention, and deletion of personal data, and for breach notification. The fines are huge: the upper tier reaches €20 million or 4% of worldwide annual turnover, whichever is higher.
  2. CCPA: for any for-profit organization doing business in California that meets at least one of the thresholds in the law: annual gross revenue over $25 million; buying, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices (raised to 100,000 consumers or households by the CPRA amendments effective 2023); or deriving 50% or more of annual revenue from selling personal information. Note that these thresholds are alternatives, not a combination. CCPA focuses on consumers’ rights over their data (to know, to delete, and to opt out of sale). Hefty fines are also in store for failure to comply with CCPA.
  3. HIPAA: for covered entities and their business associates that store, transmit, or process electronic protected health information (ePHI). HIPAA’s Security Rule mandates how these organizations protect ePHI against threats, security breaches, and improper use or disclosure of health data. Civil penalties are tiered by culpability and can reach $50,000 per violation (inflation-adjusted), with an annual cap per violation category.
  4. SOX: for publicly traded companies in the United States. SOX focuses on the integrity of financial reporting: how the organization records and stores financial information, how long critical records are retained, and the internal controls (including IT general controls over financial systems) that support them.
  5. PCI DSS: for organizations that store, process, or transmit cardholder data. Unlike the laws above, PCI DSS is a contractual standard enforced by the card brands through acquiring banks rather than by a government regulator. Its requirements focus on building and maintaining a secure network, protecting cardholder data, implementing strong access controls, and regularly testing security through a vulnerability management program. Fines for noncompliance, passed down from the card brands, can reach $100,000 per month.
  6. SOC 2: for any service organization that stores, processes, or transmits customer data. SOC 2 is an attestation report issued by a CPA firm rather than a certification; it evaluates how an organization manages and secures customer data against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), either at a point in time (Type 1) or over a period of months (Type 2).
  7. ISO series: ISO/IEC 27001 is a certifiable standard for an information security management system (ISMS), with ISO/IEC 27002 providing the supporting control guidance, for organizations looking to protect their data (financial, employee, IP, and customer data).
  8. NIST series: NIST publishes frameworks and control catalogs, such as the Cybersecurity Framework (CSF) and SP 800-53, for any organization looking to improve its risk management and mitigation activities. They are voluntary for most organizations but mandatory for US federal agencies and often required of their contractors.

Compliance for small and medium-sized businesses (SMB) vs. enterprise

Regulatory compliance is a big focus for organizations today, and regardless of the organization’s size, it is a huge and expensive effort! SMBs are now just as concerned with compliance as enterprises. More than ever, we see new laws, higher penalties, and an increased regulatory focus on SMBs. For an SMB, the most damaging consequence of noncompliance is often not the fine itself but the reputational damage that follows.

The good news is that SMBs do not need to implement controls at the same level of maturity as enterprises. The concept of maturity is central to building a compliance program that works for an SMB. A maturity model lets an SMB satisfy a requirement with a proportionate control today and work its way toward maturity over time: as the organization grows, more resources can be assigned to compliance efforts, moving from Level 1 (basic maturity) to Level 3 (highest maturity).

For example, a requirement for a ‘secure email platform’ could be satisfied at each maturity level as follows:

  • Level 1: A free consumer-class email service is used with its default security settings
  • Level 2: A business-class cloud solution, such as Office 365, is used with its default security settings
  • Level 3: In addition to the business-class solution, mailbox data is backed up, and top-tier services such as multi-factor authentication, email encryption, anti-phishing capabilities, and Data Loss Prevention (DLP) are enabled

There are a lot of nuances in maturity levels, but they give SMBs an achievable path to meeting requirements while leaving the higher maturity levels to larger organizations. Note that the regulation itself usually does not shrink with the organization; what the maturity model scales is how the requirement is satisfied, so Level 1 should be treated as a starting point, not a destination.

Limitation of compliance

While compliance laws, regulations, and standards provide a good starting point, it is essential to understand that achieving compliance does not mean your organization is 100 percent secure. Compliance frameworks define a minimum baseline, are scoped to particular systems or data, and are typically assessed at a point in time; attackers are not bound by that scope or that schedule. Treat compliance as the floor of your security program, not the ceiling.
