Put Security before Compliance
If your business is covered by one of the many federal regulations mandating data security, you undoubtedly spend a significant amount of time ensuring that your company is in compliance. But all too many organizations are so focused on achieving compliance that they lose sight of the real goal—protecting the data.
It is possible to meet the minimum requirements for compliance without truly being secure, especially when you have to deal with multiple, overlapping directives. But with tools like Symantec Endpoint Protection and Backup Exec, you can strive for the best possible security and achieve compliance in the process.
In this article, we give you an overview of security- and data-related federal regulations that could affect your business. We recommend three broad steps—what we call the “DDD strategy”—that will help you not only achieve compliance but actually meet the goal of securing your critical data:
Develop a set of well-defined security and compliance policies.
Deploy the right tools to protect your system and every platform within it.
Develop a systematic backup strategy.
The world of compliance is a chaotic jumble of acronyms like SOX (Sarbanes-Oxley), GLBA (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standards), and FOIA (Freedom of Information Act), just to name a few. For larger organizations with dedicated admins and IT staff, understanding and addressing the compliance mandates is more manageable, but for small and medium businesses, it can be overwhelming to even figure out where to begin.
Unless your business is a publicly traded entity governed by the SEC, SOX should not have any impact on you; unless you work for a government agency, it is unlikely that you need to concern yourself with FOIA. However, PCI DSS affects virtually every business, and many small and medium businesses fall under the guidelines of HIPAA, GLBA, or both.
PCI DSS: This is an industry guideline, not a legislative requirement. It was developed as a baseline to ensure that credit card transactions and credit card data are properly protected to maintain consumer confidence and the integrity of the credit card processing industry.
According to the PCI DSS guidelines, “PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data.” It is safe to say that PCI DSS affects virtually all businesses in some way.
HIPAA: The Health Insurance Portability and Accountability Act covers a broad range of health care rules and regulations for data protection. The act covers the use and disclosure of individuals’ health information by entities that HIPAA regulates.
The goal of the HIPAA Privacy Rule is to ensure that personal health information is properly protected while facilitating the flow of health information necessary to provide high-quality health care. HIPAA applies to health plans, health care clearinghouses, and any health care provider that transmits health information in electronic form—meaning that just about any business related to the medical profession needs to comply.
GLBA: The Gramm-Leach-Bliley Act governs actions by businesses related to the financial industry. The GLBA Financial Privacy Rule requires that covered businesses provide consumers with a privacy notice that explains what information those businesses collect, where they share that information, how they use it, and how they protect the data.
Businesses covered by the GLBA Financial Privacy Rule include non-bank mortgage lenders, real estate appraisers, debt collectors, tax return preparers, investment advisors, and more. If your business deals with customers’ money or advises them on handling their money, you are probably required to comply with GLBA data protection mandates.
Achieving Minimum Compliance
It can be a complex struggle to achieve compliance, especially for businesses that must meet multiple regulatory and industry mandates at the same time. Some businesses may deal in financial matters and health insurance as well as accept credit card payments, putting them under the gun for complying with GLBA, HIPAA, and PCI DSS all at once.
An entire cottage industry has sprung up around compliance. You’ll find a complete range of compliance certifications, consultants, and auditors to help you analyze your security and data protection policies and procedures and ensure that your business meets applicable compliance requirements.
Each of the individual regulatory or industry compliance mandates was developed to address specific concerns. Ostensibly, if a business achieves compliance with a given set of directives, that implies that the business is secure and that it properly protects the data it is entrusted with. However, that is not necessarily true.
Achieving and maintaining compliance with data protection requirements is certainly better than nothing. But the regulations and guidelines are often broadly written, open to interpretation, and intended to create a minimum acceptable baseline—not an impenetrable web of security.
The DDD Strategy in Action
When you set out to check boxes to achieve compliance, you might meet the letter of the law while missing its spirit entirely. Do you want your data protected by the minimum acceptable security measures, or do you want to ensure that your data is properly protected?
The reality is that achieving compliance is often not enough to truly secure your network or adequately protect data. However, if you keep your eye on the prize and aim for the best possible security and data protection, you will attain compliance and peace of mind at the same time.
Compliance is about preventing sensitive data from being exploited or compromised. It is about taking all necessary steps to ensure that only authorized users can access and view the customer information your business is entrusted with, and that it never falls into the wrong hands. Here are three critical steps you can take to meet these goals.
1. Security and data protection start with well-defined policies. Your business should have established guidelines that outline proper data-handling and data-security measures, while your employees need to be aware of your policies and educated about the risks and consequences of compromising data.
You also need to have tools in place to help enforce those policies and security measures to monitor for threats and protect data. Symantec Endpoint Protection and Symantec Backup Exec provide a solid one-two punch to accomplish these jobs.
2. Phishing scams, Trojans, and other attacks can infiltrate your systems and compromise the data they contain. You need to have tools set up to identify and block both known and emerging or zero-day threats to prevent malicious attacks from exposing sensitive data.
Symantec Endpoint Protection delivers integrated antivirus and antispyware for Windows and Mac OS X systems providing comprehensive protection, including firewall and intrusion prevention. Symantec’s Insight and SONAR technologies stop malicious behavior by detecting new and rapidly mutating malware, including previously unknown threats.
3. Symantec Backup Exec is a powerful solution for backing up data on both physical and virtual systems. It includes Unified Archiving to streamline and consolidate backup data, and it is an integral tool for the data retention necessary for compliance.
Achieving and maintaining compliance is no easy feat for organizations of any size, and it can seem overwhelming for small and medium businesses. But if you focus on security first—and use state-of-the-art solutions like Symantec Endpoint Protection and Symantec Backup Exec—you’ll exceed the required minimums.