Guide to Information Security and Compliance
Why should your small business care about information security?
- Make better decisions
- Anticipate problems
- Boost profitability
Why should I care about compliance services and training?
Managing and controlling information risk
The purpose of all compliance is to create security for information. Your company holds sensitive information about its customers, partners, and employees, and that information, when compromised, can ruin your reputation and cause significant financial losses. Unfortunately, there are entire organizations dedicated to stealing and exploiting it.
There is a name for the risk this poses: information risk. Every compliance framework exists to reduce information risk by forcing organizations to drive toward securing their information. In this way, compliance services (also called information security services) help minimize that risk.
The importance of effective information risk governance practices
If your company loses sensitive information to hackers, you must act quickly. Many businesses do not understand how to implement effective information risk governance practices.
The lack of clarity surrounding information risk governance (i.e., the policies, processes, and frameworks that the company uses to manage and control information-related risks) can cause delays in fixing the data breach. And that can cause irreparable damage.
Our compliance services and training can help you develop and implement effective information risk governance practices. In other words, we can help you manage and control your information risk. And knowing how to manage and control your information risk better secures your information.
Understanding the changing regulatory requirements
Information security is no easy task.
Regulatory requirements must evolve to ensure businesses are protecting their customers against new cyber attacks. So, while you focus on serving your customers, we focus on staying on top of all these changes. This maintains your compliance and information security.
That’s why a compliance partner is so important for your business.
What does "compliance" really mean?
Compliance vs. Cybersecurity
It’s important to note that compliance and cybersecurity are not interchangeable. Again, the aim of compliance is always to drive toward information security; it involves meeting minimum regulatory requirements and working within certain frameworks.
For instance, if you’re in the medical industry, you have to meet HIPAA requirements. You must also understand the HIPAA Security Rule, which establishes standards to protect individuals’ electronic health information. Because these regulations contain security components, it’s easy to think that compliance equals cybersecurity. It doesn’t.
Cybersecurity involves protecting your systems, networks, and data from cyber attacks. But even with cybersecurity solutions in place, you may still not be compliant with the regulations and laws that apply to you.
Consider this analogy… You’re about to go for a drive. When you get in your car, you put on your seatbelt. You can think of compliance as this seatbelt. You must legally wear it when driving. Doing so brings peace of mind in two ways:
- You know that you’re complying with the law.
- You know that you’re reducing your risk of serious injury or death in case of an accident.
You can think of cybersecurity as the airbags in your car. While they aren’t legally required, they offer extra protection when you drive.
When you work with us as your compliance partner, we’ll use compliance and risk assessments to identify gaps in your security and compliance. We’ll then use this information to help implement risk controls.
100% Compliance is Impossible
There is no such thing as being completely compliant. One minute you can be in compliance. And a minute later, one of your staff can click a wrong link that inadvertently puts you out of compliance.
While you can’t reach 100% compliance, you can take steps to reach compliance, so that in the event something happens that causes you to be audited, you can show that you’ve done everything you can to provide a secure and private environment for the information you handle.
Overview of Relevant Regulatory Frameworks
We at InfoSystems are pros at helping you stay compliant with a variety of laws and regulations, including:
- HIPAA
- GDPR
- PCI-DSS
- SOC
A breakdown of these laws and regulations
The regulatory requirements depend on your industry and the data that you’re collecting and processing for your customers. Here are a few of the main ones:
HIPAA (Health Insurance Portability and Accountability Act)
This US law guards the privacy and security of an individual’s medical information and health records.
Even if you’re not in the medical industry, HIPAA still applies if you have personal health information about individuals.
GDPR (General Data Protection Regulation)
This European regulation is for folks in the European Union (EU) and European Economic Area (EEA). It protects their personal data and privacy by giving them control over their own data.
Even if your business is outside the EU, if you store or process information about EU citizens who live in EU states, you must comply with the GDPR.
PCI-DSS (Payment Card Industry Data Security Standard)
The PCI-DSS protects payment account data and transactions. Even if you’re not in the commerce, retail, or financial services industries, PCI-DSS compliance still applies if you store, process, or transmit cardholder data.
SOC (System and Organization Controls)
In many cases, a company’s customers don’t have deep visibility into that company’s environment, which raises concerns about how it handles their sensitive data. With a SOC audit, the company undergoes third-party validation that it has the controls and systems required to provide the desired services.
The Role a Managed Service Provider (MSP) Serves in Information Security
You should work with an MSP when you want to completely outsource your IT support. An MSP’s tasks include (but aren’t limited to):
- Buying new computers or IT equipment
- Assisting in the transition from old systems to new ones
- Fixing technology (such as hardware, software, and systems)
- Providing IT help desk support
You can also incorporate cybersecurity into your IT support. But to do that, you must either:
- Work with a managed security service provider (MSSP).
- Purchase an MSP Plus add-on with your current MSP.
Working with an MSSP or buying MSP Plus will get you strategies and services for cybersecurity and compliance (in addition to IT support). There are, however, differences in the types of strategies and services between the two.
For instance, not all MSSPs offer the same benefits as buying MSP Plus with InfoSystems.
The Benefits of MSP Plus
When you purchase MSP Plus, you receive benefits in the form of specialized tests and assessments. In this section, we break down each of these.
Cybersecurity Pen Test
When conducting a cybersecurity penetration (pen) test, your MSP scans your network, looking for open ports, passwords that haven’t been changed, and accounts that are still active but should have been deactivated.
To meet PCI requirements, you must pass four vulnerability scans from a certified vendor.
And when you work with a certified MSP, they’re able to conduct the required testing and provide support as you implement the necessary changes to increase the security strength of your operation.
Technology and Compliance
Your MSP can help you maintain compliance – from regular audits and risk assessments to implementing and managing compliance-related technologies. To do this, your MSP uses evaluations, such as the cyber resilience analysis (CRA).
When your MSP conducts a CRA on your business, they look at your company’s overall cybersecurity defenses and strategies – leveraging both internal and external scans. In the CRA evaluation, your MSP grades you on how your security compares to the different security regulations that require your compliance.
If you aren’t compliant, your MSP will help you get there by:
- Outlining task lists in order of priority.
- Creating a policy set you can follow.
- Developing a step-by-step strategic plan for you to reach compliance (this plan is your roadmap).
Overview of the Roadmap to Compliance
This roadmap will:
- Show you what you need to do to reach compliance.
- Give instructions on how to do it.
- Provide, for one year, a tool that gives you policies you can use.
But first, you must choose the frameworks you wish to comply with.
Frameworks for Your Roadmap
Your roadmap’s frameworks are guidelines and best practices that ensure you meet regulatory requirements.
For example, suppose your business wants to be HIPAA-compliant. This will require you to implement policies and procedures to prevent, detect, contain, and correct security violations.
Use Assessments to Mitigate Risk
In addition to a roadmap, your MSP can provide you with assessments to help you reduce your information risk. At InfoSystems, we offer several of these assessments.
Cybersecurity Best Practice Assessment
As you complete our Cybersecurity Best Practice Assessment, one of our cybersecurity consultants will use a model of well-implemented cyber controls to spot areas where we can strengthen your cyber defense programs. This assessment is a good fit if you want to build a stronger security culture for your small-to-medium-sized business.
Security Risk Assessment
As you complete this assessment, one of our cybersecurity consultants will determine the present state of your security program. This involves conducting multiple fundamental security examinations, such as reviews of:
- Documentation
- Policies
- Facilities
- Technology
- Protection strategies
- Staffing
- Training
This assessment aims to spot deficiencies and excesses, which allows us to make improvement recommendations using our proven security methods.
GDPR Data Protection Impact Assessment
As you complete this assessment, one of our cybersecurity consultants will help you do the following:
- Comply with the GDPR.
- Understand the risks to the security and privacy of the data you process.
- Determine ways to mitigate those risks.
California Consumer Privacy Act (CCPA) Cybersecurity Assessment
As you complete this assessment, one of our cybersecurity consultants will help you do the following:
- Comply with the CCPA.
- Understand the risks to the security and privacy of the data you process.
- Determine ways to mitigate those risks.
Regardless of your company’s physical location, the CCPA applies if you’re a for-profit business conducting business in California and you meet at least one of the following criteria:
- Your annual gross revenue exceeds $25M.
- You buy, sell, or share the personal information of at least 100,000 CA residents, households, or devices.
- You derive 50% or more of your annual revenue from selling CA residents’ personal information.
This assessment is an annual requirement for applicable businesses.
Business Continuity Assessment & Plan Development
As you complete this assessment, one of our cybersecurity consultants will gather all relevant information to create a business continuity plan for your company.
Your business loses money whenever a disruption occurs. Cyber insurance doesn’t cover every cost, and it can’t replace customers who leave you for your competition. That’s why we strongly recommend having a business continuity plan.
Additional Reading
- Implementing Effective Cybersecurity and Security Risk Governance Practices
- Breakdown of Compliance by Industry: Information Security Compliance for Healthcare and Financial Services
- Implementing Digital Transformation Effectively and Safely
- Using Compliance Plans, Partners, and Strategies in an Evolving Regulatory Landscape
InfoSystems is an IBM Platinum Partner
Meet with one of our IBM specialists to ask questions and talk about IBM Storage, IBM Security, IBM Watson, and other premier solutions from IBM.