Your IT Support Provider's Role in Regulatory Compliance
These days, more and more companies are being required to comply with security regulations, even if they're not in a regulated industry. Specifications for NIST compliance, to name one, are flowing down the supply chain, and in order to continue to do business with your customers, you may be required to prove compliance with their security standards.
It's hard to know who is responsible for what when it comes to compliance. These regulations can be confusing and the fines can be steep, so you want to make sure you’re covered.
As with any regulation, compliance generally has many administrative, physical, and technical components, such as making sure that sensitive files are in a locked filing cabinet, facilitating employee training, or ensuring that data is encrypted.
In many cases, the regulations have more administrative rules than technical ones. That’s why companies typically task a non-technical person with heading up their industry-specific compliance, oftentimes referred to as a Compliance Officer.
Depending on your organization’s requirements, this responsibility can be added on to an employee’s existing job duties, or a new position around compliance can be created. This person studies and understands the regulation(s), and works with different departments to ensure they are compliant in all areas.
IT Security and Technical Compliance
The area we’ll be focusing on is the technical security of your IT systems.
Your IT department or outsourced IT provider will be responsible for keeping your IT systems secure and up-to-date with the latest security updates and policies.
Many regulations don’t get into specifics regarding which technologies need to be in place, but most seem to agree that companies must take reasonable measures to protect any personal information they collect and retain.
The good news is that many of the “reasonable measures” can be relatively simple for your IT team to implement. They can include creating and enforcing password policies, maintaining user access permissions, running software that is still supported by its manufacturer, implementing security threat prevention systems, and keeping systems up-to-date with security patches and updates.
Other areas that can be more complex involve configuring how data is stored and protected on your servers or cloud services. Oftentimes, the level to which you are required to protect the data is directly proportional to the sensitivity of that data. Some regulations also require strict backup and retention policies.
Once your Compliance Officer determines the internal policies that need to be implemented for your systems, your IT team can put a plan in place to accomplish it.
Where to Start With Technical Compliance
So, where should you start on the technical side? A good first step would be to identify your Compliance Officer. Next, reach out to a qualified IT professional and have them conduct a security assessment. This will reveal any existing vulnerabilities in your systems and will give you a road map for how to remediate these issues.
This post should not be considered legal advice. Consult your legal counsel for specific information regarding your organization’s legal requirements.
About Courtney Casey
In an industry dominated by men, Courtney Casey, Director of Marketing for Accent Computer Solutions, Inc., is making her mark on the world of information technology. Courtney has been immersed in the IT field most of her life and has been molded into the tech savvy expert she is today. She began working for Accent while earning her Bachelor's degree from California State University, Long Beach. Known in the Inland Empire as the "Tech Girl," Courtney is a regular columnist for the region's newspaper of record, The Press-Enterprise. Her columns address topical news trends, new technology products, and offer advice on how to embrace technology or avoid common IT pitfalls.