These days, businesses of all sizes are concerned about IT compliance and regulations.
The rise of ransomware attacks, data breaches, and subsequent litigation forces companies, non-profits, and government agencies to worry about what’s happening throughout their supply chain.
Organizations that never worried about such problems before are now suddenly receiving letters from customers demanding certification of compliance with HIPAA, PCI DSS, or a state's privacy law.
But meeting the demands of specific IT regulations isn't always a simple task. It requires coordination and communication between legal counsel, IT managers, and operations managers, all of whom need to understand the details of the rules that apply to them.
However, after going through the process a few times, a pattern emerges.
Ultimately, all IT compliance boils down to three key principles: practice, documentation, and proof.
Practice Your IT Compliance
You know what they say: Practice makes perfect. No matter what goal you’re chasing, doing something over and over is the best path to improvement.
Practice encompasses the processes already in place. Usually, this is the easiest part of the IT compliance process, since most organizations already follow the same basic principles to one degree or another.
For example, many IT compliance standards require data backups. The manner in which your company backs up data becomes your practice. The more you do it, the easier it becomes, and the more likely you are to continue doing it.
Will every practice meet compliance standards?
Although ideally, you’d want them to, reality rarely reflects that.
In truth, people tend to develop habits early on in their training and development, and carry them forward throughout their careers. It applies to habits both good and bad alike.
That’s not to say people can’t adopt new ones, but it’s hard to “unlearn” something you’re accustomed to.
Because of this, examine your training techniques and overall policies to make sure the habits you are teaching are the ones the applicable compliance policies and IT regulations actually require.
Document Your IT Compliance
Documentation cements the intent of your organization and sets the written standard.
Though some IT managers view documentation as a hassle, it provides the keystone for compliance audits. It's one of the easiest components for attorneys and non-technical auditors to examine.
Surprisingly, organizations often fail audits for a lack of documentation, not for incorrect processes. It may be one of the most common problems, but it's also one of the easiest to correct.
All you need to do is put the standard you already follow into writing, then describe how your organization will meet it.
You'll want to include details broad enough that your team retains the flexibility to use multiple tools and technologies, yet specific enough that an auditor can judge whether your organization meets the policy requirements.
For example, the NIST Cybersecurity Framework PR.IP-4 requires that “Backups of information are conducted, maintained, and tested periodically.”
To meet this requirement, you might write:
- Company X will back up data daily. Full-systems backups will be performed weekly.
- Backups will be stored off-site with a cloud-based backup vendor. One copy will remain online and reachable from our main server for fast restores; a second copy will be held offline on hard drives by a managed IT service provider, so that ransomware or an attacker with access to the server cannot reach it.
- To test the efficacy and availability of backups, we will perform a monthly data recovery exercise from our server backup, and a quarterly one from our off-site hosted backups.
- Backups will be retained for a period of seven years. After seven years, data will be destroyed once legal counsel approves its destruction.
Each of these clauses can be verified, and together they map onto the NIST requirement to conduct backups (1), maintain backups (2, 4), and test backups (3).
Yours would vary a bit, of course, but you can see how even a few brief sentences become powerful documentation tools.
If creating a written policy seems intimidating, you can always search the internet to find public examples to follow. Alternatively, you can always reach out for professional guidance.
Regardless of how you come up with your policy, make sure it’s approved by your legal counsel.
Prove Your IT Compliance
Proof, typically in the form of IT reports or penetration tests, demonstrates that your organization meets IT regulation and internal policy standards. Determining the right form of proof requires communication between your IT team and legal advisors.
Continuing the earlier example, IT could provide a report showing various devices and their backup status, along with one verifying the success of backup restoration tests.
Lawyers may also request a complete list of devices, to ensure every system meets your written standards.
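The report described above can be produced mechanically once the written clauses are expressed as thresholds. The following is an added example, not code from the original article or from Ideal Integrations: it encodes the four hypothetical backup clauses as a policy, checks a constructed device inventory (the device names, timestamps and backup states are made up for illustration) against it, and returns per-device findings plus the summary counts an auditor would ask for. The policy values are assumptions taken from the example clauses, not from any regulation.

```python
"""Generate backup-compliance evidence from a device inventory (hypothetical example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds mirroring the example clauses above (assumed values, not a regulation):
# daily backups, weekly full backups, monthly restore tests, and an offline copy.
POLICY = {
    "max_backup_age": timedelta(days=1),
    "max_full_backup_age": timedelta(days=7),
    "max_restore_test_age": timedelta(days=31),
    "require_offline_copy": True,
}


@dataclass
class Device:
    """One row of the device list lawyers and auditors ask for."""
    name: str
    last_backup: Optional[datetime]        # None means no backup ever recorded
    last_full_backup: Optional[datetime]
    last_restore_test: Optional[datetime]  # None means the backup was never test-restored
    offline_copy: bool                     # an offline copy exists with the MSP


def _stale(ts: Optional[datetime], limit: timedelta, now: datetime) -> bool:
    """A missing timestamp is treated as non-compliant, not as 'unknown'."""
    return ts is None or now - ts > limit


def evaluate(devices: List[Device], policy: dict, now: datetime) -> Dict[str, List[str]]:
    """Return {device_name: [finding, ...]}; an empty list means the device is compliant."""
    report: Dict[str, List[str]] = {}
    for d in devices:
        findings: List[str] = []
        if _stale(d.last_backup, policy["max_backup_age"], now):
            findings.append("no daily backup within policy window")
        if _stale(d.last_full_backup, policy["max_full_backup_age"], now):
            findings.append("no weekly full backup within policy window")
        if _stale(d.last_restore_test, policy["max_restore_test_age"], now):
            findings.append("no successful restore test within policy window")
        if policy["require_offline_copy"] and not d.offline_copy:
            findings.append("no offline copy")
        report[d.name] = findings
    return report


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Counts for the one-line summary an auditor reads first."""
    total = len(report)
    failing = sum(1 for f in report.values() if f)
    return {"devices": total, "compliant": total - failing, "non_compliant": failing}


# Constructed sample inventory for illustration (not real systems or dates).
NOW = datetime(2024, 3, 15, 9, 0)
SAMPLE = [
    Device("file-server-01", NOW - timedelta(hours=6), NOW - timedelta(days=2),
           NOW - timedelta(days=10), True),
    Device("db-server-01", NOW - timedelta(days=3), NOW - timedelta(days=9),
           NOW - timedelta(days=45), True),
    Device("laptop-17", NOW - timedelta(hours=20), NOW - timedelta(days=5),
           None, False),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE, POLICY, NOW)
    for name, findings in result.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print(summarize(result))
```

Run against real data, the inventory would come from your backup tool's export rather than the constructed list, but the output is the same artifact the text describes: a device-by-device status plus evidence that restore tests happened. Note that a device with no restore test on record is reported as failing rather than unknown, which is the conservative reading of "tested periodically".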
Deciding what proof you need now, before any problems crop up, goes a long way towards avoiding surprises during an audit.
Putting It Together
The first encounter with compliance requirements can be painful and confusing.
Organizations typically find themselves scrambling to document and implement the necessary procedures.
The law, business practices, and IT technologies constantly change. As these changes occur, organizations need to adjust to keep up with the moving targets.
Your organization should have quarterly and event-driven reviews of practices, policies, and proof, to ensure continued compliance.
Where gaps or discrepancies are found, propose, approve, and verify necessary adjustments.
And never forget to practice, practice, practice!
An outsourcing expert such as Ideal Integrations can make the process easier. Our decades of experience allow us to work with your team to understand your compliance needs and propose reasonable and repeatable solutions.
Ideal Integrations and Blue Bastion offer technology and service options for meeting IT regulation and compliance standards, as well as reports and penetration tests, to verify practices in place.
Complete the form below or call us at 412-349-6680 and receive a no-obligation consultation to help reduce compliance headaches today!