Achieving regulatory compliance within your IT infrastructure in light of the GDPR is paramount, both for fulfilling your legal obligations around security and for the good of your business. Regulations such as the GDPR are designed to protect potentially sensitive information and to ensure that the data you hold is secured in a world where attacks are growing in both sophistication and number. Yet there is a big difference between being compliant and being secure: compliance is assessed at a point in time against a fixed set of controls, whereas security has to hold up against an adversary who is not bound by that list.
Additionally, whilst achieving regulatory compliance may seem like a high mountain to climb, maintaining it in the future may mean climbing that mountain every year. In a constantly evolving world of organisational change, new information and knowledge, changes to technology (and to how we use it) and changes to our customers and surroundings, a pragmatic, agile and maintainable approach to compliance is crucial.
The ‘continuous compliance’ model may provide a bridge between being compliant and being secure. There are several elements to this approach which require consideration.
Firstly – know your rules. For UK businesses, Good Practice Guide 13 (GPG13), originally published by CESG (now part of the NCSC) for UK government systems and their suppliers, offers guidance on protective monitoring and is a useful reference for any company hoping to defend itself against data breaches. Regulations such as the GDPR are designed to help ensure that your data is secure and exist for the good of your business, not just to make your life difficult!
Secondly – keep an eye on your paperwork. The world of security and compliance changes quickly, and regular review of documentation, policies and procedures throughout the year is an important part of compliance that is frequently overlooked. Whilst it’s true that nobody likes paperwork, comprehensive, thoroughly documented policies are critical to compliance, and keeping them current as things change is essential.
Thirdly – make monitoring a priority. Regularly identify which systems, applications, devices and data need to be monitored, and act on that list. Comprehensive monitoring both surfaces security issues as they occur and produces the evidence (logs, alerts and audit trails) that allows compliance to be demonstrated, not least because a breach you cannot detect is one you cannot report within the GDPR’s 72-hour notification window.
Finally, why not consider sharing your experiences? Whilst IT professionals frequently share information and expertise on a personal level, organisational sharing and collaboration across the industry is less common. It’s all too easy to stand back and point out another company’s flaws after the event, when it may actually be more useful to adopt an ‘if it happened to them, it could happen to me’ stance. That keeps your business alert to possible breaches and leads to more stringent security.
Developing a collective approach to security and availability management can provide greater insight into the threat landscape and so strengthen the position of your own business. You never know, it could inspire regulatory bodies to participate as well, shedding greater light on what it actually means to be compliant and how to get there.
Food for thought?