One of the 'necessary evils' that virtually every corporate security team has to deal with is regulatory compliance. There are a range of compliance standards, and depending on the industry you do business in, and the type of corporation you are, chances are that you have to comply with one or more regulatory standards. Let's look at some of the more common standards out there, and discuss how NCA can help you maintain that compliance.
Common Compliance Standards
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard, or PCI for short, is a set of rules designed to ensure that merchants who handle credit card information are managing, storing and transmitting that information in a secure manner. In short, if you take credit card payments, you are subject to PCI.
Health Insurance Portability and Accountability Act (HIPAA)
When HIPAA was first introduced, the idea was to allow for the easy movement of patient health records from one healthcare or insurance provider to another, so that people would have more choice in their healthcare coverage. A somewhat unintended result of that legislation was the set of derived requirements that mandated secure storage and transmission of that data - something that many healthcare and insurance providers weren't practicing at the time. Over time, HIPAA has been revised to mandate even more clearly defined controls on the security of patient healthcare records. If your business is involved in healthcare in any capacity, chances are that you are subject to HIPAA.
Sarbanes-Oxley Act (SOX)
First drafted in the wake of the Enron scandal, the Sarbanes-Oxley Act of 2002 mandated that corporate officers sign off on their financial reporting, with criminal penalties for those who sign off on fraudulent reports. Like HIPAA, SOX was primarily concerned with something other than security (in this case, financial reporting), but it carried a number of derived requirements involving secure data storage, along with other security considerations. If your company is public, you are subject to SOX compliance.
The Real Value of Compliance
The list above is just a small sample of the regulatory landscape, and many companies are subject to more than one standard. For example, if your company is a publicly traded chain of health clinics, you are most likely subject to all three of the standards above. Given the number of regulations out there, it's easy to lose sight of the value of compliance and treat it as a 'box-checking' activity.
But most of the compliance regulations out there are based on real-world lessons, and a healthy security approach will usually drive a healthy compliance approach. As they say in the security industry, a good compliance program doesn't mean you have good security, but having a strong security program does mean that you have a good compliance program.
Achieving Compliance with NCA
NCA can help you achieve not only compliance with different standards, but also a strong underlying security practice that will lead your team to true security.
The NCA Security Analytics service deploys best-in-breed security platforms from vendors like RSA within your enterprise, to provide you with the information you need to achieve both compliance and real security. Our team of engineers handles the implementation and ongoing management of the platform, providing you with a prioritized list of action items and potential vulnerabilities, along with detailed and correlated information on potential incidents. NCA manages the service, so that you and your team can focus on your strategic security and compliance objectives.
If achieving security compliance, and true security, sounds interesting to you, contact us today to get started.