1. Compliant ≠ Secure
One of the most troubling mindsets within an organization is “I’m compliant, ergo I’m secure.” Where compliance may be a good place to begin your “quest for security”, unless you look at your environment from a risk-based approach, and manage your environment based on the results of your risk analysis, you may be unpleasantly surprised when an outsider exploits a vulnerability found in your infrastructure. Simply checking off the boxes in order to fulfill a specific compliance requirement does not mean that you can sit back until the next audit period with the assumption your environment will remain secure and protected from any outside, malicious attacks. Maintaining security requires an ongoing analysis of business assets, and what you are doing to protect each of those assets. The best way to ensure both security and compliance is to include both in the initial business plan conversation as a two-way approach.
2. Not having a designated Compliance Officer
The role of the Chief Compliance Officer is on the rise as companies are beginning to understand the importance of designating an individual within the organization whose focus is on maintaining compliance with the constantly evolving regulatory landscape. With the sweeping realization that regulatory compliance is being more heavily enforced, many organizations are beginning to realize this may be a full-time job.
3. Thinking of independent audit as expense
The term “audit” has held a negative connotation in the business world for about as long as the word has been around. Words such as “burdensome”, “intrusive”, and “costly” may all be words we associate with an audit. It’s time for organizations to begin thinking of an independent audit not as an expense, but rather an investment. The fines that come along with non-compliance and/or data breaches will be much more costly and burdensome on your organization than being proactive about your compliance and security and planning an independent audit into your budget. Not only will you be able to validate your compliance, but having compliance audits already performed by an independent third-party auditor can also give you a competitive advantage when obtaining new business.
4. Scope mismanagement
Managing scope is critical to a successful compliance program. Understanding scope means understanding both business processes and how technology supports them. Business processes – such as the specific details as to what is asked over the phone in a call center and whether or not the entire phone call is recorded – play a significant role in identifying the technology that supports the business process. Once we’ve identified these applications and systems, it’s time to think about technical scope. Which system components store, process, or transmit the data in question? Which system components provide security services to the first group? Which system components are connected to (even if they don’t have to be) to the first group? With this information, we now know specifically where to apply all controls for a successful compliance program.
5. “Trust is a control”
In a perfect world, we would all undoubtedly trust anyone and everyone that we work with. Unfortunately, it’s important to remember that trust is not a control, and employees are humans, and humans make mistakes – intentionally or unintentionally. It’s okay to trust, but from a risk-based perspective, we must also verify. This is why monitoring, account permissions, access, and system configurations, are all among important controls that should be applied to your organization’s security posture.