The weakest link in the chain of protection of computer infrastructure and corporate data is always the human being
Computer security is not just about applying technology to build protective barriers. Safeguarding the organization's data and assets also means ensuring that the company complies with the laws, rules and regulations that establish best practices for keeping that data secure.
In a hyperconnected world, the risks that companies face multiply. The Internet has become a fundamental tool for any business and is present in almost the entire value chain.
A vulnerability opens the door for cybercriminals to enter the company and steal sensitive information. Ensuring that procedures and standards are followed is the first step in keeping the company safe.
What is compliance?
“Compliance” is an English term used to describe the set of procedures and good practices adopted by organizations to identify operational and legal risks. It is often associated with regulatory compliance, but it is much more than that.
Fundamentally, it means establishing prevention, management, control and reaction mechanisms for possible risk situations.
Why is compliance key in cybersecurity?
In a context of digital transformation, the risk of suffering a cyber attack keeps increasing.
The old perimeter-control mechanisms are not enough for an organization that depends more and more on what happens online in order to operate. The risk of suffering an attack is one click away.
Employees now work both inside and outside corporate buildings and, in many cases, bring their own devices. This is a challenge for the security and information technology (IT) departments, which are responsible for protecting this equipment and the information it processes and stores, but also for those in charge of the processes within the organization.
The weakest link in the chain of protection of infrastructure and corporate data is always the human one. Therefore, beyond the need to comply with regulation, it is important to define certain procedures and best practices and to ensure they are followed, so that a single click cannot undermine the protective barriers.
Regulation and regulatory approach
Regulations aimed at multiple industries have been developed in different countries, such as HIPAA (acronym for Health Insurance Portability and Accountability Act) for the North American health market, other global ones such as SOX (acronym for Sarbanes-Oxley Act) and PCI DSS (acronym for Payment Card Industry Data Security Standard) and, recently, GDPR (acronym for General Data Protection Regulation).
All these regulations have one aspect in common: they define the computer security measures that companies must have in place to safeguard the integrity, confidentiality and availability of information.
For example, GDPR, the European regulation on the protection of personal data, entered into force on May 25, 2018 and arose in response to the risks of personal data exposure that materialized with digital transformation and the mass use of the Internet.
Among its principles and obligations, the following stand out:
* It establishes that personal data must be processed “in a lawful and transparent manner” and collected for specific purposes, and that those purposes must be indicated to individuals at the time of collection.
* It restricts the use of personal information – personal data cannot be used for other purposes that are not compatible with the original purpose for which it was collected.
* It limits the collection of user data – only the personal data necessary to fulfill that purpose should be collected and processed.
Although the rule is European, it is important to meet its requirements because it also applies to companies established outside the European Union (EU) that offer products and services (paid or free) to, or observe, use or store personal data of, EU citizens.
In Argentina there is a package of laws related to cybersecurity. The main ones are the Computer Crime law (Law 26,388), the Protection of Personal Data law (Law 25,326) and its regulatory decree 1558/2001, and the Digital Signature law (Law 15,506) and its regulatory decree 2628/2002. To this group must be added the rules specific to the markets where the companies operate. For example, financial services often have stricter rules about how or where user data must be protected.
Compliance with the rules should not be pursued only as a way to avoid penalties; in the area of computer security, it must become an essential mechanism to ensure the proper use of personal data and sensitive information.
In addition to the mandatory rules and regulations, companies have tools such as the ISO 27000 family of international standards available to ensure their management systems are secure.
ISO 27000 is a set of standards that helps manage security-relevant assets such as financial information, intellectual property and information about employees and third parties. It is another way to start working on best practices that guarantee information protection and computer security.
In large companies it is common to find regulatory compliance programs and the appointment of a person in charge (usually with the title of “compliance officer”) whose main function is to ensure that the entire organization follows good practices and complies with the procedures established by the standards.
Although their functions depend on the organization, in general they can be summarized as providing support, designing compliance matrices and monitoring systems, performing risk analyses to determine high-impact regulations, and setting priorities.
It is a multidisciplinary position that can be held by lawyers or business professionals as well as by auditors. The control activity can be outsourced to ensure greater independence.
In SMEs it may be harder to set up an area responsible for compliance, but the task should not be neglected. In general, it is left to senior management.
In both SMEs and large corporations, technology is an ally of senior management in taking control. Many companies provide governance, risk and compliance (GRC) solutions that help organizations manage governance and regulatory compliance.
These can be offered as software installed on the client's own premises or as a service, which allows greater flexibility. Whichever model is chosen, software support makes it possible to unify activities, manage policies and improve governance and compliance with standards.