After a decade of high-profile data breaches, most businesses know that complying with IT regulation and security policy is imperative. That has not stopped the governments of most nations from enforcing regulation to remind us of it. Maybe it is because I have spent most of my working life in the IT industry, but I believe IT regulation is vital in this digital age. The problem is that it is typically written in broad terms: regulation tells a business what outcome it must achieve, not how to achieve it, so it is difficult to understand and to follow without assistance. One way businesses get that assistance is by adopting a recognized IT framework. Frameworks are written in more concrete terms, describe IT "best practices", and can be used as a reference point for achieving regulatory or security compliance.
Popular IT Frameworks
COBIT, a framework designed by the Information Systems Audit and Control Association (ISACA), gives management and business process owners an information technology (IT) governance model that helps them deliver value from IT and understand and manage the risks associated with it.
ISO/IEC 38500 is a standard for the governance of IT aimed at senior management. It is published and maintained jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and it builds on earlier governance standards rather than replacing them.
Calder-Moir is an IT "super-framework": rather than competing with COBIT, ISO/IEC 38500 and the rest, the Calder-Moir IT Governance Framework pulls the existing, overlapping standards together so that an organization can use them side by side and get the most benefit from each.
Common IT Regulation
The Health Insurance Portability and Accountability Act (HIPAA), a US federal law signed during the Clinton administration, is best known today for mandating the protection of Protected Health Information (PHI). Originally passed in 1996, it was later extended by the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 and the Omnibus Rule of 2013. HIPAA's Security Rule requires administrative, physical and technical safeguards for electronic PHI, and its Privacy, Security and Enforcement rules contain some of the strongest language of any regulation of their time. In my view it remains one of the most important and far-reaching regulations of our era.
The European Union's (EU) General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC and was designed to harmonize data privacy law across Europe. GDPR was adopted by the European Parliament in April 2016 and became enforceable in May 2018. It protects the personal data of individuals in the EU, and it applies to organizations anywhere in the world that process that data, whether or not they have a presence in Europe. As with most new regulation, some of the details and the approach to enforcement are not clear yet. Most US-based multinationals have taken it very seriously and have begun the process of compliance. For small and medium businesses (SMB), compliance starts with several questions:
- Do we hold personal data of individuals in the EU?
- Is that data basic contact information, such as what appears on a business card, or sensitive data such as health records or political or religious affiliation, which GDPR treats as a special category requiring stricter handling?
- Where does this data reside, and how can we protect it?
While complete compliance may not be achievable right away, the best practice for an SMB is to know where the data resides and to develop and document policies for its protection.
In addition to government regulation, industry bodies have created compliance standards for their own data. The primary example is the Payment Card Industry Data Security Standard (PCI DSS), which the major card brands established through the PCI Security Standards Council. PCI DSS defines a set of requirements for protecting payment card data, covering prevention, detection and appropriate response to security incidents. The Council maintains the standard and keeps an approved list of Qualified Security Assessors (QSAs) who audit and validate an entity's adherence to PCI DSS.
Regardless of the size of your business, if you have an IT presence you are likely subject to regulation. Working with a strong IT partner such as Two Ears One Mouth, one with a deep understanding of these IT frameworks, makes compliance achievable.