Security Compliance & You

Over the past 20 years, technological advances have drastically altered the way we communicate, conduct business and go about our day-to-day lives. From smartphones and tablets to social media, the rise of these technologies requires constant vigilance, as cyber-criminals are hard at work searching for ways to gain access to your sensitive information.

Cyber-criminals hacking into computers and networks is nothing new; however, the rate at which these intrusions occur, the amount of data they expose, and the implications they can have definitely warrant concern for any individual or business that accesses, transmits or stores sensitive data over the Internet. Who can forget the (now infamous) 2013 Target data breach that jeopardized over 100 million consumers’ credit card information?

Such incidents caused the Securities and Exchange Commission (SEC) to ramp up regulatory requirements in 2014, and these apply to the majority of companies that conduct any aspect of business online. Lack of security compliance not only puts you at risk of losing valuable customers and jeopardizing your reputation; if you are audited and unable to prove compliance, your business could be subject to expensive fines and sanctions.

Some industries are more at risk due to the sensitive information they deal with, and therefore require tighter security regulations. Emerging privacy rules and changing governmental regulations have very specific requirements for what data needs to be stored, where it needs to be stored, how it is accessed and who is authorized to have access.

Financial service providers and accounting firms, for instance, are mandated by FINRA (Financial Industry Regulatory Authority) and SOX (Sarbanes-Oxley Act) to back up and secure all electronic communication with reasonable disaster recovery infrastructure. Healthcare providers that store or transmit EMRs or personal health information (PHI) are subject to HIPAA requirements and penalties. In a broader sense, any company that transmits credit card data over the Internet must follow PCI requirements. Regardless of your industry, most customers, clients and patients are now educated on these regulations and request proper documentation to ensure their private information is handled with care.

Security compliance is a leading force driving companies to place technology at the forefront of their business strategy. It is no longer enough to simply manage information systems and ensure they operate properly. As a result, cloud service providers are taking the necessary steps to ensure their services meet clients’ and prospects’ unique needs. Although the “cloud” may seem like a vulnerable place to keep sensitive data, companies that outsource their IT to a Managed Services Provider (MSP) whose security controls are rigorously tested tend to be more secure than those that do not.

The SSAE 16 Type II (Statement on Standards for Attestation Engagements No. 16) is an audit performed on managed services providers to ensure their data center, internal processes and operations meet the highest possible standards. These compliance standards cover internal controls, security procedures and management practices as they relate to infrastructure and data security. For example, an essential part of CHIPS Technology Group’s network security efforts is mobile device management. If one of our employees loses a smartphone that contains sensitive data, CHIPS remotely wipes the device, preventing the data from being stolen.

In addition, the SSAE 16 Type II extends its requirements to include a written assertion from the data center’s management about the fair presentation of the system’s design, controls and operational effectiveness. In the event of an audit, these documents can provide proof that your sensitive data is stored in a highly secure and regulated location.

Although compliance regulations and security audits may seem like a real nuisance, they are designed to protect your company, your clients and your personal identity. You can’t stop cyber-criminal activity, but you can take every precaution possible to ensure it does not happen to you. Emphasize due diligence when deciding whom to do business with, and make sure proper processes and systems are in place to keep your data safe.