Compliance alone isnt enough to protect your business

2021-06-08 20:53:22| The Webmail Blog

nellmarie.colman | Tue, 06/08/2021 - 13:53

When your business sets out to achieve a compliance standard such as PCI DSS, GDPR, CCPA or HIPAA, you're taking an important step toward protecting your business. The compliance process will require you to address key controls around firewalls, passwords, encryption, malware, access, etc., and to implement security best practices. These are all important elements of a security program. But, unfortunately, compliance alone isn't enough to protect your business from today's rapidly evolving cybersecurity landscape.

Compliance standards are typically designed for a unique and specific purpose. For example, PCI DSS was created to enhance cardholder data security and protect account data. But because it's limited to a specific scope boundary or enclave, it may not protect all key assets, systems and functions critical to your organization (outside of that enclave). Even within the boundary itself, it's likely you will still need to implement more pervasive controls to better secure the overall environment in which it operates.

Other regulatory compliance programs have a similarly limited design. GDPR focuses on broad digital privacy protections. CCPA focuses on data privacy rights. HIPAA is designed to protect health data. And SOX was created after major corporate scandals to certify the accuracy of financial statements.

These standards, as well as others, certainly address the goals of the compliance initiative they were built for. They reach numerous critical control families and encourage many best practices. But they're not designed to be the foundation of your cybersecurity program. So what should you do?
Integrate your compliance program into a risk-based framework

By all means, implement regulatory compliance standards when they're:

- Required by your organization and/or industry
- Defined contractually
- Expected to encourage business growth
- Needed to support other business or legal functions

But at the same time, seek to stack required compliance programs with an overarching risk-based framework that can be used as a more solid cybersecurity foundation.

A risk-based framework centers on understanding and responding to factors that can lead to confidentiality, integrity and availability failures. It starts with controls that secure your organization against present or perceived risk scenarios. You can use a risk-based framework to build or improve upon your cybersecurity program by focusing the design and implementation of controls, technology and associated investment on the risk to your organization.

Applying a risk-based framework will help you create a more secure overall environment than compliance alone. It can also help you stay more current and relevant within a rapidly evolving security landscape, since you can modify controls more freely based on the actual risks that matter to your organization. Oftentimes regulations are not updated quickly enough to provide you with ample security assurance, so stacking required compliance programs with a more thorough risk-based framework is a much better route to follow.

Benefits of a risk-based framework approach

By applying a risk-based framework approach, you can:

- Protect your most critical assets thoroughly
- Customize controls according to your specific security and organizational needs
- Take a more proactive stance on security
- Encourage a resilient culture
- Improve your regulatory compliance posture organically

A risk-based approach to cybersecurity delivers all of these benefits and more, based on its fundamental and pragmatic design.
By understanding first what the most critical assets are, and then responding to real-world risk scenarios that may impact those assets, your organization can get on the right path toward proactive security that minimizes your threat landscape. By encouraging employees to work with risk team members and share actual threats (paired with a risk team proactively hunting for threats), your company culture becomes more resilient to changes in the external environment. This in itself will also help to improve control posture organically, which supports downstream regulatory compliance maturity at the same time.

What are some risk-based frameworks to consider?

To most effectively manage your cybersecurity program, implement a risk-based framework that also helps you maintain compliance, where applicable. The two most well-recognized frameworks include:

The International Organization for Standardization / International Electrotechnical Commission standard ISO 27001 is an internationally recognized standard that provides a risk-based framework for Information Security Management Systems (ISMS). It's designed to help ensure the continued confidentiality, integrity and availability of information, and it can be used by organizations of any kind that need to manage asset security. You can also be certified against this framework and achieve various business benefits by doing so, such as maintaining current business, winning new deals and improving overall security posture.

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Commerce Department, tasked with researching and establishing standards across all federal agencies. Specifically, NIST Special Publication 800-53 defines the standards and guidelines for federal agencies to architect and manage their information security systems.
Although NIST was established to provide guidance for the protection of agencies' and citizens' private data, this risk-based framework applies to a broad base of public and private sector organizations. For that reason, private sector businesses can and have chosen to implement this framework, or parts of it, within the formation of their own cybersecurity programs, as it's widely accepted as a gold industry standard. The overall design of NIST 800-53 is enterprise focused, meaning the controls are not as boundary specific as those of other regulatory compliance programs.

Cloud security management with Rackspace Technology

When it comes to cloud security management, you don't have to go it alone. Rackspace Technology can partner with you to address every element of your security journey and take the weight off of your in-house team so they can focus on more strategic initiatives. Through our experience across thousands of clients and our extensive partner ecosystem, we can help you define and implement a cloud security strategy designed to keep your business safe.

Do you know your current cybersecurity risk score? Take our 15-question self-assessment today. Then take advantage of a professional consultation with one of our cloud experts, who will review your results and offer best-practice recommendations on how to address any identified security gaps.

Take the assessment: /lp/cybersecurity-risk-self-assessment