Biggest IT Compliance Headaches and How to Fix Them
Complying with data regulations is a major concern for organizations and a nagging problem for IT professionals. While these issues have always existed, the underlying drivers of compliance have changed in recent years.
In the past, most organizations engaged in compliance initiatives to align with national regulations such as SOX and HIPAA. The majority of the security concerns revolved around hardware and software. However, today most enterprises must govern, manage, and ensure compliance for the large amount of data they handle. Organizations increasingly have to worry about the implications of international legislation, such as the GDPR, which has eclipsed national regulations.
CIO.com interviewed dozens of security experts, IT professionals, and compliance officers to get their take on the main compliance issues facing organizations today. They identified five issues and provided suggestions on what IT leaders can do to enable organizations to comply with government and industry regulations.
Bring Your Own Device
Personal devices, such as tablets and smartphones, introduce a wide range of security vulnerabilities. Organizations can mitigate them by developing and enforcing detailed bring-your-own-device (BYOD) policies backed by strong technical controls. Enterprises can deploy mobile device management (MDM) solutions, such as Google Mobile Device Management. Such tools are critical to effective BYOD oversight because they let system administrators remotely disconnect devices or deny access to selected accounts.
Administrators can also prevent a lost or stolen device from compromising critical data by enforcing device-lock passwords that keep unattended devices locked. IT managers should also replace SMS-based one-time codes with time-based one-time password (TOTP) applications, such as Google Authenticator.
"The biggest compliance-related issue facing CIOs today is shadow IT -- a threat caused by the use of unseen third-party solutions including devices and apps," says Orlando Scott-Cowley, Messaging, Security & Compliance Evangelist, Mimecast, a provider of email management, compliance and archiving solutions.
"Corporate IT has grown to be complex and cumbersome, so end-users have started using their own third-party services to get their jobs done, such as large file sending services," Scott-Cowley says. But oftentimes these apps or solutions are out of the organization's control, causing the IT department a major headache. "The best medicine to cure the headache? Educate end-users; give CIOs the controlled power to constantly assess services for suitability, and deploy modern enterprise cloud solutions to solve overall compliance problems."
General Data Protection Regulation
The General Data Protection Regulation is a comprehensive European privacy regulation that came into effect on May 25, 2018. It goes beyond data security by regulating how organizations use personal data and respect individual privacy. The GDPR is a pervasive law that affects the whole enterprise and requires organizations to actively oversee and manage third-party vendors.
Firms that have operations in Europe, process or collect personal data from Europeans, trade in Europe, or handle personal data for European corporate clients must comply with this law. Compliance means mapping and inventorying data across the whole enterprise, managing vendors, seeking individuals' consent for the use of their personal data, regularly auditing and updating privacy compliance programs, and respecting individuals' right to be forgotten. Failure to conform to the GDPR can cost enterprises up to 4% of their gross revenue.
Firms should begin by documenting their data processing activities and the associated risks, including the data subject rights that apply. Article 30 of the GDPR requires every organization subject to the regulation to keep a record of all of its data processing activities. IT managers can use free tools, such as the template provided by Everlaw, to support compliance.
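An Article 30 record can be checked mechanically. The following is an added example (not the Everlaw template and not code from the article): a small register of processing activities with a checker that reports the elements Article 30(1) requires for every activity (controller, purposes, categories of data subjects and of personal data, categories of recipients), flags a third-country transfer recorded without documented safeguards, and warns when the "where possible" elements (retention limit, security measures) are missing or when an entry has not been reviewed within an assumed 365-day cadence. The register entries and the review interval are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Elements Article 30(1)(a)-(d) requires for every processing activity.
REQUIRED_FIELDS = (
    "controller",
    "purposes",
    "data_subject_categories",
    "personal_data_categories",
    "recipient_categories",
)
# Elements Article 30(1)(f)-(g) asks for "where possible"; reported as warnings, not errors.
RECOMMENDED_FIELDS = ("retention_limit", "security_measures")
REVIEW_INTERVAL_DAYS = 365  # assumed audit cadence for this example, not a figure from the GDPR


@dataclass
class ProcessingActivity:
    """One row of the register (record of processing activities)."""
    name: str
    controller: str = ""                        # name and contact details of the controller / DPO
    purposes: List[str] = field(default_factory=list)
    data_subject_categories: List[str] = field(default_factory=list)
    personal_data_categories: List[str] = field(default_factory=list)
    recipient_categories: List[str] = field(default_factory=list)
    third_country_transfers: List[str] = field(default_factory=list)
    transfer_safeguards: str = ""               # e.g. the mechanism relied on; required if transfers exist
    retention_limit: str = ""
    security_measures: List[str] = field(default_factory=list)
    last_reviewed: Optional[date] = None


def check_activity(act: ProcessingActivity, today: date) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for a single register entry."""
    findings: Dict[str, List[str]] = {"errors": [], "warnings": []}
    for name in REQUIRED_FIELDS:
        if not getattr(act, name):
            findings["errors"].append(f"missing required element: {name} (Art. 30(1))")
    # Art. 30(1)(e): a transfer outside the EU must be documented together with its safeguards.
    if act.third_country_transfers and not act.transfer_safeguards:
        findings["errors"].append("third-country transfer recorded without documented safeguards (Art. 30(1)(e))")
    for name in RECOMMENDED_FIELDS:
        if not getattr(act, name):
            findings["warnings"].append(f"missing recommended element: {name}")
    if act.last_reviewed is None:
        findings["warnings"].append("entry has never been reviewed")
    elif (today - act.last_reviewed).days > REVIEW_INTERVAL_DAYS:
        findings["warnings"].append(
            f"last reviewed {act.last_reviewed.isoformat()}, older than {REVIEW_INTERVAL_DAYS} days")
    return findings


def check_register(register: List[ProcessingActivity], today: date) -> Dict[str, Dict[str, List[str]]]:
    """Run check_activity over every entry, keyed by activity name."""
    return {act.name: check_activity(act, today) for act in register}


# Constructed sample register: fictional activities of a fictional controller.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="payroll",
        controller="Example Ltd, dpo@example.invalid",
        purposes=["salary payment", "tax reporting"],
        data_subject_categories=["employees"],
        personal_data_categories=["name", "bank account", "tax id"],
        recipient_categories=["payroll provider", "tax authority"],
        retention_limit="7 years after employment ends",
        security_measures=["encryption at rest", "role-based access"],
        last_reviewed=date(2024, 3, 1),
    ),
    ProcessingActivity(
        name="marketing-newsletter",
        controller="Example Ltd",
        purposes=["email marketing"],
        data_subject_categories=["subscribers"],
        personal_data_categories=["email address"],
        third_country_transfers=["US email provider"],  # transfer recorded ...
        transfer_safeguards="",                         # ... but no safeguard documented
        last_reviewed=date(2022, 1, 15),
    ),
]

if __name__ == "__main__":
    for name, result in check_register(SAMPLE_REGISTER, date(2024, 6, 1)).items():
        print(name, result)
```

Running this over the sample register passes the payroll entry cleanly and returns two errors and three warnings for the newsletter entry, which is the kind of output an IT manager can hand to the compliance team rather than re-reading a spreadsheet by eye.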
Internet of Things
The increasing adoption of the internet of things (IoT) has led to exponential growth in the number of interconnected devices and endpoints. Experts note that IoT security standards lag behind those of other applications, exposing organizational networks to a variety of threats. The convergence of digital and physical systems is under way in several industries, including automotive, financial services, and utilities.
Unlike traditional threats, which usually result in financial or reputational damage, IoT threats can cause physical harm to individuals. CIOs can ensure that IoT systems remain compliant with security regulations by scheduling annual penetration tests; testing should also be repeated after any change to the IoT architecture. Alternatively, firms can segregate IoT devices onto a separate network segment with limited access to sensitive data and credentials.
Chief Compliance Officer
Over the past few years, the role of the CCO has become one of prime importance as new compliance mandates have been implemented. The CCO and the compliance management team are now viewed as the first line of defense.
More information on the role of the CCO, along with a detailed job description, is available.