Five Steps to Make Compliance a Breeze

Learn how to work with security compliance in order to create a more secure platform for your users and a more knowledgeable team.

By Lisa Parcella · Oct. 25, 17 · Security Zone · Opinion

Many organizations are required to regularly educate employees about their security responsibilities and about best practices in order to meet compliance requirements, including PCI-DSS, HIPAA, NIST, and more. With well-rounded security awareness and application security training programs, your teams will better understand their roles and responsibilities in maintaining compliance for your company. Here are five steps you can take to ensure that meeting your compliance goals is easily achievable.

1. Don't Fight Compliance, Embrace It
Compliance often feels like a chore, but compliance mandates are rooted in admirable principles - when it comes to security, compliance standards ensure that data is handled, stored, and destroyed in a secure manner, which has a positive impact on the reputation, integrity, and profitability of an organization. HIPAA compliance works to ensure that some of our most private data - medical data - is kept secure from attack and exploitation. As the 10th Edition of the Verizon Data Breach Investigations Report outlines, in 2017 the healthcare industry saw 458 incidents, 296 of them with confirmed data disclosure, with Privilege Misuse, Miscellaneous Errors, and Physical Theft and Loss representing 80% of breaches within that industry. The data compromised, by type, was as follows: 69% Medical, 33% Personal, 4% Payment. [1] The majority of the data compromise came from misdelivery, disposal error, and loss, meaning that with proper compliance training many of these breaches could have been completely prevented. Security training mandated by compliance teaches practical skills and is a good investment in the security posture of your entire company. Let everyone in your organization know the benefit of training beyond simply "checking the box" on compliance.

2. Make a Plan
Compliance deadlines have a way of creeping up on us. Oftentimes it feels like a mad dash to complete all the necessary training and activities. With the EU's move to requiring compliance with the General Data Protection Regulation (GDPR) as of May 25, 2018, studies abound with shocking statistics on the lack of preparedness of organizations around the world. One such study, conducted by TrustArc among 204 individuals from companies subject to the GDPR, found that 61 percent of respondents had not even started the process of GDPR implementation, and only 11 percent had implementation underway. [2] Even though they are halfway through the compliance notification period, more than half of these companies haven't even begun their compliance process. In spite of all the competing demands on a company's time, making time for compliance initiatives is an investment in the overall security posture of the business and a safeguard against attack, and against fines and remediation for non-compliance. Work backward to roll out compliance training in a steady cadence over a defined period of time, with enough buffer to meet the compliance deadline. This will give employees enough time to really learn the security concepts and put them into practice well ahead of looming deadlines and snooping auditors. If you communicate early and often with employees throughout the compliance process, everyone should be well aware of their role in achieving organization-wide compliance.

3. Compliance Is Everyone's Job
No matter your role at an organization, compliance applies to everyone in some way. Unfortunately, a recent Ponemon report sponsored by Experian Data Breach Resolution found that compliance does not always receive the executive support it needs. Citing the study, "...only 30 percent said their organization's C-suite was fully aware of the company's compliance status. Further, just 38 percent said their executives viewed global data regulations as a top priority." [3] By tying compliance objectives to overall corporate goals and key performance objectives, everyone can keep compliance top of mind and understand the role of compliance in the context of their overall job responsibilities. Executive buy-in and support for achieving compliance goals go a long way in setting the proper expectations across an organization.

4. Distill Larger Mandates Into Actionable, Targeted Directives
When it comes to compliance mandates, different aspects apply to different employees. The ability to distill and focus larger mandates into more digestible directives for each group helps keep everyone on track to compliance. For instance, in a retail environment where PCI compliance is required, employees working at a cash register will need to understand different data handling concepts than the employees on the development team creating the company's mobile applications. Take some time to create targeted messaging for each group within your organization based on its role in the compliance process.

Sources: 

[1] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

[2] https://iapp.org/news/a/survey-61-percent-of-companies-have-not-started-gdpr-implementation/

[3] http://www.experian.com/blogs/data-breach/2017/06/27/survey-companies-ill-prepared-global-data-breach/

Published at DZone with permission of Lisa Parcella, DZone MVB.