The variety of laws and regulations governing how organizations manage and share sensitive information can look like a bowl of alphabet soup: HIPAA, GDPR, SOX, PCI and GLBA. A multinational conglomerate, government contractor, or public university must comply with ten or more, which makes demonstrating regulatory compliance seem like a daunting, even impossible, undertaking. But there are a manageable number of precautions you can take to secure customer data that will tick the boxes for many different regulations.
Organizations that have control of their information have an easier time demonstrating compliance with regulations. Passing a compliance audit boils down to proving to auditors that your organization has implemented three fundamental things: adequate data security, access control and comprehensive reporting of your information sharing activity. While individual regulations prioritize these differently, the requirements themselves do not change.
Keep track of data
If you don’t know where your sensitive data is stored, it’s not protected and months can pass before you realize you’ve been hacked. So, your first priority is identifying all systems where your data “lives” including local storage like CIFS file shares and SharePoint, public cloud storage systems like Dropbox and OneDrive, and endpoint devices. Classify specific files that contain confidential information and separate them from files that don’t. Customer data that’s segregated is easily located and efficiently transferred or deleted, both requirements for compliance with GDPR.
You are responsible for governing the data your employees access, regardless of how they access it. For starters, implement access controls so only authorized employees can view, edit, download or share confidential information. Also, assign different controls to different employees; the more advanced content platforms allow you to set different controls for different users. Finally, set expiration dates on files or folders to block access to them after a specific project is complete.
Encryption provides an extra layer of security and control over your data, as well as the systems holding and transmitting your data. This enables regulatory compliance with HIPAA for healthcare organizations, PCI DSS for retailers, and other regulations. Data encryption also allows your employees to continue sharing files through familiar systems like email. For complete control of your encrypted data, you must have sole access to your encryption keys.
Encryption key ownership prevents a public cloud service provider from providing law enforcement with access to your content without your knowledge. Only a private cloud solution provides the peace of mind that your organization retains full control of your sensitive content.
Organizations must also monitor what employees do with sensitive information for regulatory compliance. Data leaks stemming from careless or malicious insiders are just as harmful as cyber attacks from hackers and nation states. For some regulations, including NIST 800-171, businesses must demonstrate visibility into individual system users and their devices. Therefore, technologies that monitor and log system use provide critical visibility into who is accessing which files and whether any anomalies are present. For example, why is an employee in Finance suddenly downloading files stored in an Engineering folder? Similarly, data loss prevention tools mitigate the risk of accidental data leakage.
Lastly, it’s critical that you also regularly train your employees on the fundamentals of information exchange, governance and best practices for regulatory compliance. Every employee must understand the risks inherent to sharing confidential information, even via authorized channels.
The penalties for non-compliance are costly and embarrassing, particularly if a data breach is involved: fines, dismissals, litigation and lost business. By identifying sensitive data, enforcing access control, securing data at rest and in transit, maintaining comprehensive audit logs, and finally training employees, you have established the foundation for regulatory compliance.
About the essayist: Izak Bovee is Director of Product Management at Accellion, which supplies a secure file sharing and governance platform.
This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-3-key-ingredients-to-stress-free-compliance-with-data-handling-regulations/