14 things you need to know about IT security compliance

What is IT security?

Information Technology security refers to:

• risk assessment
• planning
• controls
• processes
• workflows

involved in the protection of enterprise resources, like:

• computers
• mobile devices
• networks
• services
• data

from threats that negatively impact enterprises, such as:

• physical security
• unauthorized access
• malicious code
• cyberattacks
• data breaches

What is compliance in IT?

noun

com·pli·ance kəm-ˈplī-ən(t)s

1

a: the act or process of adhering to a desire, demand, proposal, or regimen or to coercion

b: conformity in fulfilling official requirements

Option 1b above best defines compliance within IT. In this definition, “official requirements” refer to regulatory laws that organizations in affected industries must abide by to ensure that end users are protected when using their services.

While we’ll delve into laws and best practices later, a brief example of compliance in IT requires keeping patient health information (PHI) safeguarded against unauthorized access on mobile devices. To comply with this, configuring volume encryption enforces this requirement, keeping PHI data protected while at rest.

How are IT and security compliance different in cybersecurity?

The short answer is that they’re not very different.

The longer answer requires us to delve a bit deeper into the aim of IT security compliance in cybersecurity.

Previously, we explained what IT compliance is. Keeping that in mind, compliance in cybersecurity refers to the act of “adhering to official requirements” with the explicit aim of establishing the most secure system possible.

Beefing up security to meet regulatory compliance is often referred to as hardening. One way of achieving specific compliance needs is by utilizing standards and frameworks that act as a blueprint for organizations wishing to attain a desired level of security. Specific laws and standards are covered in a later section, but suffice it to say that by aligning with compliance frameworks, regulated businesses can strengthen their security posture, keeping users, devices and sensitive data protected as threats are prevented and risk factors mitigated.

Why is security compliance important?

Laws that specify a minimum set of protections for users of identified business processes are designed by government agencies and applicable to certain industries. These regulations are not variable, open to interpretation nor can organizations cherry-pick which parts of the law they choose to comply with. In short, regulated businesses must comply with the full extent of applicable regulations.

Because of the criticality of complying with regulatory laws, each regulation has its criteria for organizations that unknowingly (or willingly) violate these laws.

Impacts on your organization stemming from security compliance are:

• Reputation and public standing
• Business opportunities and partnerships
• Revenue and finances
• Legal liability
• Business operations

Security compliance laws and standards

The laws (regulations) are designed to protect users, devices and data in regulated environments while standards and frameworks are designed to address security vulnerabilities, helping organizations address their unique needs along their compliance path.

It’s important to note that, while IT and Security teams can simply configure endpoint security tooling, controls, processes and workflows to be more secure at any time, one of the greatest benefits of aligning with standards and frameworks is that the solutions they provide are typically mapped to any number of industry regulations. This takes the guesswork or trial-and-error aspects out of the compliance management equation, allowing administrators to adopt and deploy security configurations across their infrastructure that meet (or often exceed) the minimum requirements stipulated in the regulatory requirement.

In other words, standards and frameworks already:

1. identify the best ways to secure resources
2. maximize protections based on the OS platform
3. align protections to specific industry requirements
4. adhere to IT and Security best practices
5. simplify the deployment of hardening configurations
6. ensure compliance extends across the infrastructure
7. streamline compliance enforcement

Common global regulations

• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act (FERPA)
• General Data Protection Regulation (GDPR)
• Financial Conduct Authority (FCA)
• Sarbanes-Oxley Act (SOX)

Common standards and frameworks

• Payment Card Industry Data Security Standard (PCI-DSS)
• macOS Security Compliance Project (mSCP)
• National Institute of Standards and Technology (NIST)
• Center for Internet Security (CIS)
• International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)

Security compliance best practices

1. Obtain support from management to gain stakeholder and critical contributor buy-in when developing a security management plan.
2. Determine applicable regulations based on industry, physical location where the business operates from and where its customers are regionally located.
3. Perform risk assessments to identify vulnerabilities and determine risk tolerance levels across your infrastructure.
4. Understand compliance requirements and how they impact your organization’s security compliance management plan by performing a compliance review that includes critical contributors, like legal, financial, operational and administrative stakeholders.
5. Utilize industry standards and frameworks to aid organizations on their path to compliance and adherence to regulatory requirements while creating secure baselines that reduce attack surfaces.
6. Establish security controls to prevent threats, minimize risk and mitigate vulnerabilities to balance management and security with a comprehensive defense-in-depth strategy.
7. Implement active monitoring to gather rich telemetry data, providing insight into device health, as well as provide administrators with real-time alerts of detected issues.
8. Design a patch management strategy that addresses missing security patches, including OS-level updates and keeps apps up-to-date on a regular cadence, reducing vulnerabilities and patching known bugs.
9. Create policies to ensure that requirements continue to be met by enforcing compliance holistically across the infrastructure — including personally-owned devices (BYOD).
10. Augment workflows with automation that minimize risk vectors by streamlining incident response to known threats, aid threat hunting of unknown threats and speed up remediation tasks.
11. Document everything as part of an efficient change management process that also documents all resources, processes and disaster recovery procedures. This includes testing patches, software and controls in a designated test environment — never in production.
12. Conduct frequent audits, combined with continuous monitoring and change management, to proactively identify possible issues with controls, procedures or workflows.
13. Create an end-user training program occurring regularly to inform users of evolving threats. Also, conduct frequent performance-based campaigns to assess users’ practical knowledge of threats and provide crucial feedback on their results, as well as remediation tasks to reinforce training.
14. Review documentation regularly to iteratively improve IT, cybersecurity and compliance management plans based on lessons learned through continuous improvement throughout the device and software lifecycles.