A part of doing business is complying with regulations. Regulations
come from various places, primarily governments but also from industries. The
major credit card providers teamed up to create the Payment Card Industry Data
Security Standard (PCI DSS), an example of an industry-led regulation. On
the government side there are many. Most of you are familiar with HIPAA, which
protects health information, and every state now has its own law on the books to
protect consumer data, Alabama having joined the ranks in 2018. There is a
myriad of other regulations out there, making it difficult for the average
business to keep up.
What is the process for maintaining compliance? The first
step is to have someone within your organization responsible for compliance. Some
organizations are large enough, or in an industry that supports it, to have a full-time
compliance manager. Many organizations do not have the means or the need for this; that
is typical in the SMB market. Those SMBs should still appoint someone to take
the lead. Think about partnering with an expert to help guide you through the
compliance process; this will be key if your appointed person or team does not
have the time to stay current with the regulations.
Step two is to understand which regulations your
organization needs to comply with. Does your organization process credit cards
and therefore need to comply with PCI DSS? Does it do work for the Federal
government and need to comply with NIST 800-171, or do business in the
European Union and need to comply with GDPR? Do you know your state's PII
(Personally Identifiable Information) statute? Knowing exactly what your
regulatory requirements are is a must. Not knowing the law is not an excuse
for non-compliance. (If it were, I would never get a speeding ticket!)
Now that you have identified the regulations your
organization needs to comply with, the process for compliance is the same
regardless of the regulation: Assess, Mitigate, Maintain.
Assess: Evaluate where you are currently versus the regulation's requirements
(think gap analysis).
Mitigate: Address the shortcomings or gaps to meet the standards of the
regulation.
Maintain: Develop a plan to maintain compliance going forward.
You cannot be compliant without documentation. Colden
Company has programs in place to help businesses with PCI DSS compliance and
HIPAA, and we also have a program to meet the NIST Cyber Security Framework (CSF)
and provide the necessary documentation. NIST CSF is an excellent framework to
follow since many state PII regulations are loosely based on it. If
your organization does business in several states, following the NIST CSF is
a great place to start for compliance. It will meet most states' regulations
and show that your organization is taking deliberate steps to comply.
Would you like to discuss your specific requirements? Give Colden Company a call at (888) 600-4560 or email us at info@coldencompany.com and let our team of experts put you on a path to compliance.