Even if the word sounds highly technical and complicated, put simply, acting “compliant” means nothing more than adhering to the applicable laws, customary industry standards, or voluntary commitments – in other words, acting “in accordance with the rules.” The term compliance is used across all economic sectors, which is why we talk about “IT compliance” in the IT world in order to clarify the context. Compliance is often neglected in daily business operations, and corresponding rules are usually only in place in larger companies. In the event of a data leak, for example, business owners may face severe penalties if the incident can be attributed to non-compliant practices.
Companies that store and process customer data are subject to strict regulations on how this data is to be secured and in what context it may be used and passed on. As is the case in all areas of jurisprudence, ignorance is no excuse. The problem is that compliance with the law must be ensured throughout the entire company and embraced by all employees: after all, a chain is only as strong as its weakest link. In order to avoid legal trouble and warnings, companies should draw up IT compliance guidelines (policies) that are binding for all employees. Subsequently, it is important to monitor and enforce their compliance within the company. This is the only way to successfully protect IT and maintain an adequate level of data security.
The legal provisions are very extensive and vary according to country, industry, and type of company. Telecommunications providers, for example, must not only take appropriate measures to contain the spread of malware, but they also have an obligation to report attacks on their infrastructure. If they do not comply with the obligation to report these attacks due to a lack of early warning systems in place, in Germany, for example, they may be subject to a fine of €50,000 in accordance with Section 43 (1) of the German Federal Data Protection Act (Bundesdatenschutzgesetz).
All companies that collect, store, and process the personal data of their customers must adopt technical measures to prevent unauthorized access to their telecommunications and data processing systems. If customer data enters the wrong hands due to missing or insufficient IT compliance measures or is misused for unintended purposes without the consent of the persons affected, the German Federal Data Protection Act stipulates penalties of up to €300,000 for cases of negligence. In addition, the affected customers may be entitled to compensation.
In principle, company management is required to monitor compliance with legal regulations within their company. Of course, it can also delegate this responsibility to someone who knows the industry regulations and what technical measures are necessary and appropriate. Therefore, if available, the IT department or administrator is often assigned these tasks and then develops the IT compliance policies in coordination with company management. A policy management scheme is then put into place to monitor compliance with these policies. It is often difficult for companies to determine which laws specifically apply to their industry and line of business. Professional IT security service providers – such as G DATA – can help align your own compliance requirements with the relevant laws and requirements.
Policy management solutions that regulate, among other things, which rights employees have on the network or on their PCs and mobile devices can be extremely helpful in enforcing compliance requirements. An IT administrator could use policy management to specify, for example, that no USB storage media may be used on laptops or that the database containing customer data may only be viewed by certain user groups and only on the company’s internal network. Personal devices that employees use at the company (“Bring Your Own Device” or “BYOD”) must also be considered when implementing IT compliance. Effective mobile device management represents one way of properly addressing this issue. In the event a smartphone with internal company data is lost, for example, all data on the affected device can be deleted remotely.
Another potentially useful solution is ISO 19600 certification in conjunction with introducing a compliance management system. In the event of an incident, a company then has proof that sufficient measures were taken to avert damage.
In order to effectively enforce your company’s policies, a policy management solution should enable device control, for example. This allows IT administrators to prevent employees from using USB sticks or other external drives on company computers. It prevents threats such as a network compromise caused by malware-infected USB sticks placed on the company premises by an attacker. It also prevents sensitive company data from being copied from endpoints that are deliberately isolated from the network.
Another important component of policy management is application control by means of blacklisting or whitelisting. This allows you to specify which applications employees are allowed to install or launch on company computers. This prevents information from being smuggled out of the network unnoticed via instant messengers, for example.
Policy management should also make it possible for individual websites to be blocked for employees to ensure endpoint security. Finally, a solid policy management solution should allow administrators to specify how long individual users or groups may use the Internet.
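The controls described in the preceding paragraphs (USB device control on laptops, application allow/deny lists, blocked websites, per-group Internet time budgets, and a customer database that only certain groups may reach from the internal network) all boil down to a policy being evaluated against an endpoint event. The following added example, which is illustrative code and not part of this page or of any G DATA product, shows one way to express such a policy and evaluate it with a default-deny rule. All policy values, group names, executable names and event fields are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy set (hypothetical values) mirroring the controls in the text.
POLICY = {
    # device control: no USB storage media on laptops
    "usb_storage_blocked_on": {"laptop"},
    # application control: allowlist of permitted programs plus an explicit denylist
    "app_allowlist": {"word.exe", "excel.exe", "outlook.exe", "erp-client.exe"},
    "app_denylist": {"telegram.exe", "torrent.exe"},
    # web filtering: blocked hosts (a rule also covers its subdomains)
    "blocked_sites": {"webmail.example", "filehost.example"},
    # Internet budget in minutes per day, per user group (unknown group -> 0)
    "internet_minutes": {"sales": 240, "warehouse": 30, "it": 1440},
    # customer database: only these groups, and only from the internal network
    "customer_db_groups": {"sales", "it"},
    "internal_networks": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _host_blocked(host, blocked):
    """True if host equals a blocked entry or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def evaluate(event, policy=POLICY):
    """Return a Decision for one endpoint event.

    event is a dict with a 'type' key plus type-specific fields:
      usb_storage:      device_class
      app_launch:       executable
      web_request:      host
      internet_session: group, minutes_used_today
      db_access:        group, source_ip
    Anything the policy does not explicitly permit is denied (default deny).
    """
    kind = event.get("type")
    if kind == "usb_storage":
        if event["device_class"] in policy["usb_storage_blocked_on"]:
            return Decision(False, f"USB storage media blocked on {event['device_class']}")
        return Decision(True, "USB storage permitted on this device class")
    if kind == "app_launch":
        exe = event["executable"].lower()
        if exe in policy["app_denylist"]:
            return Decision(False, f"{exe} is on the denylist")
        if exe not in policy["app_allowlist"]:
            return Decision(False, f"{exe} is not on the allowlist")
        return Decision(True, f"{exe} is allowlisted")
    if kind == "web_request":
        if _host_blocked(event["host"], policy["blocked_sites"]):
            return Decision(False, f"{event['host']} is a blocked site")
        return Decision(True, "site not blocked")
    if kind == "internet_session":
        budget = policy["internet_minutes"].get(event["group"], 0)
        used = event["minutes_used_today"]
        if used >= budget:
            return Decision(False, f"daily Internet budget of {budget} min exhausted")
        return Decision(True, f"{budget - used} min of Internet budget left")
    if kind == "db_access":
        if event["group"] not in policy["customer_db_groups"]:
            return Decision(False, f"group {event['group']} may not view customer data")
        src = ip_address(event["source_ip"])
        if not any(src in net for net in policy["internal_networks"]):
            return Decision(False, f"customer DB reachable only from the internal network, not {src}")
        return Decision(True, "customer DB access permitted")
    return Decision(False, f"unknown event type {kind!r} (default deny)")


# Constructed sample events, as a policy engine might receive them from endpoints.
SAMPLE_EVENTS = [
    {"type": "usb_storage", "device_class": "laptop"},
    {"type": "app_launch", "executable": "Telegram.exe"},
    {"type": "web_request", "host": "mail.webmail.example"},
    {"type": "internet_session", "group": "warehouse", "minutes_used_today": 30},
    {"type": "db_access", "group": "sales", "source_ip": "203.0.113.5"},
    {"type": "db_access", "group": "sales", "source_ip": "10.1.2.3"},
]


def audit(events=SAMPLE_EVENTS, policy=POLICY):
    """Evaluate a batch of events; returns a list of (event, Decision) pairs."""
    return [(e, evaluate(e, policy)) for e in events]


if __name__ == "__main__":
    for e, d in audit():
        print("ALLOW" if d.allowed else "DENY ", e["type"], "-", d.reason)
```

The design choice worth noting is the final line of `evaluate`: an event type the policy does not know is denied rather than allowed, so a new device class or access path does not silently bypass the controls until someone writes a rule for it. A real product would of course enforce these decisions in a driver or agent; the point here is the shape of the rules and the order in which they are checked.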
When enforcing IT compliance requirements, care must be taken not to violate the rights of employees. For example, employee devices may not be searched indiscriminately for company data if this carries the risk of disclosing personal information. In addition, employees themselves should contribute to IT compliance by being made aware of data protection.
Care should also be taken when selecting IT resources for ensuring IT compliance. It is advisable to choose a security solution that reliably prevents third parties, such as foreign intelligence services, from gaining access. The software products of G DATA are strictly researched and developed in Germany. That is why the security solutions comply with the stringent laws governing data protection in Germany and the EU and do not contain any backdoors for secret service agencies.