Ensuring Due Diligence and Regulatory Compliance

Compliance is more than just checking items off a list. It is a dynamic process. It ensures the items in each domain of your IT infrastructure meet or exceed your security goals. This should include all legal, regulatory, and standard requirements. Conditions change in any organization. The status of how well you are meeting your goals can change as well. Make all decisions related to security controls to satisfy your security policy. Be sure to meet any other relevant compliance requirements. For example, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act place requirements on handling health and medical information. The Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX) place requirements on financial information. Many states place additional requirements on personally identifiable information. Ensuring compliance with your security policy keeps security-related actions headed in the right direction.

The move toward cloud-based applications and components leads to more noncompliance exposure. Most recently, the European Union’s General Data Protection Regulation (GDPR) has added more requirements on how organizations collect and use individuals’ personal data. In the U.S., the state of California has enacted the California Consumer Privacy Act (CCPA) of 2018, which bears some similarities to GDPR. In both cases, organizations must provide controls to limit what personal data are collected and how they are stored, used, and disposed of.

It is important to implement compliance requirements in a way that minimizes the impact on business drivers. Business drivers are the components (including people), information, and conditions that support business objectives. Any negative impact on business drivers may have a negative impact on your organization’s ability to satisfy business objectives. Carefully research the impact on business drivers before you implement any compliance controls.

Remember that compliance requirements dictate how your organization conducts its activities. Whether the compliance requirement comes from legislation, regulation, industry requirements, or even your organization’s standards, the result is the focus. In most cases, there are multiple ways your organization can control activities to ensure compliance. Always consider alternative controls to achieve the end result compliance requires. You’ll likely find that some controls are less costly and less intrusive than others. Don’t just accept the first control that does the job. Many times, alternate controls are just as good but intrude less on your organization’s activities.

Due Diligence

Paying attention to compliance can reduce liability in direct and indirect ways. You can think of it in terms of additional insurance. In the context of information security, the term due diligence means the ongoing attention and care an organization places on security and compliance. You can reduce your exposure to third-party liability by investing resources into establishing and maintaining compliance. Demonstrating aggressive compliance activities can reduce the liability potential if security incidents result in damages. In short, being compliant looks good in court.

You can follow the PDCA cycle to demonstrate due diligence. PDCA directs your activities to continuously evaluate your security position and make any changes necessary to better meet your security policy. As long as your policy contains all necessary compliance requirements, documenting your PDCA activities will provide substantial evidence of due diligence.

Microsoft has developed a risk assessment tool specifically to address cloud-based application risks. The Compliance Manager is a workflow-based tool you can find in the Microsoft Service Trust Portal. This assessment tool incorporates the requirements of multiple standards and regulations, including ISO 27001, ISO 27018, NIST, HIPAA, and GDPR. The Compliance Manager helps users of Microsoft cloud-based services, such as Office 365 and Azure, assess and evaluate their organization’s level of compliance with a range of standards and regulations. FIGURE 10-13 shows a sample screenshot of the Microsoft Compliance Manager (from Microsoft’s website). You can learn more about the Microsoft Compliance Manager at https://docs.microsoft.com/en-us/office365/securitycompliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud.

[Figure: screenshot of the Microsoft Compliance Manager]

FIGURE 10-13
Microsoft Compliance Manager.

Courtesy of Microsoft Corporation.
