
Compliance Never Has a Day off!

How is it that when I buy insurance or make a financial transaction, I immediately begin receiving contacts from companies offering similar products and services? They know me, my email ID, and sometimes my phone number. Is it an example of data or information theft? An insider theft?

How many times do we hear about someone getting a text message from an apparently well-known service provider that sounds genuine and asks them to click on a link? They click the link, enter some details, and the money disappears from their bank account.

Today we live in a digital world. Every one of these frauds, thefts, and attacks puts a question mark over the security and safety of online transactions, and in particular over the safety of your own data.

This is not theoretical; we have seen this with the Colonial Pipeline hack or with the ability of hackers to disrupt our supply chains. 

What is the solution?

Cybersecurity, IT security, data security, IT compliance, technology compliance … The topic is known by many different names and encompasses a large scope.

IT or Technology Compliance is a term that encompasses many different aspects of technology management in an organization. Earlier, it referred to little more than the secure storage of data. Even today, the prime focus is on the security of data and the ways it is managed.

What is the difference between IT Compliance and IT Security?

“Compliance is a systematic approach to governance designed to ensure that an institution meets its obligations under applicable laws, regulations, best practices and standards, contractual obligations, and institutional policies.”

Therefore, IT Compliance means following the laws, policies, and guidelines that apply to IT processes, infrastructure, and data. These obligations can be imposed from outside (laws, regulators, customer contracts) or adopted internally (the organization's own policies and standards).

IT Security, by contrast, is generally understood to mean protecting data from impermissible access, including intentional malicious attacks. It covers the safeguards that protect a company's IT assets, the infrastructure they run on, and the business data they hold. In short, compliance asks whether you are meeting your obligations; security asks whether your systems and data are actually protected. The two overlap heavily, but a compliant organization is not automatically a secure one, and vice versa.

In this blog series, we will look at different aspects of IT or Technology Compliance. I am listing a few of them below. We will discuss each topic in greater detail and try to answer some related questions.

  1. Identity & Access Management: Who are the people in your organization? What are their jobs? What accesses do they need to perform these jobs? Who provides them with these accesses? Who monitors what they do? Are the accesses granted and revoked as per need?
  2. Control Over Data Sharing: Are data security and data sharing the opposite of each other? What balance needs to be maintained while sharing data? What is the purpose of data sharing? What are the types and the risks?
  3. Data Loss Prevention Measures: What can cause data loss? What are the types of data loss? What are the causes? How to prevent data loss?
  4. Disaster Recovery / Business Continuity: This is an important topic in IT Compliance. What is the most important data to protect? What are the likely scenarios? How will the disaster impact my business? How are the risks to be mitigated? What is the plan? Who is part of the plan? How to measure the effectiveness of the plan?
  5. Incident Response: In the event of a cybersecurity incident, who should be contacted, what should be done, and what are the best policies and guidelines to follow?
  6. Protection against Malware: What is the purpose of malware? What are the types of malware? Are viruses and malware the same thing? What is the risk posed by malware? How does malware spread? How can malware be prevented?
  7. Corporate Security Policies/ Data Security: Why is a Corporate Security Policy required? How do you guide employees’ behaviour towards the security of company’s data, assets, and IT systems? What are the different types of policies? What are the measures to implement them?
  8. Physical Security: What are some examples of physical security? What are the scope and the levels of physical security?
  9. Monitoring & Reporting: Why is monitoring & reporting important? Whose responsibility is it to monitor and report on compliance? What factors should you consider when monitoring compliance? Who is the audience for reporting on compliance? What are the methods for reporting?

Please leave a comment below if you are aware of any more aspects of compliance and the questions that each topic should address.

Resources

https://er.educause.edu/blogs/2017/1/compliance-privacy-and-security-whats-the-difference
