Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.

Today we are going to discuss a topic that makes some people get excited, makes some people cringe, and causes anxiety in even others. That topic is compliance. Compliance, according to the Cambridge dictionary, means “the fact of obeying a particular law or rule, or of acting according to an agreement”. So, you could say that in order to be in alignment with a specific regulation, one must comply with the details within that regulation.

Compliance in and of itself when related to business is a checklist of areas or items that must be addressed or paid attention to in specific ways in order to meet certain requirements. There are several different laws and regulations that require compliance, depending on the industry you are in. Are you compliant with the speed limits in your particular area? Compliance with the law simply means you have ensured you are meeting the requirements of that law, to state it another way.

Now, within business, compliance takes on more in-depth meaning than simply watching ones speed or complying with a law. Healthcare organizations, for example, need to be in compliance with the Health Information Portability and Accountability Act, or HIPAA (H.I.P.A.A.) for short. Educational institutions that also deal with healthcare, like the University of Nebraska Medical Center, have to ensure compliance with the Family Educational Rights and Privacy Act, otherwise known as FERPA due to the educational aspect of the institution as well as being compliant with HIPAA.

Sarbanes-Oxley compliance is another big one. Compliance with SOX deals in financial recordkeeping and reporting. There are also standards that organizations strive to be compliant with, as this helps grow business. NIST SP 800-171 compliance, for example, which deals with “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” helps show to other potential partners and customers that the compliant organization meets the necessary requirements to protect the data specified.

Think about that for a moment. You have an organization that strives to do business with other organizations. How do they begin to develop trust in you? Showing that you are compliant with industry regulations, laws, and standards indicates that you take your position in the industry seriously and that the organization has done its due diligence. That can establish initial trust, where a non-compliant organization cannot.

Compliance can definitely help organizations connect and grow, but being compliant does not mean that the organization is completely safe and secure. Remember, compliance is similar to a checklist. This was spoken about back in 2021 during the Risk Management discussion. If an organization takes a risk-based approach to their security posture, compliance falls in line with that type of approach. A compliance approach, however, does not address all risks within an organization and can leave gaps that need to be addressed.

Why would compliance cause anxiety? Well, maintaining compliance is often a requirement to stay in business with certain companies. So, to ensure that the compliance is maintained, external audits are performed. If an organization is not prepared, the auditors can cause some unrest within the organization as they ask detailed questions and request artifacts that show the necessary work has been completed to maintain compliance. Auditors keep organizations on their toes and keep them honest.

Take a moment to learn about the organization where you work. The type of work you do, and the laws, regulations, and standards that the organization should be in compliance with. This will help you understand why certain security controls are in place and what the security controls are supposed to protect. GuardSight, for example, is NIST 800-171 compliant as well as SOC 2 Type 2 compliant. They have gone through many hours of policy composition and editing, configuration, testing, and auditing to ensure that compliance was met, which has helped them do business with many other organizations. Compliance is not something that is quick and easy, but once the work has been put in and the due diligence performed, maintaining that compliance becomes a much easier task.

We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!