PII, PCI & PHI Compliance and Your Business
Are you a “Smartie” or a “Dum-Dum” when it comes to compliance?  Whether you realize it or not, most businesses today are required to be compliant with one or more laws associated with security and protecting personal privacy. So, what are all these “P” acronyms about, and what do they mean to you?

The lowest common denominator is Personally Identifiable Information, or PII.  Many assume it refers solely to information such as a social security number, driver’s license, and credit card or bank account numbers.  However, it also includes information such as full name, home address, date of birth, birthplace, telephone numbers and more.  This dissociated data, if it is linked or linkable to an individual, becomes PII and therefore needs to be protected.  Every business with employees, no matter how small, holds this information in order to pay its employees, subcontractors and more.  Quite often, businesses also hold this information about clients in order to celebrate their birthdays, reach them after hours and more.  Be sure you are protecting this information.  Most cyber liability insurance policies include confirming questions to ensure that you are properly protecting this data and the computer network from which it can be accessed.  Be careful when answering these questions—answering them inappropriately could cause the insurance carrier to deny a cyber liability claim.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.  If your business accepts credit cards, this applies to you.  There are different levels of compliance required depending upon your transaction volume.  Only take credit cards over the phone?  Don’t make the mistake of assuming that because you don’t store the information on your network you are compliant.  At a minimum, you must complete a self-assessment questionnaire and have evidence of a passing vulnerability scan.  And that’s just the minimum!

PHI stands for Protected Health Information.  The HIPAA Privacy Rule applies to this type of information and holds entities that have access to it to an even higher standard.  Organizations that handle PHI have extensive compliance guidelines that must be followed.

So, what is a business to do?  Historically, businesses wanted a network like an M&M—a hard crunchy outside and a soft chewy center.  In today’s environment, this is simply not enough.  Protecting only the perimeter is ineffective against targeted attacks, malicious insiders or, quite simply, poor internal vulnerability management.

IT Radix recommends, at a minimum, an annual external and internal vulnerability scan to identify your potential risks.  In some cases, even deeper dives, such as a penetration test, may be merited.  Once you’ve discovered your potential risks, you’ll want to assess each risk and prioritize your action steps—creating a list of what to tackle first, second, third and so on.

Need help understanding all this?  Want to have IT Radix conduct an external or internal vulnerability scan?  Give us a call today to schedule a security consultation.

First published in our December 2016 IT Radix Resource newsletter