### JOHLEM.net ###

---

### CHEATSHEET: COMPLIANCE

### What Is Compliance and Why Is It Important?

In IT, compliance is a set of digital security requirements and practices. Following compliance requirements is a way to ensure that a company's business processes are secure and that sensitive data (including customers' data) won't be accessed by unauthorized parties. Sometimes compliance is a legal requirement for a certain industry (HIPAA), and sometimes it's an IT security standard (ISO).

The cost of non-compliance can be very high. It depends on the framework, the violation, and other factors. Take GDPR as an example: for severe violations, a fine can reach up to 20 million euros or up to 4% of the violator's total global turnover, whichever is higher.

To be compliant, you have to implement appropriate security measures to protect your data from unauthorized access, exposure, cyberattacks, and other threats. By implementing strong IT security practices, you not only comply with the law but also protect your business from the negative consequences of data breaches. Being compliant is also a good way to build trust between your business and your customers.

Achieving compliance doesn't guarantee that you will never face a security incident. Still, to become compliant, a company implements many good security practices that reduce the probability of a breach. It is always reasonable to keep improving your security even after formal compliance requirements have been met.

### IT Compliance Standards and Regulations

The regulations you need to comply with depend on your industry, geographical location, and other factors. Let's take a look at some common compliance regulations and standards.
- HIPAA – Health Insurance Portability and Accountability Act – Helps to ensure security and privacy standards that protect all patient records and health information as used by medical organizations and their subsidiaries.
- PCI-DSS – Payment Card Industry Data Security Standard.
- NIST – National Institute of Standards and Technology – Provides security recommendations for information technology, allowing organizations to become NIST compliant.
- CSA – Cloud Security Alliance – Provides best practices for security and compliance in the realm of the public cloud.
- ISO – International Standards Organization – Provides guidelines to guarantee quality, security, and safety in accordance with established best practices.
- GDPR – General Data Protection Regulation – A new set of data privacy and security regulations set forth by the European Union to ensure that data privacy, the right to ownership of data, and the right to be forgotten are entrusted to the individual.

-----

### GDPR

GDPR protects the security and privacy of data belonging to EU citizens and residents. So, if your company processes such data, GDPR may apply to you (even if your company isn't located in the European Union).

https://spinbackup.com/blog/gdpr-compliance-checklist/

### HIPAA

HIPAA is the IT compliance standard for the healthcare industry. HIPAA regulates how medical organizations protect the sensitive information of their patients. To be HIPAA compliant, you have to ensure that all health data is secure and confidential.

### NIST SP 800-171

Consulting firms, suppliers, and other businesses working with federal or state agencies need to follow NIST compliance. This standard covers various aspects of data management, including access control, risk assessment, system integrity, and many others.

### CCPA

If you have customers from California, you may need to comply with the California Consumer Privacy Act, or CCPA.
This law protects personal data like name, email address, phone number, and other information that can help to identify a consumer or a household. When do you need to comply with this law? Read our article dedicated to CCPA:

### SOX

The Sarbanes-Oxley Act, often referred to as SOX, regulates how an organization handles its financial information. As modern companies use computer systems to store their information, it's reasonable to talk about SOX compliance in IT. To stay compliant, you have to ensure that your company's financial data is stored securely and that access to it is controlled.

### ISO 27001

ISO 27001 focuses on information security management systems (ISMS). Following ISO standards helps you manage the security of financial information, intellectual property, employee details, and other sensitive data. Following ISO standards is a common practice that not only ensures that your data is safe but also reassures your clients that their data is protected.

### SOC 2

If you are a SaaS solution provider, you may need to achieve SOC 2. SOC 2 is an auditing procedure that describes the security measures a company has implemented to protect the data of its customers.

### Cloud Computing and Compliance

IT compliance regulations and standards apply to all kinds of digital data, including information stored in cloud environments like G Suite and Office 365. Implementing the best practices of cloud data security and compliance will help you to protect your business-critical information.