Security Compliance

On this Tech Tuesday podcast, Roger Walton talks with John Maher about security compliance. He explains how businesses can assess and improve their compliance with legislative and vendor standards.

Portsmouth Computer Group · Security Compliance

John Maher: Welcome to Tech Tuesday brought to you by PCG, a managed services and security provider in Portsmouth, New Hampshire. I’m John Maher. With me today from PCG is Roger Walton. Welcome, Roger.

Roger Walton: Great to be with you, John.

Why Do Businesses Need to Care About Security Compliance?

John: So, Roger, today we’re talking about security compliance. Why do businesses need to be concerned about compliance?

Roger: Compliance is all about a set of requirements that someone out there has deemed that your business needs to meet. So, that could be … In some cases that could be legislation. So, we know, for example, that pretty much anyone in healthcare these days is required to meet the HIPAA requirements.

But there are plenty of other people that come up with requirements they need you to comply with. So, just to give you a couple of examples. If you are a supplier in the defense sector, your prime contractor is going to have a set of defense requirements that all of their subcontractors have to meet. If you want to do work for them, then you’re going to have to meet those requirements.

There are also vendor requirements. And so, the most familiar one to a lot of people is insurance companies. If you want to get cyber insurance, then they’re going to come out with a long list of questions about your cybersecurity defenses that you’re going to have to answer. And if you don’t comply with that, then if you ever have a claim, they’re going to be carefully going through all of the things in the questionnaire and making sure that you comply with it. So, you could be in serious trouble if you haven’t complied with it.

Other Types of Compliance Concerns

John: Are there other types of compliance that businesses need to be concerned about?

Roger: There are certainly other examples within those broad categories. So, at the legislative level, several states have privacy requirements that require you to keep the personal information of employees, or other personal information you have, private. For folks that are playing in the financial sector, the Securities and Exchange Commission has some significant requirements that they expect you to meet.

In addition to the defense-related compliance elements, there are also folks that are working for utilities that will find that they have very similar requirements that they’re being asked to follow… If I want to be a subcontractor to an electric company, for example, then they’re going to give me a similar set of compliance requirements that I have to meet. Another example in the vendor requirements category is if I want to use credit cards, then my card processor will want me to be complying with PCI, or the Payment Card Industry, requirements.

Consequences of Not Being Compliant

John: And what are the consequences of not being compliant? I would imagine it depends on, for example, which government agency is overseeing that, or in the case of, like you said, if it’s a credit card company that has certain rules, maybe you’re no longer allowed to accept those credit cards or something like that. What are some of the consequences that might arise from not being compliant?

Roger: There are many cases where if you don’t meet compliance, you are not allowed to do business. So, I talked a couple of times about the Department of Defense supply chain. You will not be allowed to be a subcontractor to one of the big contractors if you are not compliant with those requirements.

John: Yeah. So, I mean, we’re talking about things that could completely shut down your company, if you’re not-

Roger: That’s right, it’s an absolute requirement to be in the business that you’re in. And it’s becoming much more common as well, both in terms of how often these things arise and how strictly and seriously they’re enforced. We’ve seen a big increase in compliance needs over the last couple of years, and we certainly expect that to increase going forwards.

How Do You Assess Compliance Issues?

John: So, how is compliance assessed? Do businesses get audited like they would for tax issues, say?

Roger: That is actually a very interesting question. There certainly are some cases where businesses get audited by independent third parties, but by and large, not. By and large, compliance is assessed through self-certification of one form or another. So, we certainly see cases where the Department of Defense, for example, has announced that it’s going to start requiring audited compliance benchmarks, but that has not happened yet.

So, it’s much more common that compliance standards are self-assessed, but if something goes wrong, then there could be consequences. And those consequences, obviously you could get shut down in terms of that particular business relationship, but it could also involve lawsuits and other things, if you are found out to be negligent or fraudulent in some way… Particularly to have faked results or faked the answers to the compliance questionnaires.

How Businesses Meet Compliance Standards

John: Right. Can you give me a few examples of some things that I might need to do as a company in order to be compliant?

Roger: Let me talk about IT security-related compliance, because there are certainly compliance requirements that go well beyond that. But IT security compliance is what PCG primarily gets involved in. So, we certainly see there are requirements for some processes and technologies. So, the types of passwords that you use; using multifactor authentication is a big concern these days. So, having a second code from your phone to corroborate or authenticate you when you put in a password, having firewalls on your network, that kind of thing.

Just as important, and some would argue more important, is that all your practices and processes are documented. Many of the requirements of compliance are to have the documents, and to make sure that the people on your team know about the documents and that you actively manage them and keep them updated. And then there are things like training, to make sure that all your team, or the appropriate people in your team, know how to react in certain circumstances.

And obviously it applies to IT users recognizing a phishing email, so they will know what to do. And more importantly, what not to do, if they see something that even looks like it could possibly be a phishing email. But there’s training for, let’s say, privileged users who have access to administrative accounts. There’s training for senior management, so they understand their responsibilities and priorities in any type of situation that arises.

How Can Businesses Learn More About Compliance?

John: And how do I discover what it will take to become compliant? I imagine that I have these documents that outline the rules that I need to follow, but how do I know what my company is already doing correctly, and what we’re not doing correctly, and what needs to be changed in order to become compliant?

Roger: Sure. Yeah. So, you’re right, that in most cases the compliance requirements are written down somewhere. Although, whether they’re clear to you depends a little bit on your ability to understand the sort of very technical language that some of them are written in.

The other thing that is sometimes difficult to determine is that … They may tell you that you need to have a solution to a particular, let’s say, vulnerability or threat, but they don’t necessarily tell you how you must implement that. Or there may be several different ways to meet a particular requirement. And so, understanding what would be sufficient and what would work best is important …

It’s not always easy for businesses to understand what is sufficient to meet the requirements.

The Importance of a Compliance Assessment

John: And so, what is it that needs to be done then in order to make sure that I’m aware of what needs to be changed?

Roger: We typically recommend a compliance assessment. We then will gain some understanding of your environment, so we have the right context. But then sit down with the responsible parties and walk through each of the requirements, understand what you do today in that area, if anything. And then we talk about, if you are not fully meeting the requirement in our view, what are the ways in which you might be able to do that? So, that’s something we can go through one-by-one and complete.

And many of these compliance frameworks have over 100 different controls that you have to meet. And certainly, in some areas they can be over… They can be up to 1,000 controls or more. Most of the ones that small businesses have to deal with are in the 100 to 200 controls kind of level. But once you’ve gone through and looked at what are all the things that need to be met, the next question is, do you have to be 100% to do business?

And sometimes the answer may be yes, but sometimes the case may be that what they really want to see is that you’re taking them seriously, that you have addressed and documented some part of the compliance requirements, and you have real plans to move towards addressing the others. So, in that latter case, then you have much more of a strategy question, which is, which ones should I really be doing now because I’m getting a lot of bang for the buck doing those? Every compliance requirement is not necessarily equal in terms of the weight that it’s given by the authority that is overseeing it.

Who Should Lead a Compliance Assessment?

John: So, who’s best to lead a security compliance assessment like that?

Roger: You really need two things. One is that you need someone that understands the requirements, but you also need someone that understands IT environments in general. But ideally, your IT environment. It can be very hard for an auditor to walk through the door. I mean, they certainly know all the ways that don’t meet the requirements, but if they don’t know your environment, it’s very hard for them to advise you specifically on an implementation plan that would be deemed to be successful, that would be relatively straightforward to implement in your environment.

I think you need a combination of someone that ideally knows you, or if not, is used to working with and implementing such systems for a business like yours, together with, obviously, understanding the framework and understanding the way that the various approaches are viewed by the authors and so on.

What Happens After the Compliance Assessment?

John: So, what comes next after the compliance assessment? It sounds like you’d provide a list of the things that the company needs to do in order to become compliant. Maybe it’s organized in a fashion so that you’re hitting the absolute essential most important things first. And then, like you said, coming up with a longer-term plan to make sure that you’re addressing all of the other things. Is that sort of what the next step is?

Roger: That’s right. And I will also say that very few small, medium-size businesses can address all those requirements by themselves. They’re going to need some help… But the type of help they’re going to need there is very specific… because they may have some IT staff that can certainly take on some of the requirements. They may have documentation people. They probably have IT training people.

So, if training is one of the things they need, then that’s something that we can do. There are a bunch of tools and technologies that can help you meet many of these requirements. And those are also things that PCG can help you with. Yeah, becoming compliant is a process. It’s going to take an investment. It’s going to take some time. And at least in the case of a small, medium business, you are certainly going to need a partner to work with you through that process.

How Often Should You Repeat Compliance Assessments?

John: And do security compliance assessments need to be repeated? And if so, how often?

Roger: Most of the compliance frameworks will be quite specific about how often they need to be done. The typical requirement is once a year.

Contact PCG for More Information

John: Okay. All right. Well, that’s really great information, Roger. Thanks again for speaking with me today.

Roger: Thank you, John.

John: And for more information, you can visit the PCG website at or call 603-431-4121.