British Airways is facing a record £183 million ($230 million) fine over a security breach that compromised customers' personal data.
Marriott is facing a $123 million fine over a security breach disclosed last year.
These numbers are staggering, and for anyone in IT they can be terrifying. How do you know you are doing the right thing to protect your organization? How do you verify that you are following best practices for security and data protection? Security and compliance are often lumped together, but they are distinct disciplines that complement each other to form the overall picture.
IT security, infosec, or whatever nomenclature you use, is about the tools and processes your organization uses to protect itself. Physical security at the datacenter, firewalls, anti-virus and anti-malware, intrusion detection and prevention systems, and even user training about passwords and USB keys are all part of the day-to-day battle. All of this revolves around keeping your data, environment, and organization safe from harm. Whether in house or in the cloud, security is in constant evolution, an "arms race" so to speak: attackers find new ways to break in and defenders find new ways to stop them. We'll talk more about security, security strategies, and how cloud can help you secure your environment in another blog post, but let's take a minute to discuss compliance and how it plays into all of this.
Security revolves around the tools and practices you apply every day to protect your company. Compliance, while closely related to what you do from a security perspective, is about meeting the requirements and best practices defined by outside third parties (regulators, standards bodies, and industry groups) that the industry treats as the source of truth for what an organization should be doing to protect itself, and about having those controls independently validated. Compliance matters because it establishes a baseline: an organization that is certified or attested against a given framework has demonstrated to an independent auditor that it follows the steps and processes that framework requires. When you deal with international contracts or customers, or simply put processes in place, these frameworks let someone look at your certifications and know, at a minimum, what you are doing to protect your data and potentially theirs. Keep in mind that this is a floor, not a ceiling: passing an audit shows that the required controls were in place at the time of assessment, not that every risk to your environment has been addressed. Even so, imagine having to review a vendor's entire suite of security software, tools, and processes every time you talked to them, and then verifying that each met a standard you were comfortable with. It would be impossible, and that is the problem adherence to compliance frameworks solves.
When it comes to cloud, compliance can get a little muddy because the line between what is your responsibility and what the cloud provider handles is not always clear. Do you bring your own tools and certifications? Do you have visibility into the reports you need for auditing? Does the provider even understand how your regulated industry treats the various compliance requirements? That's where we come in to help. When you move to the cloud, the provider takes on the compliance burden for the layers it operates, from the datacenter where your applications now live all the way to how changes and incidents are communicated to you, whether you are in a regulated industry or not. You remain responsible for your own workloads and data, so you need to be able to trust your cloud service provider for everything underneath them.
We hold multiple certifications and attestations against global compliance frameworks. In fact, iland is one of only two providers to have achieved CSA STAR Gold certification.
For financial services firms, our compliance posture, particularly with respect to PCI-DSS v3.2, our hands-on support of the audit process, and the underlying security controls of the iland cloud platform are what attract customers.
For healthcare specifically, iland helps customers achieve the full cycle of HIPAA and HITRUST CSF compliance for their cloud workloads: third-party issued attestations and certifications of HIPAA adherence under the HITRUST CSF framework, HIPAA reporting available through the iland cloud console, and compliance experts to help with audits and with executing Business Associate Agreements (BAAs).
iland undergoes various audits throughout the year, covering a wide breadth of industries, to ensure security and regulatory compliance. The following audits are currently performed annually by third-party entities:
- ISO 27001
- ISO 9001
- ISO 20000
- CSA STAR
- HITRUST CSF
- BS 10012:2017
- PCI-DSS v3.2
In addition, iland adheres to various regulatory requirements for security and breach notification, including those of the SEC, FISMA, EU GDPR, the UK ICO, and PCI-DSS. These notification processes are managed through the iland Risk Management, Incident Management, and Problem Management processes. Senior management is also involved through Compliance and Security representation at the Executive Board level.
At this point your head is probably spinning. Where do you even begin? It's not easy, but that's why we have a dedicated compliance team who can answer any of your questions or concerns. Worried about GDPR? We know all about that. Data protection acts and data sovereignty rules keeping you up at night? Not a problem, we have you covered. With reports fully integrated into the iland secure cloud console, you can download the compliance reports you need for auditing and be confident that your cloud solution will meet your compliance needs, regulated or not.
So don't let compliance concerns halt your cloud adoption. Find out more by contacting us at https://www.iland.com/services/compliance/