When I started at Tripwire just over five months ago, I never really thought about compliance and why it’s critical. To me, it was something that companies went through and, dare I say it, it seemed a bit boring. But the more time I spend at Tripwire, the more I understand why business compliance requirements are so important and how they help us as a society operate.

Which compliance standard you need to adhere to depends on your geographic area and your industry. If you’re dealing with card payments, for example, then you have to comply with PCI DSS wherever you’re based. By contrast, if you’re based in the United States and work in the healthcare sector, then HIPAA applies. Finally, unless you’ve been living under a rock for the last 12 months (or not answered calls from security vendors!), you’ll know that the GDPR goes live in May 2018 and will affect the EU and any countries handling data of EU citizens.

But why is being compliant so important? What does being compliant bring to the organisation that it wouldn’t get if it didn’t go through the (sometimes painful) process of getting systems and processes in order? Below are a few points that I can think of.
Generating More Business
A compliant business that has proved itself to auditors is going to be a more reputable organisation to do business with. Proving to customers and suppliers that you adhere to certain standards will almost inevitably show them that you’re a trustworthy organisation and that you’re diligent enough for them to work with you. This then leads to loyalty and ultimately more business.
Being able to demonstrate compliance when dealing with customer data – whether that’s credit card and payment data or personal data such as names, addresses, and email addresses – is vital. By being compliant, you’re able to show auditors, customers and suppliers that they can trust you with this information. If you’re not compliant, this data is at greater risk. We’ve all seen the newspaper headlines where Company A has suffered a data breach; this can lead to many things, including drops in share price, reputational damage and loss of business.
Fines and Penalties
The most obvious example is PCI compliance and the penalties you could receive if in breach of its requirements. Whilst not a legal obligation, fines for not being compliant could run into the thousands and damage the reputation of the company, and those penalties can affect future business. As a result, being able to demonstrate compliance is vital.
A Way Forward
The good news is that, from a technical standpoint, getting your systems to a compliant state doesn’t have to be a long, tedious affair that ends up being more of a manual, spreadsheet-driven process than an automated technical one. Tripwire Enterprise is able to take the strain, whether you’re working to achieve a compliance standard or to maintain compliance. By using automated policy templates, systems can be checked against one or multiple standards to show where compliance is failing (or succeeding). Over 700 profiles are available to customers for download, and custom profiles can be created to cater for any compliance checking. This post accompanies the SBL CSP event at York Racecourse on May 23-24, 2017, where I’ll be talking about how Tripwire can assist with governmental compliance, security, and IT Ops.