Hey, y'all! The end of the year is almost here, and the holidays are coming too! This time of year is all about self-reflection and making plans for the future. When it comes to planning, it's important for organizations to think about their security and compliance goals for the coming year. There are tons of articles out there about how to implement different compliance frameworks, but not many of them explain why they're important or what they're protecting. So don't sleep on it - make sure you've got your compliance game on lock in the coming year.
Understanding Compliance as a way of life!
The formal definition of compliance is ‘the act of obeying an order, rule, or request.’ I’m going to come out and say exactly what you’re thinking: “Gee, that sounds terrible!” And this is one of the biggest problems with compliance - it has a bad PR problem! The moment someone thinks of compliance, the words that come to mind are: boring, legal, enterprise, risk-averse, costly - I don’t think I need to go on.
In fact, I even had a hard time convincing myself that this would be a worthy topic to write about. So what changed? I started looking at compliance through a different lens - not some certification or audit that is necessary for your organization but a safety net that ensures the protection of consumers and employees.
Let’s take a real-world example - one that many of us are familiar with - the FTX and SBF saga! FTX’s U.S. derivatives arm was registered with and licensed by the Commodity Futures Trading Commission (CFTC), the independent U.S. government agency that regulates the U.S. derivatives markets, including futures, options, and swaps. The main exchange, however, was operating out of the Bahamas.
That CFTC license covered only a narrow slice of the business. The rest of FTX, like much of crypto, was effectively unregulated. No compliance, no rules! Without compliance and oversight in place, SBF engaged in questionable practices, such as using customer funds to prop up Alameda Research, a crypto trading firm co-founded by none other than SBF himself! This ultimately resulted in retail investors losing billions of dollars.
It is quite obvious that if FTX had been operating in a regulated environment, much like any financial services firm, the tangled ownership structure shared by Alameda and FTX alone would have violated a number of rules. In a regulated environment there would have been checks and balances on how customer funds could be used - segregation of customer assets, independent audits, and reporting obligations - which could have prevented people from losing their hard-earned money.
So if I’d like readers to have one takeaway from this piece - Compliance is not just about licenses and certifications. It's about protecting people from being cheated or losing their money. If you care about your customers and their data, it's time to take compliance seriously.
Consider the following for your next compliance thought exercise: Do you have control over customer data and dollars, and do you care about ensuring that innocent people are not harmed by your mistakes or carelessness? If the answer to both of these questions is YES, it's time to take compliance seriously!
Cost of Compliance and of non-compliance!
If you are still not convinced about taking compliance seriously, it’s best to look at the numbers objectively. The financial costs of non-compliance are steep. A Ponemon Institute and Globalscape study of 53 multinational organizations found the following:
The average cost of compliance is $5.47M, whereas the average cost of non-compliance is $14.82M - roughly 2.7 times as much.
A single non-compliance event costs an organization somewhere between $4 million and $5.87 million in lost revenue on average.
So clearly, it is a lot cheaper for organizations to stay compliant than to pay for non-compliance after the fact. On top of the direct financial costs, non-compliance also damages an organization's reputation and erodes customer trust, which compounds the financial hit.
Overall, taking compliance seriously is crucial for the long-term success and stability of any organization.
All the right rules in all the right frameworks, so yeah, we’re going down!
Now let’s get to the main section of this article: understanding the different compliance frameworks. It's important to examine these frameworks not just as a list of rules, but as a way to protect certain aspects of your customers, such as their privacy, financial information, and protected health information. If your organization handles any of these customer attributes, you may need to demonstrate compliance - depending on the framework, that means a certification, an attestation report, or an audit. To fully comprehend these frameworks, it's helpful to focus on the customer attributes they are designed to protect, rather than solely on implementation details.
Once you look at different compliance frameworks from this lens, you will immediately know if it’s right for your organization or not - which is always our goal at To Do or Not To Do!
We are going to cover the following frameworks:
SOC 2
HIPAA
PCI DSS
SOX
HITRUST
SOC2: Keeping private information private
SOC 2 (System and Organization Controls 2) is an attestation standard from the AICPA. A SOC 2 report evaluates a service organization’s controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is the one criterion every SOC 2 report has to cover; the other four are included based on what the company promises its customers. A Type I report covers the design of controls at a point in time, while a Type II report covers whether those controls actually operated effectively over a period (typically 6 to 12 months), which is the one most customers ask for. SOC 2 reports are designed to provide assurance to customers that a company is maintaining appropriate controls to protect their data and ensure the availability of its services.
Customer Attributes:
The customer attributes protected by SOC 2 are those related to the integrity of the customer's data, as well as its privacy and confidentiality. This could include things like the customer's personally identifiable information (PII) - name, date of birth, Social Security Number (SSN) - financial information, and other sensitive data.
HIPAA - So that sick-notes don’t end up on TikTok
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a federal law whose implementing rules establish national standards for the privacy, security, and transmission of protected health information (PHI). The pieces that matter most to engineers are the Privacy Rule (who may use and disclose PHI), the Security Rule (administrative, physical, and technical safeguards for electronic PHI), and the Breach Notification Rule. The rules are issued by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). Note that there is no official HIPAA certification: HHS does not endorse one, so "HIPAA compliant" means you can show your safeguards and documentation satisfy the rules, not that you hold a certificate.
Customer Attributes:
HIPAA protects customer attributes related to their medical information, including their personal and demographic information, medical history, diagnostic and treatment information, and other sensitive medical data. HIPAA applies to a wide range of entities, including healthcare providers, health plans, and healthcare clearinghouses (the "covered entities"), as well as their business associates who handle PHI on their behalf. A business associate has to sign a business associate agreement (BAA) with the covered entity and is directly liable for the Security Rule safeguards, so a SaaS vendor that touches PHI is on the hook too.
PCI DSS - So that card info doesn’t end up on the Dark Web
PCI, or Payment Card Industry (PCI) compliance, refers to the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, which was founded by the major card brands. To comply, companies must meet the PCI DSS requirements covering things like network segmentation, access controls, encryption of cardholder data in transit and at rest, logging and monitoring, vulnerability management, and regular security testing. How you validate depends on your transaction volume: smaller merchants fill out a Self-Assessment Questionnaire (SAQ), while the largest merchants and service providers need a Report on Compliance from a Qualified Security Assessor (QSA). This helps protect against breaches and card data theft and is contractually required by the card brands and acquiring banks for companies that accept card payments.
Customer Attributes:
The customer attributes protected by PCI DSS are those related to payment card information, such as the cardholder's name, primary account number (PAN), expiration date, and security code (CVV). One important caveat: the CVV, PIN, and full magnetic stripe data are "sensitive authentication data" and must never be stored after authorization, not even encrypted. The PAN may be stored, but only rendered unreadable (strong encryption, truncation, or tokenization), and the simplest way to shrink your PCI scope is to not store card data at all and let a payment processor handle it. PCI DSS applies to any entity that stores, processes, or transmits payment card information, including merchants, payment processors, and financial institutions.
SOX: Keeping organization accounts accountable!
The Sarbanes-Oxley Act (SOX) is a federal law that establishes standards for public company boards, management, and public accounting firms to improve the accuracy and reliability of financial reporting. It was enacted in 2002 in response to corporate accounting scandals and applies to all publicly traded companies in the US, as well as foreign companies with securities listed on a US stock exchange. It is enforced by the US Securities and Exchange Commission (SEC). The sections that generate most of the work are Section 302 (executives personally certify the financial statements) and Section 404 (management must assess, and auditors must attest to, internal controls over financial reporting).
Customer Attributes:
SOX does not specifically protect customer attributes but rather aims to ensure the accuracy and reliability of a company's financial reporting. This can indirectly protect customers by giving them confidence in the financial information the company publishes and reducing the risk of fraud or other financial misconduct. Where SOX lands on the security and IT teams is the IT general controls (ITGCs) around any system that feeds the financial statements: who has access to it, how changes get reviewed and deployed, and whether there is an audit trail showing both.
HITRUST really deserves some HIPRAISE!
The Health Information Trust Alliance (HITRUST) was founded in 2007 to provide a comprehensive framework for protecting sensitive information and managing compliance. Its framework, the HITRUST CSF (Common Security Framework), harmonizes requirements from HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single set of controls. It is particularly helpful for healthcare organizations but can be applied to companies in other sectors as well.
HITRUST certification enables companies to demonstrate how they meet HIPAA requirements using a standardized, independently assessed framework. By becoming HITRUST certified, vendors and covered entities can show that they have the necessary controls and processes in place to protect sensitive information. Keep in mind that HITRUST is not a HIPAA certification in the legal sense (there is no such thing), but it is widely accepted by covered entities as evidence that a vendor’s controls are in order.
Customer Attributes:
HITRUST is designed to protect any information that can be used to identify an individual or that is considered sensitive or confidential. This covers a wide range of customer attributes, depending on the type of organization and the information it collects and processes, including any or all of the following:
Personal identification information, such as name, date of birth, and social security number
Health information, such as medical history, treatment plans, and test results
Financial information, such as payment information and billing records
Personal preferences, such as communication preferences and language preferences
What does it take to achieve compliance and truly stay compliant?
This is a question dreaded by many organizations because focusing on compliance really does take significant time and resources. While I won’t go into the specifics of each compliance standard, let me provide a framework that can be applied to all of them when it comes to implementation.
The main goal of any compliance framework is to ensure that the business stays compliant at all times. Compliance implementation involves creating systems, processes, and documents that demonstrate the organization's commitment to protecting customers and employees and following industry laws. It's a way to minimize risk.
Now processes and documentation are relatively well-understood parts of compliance, and while rigorous, they can be figured out with the right resources and knowledge. Building the right systems for compliance is where many organizations get stuck. This means putting controls in place that both enforce and prove security, such as background checks for employees, role-based access control over infrastructure, audit logs, and penetration tests. The proving part matters as much as the enforcing part: an auditor will ask for evidence that the control operated throughout the period (access review records, log retention, change approvals), so design for continuous evidence collection rather than a scramble before the audit.
There are tools that can help organizations accelerate the compliance process. Companies like Drata, Vanta, and Sysdig offer solutions for building the right processes, documentation, and systems to meet various compliance frameworks.
Adaptive's product also helps organizations with infrastructure access and IT compliance. Our privileged infrastructure access management platform audits every query, eliminates credential sprawl, and reduces threat vectors. This not only helps organizations stay secure and continuously compliant, but also reduces a lot of the overhead and work needed for evidence-gathering during audits.
Compliance isn’t for me - I believe in YOLO!
It really wouldn’t be a To Do or Not To Do piece if we don’t steel-man the other position (thanks @all-in-pod)!
Compliance can often seem like a distraction or a nuisance to organizations. It is only natural for members of any organization to defer or even altogether ignore compliance, at least during the earlier stages. The arguments against compliance tend to sound something like this:
Nothing’s really happened in spite of us staying non-compliant. So what’s the point?
Compliance seems like a huge investment of time and resources and is a legit distraction. Let’s worry about this later.
Would anyone ever find out if we are not compliant?
Why should I worry about compliance when the org is really small, there is no product-market fit, and there are not many employees or customers?
Now all of the above points are valid. Fundamentally, you wouldn’t want to focus on compliance at the risk of business taking a hit - that makes no sense.
But the counterpoint is that any or all of the above thoughts can lead to a situation where the organization realizes it needs to get compliant quickly, and by then it’s often too late - case in point, FTX! While it may be tempting to prioritize other aspects of your organization over compliance, the potential costs and risks of non-compliance far outweigh the time and resources invested in maintaining it.
Thanks Ronak, very useful info, and it would be awesome if you could also write a sequel only on SOC2 :-)
Great informative article. Would love to know how Adaptive can help more in SOC 2 compliance