Achieving Security Compliance In Small And Midsize Businesses

Published: 22/11/2024   Category: security




How can smaller businesses meet compliance requirements with limited resources? Here are some tips



[The following is excerpted from Achieving Security Compliance in Small and Midsize Businesses, a new report posted this week on Dark Reading's SMB Security Tech Center.]
When it comes to compliance, small and midsize businesses have it rough. Like larger organizations, they have real and difficult-to-achieve regulatory mandates. Indeed, depending on the business they're in, the services they provide, and the type of data they process and store, SMBs can have just as many regulatory and compliance considerations as larger companies.
However, unlike their larger cousins, they often don't have room in the budget for teams of dedicated personnel or specialized compliance expertise. This means that while their regulatory compliance requirements might be the same, SMBs' and larger firms' abilities to respond are not.
All of this creates a quandary for SMBs: How can they be sure to address regulatory mandates without pulling resources away from critical tasks that enable the business to thrive?
It's a Catch-22: If they channel resources into compliance activities, they might negatively impact their ability to compete, but that ability to compete could also be reduced if they don't address regulatory compliance considerations. Fortunately, there are a few strategies and resources that can help -- most importantly, the "kill two birds with one stone" model.
First and foremost, it's important to clear up a myth many practitioners have about regulatory compliance in an SMB context -- specifically, that because they're small they don't need to worry about compliance in the first place.
This is a dangerous assumption. In fact, the exact opposite is true. Governing regulations are very seldom tied to an organization's size. They may have a provision or two that addresses how approaches should be tailored to organizational context and risk (which might include size), but even if that's the case, the requirements themselves don't differ. Instead, where they have an impact on IT, regulations are usually tied to data.
For example, in the case of the Health Insurance Portability and Accountability Act (HIPAA), the salient factor governing whether the law applies is whether the organization processes protected health information; in the case of the Payment Card Industry Data Security Standard (PCI DSS), it's whether or not the organization handles cardholder information; for state breach disclosure legislation, the determining factor is exposure of personally identifiable information.
In all of these cases, it's the data that governs how information should be protected -- not the size, structure or other characteristics of the organization protecting it.
SMBs can benefit from studying the people and companies that have come before them -- or have essentially been there and done that when it comes to compliance.
For example, SMBs can leverage free and low-cost resources to help with the selection and implementation of controls for meeting regulations, to help deploy controls where they will provide the most value and to obtain technical guidance about implementation.
All of this is not to say that SMBs can just ride on others' coattails without any effort whatsoever. Rather, SMBs will have to spend significant time reading through documents, understanding their applicability and planning how to use them strategically. It's really a front-loaded exercise -- there's some work required before the benefit can be realized.
So what resources are appropriate for SMBs in this context? In terms of thoroughness, it's hard to beat the U.S. National Institute of Standards and Technology's 800 series of special publications. Because these documents are freely available and designed with a full range of organizational sizes in mind (a number of government agencies have fewer than 100 employees), they can be a way for SMBs to get additional technical guidance for only the cost of the time it takes to read through the documents.
Particularly helpful is SP 800-53, which contains a road map of controls designed to secure federal information systems. Why would that be helpful to a private sector SMB? Because of what happens once those controls are mapped to the regulatory requirements in the SMB's scope. By mapping either directly (for example, mapping a regulation like HIPAA or an industry standard like PCI DSS to the controls in SP 800-53) or indirectly (via an intermediate layer such as ISO/IEC 27002:2005), an SMB can get a comprehensive playbook of technical guidance about the implementation of specific controls.
To read more about the resources and data available to help SMBs achieve compliance -- and for some tips on how they can get there -- download the free report.