With high-profile cases of cybercrime and data leaks on the rise, it’s now more important than ever to ensure that your business and its users are keeping up with the latest IT and security compliance rules.
From keeping your user data safe to complying with governmental data storage requirements, having strict guidelines in place is essential for ensuring the smooth running of your organisation and for preventing mistakes.
With a lot of talk of compliance and security online these days, however, it’s easy to get confused by all the terms and jargon being used in the industry. To help clear things up, whether you’re an IT business support manager or a curious novice, here is our glossary of the key IT compliance terms:
Internal Compliance
Internal compliance is the set of rules laid out by you or your IT manager to govern how an organisation’s systems and hardware get used. Internal rules will typically cover things like when and where data can be accessed or hardware can be used, what websites you can visit while on the company network, whether or not users can install new software, and what attachments can be downloaded from emails.
External Compliance
In contrast to internal compliance, external measures are those set out by governments or industry regulators for your business to follow. Governmental regulations often cover data storage and retention, stipulating what to retain and for how long, and can also include things like backdoors for law enforcement agencies and rules about recording digital communications.
There is a wide range of different external compliance rules to follow depending on what industry and country you are operating in. If you work in IT business support, get in touch with Foration today to find out how we can help with your business’ compliance.
Attestation and Assurance
In order to meet some compliance criteria, it’s often necessary to have your organisation audited by an external body - someone to look in on how your users and systems work to make sure the correct controls are in place.
Once you’ve been audited, you will usually receive one of two things: either an attestation or an assurance. An attestation is available where an auditor has directly reviewed your business, examining the evidence first hand to assess your compliance. An assurance is where the auditor makes their decision based solely on evidence that your company has provided them with, without seeing your work in person.
It may seem that an attestation, being a first-hand audit, would be the better of the two, but this isn’t the case: some certification and audit types only allow one or the other to take place, not both.
Technical Controls
Whether you work in IT business support or are an IT user, you’ll likely be familiar with technical controls, even if you didn’t know that’s what they were called.
As a category of measures for securing your organisation’s IT systems and data, technical controls cover things like strong password requirements, file encryption, network access and authentication, and access to hardware. Many IT managers find themselves walking a fine line between security and inconvenience, as many technical controls, if poorly implemented, can get in the way of users’ day-to-day work.
Administrative Controls
While technical controls cover how systems are accessed, administrative measures look at who can access them. These measures are typically in place to prevent unauthorised access to user data, to maintain lists of current and past users and grant permissions accordingly, and to keep track of who is accessing data and where they are at the time.
Controls such as these play a large part in data security compliance, helping to mitigate the risk of malicious leaks and to limit the scale of data loss if any one account is breached.