Fact of life: Data, and the processing and transactional functionality that makes use of that data, have to reside in a secure environment. Given the number of data breaches that have occurred this year alone, that’s self-evident. So, when the organizations with which you work are reported to be compliant with SOC and other data-security requirements, that compliance is not to be taken lightly. Here’s why:
Compliance indicates the processes and practices within the organization have required levels of oversight. Monitoring is in place for unusual activity, configuration changes are authorized, and access is granted only to approved users. Normal activity is baselined to make deviations readily apparent and to determine the presence of potential threats.
Compliance also indicates adequate alerts and audit procedures are in place to:
- Ensure awareness of aberrant activity and initiate a corrective response.
- Identify the root causes of aberrant activity to ensure appropriate remediation.
- Trace aberrant activity forensically to determine its source, its path through the system, the parts of the system affected, the nature of the effect, and where it might go or what it might affect next.
But Who’s Accounting?
Compliance with SOC and other data-security requirements also means personnel within compliant organizations are accountable to their customers and to each other for upholding the terms of compliance. From preventing breaches to identifying potential weaknesses, from shoring up potential weaknesses to remediation if it’s required, the appropriate people in audited organizations are on notice and on the hook. They should also be responsible for conducting regular assessments on patch management, vulnerability management, and overall system-security management — and reporting the results of those assessments to all of their data- and system-security peers in the organization.
If you’re not sure if the organizations with which you work are compliant with data-security requirements, here are a few things you should do:
- Ask if the organization has any data-security policies or procedures in place.
- If so, ask what they are.
- If not, worry … a lot … and find a new home for your data.
Some things are worth worrying about more than others. The security of your data is one of them.