A Primer on Compliance

With cybersecurity at the forefront of many IT professionals’ minds, many organizations that utilize IT and have access to sensitive information have legally required safeguards that are directed at protecting that data. This comes in many forms, of course, and in our work as a Managed IT Services Provider we deal with these restrictions on a daily basis.

At their core, many of these requirements stem from legislation at various levels. Some of the most common compliance requirements are borne from Sarbanes-Oxley Act – SOX (2002), Federal Information Security Management Act – FISMA (2002), Health Insurance Portability and Accountability Act – HIPAA (1996), Payment Card Industry Data Security Standard – PCI DSS (2001), and National Technology Transfer and Advancement Act – NTTAA (1995).

So…what does that mean for YOUR business?
It means that these third-party requirements often occur in certain industry verticals, although not always. Some of the most common are in financial, medical, and government contracting industries. However, PCI DSS compliance can benefit any business that uses credit cards as payment, for example. Failure to comply with these various standards can leave businesses with legal liability or loss of opportunity.

(Quick note: I apologize in advance for the oncoming acronym assault, however they are a key to understanding this world of compliance and are commonly used terms.)

Some examples of Compliance Organizations:

NIST 800-171/CMMC
The National Institute of Standards and Technology, or NIST, is responsible for this common framework which most often pertains to certain (especially Department of Defense) government contractors. The standards set forth in NIST 800-171 (which is transitioning to the Cybersecurity Maturity Model Certification, or CMMC) specifically apply to non-governmental computers capable of storing or transmitting Controlled Unclassified Information (CUI). While CUI could refer to a huge multitude of items from blueprints of parts for a military vehicle to certain government process manuals to parts for rocket engines to many things in between, the model works on gauging advancements along a cybersecurity framework (CSF). NIST/CMMC compliance relates to structures, systems, and personnel that surround, interact, and integrate with CUI. For full details on NIST 800-171, you may consult the document here.

PCI DSS
Coming directly from the name of the legislation that spawned it, Payment Card Industry Data Security Standard (PCI DSS) compliance is applicable to any merchant who uses credit cards in their transactions. These exist primarily to prevent credit card fraud, which costs the financial industry billions of dollars per year, and by extension strengthen the cybersecurity defense around systems that transmit or store related information. Companies can be penalized and fined—and lose the ability to process cards at all, a nightmare in today’s economy—if a data breach occurs and PCI compliance is inadequate. By some reports, barely 50% of organizations are truly PCI DSS compliant!

HIPAA
Similar to PCI DSS, HIPAA gets its name from its associated legislation: the aforementioned Health Insurance Portability and Accountability Act. HIPAA compliance is specifically geared to the industry in which sensitive patient data is kept. This can be loosely defined as businesses or organizations that provide treatment, payment, or support operations with a medical focus. Primarily relating to individual privacy with regards to protected health information (PHI) or electronic PHI (e-PHI), HIPAA compliance covers both technical and physical safeguards to breach. Telehealth in the age of COVID has made this more complex in some ways. Still, compliance failures that are considered “willful” can result in a minimum $50,000 criminal fine. Even smaller violations range from $100 to $25,000 fines.

How do businesses get audited?
Audits vary between the organizations. NIST 800-171 used a self-assessment in many instances (which, frankly, were not always completely accurate). This is changing with the transition to CMMC, where a business is required to be audited by an accredited third party. HIPAA audits often occur based on complaints, mistakes, security incidents, or discovered wrongdoing. PCI audits are common after a breach of information has been discovered and/or traced back to a particular business.

How do businesses prepare for audits?
There are many ways businesses prepare their personnel, structures, and technology for audits. The most common are periodic check-ups on compliance physical and technical process and policy checklists. If none exist, a business should consult an outside agent to help align it with applicable requirements.

But I pay an IT company, I’m covered.
Are you sure? Unless your business has a written contract assigning liability, responsibility rests with your business! Even as an IT MSP, Certified CIO strives to advise our customers regarding proper compliance process alignment, cybersecurity insurance, and to help create policy. Still, the specific business or organization is responsible for their compliance as we cannot enact these changes without the approval of the business or organization.

Then how can Certified CIO help me with this?
Certified CIO can conduct a variety of compliance related consulting tasks for your business. These include advising on tasks and policies commonly related to various regulatory compliance items to conducting more in-depth compliance alignment checks. If you are unsure of where you stand, pick up the phone and call us or CONTACT US!

Tabbie Coulter

great professional service and very timely!! would highly recommend for your IT needs.

Jessie Palma

I love this company. They have soo much talent there and they always fix it so quickly! They are very professional and courteous! I've gotten to know some of them because we treat each other like human beings :) It's like having an extended family.

Fernando Perez

Awesome management! Great company.

Joseph Silbaugh

I needed to add an older laptop to the business account for my use on the road. CIO did everything remotely for me. It made the task so easy. They updated everything, added my office 365, my 3 emails and checked everything. Great job, quick and efficiently no stress. I recommend them highly

Kay Westerhold

Always a quick response. Issue solved and can continue on with the task every time. Great job CCIO!!

Bill Fissell

The service was prompt, friendly and knowledgeable. Could not ask for more than that.

Kevin Slack

Upgraded our router with Comcast. It did not go smoothly until Steve Plumlee got involved and got everything working well. When Steve is working on our IT issues, they get resolved. Amen.

Hickory Falls Family Entertainment Center

Thanks for going more in-depth with your engineers and investigating solutions and resolving some of our email challenges.

Bill Moorman

Certified CIO is a smart, professional and friendly team of engineers to work with. I am a bright person but computers can make me feel incompetent. The team at Certified CIO never allows you to feel awkward even asking the most basic questions. You have been a lifeline many times. Thanks for your support.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Better IT for Business. Call Today! (717) 340-6000 (443) 283-0666

Share This Story, Choose Your Platform!

Better IT for Business. Call Today!
(717) 340-6000
(443) 283-0666