If you're managing information technology decisions in an effort to keep your organization financially compliant, there can be a lot to consider. Fortunately, you aren't alone.
"I work with a lot of small businesses where the finance department is often burdened with IT," says Alex Insley, Twinstate's Unified Defense Strategies Technical Manager. And a burden it can be: Not only do you need to know about the specific regulations for your industry and the financial industry, but you also need to know the ins and outs of IT security. In an ever-evolving IT ecosystem, where do you even begin?
Information Technology 101: The Rundown
Your security needs likely aren't spelled out as rigidly as your compliance mandate is. That doesn't mean you should pursue them with any less fervor, because meeting the former is what lets you meet the latter. Since the best way to remain compliant with financial regulations is to keep your data safe, let's start with a discussion about security.
Here's what you need to know:
Network security, including a next-generation UTM firewall, is of utmost importance, notes Insley. Even if your organization is small, it is no less likely to be attacked than a larger one. It would be unwise to go cheap on network security. Instead, consider finding a partner who can help you identify exactly where your organization needs to be secured.
Do you need intrusion prevention and detection? Do you need awareness training for your employees? Do you need to scan your web and email traffic? The short answer to all of these questions, of course, is a resounding yes. To ensure there is nothing bad entering or leaving your network, consider the following:
Typically, a patch fixes a bug in your software. Patching regularly, and verifying that each patch was actually applied, is important because threat actors take advantage of vulnerabilities that were left improperly patched. There will always be some sort of hole, but with regular patching you can at least close the ones you know about.
Machines that are too old can compromise your security. If you are to stay compliant and safe, you'll need to make scheduled workstation and server replacements a standing part of your budget. Keeping machines up to date also requires an asset inventory. Knowing every item on your network and when it was last updated helps you get on a regular replacement schedule, thereby reducing downtime and increasing both productivity and customer satisfaction.
Having the right security and antivirus software is a must for compliance. Consider hiring a Managed Security Service Provider (MSSP) to help you choose, implement and update the right software. A reliable MSSP, like your machine updates, needs to be a regular budget item. Weigh that cost against the potential risks of compliance violations or data theft and you'll find the return is significant.
"Backups are big," says Insley, "especially when you're involving financial compliance, such as PCI." What's a backup? A copy of your data, archived so that you don't lose everything when you experience a data loss.
Backups absolutely have to be off site, explains Insley. "And you need to take the human element out of that movement as much as possible. Transporting or using tapes or hard disks is really not an option anymore. Accept the cloud-based backup solution," he says.
In planning your backup solution, you'll need to determine your Recovery Time Objective (RTO): how long a business process can remain unavailable before the consequences become unacceptable. Knowing your RTO will help you choose an appropriate backup solution.
"The lower the RTO, the more you'll spend on a backup solution," Insley says. "You need to plan for the worst and hope for the best."
In addition to all of the above items, written policy is critical to your financial compliance success. What's an IT use policy? A document, signed by each employee, that states their understanding of and agreement to the rules for using your systems.
Compliance Requires Maintenance
Compliance isn't only about achieving it, but also maintaining it. As you push toward compliance, you'll need a way to verify that you are compliant at any given time. You have to be able to collect information, ask the right questions, find where you're falling short and put solutions in place.
This list sounds overwhelming, but there's good news: you can implement systems that help you maintain your desired level of compliance without requiring constant updates and fixes. You could set up an in-house server for this effort, but Insley strongly recommends working with an established MSSP, who will be able to provide you with weekly reports.
Financial Compliance: Getting Specific
Now that you've taken Information Technology 101, you're ready to get specific about your compliance regulations.
Financial compliance can be complicated, and your requirements will differ from other businesses' depending on your industry and the type of data you keep. There are, though, some regulations most businesses have in common, which you can find explained in this Intuit piece, and financial regulations you can't ignore, as outlined by Inc. magazine.
However you choose to move forward, rest assured that making strides toward compliance will reduce your existential and concrete risks, ultimately lower your stress, and help your organization both run efficiently and serve its customers better.
Originally published on 05/10/2016