I am often asked the question, can organisations achieve compliance with standards and frameworks such as GDPR, PCI DSS and ISO27001 as a by-product of great data and information security best practice in the future.
The fundamental answer is yes; however as with all big questions where the answer is yes, there is always a ‘but’, and the ‘but’ here is that this is not a simple proposition and there are some significant and fundamental differences between different data security and privacy standards which will need to be managed separately, but there are far more synergies and crossovers than there are unique requirements.
Managing great data and information security best practice across multiple data security and privacy standards needs to be carefully planned within a robust governance risk, strategy and compliance framework, with overall accountability vested in an Executive Board role, and responsibility divulged to the Chief Information Security Officer (CISO) and his or her function.
Organisations depend on data and information to be successful, particularly in the ever evolving and fast paced digital age where the processing, transmitting and storing of data is fundamental to the organisations’ survival, evolution and growth; customers expect service to be instant and impeccable, driven by advanced technology and data, in a world where the customer has more knowledge of the rights they hold over their own personal data than ever before.
As well as the importance of protecting an organisation’s intellectual property (IP) (eg. highly sensitive and confidential business trading data), the protection of customer and colleague personally identifiable information (PII), including debit and credit card data (payment data) is equally important.
Inadequate protection of an organisation’s data and information means that the viability of the organisation’s business operations could be severely compromised, and it is important to acknowledge that adequate securing of the data an organisation owns and uses is just as important as the data itself.
Whilst the answer to the original question is an unreserved yes, as already mentioned, different data security and privacy standards have their own peculiarities, nuances and requirements, and achieving one will not achieve the others without some additional effort and cost incurred.
However, a thorough and regular organisational operations risk assessment across the requirements and controls of multiple standards will throw up a significant number of synergies and opportunities to combine controls, efforts, resources and cost. An organisation’s information security and data privacy strategies should be combined and largely managed as one information security strategy and program.
With the almost absolute reliance on computers, systems, applications and networks an organisation should also amalgamate its cyber security strategy and program into one overarching data security strategy and program. Such a strategy and program will however still require specialist attention to each of the security and privacy standards an organisation needs to maintain, requiring for example a Data Protection Officer (DPO) in relation to GDPR, and a PCI management team in relation to PCI DSS, working alongside and integrated into an Information Security function.
Information Security cannot achieve great data and information security best practice alone; data security and privacy is everyone’s responsibility, and an organisation’s information security and data privacy strategy and program must be aligned to the overall Group operational strategy and program to be acceptable and successful, and championed from the Chairman and the Non-Executive and Executive Boards down.
Information security and data privacy require Executive Board sponsorship, with the Executive Board and an organisation’s Senior Leadership Team (SLT) setting the example and setting the tone of a data security and privacy culture that must pervade consistently across an organisation’s operational businesses.
Data security must become part of an organisation’s collective ‘muscle-memory’ and a pervasive culture of data security should be fostered consistently across the business.
This article will be followed up with a series of further articles exploring in more detail the PCI DSS Future topics touched upon here.
UKDataSecure is currently working with organisations across multiple industry sectors and ‘start-ups’, small and medium sized enterprises (SME’s), FinTech’s, retailers and others.
We can help your organisation with everything you need to secure your data environments, whether it be data security policies, incident response planning, security by design, data permeation, expert resources and experience, remote Data Security-as-a Service (SaaS), or Privacy-as-a-Service (PaaS), training and awareness or something bespoke for your organisation.
We can also help you to achieve and certify PCI DSS compliance, GDPR, ISO27001, Cyber Essentials, IASME, NIST, SOC2, NIS and CAF.
We’d love to talk to you today to see how we can help you with PCI DSS; please contact us and book a short chat this week using https://bit.ly/ukdsbookacall.
I look forward to talking through the details of the services we offer as soon as we can, and I look forward to working with new clients to achieve appropriate data risk management and information security governance and compliance as required.
Comments