What is Information Security Compliance?
Information security is about ensuring that the information your organisation stores and processes is protected and that its information systems operate as intended, through the implementation of effective security controls. It is built on three foundations: confidentiality, integrity and availability. It applies to many forms of information: paper records, desktop files, portable devices, displayed material and spoken information. The purpose is to prevent confidentiality breaches, data loss and the processing of inaccurate data, and to ensure information is available when required.
Information security compliance is an umbrella term for conformity with numerous legislative, regulatory and contractual standards. The hefty task of compliance within the UK currently includes, but is not limited to: the Data Protection Act (DPA) 2018, the General Data Protection Regulation (GDPR, retained in UK law as the UK GDPR), the Copyright, Designs and Patents Act 1988 and the Payment Card Industry Data Security Standard (PCI DSS). Compliance is both the individual responsibility of data users and the corporate responsibility of your organisation. Non-compliance can result in damage to your organisation's reputation, interruptions to service, legal action being taken against you, wasted resources and people being put at risk.
UK Compliance Standards
The Data Protection Act (DPA) 2018 is the current UK legislation governing the processing of personal data. Personal data is any data relating to an identifiable, living person, and processing is anything that is done with that data. The DPA 2018 implements and supplements the General Data Protection Regulation (GDPR) in UK law. It sets out rules that data controllers (those who determine why and how personal data is processed, and who are accountable for it) must follow.
The Copyright, Designs and Patents Act (CDPA) 1988 is the current copyright law within the UK. The CDPA gives the creators of literary, musical, artistic and dramatic works the right to control the ways in which their material is used. Protection typically lasts between 25 and 70 years, dependent on the type of work.
Compliance Standards beyond the UK
The General Data Protection Regulation (GDPR) is a European Union law governing the processing of personal information. It replaced the outdated 1995 Data Protection Directive to provide a better fit for a world in which personal data is processed at scale by technology.
The Payment Card Industry Security Standards Council (PCI SSC) is a global body dedicated to maintaining, evolving and promoting the PCI standards that protect cardholders. The Payment Card Industry Data Security Standard (PCI DSS) is intended to reduce card fraud by tightly controlling how cardholder data is stored, transmitted and processed. PCI DSS is not legislation: it is enforced contractually, with the card brands and acquiring banks requiring any organisation that accepts, processes, stores or transmits credit or debit card data to comply with it, and non-compliance can lead to fines or loss of the ability to take card payments. You should check your company's policies before processing any card payments.
The International Organization for Standardization (ISO) is an international body independent from any government. Its members comprise 161 national standards bodies, which share knowledge and develop voluntary standards for many industries, such as technology, healthcare and finance. One such standard is ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS). Whilst ISO certification is optional, it can help to ensure information security and reassure customers.
The US Sarbanes-Oxley Act (SOX) of 2002 is a US federal law, passed in response to numerous corporate and accounting scandals. It was implemented to strengthen financial disclosure requirements and prevent accounting fraud. SOX applies to companies whose securities are publicly traded in the US (including foreign companies listed there) and to their auditors. In 2002, it came to light that the telecommunications giant WorldCom had falsified its financial records. The company had reported a profit of $1.4 billion for 2001 instead of a net loss, and it went bankrupt in the summer of 2002. This high-publicity scandal demanded the change that SOX brought about.
The Importance of Information Security Compliance
Good information security practices allow you to get the best out of your information and be confident that the security risks are managed. Not only will your customers have more confidence in you, but so will your partners. Compliance also ensures you meet your legal and regulatory responsibilities. On the other hand, poor compliance may result in confidentiality breaches, data losses and loss of reputation. Consequences can include: internal disciplinary processes; investigations and enforcement by the Information Commissioner's Office (ICO); penalties from professional bodies; litigation by third parties; and, for some offences, criminal prosecution and even arrest. Thorough information security training for all staff members will help you ensure your business is meeting its compliance requirements.