Well, That’s One Way To Handle Security
GECSP, GDPR, Sarbanes-Oxley, HIPAA, PHI, PII, PCI
Serious question: Is your company compliant with these?
More serious question: Do you have any idea what all these stand for?
They all have to do with IT security and compliance. I knew some of them. But, honestly, as an IT manager in my company, I didn’t give them much thought. We had a security analyst. His entire focus was to make sure he not only knew what these acronyms stood for, but that we were in compliance with them and anything else we needed to comply with. I had other items I had to be knowledgeable on.
That was a great strategy... and then our security analyst took a position with another company. Good for him. Bad for me. But, he had a manager, right? Another security expert. I started working with Rajiv. And Rajiv made sure we were compliant for our audits. And then Rajiv took a position with another company. But, it was okay, because we’d hired Austin to replace our original security analyst... except that Austin had come from our accounting department. Security analysts were so hard to find and hire that we opted to hire from within and train Austin to be a security analyst.
At this point I started learning acronyms. Austin is very sharp and has quickly mastered the intricacies of data security. But, considering we went through two security experts in just a couple of months, I decided that I needed to become my own expert.
In terms of training, it actually works out well. As Austin is learning the details of being a security analyst, I can tag along with him and learn as well.
GECSP: Global Essential Compliance and Security Policies – designed to anticipate any possible risks of fraud and violation of any security guidelines. Essentially, a list of best practices and policies designed to help your organization avoid fraud.
GDPR: General Data Protection Regulation – A European law that is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations approach data privacy. Not just for European companies, but anyone who has clients or employees in Europe. (It replaces the Data Protection Directive, DPD.)
Sarbanes-Oxley: A law passed by the US Congress to protect investors from the possibility of fraudulent accounting activities by corporations.
HIPAA: Health Insurance Portability and Accountability Act – A US law that provides data privacy and security provision for safeguarding medical information.
PHI: Personal Health Information – Generally the data that HIPAA requires you to protect.
PII: Personal Identifiable Information – Personal data that can be used to identify a person. Typically this information is the holy grail for hackers: social security numbers, birthdates, names, addresses.
PCI: Payment Card Industry – Provisions for protecting customer personal credit card data.
I decided I needed to learn the details of these standards for three reasons. First, each law/requirement was specifically designed to protect customer information. I’m very interested in making sure my company’s customers’ data is safe. Second, my company and our client do multiple security audits throughout the year. I need to be able to help my sites prepare. Finally, not following some of these laws means that the data owners (that could be interpreted as me) could face severe penalties up to and including jail time. Yeah, that’s a pretty good incentive.
It’s not good enough to just have a security analyst. To really protect your customers, you should probably go brush up on how to be a security expert yourself.
Rodney M Bliss is an author, columnist and IT Consultant. His blog updates every weekday. He lives in Pleasant Grove, UT with his lovely wife, thirteen children and grandchildren.
Follow him on Twitter (@rodneymbliss), Facebook (www.facebook.com/rbliss), LinkedIn (www.LinkedIn.com/in/rbliss), or email him at rbliss at msn dot com.
(c) 2017 Rodney M Bliss, all rights reserved
Great article! Love the closing remarks since security is everyone’s responsibility. One suggestion though, IT is generally the data custodian, not the data owner. Data owners are typically the business that IT supports. IT will rely on the data owners for defining items such as retention policy, classification, and so on. Glad to hear you’re buttoning up your security knowledge. Keep up the great blogging!
Thanks. Chime in anytime.
BTW, we decided not to move forward with the center in Florida. I missed seeing Spring training games by a week.