IT security compliance standards, such as HIPAA and PCI DSS, are designed to help ensure that IT systems remain secure and to prevent the compromise of sensitive information. Even so, it is theoretically possible to be fully compliant with regulatory requirements and still be vulnerable to attack.
The reason for this is the way that the security compliance regulations are designed. Obviously, every set of regulations is different, but in at least some cases, the regulations define security objectives for covered organizations but do not explicitly state how these objectives must be met. In such cases, it is ultimately up to the individual organization to figure out how best to comply with the regulatory requirements.
In some ways, this open-ended approach to security compliance standards makes sense. A ten-person organization, for example, cannot afford the same security resources as a Fortune 500 company.
The disadvantage to this approach, however, is that it sometimes allows for complacency over time. Consider for a moment that at least some of the regulatory requirements have existed for decades. Although the regulatory requirements might remain relatively static, technology constantly changes, as do the threats that an organization must protect against. If an organization is to remain secure, it must continuously reassess its existing security plans and ensure established security protocols are still compliant with applicable regulations.
Security compliance standards begin with basics
The most basic step that an organization can take to protect against emerging threats is, of course, to perform patch management in a timely manner. In addition to making patch management a high priority, however, organizations should review their options for enhancing endpoint security on at least a quarterly basis. Such a review may include evaluating new operating system-level security features, and determining if and how such features should be used. The review process might also consist of checking to see if new versions of third-party endpoint security software are available, and if there are new security products that might perhaps do a better job than those products that are currently in use on network endpoints.
Another important step that can be taken in an effort to ensure adherence to regulatory and security compliance standards is to reevaluate the organization's PC refresh policy from a security standpoint. Historically, PC refresh policies have been little more than a mandate to replace PCs once they reach a certain age and have had almost nothing to do with security. On modern systems, however, security is increasingly being tied to a PC's underlying hardware. Windows 10, for example, uses a virtualization-based security architecture to provide hardware-level protection of the operating system's integrity. Organizations should evaluate their endpoint hardware to make sure that it is suitable for hardware-level security.
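The quarterly endpoint review and the hardware evaluation described above can both be reduced to a read-only check that runs on each Windows 10 or 11 endpoint. The following PowerShell is an added example, not code from the article: it reports how old the newest installed update is and whether the hardware exposes the properties virtualization-based security (VBS) needs. It assumes an elevated session (Confirm-SecureBootUEFI and Get-Tpm require administrator rights), the 30-day patch-age threshold is a constructed value to adjust to your own policy, and the meanings of the numeric codes follow Microsoft's documentation of the Win32_DeviceGuard class.

```powershell
# Added example (not from the article): read-only endpoint review reporting
# patch currency and VBS hardware readiness for one Windows 10/11 host.
# Run elevated. Numeric code meanings follow Microsoft's Win32_DeviceGuard docs.

function Get-EndpointSecurityReview {
    [CmdletBinding()]
    param(
        # Constructed threshold: flag hosts whose newest update is older than this.
        [int]$MaxPatchAgeDays = 30
    )

    # --- Patch currency: newest installed hotfix and its age in days ---
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $patchAgeDays = if ($latest) {
        (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    } else { $null }   # no dated hotfix found: treat as out of policy

    # --- Hardware readiness for virtualization-based security ---
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    $propertyNames = @{
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'
        5 = 'NX protection'
        6 = 'SMM mitigations'
        7 = 'Mode Based Execution Control'
    }
    $vbsStatus    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI';
                       3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; report that as $false.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # Get-Tpm throws where the TPM stack is unavailable; report that as not ready.
    $tpm = $null
    try { $tpm = Get-Tpm } catch { }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        LatestHotFix           = $latest.HotFixID
        PatchAgeDays           = $patchAgeDays
        PatchAgeExceeded       = ($null -eq $patchAgeDays) -or ($patchAgeDays -gt $MaxPatchAgeDays)
        SecureBootEnabled      = [bool]$secureBoot
        TpmPresentAndReady     = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        VbsStatus              = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        HardwareCapabilities   = @($dg.AvailableSecurityProperties |
                                   ForEach-Object { $propertyNames[[int]$_] })
        # Properties the configured VBS policy requires but the hardware lacks.
        MissingRequiredProps   = @($dg.RequiredSecurityProperties |
                                   Where-Object { $_ -notin $dg.AvailableSecurityProperties } |
                                   ForEach-Object { $propertyNames[[int]$_] })
        SecurityServicesRunning = @($dg.SecurityServicesRunning |
                                    ForEach-Object { $serviceNames[[int]$_] })
    }
}

# Local usage; for a fleet, wrap the function body in Invoke-Command against a
# list of endpoints and export the objects to CSV for the quarterly review.
Get-EndpointSecurityReview -MaxPatchAgeDays 30 | Format-List
```

The two review questions the article raises map directly onto the output: PatchAgeExceeded answers whether patch management is actually timely on that machine, and a non-empty MissingRequiredProps list (or a VbsStatus other than "Running" on hardware that lists hypervisor support, Secure Boot and MBEC among its capabilities) identifies endpoints the refresh policy should consider from a security standpoint rather than purely by age.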
Unfortunately, regulatory compliance alone does not guarantee security. Otherwise, you would never hear stories of compliant organizations being fined for security breaches. The best way that an organization can protect itself against emerging security threats is to go beyond adhering to security compliance standards and regularly reevaluate its defenses with regard to new security tools and with regard to emerging threats.