TÜV Rheinland Blog - Insights from Asia and Africa

When Compliance Alone Is Not Enough

Posted by TUV Rheinland on Jul 12, 2018 5:40:11 PM
TUV Rheinland

Meeting compliance is vital for organisations across all industries — but it’s a mistake to think that compliance equals security for your network and your data. While regulations are improving all the time, IT managers and the C-suite too often believe that checking all the boxes required by regulators will ensure their organisation will pass an audit or be 100% protected from a breach.

We can see the shortcomings of compliance mandates as it relates to security in highly regulated industries like healthcare. HIPAA places a high emphasis on patient privacy, yet healthcare was the second hardest hit industry in 2016, according to the 2107 edition of Verizon DBIR, recently released.


Compliance vs. Security

  • Industry regulations are designed to safeguard sensitive customer data such as PII and protect consumers. Other assets such as intellectual property, employee data, and competitive intelligence may not be included in the compliance requirements but could impact operations and cause revenue loss.
  • Regulations create a good baseline for your cybersecurity strategy, but they can not keep up with the always-evolving threat landscape. Audits only supply proof of compliance during a specific window of time and are not a good indicator of ongoing best practices.
  • Third-party risk has become one of the top concerns for cybersecurity, but regulations are still not consistent in addressing it. The recently released New York State regulations for banks and insurers suggest that regulators are in tune with third party risk, but it remains to be seen if other states or the federal government will follow suit — and how soon.
  • The Internet of Things, not well addressed in regulatory requirements, and the cloud are changing the way companies do business, but at the same time amplify security issues.
  • The scale of the disruption as a result of a compromised system is not entirely understood by organisations. Last year’s unprecedented Dyn DDoS attack and the recent WannaCry ransomware attack are excellent examples of the massive footprint of an organised attack.
  • Multi-vendor environments, interconnected internal systems, affiliates, business associates and third parties make it increasingly easier for a hacker to penetrate one system and compromise numerous others. Krebs on Security recently reported on a breach at hospitality vendor Sabre, which disclosed what could be a significant breach of payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments.


How RSA Archer Can Help

To effectively manage risk, meet compliance mandates and also increase security, organisations need to change their siloed approaches to risk management. Tracking and managing risk is a complicated process, and the stakes are too high, to depend upon manually managing risk. It’s no longer sufficient to scale based on error-prone spreadsheets and ad hoc reports.

RSA Archer is a proven method for meeting risk and audit requirements, complying with regulations and eliminating data inconsistencies. Recognised by Gartner and Forrester as a leading GRC platform, RSA Archer allows you to design and implement semi-custom but all-encompassing and centralised audit solutions, preserve data integrity and automate reporting for consistency. The tool helps facilitate decision-making that’s based on accurate and timely reporting. 

Our experts have more than a decade of experience with RSA Archer and a portfolio of projects that have the highest level of customer satisfaction. Named the RSA Archer Partner of the Year 2016, TUV Rheinland OpenSky has the largest team of subject matter experts found anywhere that have demonstrated how innovative solutions will help businesses meet their compliance, risk and security goals and reduce overall risk management costs.


For more information, speak with our experts:

Contact us now 

Topics: Certification, compliance, cyber security