[The following is excerpted from "Achieving Security Compliance in Small and Midsize Businesses," a new report posted this week on Dark Reading's SMB Security Tech Center.]
When it comes to compliance, small and midsize businesses have it rough. Like larger organizations, they have real and difficult-to-achieve regulatory mandates. Indeed, depending on the business they're in, the services they provide, and the type of data they process and store, SMBs can have just as many regulatory and compliance considerations as larger companies.
However, unlike their larger cousins, they often don't have room in the budget for teams of dedicated personnel or specialized compliance expertise. This means that while their regulatory compliance requirements might be the same, SMBs' and larger firms' abilities to respond are not.
All of this creates a quandary for SMBs: How can they be sure to address regulatory mandates without pulling resources away from critical tasks that enable the business to thrive?
It's a Catch-22: If they channel resources into compliance activities, they might negatively impact their ability to compete, but that ability to compete could be reduced if they don't address regulatory compliance considerations. Fortunately, there are a few strategies and resources that can help -- most importantly, the "kill two birds with one stone" model.
First and foremost, it's important to clear up a myth many practitioners have about regulatory compliance in an SMB context -- specifically, that because they're small they don't need to worry about compliance in the first place.
This is a dangerous assumption. In fact, the exact opposite is true. Governing regulations are very seldom tied to an organization's size. They may have a provision or two that addresses how approaches should be tailored to organizational context and risk (which might include size), but even if that's the case, the requirements themselves don't differ. Instead, where they have an impact on IT, regulations are usually tied to data.
For example, in the case of the Health Insurance Portability and Accountability Act (HIPAA), the salient factor governing applicability is whether the organization processes protected health information; in the case of the Payment Card Industry Data Security Standard (PCI DSS), it's whether or not the organization handles cardholder information; for state breach disclosure legislation, the determining factor is exposure of personally identifiable information.
In all of these cases, it's the data that governs how information should be protected -- not the size, structure or other characteristics of the organization protecting it.
SMBs can benefit from studying the people and companies that have come before them -- or have essentially been there and done that when it comes to compliance.
For example, SMBs can leverage free and low-cost resources to help with the selection and implementation of controls for meeting regulations, to help deploy controls where they will provide the most value and to obtain technical guidance about implementation.
All of this is not to say that SMBs can just ride on others' coattails without any effort whatsoever. Rather, SMBs will have to spend significant time reading through documents, understanding their applicability and planning how to use them strategically. It's really a front-loaded exercise -- there's some work required before the benefit can be realized.
So what resources are appropriate for SMBs in this context? In terms of thoroughness, it's hard to beat the U.S. National Institute of Standards and Technology's 800 series of special publications. Because these documents are freely available and designed with a full range of organizational sizes in mind (a number of government agencies have fewer than 100 employees), they can be a way for SMBs to get additional technical guidance for only the cost of the time it takes to read through the documents.
Particularly helpful is SP 800-53, which contains a road map of controls designed to secure federal information systems. Why would that be helpful to a private sector SMB? Because of what happens once those controls are mapped to the regulatory requirements in the SMB's scope. By mapping either directly (for example, mapping a regulation like HIPAA or an industry standard like PCI DSS to the controls in SP 800-53) or indirectly (via an intermediate layer such as ISO/IEC 27002:2005), an SMB can get a comprehensive playbook of technical guidance about the implementation of specific controls.
To read more about the resources and data available to help SMBs achieve compliance -- and for some tips on how they can get there -- download the free report.