IT Compliance vs. IT Security: "What's the difference?"
Without a doubt, 2018 has become the year of IT Compliance. With so many new laws taking effect, including the EU's GDPR, California's Data Privacy Law, and Canada's PIPEDA, the line between security and compliance can easily blur for IT professionals. So the question becomes: How do we build a comprehensive security program while still meeting our compliance obligations? One problem surfaces repeatedly, regardless of which regulatory standard (PCI, HIPAA, etc.) your company must meet: failing to understand the difference between compliance and security. Some organizations treat the two as one and the same, become so consumed by complicated regulations that they stop focusing on security altogether, and end up with a program that passes audits but does not actually reduce risk. This month's edition of Ask Our VP of Compliance addresses the differences between IT Compliance and IT Security:
You have your corporate email defenses lined up. Whether you are using an out-of-the-box product such as Microsoft Office 365 or something more sophisticated like Proofpoint, here is what you need to know.
Even if your mail gateway is as secure as it can be, you should still be aware of the vulnerabilities that exist and can affect you.
Unless users are restricted from using mobile email apps, the gateway cannot protect you: those apps talk to the mailbox on their own, outside the defenses you lined up. This risk extends even to disclosure of your corporate authentication credentials.
Author: Danielle Johnsen (VP of Compliance)
Date: 21 May 2018
This document defines Digital Edge's policy on the European Union's General Data Protection Regulation (GDPR) and the principles on which that policy is based.
Friends and Colleagues,
The Digital Edge Security Team is sending an urgent warning about a widespread email phishing campaign aimed at Microsoft Office 365 users. The emails carry subject lines similar to: "View your Office 365 Business billing statement for...".
The email looks very real, so our Security Team is pointing out what users should look for when checking such an email for authenticity.
Multiple clients have notified us about receiving these emails, and some people have been caught by this campaign.
Click here to read more about this phishing incident, the possible remediation for it, and the follow-on attack in which the attacker uses the stolen credentials to set up "spying" rules (inbox rules that quietly copy or forward your mail) in your Office 365 account.
Using cloud platforms does not guarantee that customer deployments on those platforms will be automatically secured. Regardless of how advanced the security of the products is, if a customer leaves the login as admin/admin, the entire deployment is vulnerable. The admin/admin case is only one very simple example, but it is not hypothetical: in 2017 an Equifax employee portal in Argentina was found using exactly that login. (Equifax's far larger breach that year came through a different but equally basic lapse, an unpatched web application framework.)
Digital Edge not only suggests but implores companies to implement a security framework such as ISO 27001, the NIST Cybersecurity Framework, or SOC 2.
Recently, the resumes of potential, current, and previous employees of the US Department of Defense and the US intelligence community were exposed. The documents were found in an Amazon S3 bucket that had been configured for public access. S3 buckets are not protected by passwords; who can read them is governed entirely by the access policy and ACL set by the bucket's owner, and under the AWS shared-responsibility model that configuration is the customer's job, not Amazon's. Incidents like this will keep happening, with disastrous results for the people whose data is exposed, until bucket owners routinely audit those access settings. To find out more information, click here!
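As an added example (not Digital Edge's code or anything from the original page), the following Python audits the two settings that make an S3 bucket public in the way described above: an "Allow" statement in the bucket policy whose Principal is "*", and an ACL grant to the AllUsers or AuthenticatedUsers group. The policy and ACL documents are constructed samples in the shapes the S3 GetBucketPolicy and GetBucketAcl APIs return; the bucket name and account ID are hypothetical. It runs offline, with the exposed configuration beside a corrected one scoped to a single IAM role.

```python
"""Offline audit of an S3 bucket policy and ACL for public-access grants.

Added example (not Digital Edge's code). The documents below are constructed
samples; bucket name "example-resume-archive" and account 123456789012 are
hypothetical.
"""
import json

# Canned ACL groups that mean "anyone on the internet" / "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: the classic exposed-bucket policy (read for everyone, no Condition).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-resume-archive/*",
    }],
})

# Constructed sample: the corrected policy, scoped to one IAM role in the owning account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "HRRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-archive-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-resume-archive",
                     "arn:aws:s3:::example-resume-archive/*"],
    }],
})

# Constructed sample: a bucket ACL that grants READ to the AllUsers group.
PUBLIC_ACL = {
    "Owner": {"ID": "0123abcd"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Return (Sid, actions, conditioned) for every Allow statement open to everyone.

    conditioned=False is the real finding; conditioned=True means a Condition
    block narrows the grant and needs manual review rather than an automatic fail.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", [])),
                         bool(stmt.get("Condition"))))
    return findings


def public_acl_grants(acl):
    """Return (group name, permission) for every grant to a public canned group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def bucket_is_public(policy_json, acl):
    """Overall verdict: any unconditional public policy grant or any public ACL grant."""
    unconditional = [f for f in public_policy_statements(policy_json) if not f[2]]
    return bool(unconditional or public_acl_grants(acl))


if __name__ == "__main__":
    for label, policy in (("exposed", PUBLIC_POLICY), ("corrected", PRIVATE_POLICY)):
        print(label, public_policy_statements(policy))
    print("ACL grants:", public_acl_grants(PUBLIC_ACL))
    print("bucket public?", bucket_is_public(PRIVATE_POLICY, PUBLIC_ACL))
```

Note that the corrected policy alone does not make the bucket private if the ACL still grants READ to AllUsers, which is why the verdict checks both documents. In a real account, feed the function the output of the GetBucketPolicy and GetBucketAcl calls for each bucket, and turn on S3 Block Public Access at the account level so that a stray "*" principal or AllUsers grant is refused rather than merely flagged.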
A brief message from the Digital Edge Security Team:
Traffic analytics tools can cause unintentional disclosure of sensitive information.
Most precisely targeted attacks on IT infrastructure originate from outside the security perimeter of the victimized organization. However, the openings that allow attackers to breach its security mechanisms overwhelmingly originate either with the unintentional help of insiders or with the disclosure of sensitive information, and the data that analytics tools collect and send to third parties is one such disclosure.
As of May 1, 2017, Digital Edge is proud to announce its official certification against ISO 27001, the International Organization for Standardization's specification for an information security management system (ISMS). ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies. ISO is credited with publishing more than 2,100 international standards, covering almost every industry, from technology to food safety to aviation and healthcare. By adopting the ISO 27001 framework, Digital Edge protects businesses from threats including internet fraud, hacking, tampering with transactions, and other cyber security threats.
Undergoing ISO certification is vital to Digital Edge because the standard evaluates the effectiveness of our processes and gives structure to company management and growth. Digital Edge's clients will always be assured of quality services built on our core values of "Stability, Security, Efficiency, and Compliance". Digital Edge received this certification with only minor non-conformities and no major ones, proving once again that our security processes are applied consistently.
Receiving the ISO 27001 certification demonstrates that Digital Edge's processes meet the best quality and security standards for our clients. Digital Edge guarantees that our clients and partners receive outstanding service, and the certification shows our serious commitment to these security controls.