Gain a Competitive Edge with Data Security Compliance
The complexities of operating an Accounts Receivable Management (ARM) organization can be quite daunting, especially in today's technology-centric world. Data security and compliance with various industry standards and regulations have become a fundamental business requirement of operating an ARM.
Fortunately, along with this new technology challenge of compliance comes a new business opportunity and a meaningful competitive advantage for an ARM. By adhering to certain data security best practices and having your organization audited and certified by a cybersecurity expert, new revenue growth can be realized with a huge return on investment. "It's an investment in time and money, but these (data security) compliance audits mean millions of dollars of revenue to my business." – CEO of a midsized ARM client
What is Data Security Compliance?
Data security compliance is the process by which an organization is certified by an authorized auditor as meeting the requirements of a regulation or standard. Compliance standards are designed to provide a framework that helps ensure a solid cybersecurity posture. A secure posture allows companies to keep sensitive data protected from being read, copied, changed, or deleted by cybercriminals. In other words, it provides a standard of best practices to help defend against an attacker looking for a way in to steal this sensitive data.
Modern ARMs are aggressively investing in a few key data security compliance certifications – as a means of protecting and growing their business. With proven operational and technology controls and systems in place, these ARMs are regarded as a superior vendor choice in the eyes of their customers and prospects.
Typically driven by the requirements of their customers, prospects and vendors, the most common data security compliance certifications sought by ARMs are:
PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for any company that accepts, processes or stores credit card information. This standard ensures that proper controls are in place to protect credit card transactions and that all payment information is accepted, processed, and stored in a secure ecosystem.
A Qualified Security Assessor (QSA) is a data security firm that is qualified by the PCI Council to perform PCI DSS assessments.
The Assessor will:
- Verify all technical information given by the merchant or service provider
- Use independent judgment to confirm the standard has been met
- Provide support and guidance during the compliance process
- Be onsite for the duration of the assessment as required
- Adhere to the PCI Data Security Standard Assessment Procedures
- Validate the scope of the assessment
- Evaluate compensating controls
- Produce the final Report on Compliance
ISO 27001 is an information security standard that helps organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to them by third parties. Many ARMs choose to implement the standard in order to benefit from the best practices it contains, while others also decide to get certified to reassure customers and clients that its recommendations have been followed.
ISO 27001 is the best-known standard in its family, providing the requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process.
The standard specifies a management system that brings all information security under management control. The requirements include:
- Examining an organization’s information security risks in context with threats, vulnerabilities, and impacts
- Designing and initiating a comprehensive suite of controls and other forms of risk treatment, such as risk avoidance or risk transfer, to address any risks that are unacceptable
- Adopting a process that ensures all information security controls continue to meet the needs of the organization on an ongoing basis
HIPAA (Health Insurance Portability and Accountability Act) was established in 1996 to modernize the flow of healthcare information. Any company that has access to or uses protected health information (PHI) must be HIPAA-compliant. For an ARM, it's critical to be HIPAA compliant in order to do business with customers in the healthcare or healthcare-related industry.
The HIPAA Privacy Rule addresses how PHI can be stored, accessed, and shared. For handling any PHI data, an organization must follow standards related to physical and technical safeguards. Audit reports and tracking logs are also necessary. Technical policies should be in place that cover integrity controls, that is, measures taken to ensure the data is not altered or destroyed. Finally, network security is another requirement of HIPAA, protecting against unauthorized public access to PHI.
The Health Information Trust Alliance (HITRUST) is a private company that collaborates with healthcare, technology, and information security stakeholders to maintain the Common Security Framework (CSF). HITRUST is a more formal standard with a certification aimed at protecting sensitive healthcare information. The CSF is a framework that any organization that creates, accesses, stores, or exchanges sensitive data can use. It is a flexible and efficient way to meet regulatory compliance and risk management needs, and organizations can tailor the CSF based on their type, size, systems, and regulatory requirements.
Conclusion: Data Security Compliance – ARM Clients Expect It
When an ARM reflects on how to better position itself for winning new customers and retaining existing clients, it is important to understand that data security compliance is a real business requirement. Since customers are often highly regulated themselves, they have become very diligent about data security and are therefore demanding that their vendors prove compliance with various data security standards in order to protect their business. In short, ARMs that don't choose to embrace this trend are choosing to be left behind by the competition in their hyper-competitive industry.