The information security compliance function works in an organization under the supervision of the Chief Information Security Officer or CISO to implement the information security compliance program at all levels to avoid cyberattack risks and data breaches.
Before delving into the knowledge and skills required for the information security compliance team to do their jobs properly, as well as the responsibilities they have within an organization, it is necessary to have a brief overview of the evolution of the compliance function. The concept of compliance refers to the observance of valid rules, laws, and standards or the process within which this is achieved.
The compliance function started to emerge during the 1990s as a response to big scandals that shook the USA. One example is the scandal of the procurement of a 400 US-dollar hammer and a 600 US-dollar toilet seat by the Department of Defense in the 1980s. The US Sentencing Commission established the first Federal Sentencing Guidelines for Organizations in 1991.
In response to an increasing number of corporate scandals, and to the fact that punishment of organizations was inconsistent because the same offenses drew different punishments, the guidelines introduced the possibility of lenient punishment for organizations that had “efficient” Compliance and Ethics Programs in place at the time the offense was committed. This created positions for compliance officers whose job was to develop and implement compliance programs in organizations. With the burgeoning corporate scandals around the world in the early 2000s, such as Enron, Siemens, Avon, Volkswagen, and so on, the compliance profession grew in importance.
Information Security Compliance Function
The compliance function comprises various departments with different roles and responsibilities. One of these departments is the Information Security Compliance function, which ensures that applicable laws, rules, regulations, standards, and other related requirements are identified, understood, and disseminated to management in a timely manner for compliance.
The Information Security Compliance function works as an advisor to the business, information technology, and operations departments to ensure that they correctly understand and apply the principles of data protection and the information security-related regulatory requirements. The Information Security Compliance function prevents large financial and reputational losses arising from regulatory non-compliance and from possible cyberattacks on the core applications and networks of the organization.
In a nutshell, the Information Security Compliance function creates information protection, data protection, cybersecurity, and other related policies, processes, and programs to ensure the following:
- Management of risks and unwanted events
The Information Security Compliance function ensures that servers, networks, systems, software, and other information sources are secured, and that effective controls against cyberattacks and data loss are implemented to deal with possible threats and data loss incidents. The Information Security Compliance function regularly monitors the delivery channels, technology infrastructure, networks, servers, and information systems to ensure that suspicious access or unauthorized data access attempts are identified and addressed in a timely manner to prevent data losses.
The Information Security Compliance function enables the employees to perform their day-to-day activities in compliance with applicable data protection laws, regulations, and internal information security compliance policies and procedures.