We rationalized the GDPR risk assessment in a more streamlined manner because GDPR is even less prescriptive than HIPAA. Our decade of experience provides you with a foundational list of 10 Essential Controls that any compliance regime requires. The Compliance Stack™ is a way to explain this groundbreaking innovation to the marketplace.
1. Risk Management: This Control encompasses the entirety of an entity's Risk Management program ("Program"), including Risk Assessments and implementing additional Security Controls ("Controls") that reduce Risks to levels that are "reasonable and appropriate."
2. Incident Management: There can be no effective Risk Management Program, including but not limited to Breach Notification, if security incidents are not tracked.
3. Inventory (Security Objects): Controls are applied to Security Objects (e.g. most think in terms of an asset inventory but the term encompasses much more than that).
4. Administrative: Compliance is a multi-disciplinary subject matter domain that requires a skillset far greater than technical acumen.
5. Authentication: The ubiquitous nature of smartphones has led to widespread use of two-factor authentication by most large organizations including banks, brokerages, and of course all the major technology firms.
6. Breach Notification: Breach notification, under every compliance regime where it is applicable, has become the 800-Pound-Gorilla that drives enforcement. Such is the case for HIPAA and we expect this same Gorilla to dominate GDPR enforcement. Large Breaches attract the attention of regulators.
7. Disaster Recovery: Disaster Recovery is yet another meta-control because it encompasses much more than data backups. Of course, backing up your protected data, and all your data for that matter, is mission critical.
8. Audits: Measurement against a baseline of a compliance regime's requirements is the only level of granularity that matters during an audit.
9. Technical Controls: This is another meta-control that of necessity must be treated as such because it is where the most innovation is currently occurring in cybersecurity defenses (i.e. for the moment we are discounting the importance of process innovations because they are so little understood). What we enumerate here as sub-controls are the basics, the most important of which is encryption.
10. Physical Controls: Physical Controls are such a no-brainer that they often go overlooked because of our obsession with technology.