Industry Perspectives on Security and Compliance

With so many new product and feature announcements within the Microsoft 365 platform, as well as other parallel, integrated, and even competing solutions, it is important to understand and periodically review major trends and issues within your own and other industries. Looking at the topics of security and compliance in several of the leading industries can help you to identify definitions and trends that span all industries, as well as any factors that may be unique to a single industry.

Photo by Jason Dent on Unsplash

Below, I’ve highlighted some of these security and compliance differences within four key sectors: Public (Federal, State and Local Government), Education, Financial Services, and Healthcare.

Public Sector

In one presentation given to public sector leaders, compliance was defined as:

“the process of ensuring and proving that policies (internal and external) are being followed.” (Governance, Risk & Compliance for Public Sector, n.d.)

A secondary definition that clarifies the most important laws to follow is provided below:

“For U.S. Federal agencies, the major security and privacy compliance concerns include the Clinger-Cohen Act of 1996, the Office of Management and Budget (OMB) Circular No. A-130, particularly Appendix III, the Privacy Act of 1974, the E-Government Act of 2002 and its accompanying OMB guidance, and the Federal Information Security Management Act (FISMA) of 2002. Also of importance are National Archives and Records Administration (NARA) statutes, including the Federal Records Act (44 U.S.C. Chapters 21, 29, 31, 33) and NARA regulations (Title 36 of the Code of Federal Regulations, Chapter XII, Subchapter B).” (Jansen, 2011)

From this information, we can infer that the public sector focuses strictly on compliance with specific and extensive regulation, and that internal processes receive less attention than they do in the Financial Services sector.

In a 2019 CollabTalk survey, we found that members of this industry reported less clear ownership of security and compliance, a stronger focus on product lifecycle, and a much wider spread in security and compliance confidence levels between products.

  • Specific compliance threats that are larger for this industry than with other industries: Content lifecycle (e.g. all content is retained forever)
  • Specific security threats that are larger for this industry than with other industries: No monitoring solution specifically looking for security breaches
  • An overview of the Office 365 Security and Compliance Center can be found at https://docs.microsoft.com/en-us/office365/securitycompliance/
  • Additional Office 365 security and compliance guidance for the Public Sector can be found at https://www.microsoft.com/en-us/industry/government, which includes links to the Office 365 US Government service plan and plans for Germany, China (21Vianet), and other Public Sector options.

Education Sector

The education industry views compliance very similarly to the public sector. Although there is no definition specific to the industry, the following passage helps to understand the viewpoint of the industry:

“In addition to the usual security concerns for any enterprise, educational institutions, by virtue of their diverse operations, are subject to numerous compliance regimes, and when it comes to compliance, universities are well aware that you can outsource responsibility, but you can’t outsource accountability.” (Sasikala, 2010)

In addition to this viewpoint, a comprehensive list of other laws and regulations can be found at www.higheredcompliance.org.

Compliance in the education sector, as in the public sector, is concerned with strict adherence to a large number of regulations rather than proactive investment.

In our survey, we found that members of this industry reported security ownership sitting entirely with IT departments, and roughly average compliance and security confidence scores.

  • Specific compliance threats that are larger for this industry than with other industries: Content lifecycle (e.g. all content is retained forever)
  • Specific security threats that are larger for this industry than with other industries: Lack of adequate encryption
  • Additional Office 365 security and compliance guidance for the Education Sector can be found within the service plan details at http://bit.ly/O365_EDU.

Financial Services Sector

The financial industry is the most concerned with remaining compliant of the industries researched here. For the financial services industry, compliance is a proactive endeavor, as described by worldfinance.com:

“Regulation in the financial services sector will continue to pose a challenge to firms both large and small. Compliance is not just about recognizing the key regulatory pressures facing financial institutions, but also proactively ensuring the company is improving its processes and streamlining its operations. As the challenges around compliance continue to put pressure on firms, finding new solutions and methods will be vital.” (World Finance, n.d.)

For the financial industry more than any other, the focus is on reducing cost and streamlining the internal processes that lead to compliance. Another definition of compliance is given by the International Compliance Association below:

“In the context of financial services businesses, compliance operates at two levels. Level 1 – compliance with the external rules that are imposed upon an organization as a whole. Level 2 – compliance with internal systems of control that are imposed to achieve compliance with the externally imposed rules.” (International Compliance Association, n.d.)

Compliance in the financial services industry is also meant to preserve reputation. “Protect against loss of reputation” is in the top five priorities for banks in the financial services industry (MetricStream, 2014). Most of this work tends to show in “Level 2” of the definition above, in increasing efficiency of internal processes to more effectively achieve compliance with external rules.

In our survey, we found that members of this industry were less familiar (most people not familiar at all) with general trends in security and compliance. Ownership of these problems sits at the CXO level, and CXOs do tend to be somewhat familiar with trends. Security and compliance confidence scores, however, are mostly low.

  • Specific compliance threats that are larger for this industry than with other industries: Content lifecycle (e.g. all content is retained forever)
  • Specific security threats that are larger for this industry than with other industries: Data protection and recovery from loss and lack of adequate encryption
  • Additional Office 365 security and compliance guidance for the Financial Services Sector can be found within the Microsoft Trust Center overview at https://servicetrust.microsoft.com/ViewPage/FinancialServicesOverview

Healthcare Sector

The Healthcare industry’s typical definition of compliance is:

“The ongoing process of meeting, or exceeding the legal, ethical, and professional standards applicable to a particular healthcare organization or provider… Healthcare compliance covers numerous areas including, but not limited to, patient care, billing, reimbursement, managed care contracting, OSHA, Joint Commission on Accreditation of Healthcare Organizations, and HIPAA privacy and security to name a few.” (Healthcare Compliance, n.d.)

Although Healthcare is regulated carefully, the Healthcare sector views compliance with these regulations as the full extent of its security. In the Compliance Effectiveness Survey, the researchers reached the following conclusion:

“For any compliance program, a critical measure of success is its ability to prevent incidents from occurring. Determining how many events are avoided is difficult, though. Employees rarely come forward to report, ‘I was about to commit a felony and then remembered that compliance training I received.’”

This statement from an industry-standard source implies that the Healthcare industry views compliance as a type of security, and that compliance with regulation is intended to prevent “incidents”, which is one of the goals of a security strategy.

Christian Buckley

Christian is the Microsoft GTM Director for AvePoint Inc., and a Microsoft Regional Director and Office Apps & Services MVP based in Silicon Slopes (Lehi), Utah. He hosts the AvePoint Office 365 Hours (#O365hours) series, the monthly #CollabTalk TweetJam, and the #CollabTalk Podcast, and leads the monthly Microsoft 365 Ask-Me-Anything (#M365AMA) live stream.