Ahmed Sousa, the Systems Engineering Director (EMEA) at Poly, speaks about data security and compliance policies companies need to follow in the region

How has the need for data security and compliance changed over the past year?
Data security has become even more critical to organizations and government entities for more than just moral and legal reasons. Data falling into the hands of hackers and immoral people could spell a lot of trouble for the entities and society as a whole. It can also cause damage to the reputation of these organizations besides having financial and logistical repercussions.

For most companies during the quarantine, work environments changed significantly. Workers were sent home, services moved to cloud providers and the security perimeter looked different.  Companies and security organizations have had to quickly adapt and implement new (and sometimes creative!) ways to monitor activity to identify and thwart threats – oftentimes with little to no new financial resources or tools.   
 
What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
Globally, ISO/IEC 27001 is the most widely accepted international standard for information security best practices and provides assurance that the best-practice information security processes have been established and implemented.

Every organization should focus on 3 core elements that function as a security framework – Confidentiality, Integrity, and Availability. Some of the best practices include data auditing, real-time alerts, risk assessments and clean up of stale data.
 
Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?
In Europe, GDPR compliance is the framework that organizations adhere to. In the region, there are no such specific laws but the onus is on each organization to ensure that they are being safe and ethical. Public data is information that can be freely used, reused, and redistributed by anyone with no existing local, national, or international legal restrictions on access or usage. The main consideration for processing public data is ensuring veracity.
 
What according to you are the five tips that companies need to follow to comply with data security regulations?
Go back to basics. Companies must continuously evaluate the following:

• Policies, Procedures, Standards and Guidelines – These documents must exist and be reviewed at regular intervals to ensure they are up to date and address both risks and requirements.
• Employee Training and Awareness – Workers should receive regular security awareness training that addresses the real risks an organization faces.  Make sure your training curriculum address not only concepts and industry best practices but also your internal security and data privacy policies
• Be aware of any data protection regulations you must comply with – Data Protection laws are quickly being adopted and/or updated in many countries and even in individual states across the globe.  Know what your obligations are regarding the movement of data (Cross-Border Data Transfers especially). You may need to formally execute written agreements to satisfy regulatory requirements and process data in compliance with laws.
• Network Security – Corporate and development networks should be managed and controlled to protect both systems and applications
• Vulnerability Management – Managing technical vulnerabilities within the companies information systems should be constructed on timely information through regular threat assessments.

Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
Poly helps unleash the power of human collaboration with secure video, voice, and content solutions. Poly privacy and security practices are applied to the design, development, implementation, hosting, and maintenance of systems, infrastructure, and the networks that store Poly and customer data.

Poly’s Information Security Management System (ISMS) is ISO/IEC 27001:2013 certified. Poly’s ISMS is comprehensive and covers people, processes, and technologies used to provide unified communication and collaboration services and solutions to employees, customers (both hosted and on-premises). The Poly Product Security Standards align with NIST Special Publication 800-53, ISO/IEC 27001:2013, and OWASP for application security.

Guidelines, standards, and policies are implemented to provide our developers industry-approved methods for adhering to the Poly Product Security Standards. Also, Poly follows a secure software development life cycle (S-SDLC) with an emphasis on security throughout the product development process.

Do you believe the line between data security and data privacy has started to blur?
Not blurring, no. Security is the process of layering together tools, technical configurations, and procedures (like logging and monitoring) to prevent compromises in data confidentiality, integrity, and availability.  Privacy is a legal concept.  We can use security measures to accomplish privacy objectives.

Organizations have begun establishing lines of defense for data security. Many are even working on compliance through their privacy and security teams with a focus on data governance and management. It is important that every function in the organization from HR, Marketing, Operations to Security understand their responsibility and be in compliance.