A written information security policy, or WISP, is vital. Make sure there’s a person in charge of enforcing it.
Sensitive data, especially personally identifiable information, must be encrypted at all times, from the server, to the cloud, to a laptop or USB drive.
Simply having a firewall isn’t enough – it needs to be kept up-to-date, and you should consider unified threat management (UTM).
You need to have up-to-date protection against malware, and the latest patches and virus definitions to guard against intrusion. Implement an update schedule.
It’s not enough to have systems and policies; you must also educate staff and boost user awareness. Employees should be trained and sign off on security awareness at least annually.
Make sure security expectations are clear in your contracts, and always perform due diligence.
Make sure employees only have access to data that’s vital for them to perform their duties.
View this as a continuous process, not a finite task. You must review your security procedures at least once a year to ensure they’re up to the task.
If you’re resisting the allocation of proper security resources, you should be aware that the state will levy serious fines for compromising regulations.
Just because you have complied with the regulation doesn’t guarantee your data is safe. It’s a solid foundation for the information security program you should continue to build.