IT Compliance Checklist for SMEs
Why IT Compliance Matters for SMEs
- Most small businesses don't consider IT compliance until they have a problem.
- Only when something goes wrong, such as a missing laptop, a ransomware intrusion or a data breach, do they start thinking about the compliance implications.
- However, any company using email, file systems or cloud services has obligations to protect data.
- Within many small to medium enterprises, IT systems grow gradually over time without being planned properly.
- IT compliance is not only about following some complex rules or filling out a bunch of paperwork.
- The larger purpose of IT compliance is simply to protect sensitive information and limit exposure to liabilities from legislation such as UK GDPR.
- Through sound IT compliance practices, organisations can make themselves more secure and trustworthy businesses.
What IT Compliance Actually Means
- IT compliance refers to how your organisation implements its technology to protect information, manage access to that information and adhere to established guidelines on security and responsible use. Compliance is not just about regulatory requirements; it is also about best practice.
- Consider it this way:
- Cybersecurity = security measures and protections.
- IT management = how your systems are managed/operated.
- Compliance = demonstrating that you are operating/working in accordance with established guidelines.
- In general terms, compliance for most SMEs consists of three main components:
- Who can access information
- How information is protected
- What will be done if something goes wrong with the information
Common Areas of IT Compliance Businesses Should Understand
1. Data Protection and Privacy
- Responsible handling of personal and company information
- Only collect what is necessary
- Ensure its security
2. Access Control and Permissions
- Employees should be allowed access only to what is necessary
- Employees should not have universal access to the company database
3. Password and Authentication Policies
- Strong passwords; require multi-factor authentication (MFA)
4. Backup and Disaster Recovery
- Data should be backed up
- Backups should function properly
5. Device Management and Encryption
- Laptops and mobile devices should be secure
- Encryption protects the information stored on those devices if they are lost or stolen
6. Email Security and Phishing Prevention
- Employees should know how to identify phishing scams
- Email systems should have measures in place to protect against phishing attacks
7. Software License Compliance
- All software must be properly licensed
- No expired or pirated software should be used
8. Data Retention Policies
- Data should not be retained longer than necessary
- Data should be deleted once it is no longer needed
9. Vendor and Cloud Provider Security
- Know where your data is located
- Make sure vendors and cloud providers maintain secure environments
Core IT Compliance Responsibilities
- The responsibility of information technology compliance remains with the business, even when outsourcing IT services.
- Business owners have a responsibility to ensure that:
- The business's data is protected,
- All systems used by the business are secure, and
- All employees follow basic rules.
- Employees must:
- Use all systems provided to them in an appropriate manner,
- Comply with the policies of the business, and
- Report any incidents that occur.
- The key point is:
- Although compliance is shared, the business has the ultimate accountability for all actions taken in relation to compliance.
Documentation and Policies Businesses Should Maintain
- While you do not require a large compliance handbook, you do require clear and simple documentation.
- Your business must maintain the following essential policies:
- Password policy
- Acceptable use policy
- BYOD Policy (where applicable)
- Backup policy
- Incident Response Plan
- Data Handling Guidelines
- Why this is important:
- Employees will know what they need to do
- Expectations will be made clear
- Risk will be reduced.
Essential IT Security Controls for Schools
| Data Protection | Access Control | Passwords & Authentication |
|---|---|---|
| Only essential data is stored; data is securely stored; sensitive data is encrypted | Users only access what they need; permission reviews take place regularly; accounts for staff who leave are cancelled | An appropriate password policy is in place; MFA is turned on for key applications; no users share accounts |

| Backups | Devices | Email Security |
|---|---|---|
| Data is backed up frequently; backups are tested for correctness; off-site/cloud backups exist | All devices are encrypted; all devices have screen locks activated; updates are routinely completed | Spam filtering is in place on email systems; staff are trained regarding phishing; MFA is enabled for all email accounts |

| Software | Data Retention | Vendors & Cloud |
|---|---|---|
| All software used by the organisation is licensed; unsupported software is not used; software updates are completed routinely | Data older than the retention period is purged; defined retention categories exist | All suppliers are trustworthy; all access to suppliers' facilities, both physical and electronic, is secured; supplier sites and cloud data centre locations are confirmed |
Basic Cybersecurity Compliance Checklist
- Multi-Factor Authentication wherever possible
- Endpoint protection/Antivirus software
- Firewall active
- Devices being updated automatically
- Restricted access for administrators
- Secured remote access
IT Documentation & Policy Checklist
- Password policy
- Acceptable use policy
- Backup policy
- Incident response plan
- BYOD policy (Optional)
- Access control policy
Frequently Asked Questions
- Basic controls for protecting data, controlling access to data and reducing risk.
- Yes, but they don't need to be complicated. Simple, easily repeatable procedures will work for the vast majority of businesses.
- Cyber security is the protection tools; compliance is ensuring that those protection tools are used appropriately.
- At least once annually, or any time there are changes to either systems or employees.
- This will always be the business owner or management, regardless of whether they have outsourced their IT.
About This Guide
The Computer Support Centre produced this publication to improve small and medium-sized enterprises’ (SMEs’) understanding of basic IT compliance concepts and why these concepts are key to protecting enterprise data and systems. SMEs today use email, cloud services, file storage and other digital tools to operate every day, and often do not have established policies and procedures for managing security and data protection.
This publication aims to present the fundamentals of IT compliance in layman’s terms and to identify five of the most critical areas for SMEs to concentrate on: Data Protection; Access Control; Device Security; Backup; and Employees’ Responsibilities. Additionally, this publication includes sample checklists and policy templates, which SMEs can utilise for evaluating the effectiveness of their current systems and identifying areas where risk exists for the organisation.
By implementing the best practices, as described in this guide, SMEs will be more capable of establishing strong security processes to protect their sensitive information and, in doing so, demonstrate that they are managing data in a responsible manner in accordance with relevant legislation such as UK General Data Protection Regulation (UK GDPR).
Conclusion
In this digital age, IT compliance is critical to operating a successful and responsible organisation. Even the smallest organisations use basic technologies such as email, cloud storage and office software, and they need to manage and protect those systems.
Businesses can greatly reduce their risk of data breaches or service disruptions by having established procedures for IT compliance (e.g., establishing clear policies for how data should be used; restricting access to sensitive information; implementing a reliable backup system; providing employee education on data security).
Regularly reviewing IT systems and compliance procedures helps all organisations maintain their readiness to deal with evolving security threats and regulatory compliance challenges.
Ultimately, IT compliance is about developing a secure, well-organised and trusted technology environment that will allow your organisation to achieve long-term growth and stability.