Information Security Compliance
After reading this article, you will have a better understanding of:
- Different compliance regulations;
- What they regulate; and
- Which companies / industries are affected.
Assessing which rules and regulations apply to an organization is no easy feat. Often, organizations need to comply with multiple frameworks and regulations, many of which have overlapping qualities.
In this article, we attempt to demystify common cybersecurity frameworks and regulatory requirements to help organizations initiate discussions around achieving compliance.
This entry is part of a series of information security compliance articles. In subsequent articles we will discuss the specific regulations and cybersecurity frameworks, describing their precise applications. These include, but are not limited to:
- NIST (National Institute of Standards and Technology)
- CIS Controls (Center for Internet Security Controls)
- ISO (International Organization for Standardization)
- HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule
- PCI-DSS (The Payment Card Industry Data Security Standard)
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- AICPA (American Institute of Certified Public Accountants)
- SOX (Sarbanes-Oxley Act)
- COBIT (Control Objectives for Information and Related Technologies)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Modernization Act of 2014)
- FedRAMP (The Federal Risk and Authorization Management Program)
- FERPA (The Family Educational Rights and Privacy Act of 1974)
- ITAR (International Traffic in Arms Regulations)
- COPPA (Children’s Online Privacy Protection Rule)
- NERC CIP Standards (NERC Critical Infrastructure Protection Standards)
Many fear information security as an amorphous issue that only the IT department handles. The reality is that the legal and reputational ramifications that ensue from a data breach affect the entire organization. That is why it is essential to create a security-centric culture, top to bottom, with a focus on complying with information security regulations.
Regulations are in place to help companies improve their information security strategy by providing guidelines and best practices based on the company’s industry and type of data they maintain. Non-compliance with these regulations can result in severe fines, or worse, a data breach. Most companies are subject to at least one security regulation. The difficulty comes in determining which ones apply and interpreting what policies and controls are required to reach compliance.
Part of that difficulty is because regulations are not written in a way that can be easily understood by the average person. Often, partnering with a security professional is necessary to decode relevant requirements and devise an implementation plan. These professionals have experience implementing systems, policies, and procedures to satisfy the requirements of various regulations and enhance the security of an organization. Many have obtained credentials, such as the HISP (Holistic Information Security Practitioner), that signifies they have a deeper understanding of the system controls required to reach compliance.
Assessing Which Compliance Regulations Relate to an Organization
Regardless if a company chooses to engage a trusted advisor, the first step of the process is to assess which laws and acts apply to them. Once completed, they need to organize their information security to address the boundaries put in place by those acts. This process requires a set plan that outlines a consistent and effective way of alerting and dealing with threats.
Discussing specific legislation as it relates to individual companies can be vague. A cybersecurity assessment is a valuable tool for achieving these objectives as it evaluates an organization’s security and privacy against a set of globally recognized standards and best practices.
Take for Example:
Think of a local hospital. This hospital is publicly traded and not a federal agency; therefore, it is not subject to the FISMA bill. It does deal with patients and other healthcare-related data, so it is subject to HIPAA.
With the regulation identified, the hospital must look carefully at what sort of protection it must offer patients and place safeguards in effect to prevent a breach of security. On the ground level, it cannot give away information without the express consent of the patient. From a more technological perspective, the hospital cannot allow any system that handles patient information to be compromised.
These guidelines require controls to be in place for those systems and the equipment that allows access to the systems. Policies and procedures need to be in place to govern the activities of personnel who interact with those systems, and training needs to occur, so users understand how to properly perform their duties without potentially misusing the system, intentionally or not.
While the example of the local hospital only had to comply with one regulation, companies often find they must meet the requirements of many regulations. In such cases, the best method to approach the situation is to outline all of the regulations that will impact the company first, and then determine which security controls need to be implemented to satisfy all of the requirements effectively. There are often overlapping requirements built into different regulations, so by breaking it down into two phases, companies can reduce the amount of time and money they would otherwise spend by reducing the duplicate effort of implementing competing systems.
This table shows the different cybersecurity frameworks and regulations, what they regulate, and which corporations would be subject to the scope of the act.
|The Act||What it Regulates||Company Affected|
(National Institute of Standards and Technology)
|This framework was created to provide a customizable guide on how to manage and reduce cybersecurity related risk by combining existing standards, guidelines, and best practices. It also helps foster communication between internal and external stakeholders by creating a common risk language between different industries.||This is a voluntary framework that can be implemented by any organization that wants to reduce their overall risk.|
|CIS Controls |
(Center for Internet Security Controls)
|Protect your organization assets and data from known cyber attack vectors.||Companies that are looking to strengthen security in the internet of things (IoT).|
|ISO 27000 Family (International Organization for Standardization)||This family of standards provide security requirements around the maintenance of information security management systems (ISMS) through the implementation of security controls.||These regulations are broad and can fit a wide range of businesses. All businesses can use this family of regulations for assessment of their cybersecurity practices.|
|ISO 31000 Family (International Organization for Standardization)||This set of regulations governs principles of implementation and risk management.||These regulations are broad and can fit a wide range of businesses. All businesses can use this family of regulations for assessment of their cybersecurity practices.|
|HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule||This act is a two part bill. Title I protects the healthcare of people who are transitioning between jobs or are laid off. Title II is meant to simplify the healthcare process by shifting to electronic data. It also protects the privacy of individual patients. This was further expanded through the HITECH / Omnibus Rule.||Any organization that handles healthcare data. That includes, but is not limited to, doctor’s offices, hospitals, insurance companies, business associates, and employers.|
(Payment Card Industry Data Security Standard)
|A set of 12 regulations designed to reduce fraud and protect customer credit card information.||Companies handling credit card information.|
(General Data Protection Act)
|This regulates the data protection and privacy of citizens of the European Union.||Any company doing business in the European Union or handling the data of a citizen of the European Union.|
(California Consumer Privacy Act)
|Privacy rights and consumer protection for the residents of California.||Any business, including any for-profit entity, that does business in California and collects consumers’ personal data.|
(American Institute of Certified Public Accountants) SOC2
|The security, availability, processing integrity, and privacy of systems processing user data and the confidentiality of these systems.||Service organizations that process user data.|
|This act requires companies to maintain financial records for up to seven years. It was implemented to prevent another Enron scandal.||U.S. public company boards, management, and public accounting firms.|
(Control Objectives for Information and Related Technologies)
|This framework was developed to help organizations manage information and technology governance by linking business and IT goals.||Organizations that are responsible for business processes related to technology and quality control of information. This includes, but is not limited to, areas such as audit and assurance, compliance, IT operations, governance, and security and risk management.|
|This act allowed insurance companies, commercial banks, and investment banks to be within the same company. As for security, it mandates that companies secure the private information of clients and customers.||This act defines “financial institutions” as: “…companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.”|
(Federal Information Security Modernization Act of 2014)
|This act recognizes information security as a matter of national security. Thus, it mandates that all federal agencies develop a method of protecting their information systems.||All Federal agencies fall under the range of this bill.|
(Federal Risk and Authorization Management Program)
|Cloud services across the Federal Government.||Executive departments and agencies.|
(The Family Educational Rights and Privacy Act of 1974)
|Section 3.1 of the act is concerned with protecting student educational records.||Any post-secondary institution including, but not limited to, academies, colleges, seminaries, technical schools, and vocational schools.|
(International Traffic in Arms Regulations)
|Controls the sale of defense articles and defense services (providing critical military or intelligence capability).||Anyone who produces or sells defense items and defense services.|
(Children’s Online Privacy Protection Rule)
|The online collection of personal information about children under 13 years of age.||Any Person or entity under U.S. jurisdiction.|
| NERC CIP Standards |
(NERC Critical Infrastructure Protection Standards)
|Improve the security of North America’s power system.||All bulk power system owners and operators.|