Assessing which rules and regulations apply to an organization is never easy. More often than not, companies must comply with several regulations at once, many of which have overlapping requirements. Understanding which regulations apply, and what each of them actually requires, is the starting point for building a defensible security program. Here is a list of common compliance regulations and standards that may apply to your organization.
Understanding Compliance Regulations
Compliance is a critical component of any security program. It sets a baseline of controls and documented practices for protecting IT systems and data, although meeting that baseline does not by itself make an organization secure. Regulations provide requirements and best practices based on a company's industry and the type of data it maintains. Every organization is subject to at least one security regulation; the difficulty lies in determining which ones apply and in interpreting which policies and controls are required to be compliant.
Most compliance regulations are mandatory, and non-compliance can lead to severe penalties. Under the GDPR, for example, fines can reach the higher of €20 million or 4% of worldwide annual turnover. Note that not everything on the list below is a law: PCI DSS is enforced through contracts with the card brands, and the NIST, CIS and ISO publications are standards or frameworks that become binding only when a law, contract or internal policy requires them.
A List of Existing Compliance Regulations
PCI DSS (Payment Card Industry Data Security Standard)
Developed by the major card brands (American Express, Visa, Mastercard, Discover and JCB) and maintained by the PCI Security Standards Council, the Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that handle payment cards, such as online stores, utility companies or ticketing services. The standard provides precise security requirements and specifies how merchants, acquirers and service providers must protect cardholder data, for example by minimizing where account data is stored, rendering stored primary account numbers unreadable, and never retaining sensitive authentication data (such as the full magnetic stripe or card verification code) after authorization.
Companies affected: any organization that stores, processes or transmits cardholder data, regardless of size, including merchants whose customers enter card details into an online platform. PCI DSS is enforced contractually by the card brands and acquiring banks rather than by statute.
GDPR (General Data Protection Regulation)
In force since May 2018, the General Data Protection Regulation (GDPR) requires organizations to implement appropriate technical and organizational measures to protect the personal data of individuals in the EU. Under the GDPR, a company can be fined for a data breach caused by insufficient security measures, and where feasible it must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. The regulation explicitly names encryption and pseudonymisation as examples of appropriate measures, alongside access control, the ability to restore availability after an incident, and regular testing of the measures in place.
Companies affected: any organization, wherever it is located, that processes personal data of individuals in the EU, including non-EU companies that offer goods or services to people in the EU or monitor their behavior there. Applicability is based on the data subject's location, not citizenship.
NIST SP 800-53
NIST (National Institute of Standards and Technology) Special Publication 800-53 is a catalog of security and privacy controls that federal agencies and their contractors implement to meet FISMA requirements; agencies select controls according to the system's impact level as defined by FIPS 199 and FIPS 200. The controls are grouped into families, including access control, awareness and training, audit and accountability, configuration management, contingency planning, incident response, personnel security, identification and authentication, and system and communications protection. The catalog is also widely used outside government as a reference for building control sets.
FISMA (Federal Information Security Management Act)
Enacted as Title III of the E-Government Act of 2002, which was introduced to improve the management of electronic government services and processes, the Federal Information Security Management Act (FISMA), updated by the Federal Information Security Modernization Act of 2014, requires federal agencies to develop, document and implement programs to secure their information systems. Its requirements extend to contractors and other organizations that operate systems or handle information on an agency's behalf.
FISMA also requires agencies to provide security awareness training to all personnel, including contractors, who access federal information or information systems, and agencies must be able to show that the training was completed.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA (Health Insurance Portability and Accountability Act) is a US law whose Privacy Rule and Security Rule govern the handling of protected health information (PHI). The Security Rule requires administrative, physical and technical safeguards for electronic PHI, and the Breach Notification Rule requires affected individuals and regulators to be notified after a breach of unsecured PHI.
Companies affected: covered entities and their business associates, regardless of the sector they otherwise operate in. Covered entities are health care providers that transmit health information electronically, health plans and health care clearinghouses, which includes doctors' offices, hospitals and insurers; business associates are vendors and partners that create, receive, maintain or transmit PHI on their behalf. Employers are generally not covered entities in their capacity as employers, although a group health plan they sponsor is.
SOX (Sarbanes-Oxley Act)
The Sarbanes-Oxley Act of 2002 (SOX) was passed by the United States Congress to protect the public from fraudulent or erroneous practices by corporations or other business entities. The stated goal of SOX is “to protect investors by improving the accuracy and reliability of corporate disclosures.” Sections 302 and 404 make management responsible for internal controls over financial reporting, which in practice means the IT general controls around financial systems (access management, change management, logging and backup) are audited. As a result, SOX also helps organizations keep sensitive data safe from insider threats, cyber-attacks and security breaches.
Companies affected: boards, management and public accounting firms of companies whose securities are registered with the U.S. SEC, including foreign companies listed on U.S. exchanges.
CIS Controls and CIS Benchmarks
The CIS Controls, published by the Center for Internet Security (CIS), are a prioritized set of safeguards for defending against the most common attacks, grouped into implementation groups so that smaller organizations can start with a basic subset. The companion CIS Benchmarks are configuration guides for specific operating systems, middleware, software applications and network-connected devices, with a strong emphasis on hardening: they prescribe security settings for hardware and software on mobile devices, laptops, workstations and servers.
Companies affected: any organization. The CIS Controls and Benchmarks are voluntary, not a regulation, but they are widely used as a practical baseline, are frequently mapped to the regulatory frameworks above, and are often cited as evidence of reasonable security practice.
ISO/IEC 27001
ISO/IEC 27001 is the leading international standard for information security, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, operating and continually improving an information security management system (ISMS); organizations select controls from the accompanying ISO/IEC 27002 catalog based on a risk assessment.
The ISO/IEC 27000 family of standards is broad and can fit a wide range of businesses; any organization can use it to assess its security practices. Like other ISO management system standards, certification to ISO/IEC 27001 by an accredited body is possible but not obligatory, although customers and regulators increasingly ask for it.
These are just a few of the existing compliance regulations and standards. Information security should not be seen as an issue that only the IT department handles, and knowing which regulations apply to your business, and what each actually requires, can save the company a great deal of money in fines and remediation. Creating a security-centric culture is key to a healthy organization.