An Overview of Cybersecurity Compliance - CyberSec Nerds

An Overview of Cybersecurity Compliance

A cyber attack! [pause for half a minute] And another one! Did you know there is a malicious attack every 39 seconds?

In response to an increase in IT security breaches and recent technology trends, industry standards have become more complex, operational complexities have risen, and keeping everything on track has become grueling, as countless measures need to be taken into account. That’s when cybersecurity compliance comes into play.

In general, compliance is defined as following rules and meeting requirements. In cybersecurity, compliance means creating a program that establishes risk-based controls to protect the integrity, confidentiality, and accessibility of information stored, processed, or transferred. Compliance lives by the rule “We trust, but verify.”

Since cybersecurity compliance is not based on a stand-alone standard or regulation, a number of frameworks have been designed to make this hassle easier. It’s hardly ever advisable for organizations to attempt to create frameworks for cybersecurity or regulatory compliance from scratch. The time, effort, and resources required for doing so all militate against this approach, and past evidence suggests that attempting to reinvent the wheel in this manner rarely results in success.

With so many established and proven frameworks already in existence, the wisest option is to select the most appropriate framework available, one that caters to your needs and meets the compliance, cybersecurity, and other demands of your business environment. Frameworks can be general, independent of any niche, or specific, applying to certain industries only.

Let’s first discuss the most celebrated general cybersecurity frameworks in the industry. Then we will dive into the industry-specific regulatory standards.

NIST

NIST stands for the National Institute of Standards and Technology and is a government-funded entity that has promulgated several different cybersecurity frameworks. There is the NIST Cybersecurity Framework (CSF), NIST 800-53, and NIST 171. While these three frameworks share most components, there are some minor differences in structure and controls depending on their particular use cases.

The NIST Cybersecurity Framework is the broadest of these frameworks and is intended to apply to any organization looking to build a cybersecurity program. The security controls in the framework are separated into 5 key functions: Identify, Protect, Detect, Respond, and Recover. According to Tenable’s survey of IT professionals, 70% said they adopted the NIST CSF because they consider it a best practice.

Unless a specific framework is mandated by their industry or regulatory body, most companies should focus on following the NIST CSF. It is comprehensive, understandable, and meets many compliance requirements by default. By following the NIST Cybersecurity Framework you can be confident that you are adhering to cybersecurity best practices.

On the other hand, NIST 800-53 is a framework that is specifically designed to apply to U.S. Federal Government agencies. However, if you run a large enterprise and need a detailed standard for building a cybersecurity program, you really can’t do better. NIST 800-53 provides granular detail for each control that needs to be implemented to ensure that you have a comprehensive cybersecurity program your team can maintain.

ISO/IEC 27001

ISO/IEC 27001 is an information security framework published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The goal of ISO/IEC 27001 is to provide requirements for an information security management system (ISMS). There are over a dozen standards in the ISO/IEC 27001 family, and organizations use this framework to manage the security of assets such as financial information, employee details, intellectual property, and information entrusted by third parties. Organizations can be certified by the accreditation body following the successful completion of an audit.

GDPR

GDPR stands for General Data Protection Regulation and is a set of data privacy regulations enacted by the European Union (EU) in 2018 to “harmonize data privacy laws across Europe.”

The obligations of GDPR apply to any organization that collects data or targets individuals in the EU, even if the business or organization is based elsewhere. The primary goal of the GDPR is to give individuals greater control over their personal data and to simplify the regulatory environment for international businesses by unifying regulations within the EU. The GDPR contains regulations relating to personal data privacy, data minimization, and security.

By its own description, the regulation is purposely large, far-reaching, and light on specifics. Under the GDPR, offenders can face harsh penalties, with fines reaching into the tens of millions of euros. This makes GDPR compliance a daunting project for small and medium-sized businesses operating under GDPR.

Industry-Specific Standards

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards from the major credit card companies. The PCI Standard is mandated by the credit card brands but administered by the Payment Card Industry Security Standards Council. The PCI DSS was created to increase controls and security around cardholder data to help reduce credit card fraud.

Basically, they want to ensure a minimum level of security when businesses store, process, and transmit cardholder data. If your company accepts credit card payments, it is vital that you meet PCI DSS compliance requirements. Otherwise, if your data is breached, your customers’ information could become compromised and your company will be held responsible. Unfortunately, 80 percent of businesses failed their initial PCI compliance assessment, according to Century Business Solutions.

Sarbanes-Oxley (SOX) Act

The SOX Act is a government act from 2002 that hit all financial organizations like a tidal wave, causing them to scramble to identify and implement internal controls to ensure the effectiveness of their financial statements and attestations. It established rules to protect the public from fraudulent or erroneous practices by corporations and other business entities. The goal of the legislation is to increase transparency in financial reporting by corporations and to require a formalized system of checks and balances in each company.

SOX compliance is not just a legal obligation but also a good business practice. It applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. Private companies, charities, and non-profits are generally not required to comply with all of SOX. However, private companies that are planning an Initial Public Offering (IPO) should prepare to comply with SOX before they go public.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act. This law was passed by Congress in 1996 and specifically includes regulations designed to ensure the confidentiality, integrity, and availability of Personal Health Information (PHI). HIPAA applies to healthcare providers, health clearinghouses, healthcare plans, and business associates handling PHI.

Closing Words

However, we should accept that compliance is only a point in time and is directly affected by ever-changing rules and regulations, which makes it quite challenging for organizations to maintain a sound compliance posture. The continuous expansion of our production environments also adds to the compliance difficulties we all face today. That’s why there seems to be a strong need to continuously readjust our security infrastructures and methodologies to cope with ever-advancing threats and maintain a healthy security posture at all times.

Kiran Dawadi

Founder of cybersecnerds.com. Electronics Engineer by profession, Security Practitioner by passion. I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.
