Cybersecurity Compliance means adhering to the standards and regulatory requirements set forth by some agency, law, or authority group. Organizations must achieve compliance by establishing risk-based controls that protect the confidentiality, integrity, and availability (CIA) of information. The information must be protected, whether stored, processed, integrated, or transferred.
Achieving compliance within a regulatory framework is an ongoing process. Your environment is always changing, and the operating effectiveness of a control may break down over time. Regular monitoring and reporting are a must, and guidance on exactly what “regular monitoring” entails is also outlined within each framework.
These are some of the compliance and regulatory frameworks your organization may need to adhere to:
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act[1][2]) is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996.[3] It modernized the flow of healthcare information, stipulated how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage.[4] It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent.
- Why does it exist? Enforces security controls to protect Protected Health Information (PHI).
- What type of organizations leverage this framework? Anyone who is collecting, storing, or processing protected health information (PHI), including hospitals, medical providers, and insurance companies.
Federal Trade Commission (FTC) Safeguards Rule
As the name suggests, the purpose of the FTC’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.
- Why does it exist? Ensures that entities covered by the Rule maintain safeguards to protect the security of customer information.
- What type of organizations leverage this framework? Mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
General Data Protection Regulation (GDPR)
GDPR is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
- Why does it exist? To protect individuals' fundamental rights and freedoms, particularly their right to protection of their personal data.
- What type of organizations leverage this framework? Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it does not have a business presence within the EU.
Sarbanes-Oxley (SOX)
The Sarbanes-Oxley Act (SOX) was passed by the Congress of the United States in 2002 and is designed to protect members of the public from being defrauded or falling victim to financial errors on the part of businesses or financial entities. SOX compliance is both a matter of staying in line with the law and making sure your organization engages in sound business principles that benefit both the company and its customers.
- Why does it exist? To protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures.
- What type of organizations leverage this framework? Publicly traded companies headquartered in the United States, as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. SOX also applies to any third parties that a publicly traded company outsources financial work to.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
- Why does it exist? PCI DSS compliance helps protect the cardholder data that customers share with you during payment or for account management. As cyber threats evolve, it is your responsibility as a business that handles cardholder data to implement the necessary security measures to keep this data secure.
- What type of organizations leverage this framework? The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Service Organization Control (SOC)
SOC compliance refers to a type of certification in which a service organization has completed a third-party audit that demonstrates that it has certain controls in place. Generally, this refers to SOC 1, SOC 2, or SOC 3 compliance.
- Why does it exist? To demonstrate that an organization has certain controls in place.
- What type of organizations leverage this framework? SOC reports apply to organizations that provide services or software, such as financial services, payroll, healthcare, and data centers. They also apply to third-party service providers such as web hosting, cloud storage, and software-as-a-service (SaaS) companies.
International Organization for Standardization (ISO) 27001
ISO 27001 certification demonstrates that your organization has invested in the people, processes, and technology (e.g., tools and systems) to protect your organization’s data and provides an independent, expert assessment of whether your data is sufficiently protected.
- Why does it exist? ISO 27001 is the global standard for effective information security management. It helps organizations avoid potentially costly security breaches. ISO 27001-certified organizations can show customers, partners, and shareholders that they have taken steps to protect data and to limit the impact of a breach.
- What type of organizations leverage this framework? ISO 27001 certification applies to any organization that wishes or is required to formalize and improve business processes around information security, privacy and securing its information assets.
Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) is an assessment standard designed to ensure that defense contractors are in compliance with current security requirements for protecting sensitive defense information.
- Why does it exist? To assess and enhance the cybersecurity posture of contractors who serve the DoD.
- What type of organizations leverage this framework? CMMC applies to all third parties within the defense supply chain, including contractors, vendors, and any other contracted third parties that support the Department of Defense (DoD). All civilian organizations that do business with the DoD must comply with CMMC.
National Institute of Standards and Technology (NIST)
NIST is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. Its mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement.
- Why does it exist? The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
- What type of organizations leverage this framework? Any company that does business with the United States government should comply with NIST guidance. This includes agencies within the U.S. government, as well as businesses and individuals that the government may hire to perform work on projects.
Center for Internet Security (CIS)
CIS Controls are designed to help organizations protect themselves against the most common and successful cyberattacks. They are a set of best practices and recommendations, developed over many years and based on the experiences of cybersecurity experts around the world.
- Why does it exist? The CIS Controls give organizations a prioritized set of defensive actions for improving their security posture against the most common attacks.
- What type of organizations leverage this framework? CIS Controls are used primarily by organizations of any size seeking tactical, practical improvements to their cybersecurity defenses.
Ready to get started? Contact Taktical Tek today!