How to Get and Stay Compliant as Cybersecurity Regulations Evolve and Become More Complex
All organizations, regardless of size, are vulnerable to cyberattacks. And hackers are using increasingly sophisticated methods to launch these assaults and infiltrate an organization’s computer systems. Depending on your industry, you may be required to comply with specific security standards to prove you are safeguarding your critical assets. And if you don’t, you can be subject to steep fines and legal troubles if you suffer a system breach that exposes your data. So there’s significant pressure to stay on top of and compliant with these demanding regulations and standards, made more complex because they frequently change to address emerging threats.
It helps to understand what compliance means. Compliance is adhering to established rules and regulations, laws, or organizational standards of conduct. In the context of cybersecurity, this means following guidelines established to protect the security and privacy of an organization’s information system or enterprise.
To keep up with relevant regulations and standards so you can be compliant, here are some basic first steps.
1. Identify your industry-specific compliance standards and the type of data you process, store and/or transmit
Determine the cybersecurity rules and regulations that are specific to your industry. These usually center around the type of data you process, store and/or transmit, so for most lines of business the applicable regime is clear cut.
For example, health care providers, health plans and their business associates must follow the Health Insurance Portability and Accountability Act (HIPAA), whose Security Rule is designed to protect the confidentiality, integrity and availability of the electronic protected health information (ePHI) an organization creates, receives, maintains or transmits. Contractors that work with the Department of Defense must abide by the Defense Federal Acquisition Regulation Supplement (DFARS) and protect controlled unclassified information (CUI). Publicly traded companies, and some privately held ones, must abide by the Sarbanes-Oxley Act (SOX), which requires them to implement internal controls over financial reporting, including the IT controls those financial systems depend on, and to report on them to the Securities and Exchange Commission. Any organization that stores, processes or transmits payment card data must abide by the Payment Card Industry Data Security Standard (PCI DSS), which is designed to protect cardholder data wherever it is handled.
2. Use cybersecurity frameworks
Many industry regulations are based on guidance published by the National Institute of Standards and Technology (NIST). Other widely used standards and frameworks include ISO/IEC 27001 and 27002, ISO 19600 for compliance management (since superseded by ISO 37301), COBIT, and, for federal information systems, the control requirements FISMA imposes through NIST SP 800-53. This guidance is structured as frameworks that offer flexible, repeatable and cost-effective approaches and best practices for implementing a successful security program.
For organizations subject to HIPAA, NIST has published an implementation guide for the Security Rule's safeguards for electronic protected health information (ePHI), SP 800-66, along with a HIPAA Security Rule Toolkit that organizations can use to understand the requirements. DFARS clause 252.204-7012 requires contractors that handle CUI to implement NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The NIST Cybersecurity Framework (CSF) organizes a security program around five core functions: identify, protect, detect, respond and recover. The CSF can also be used to structure the IT general controls that support SOX compliance.
3. Implement a risk management strategy that includes undergoing a risk assessment
A risk management strategy can help your firm keep up with your industry-specific compliance standards, and the foundation of that strategy is a cybersecurity risk assessment. Several frameworks describe how to conduct one; NIST SP 800-30, Guide for Conducting Risk Assessments, is the most widely used. Though it is possible to do this with your own resources, many IT staff are not trained to scope networks and systems to determine which components handle the critical data; write acceptable policies and procedures; manage a plan of action and milestones (POA&M) process for tracking and closing findings; establish an incident response plan; and handle the many other details necessary to demonstrate compliance.
Some programs, such as FedRAMP, the federal government's requirement for organizations providing cloud services to federal agencies, require organizations to hire an accredited third-party assessment organization (3PAO) to verify that they are actually compliant. Even if you are not required to hire an outside company, doing so can save valuable resources in the long run. 3PAOs, which must be accredited to provide these services, quickly and effectively evaluate your compliance status and recommend how to mitigate any weaknesses. A properly scoped authorization boundary also means you spend resources only on protecting the parts of the environment that store, process or transmit the data in question. Compare this to the hours inexperienced staff might spend doing the same work, and the consequences if they get it wrong, and hiring a risk management firm becomes a cost-effective option.
It can seem daunting to start the process of becoming compliant and then staying compliant with crucial cybersecurity regulations. Following these basic steps will put you on your way.
For more information, including tips and best practices on staying compliant with cybersecurity rules and regulations, email TalaTek at firstname.lastname@example.org.
2 NIST: An Introductory Resource Guide for Implementing the HIPAA Security Rule (SP 800-66 Rev. 1). https://www.nist.gov/programs-projects/security-health-information-technology/hipaa-security-rule