Many organizations have heard of cybersecurity compliance but have no idea what it really entails.
There are a few essentials of cybersecurity compliance:
First, the organization must meet a set of agreed-upon rules regarding the way sensitive information and customer data are protected. These rules can be set by law, regulatory authorities, trade associations or industry groups.
Second, you must identify the cybersecurity compliance standard that best fits your organization:
Every organization operates differently and has different cybersecurity needs based on its environment.
Industries that deal with sensitive personal information like health care and finance are highly regulated.
In many cases, cybersecurity regulations overlap across industries.
Security basics like risk assessments, encrypted data storage, vulnerability management, and incident response plans are fairly common across the standards:
Vulnerability scanning:
In order to assess risk on a web-based application platform (which most companies have), a genuine vulnerability scan should be run on a systematic schedule, ideally every 72 hours, to identify any outstanding pre-existing vulnerabilities.
Organization-defined remediation time frames should be adopted and, where necessary, customized to fit the organization's environment. Time frames can vary with business needs, the staffing involved, and the type of data the organization is responsible for safeguarding.
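To make the scan cadence and remediation windows concrete, here is an added example (not code from the original article) that checks the most recent scan timestamp against the 72-hour cadence and flags findings that have outlived an organization-defined remediation window; the window values, the severity/data-sensitivity scheme and the sample findings are constructed assumptions, not values taken from any standard.

```python
from datetime import datetime, timedelta

# The article's cadence: a scan at least every 72 hours.
SCAN_INTERVAL = timedelta(hours=72)

# Assumed organization-defined windows, in days, keyed by
# (severity, whether the affected system handles sensitive data).
# These are constructed placeholders for illustration only.
REMEDIATION_WINDOWS = {
    ("critical", True): 7,  ("critical", False): 14,
    ("high", True): 30,     ("high", False): 45,
    ("medium", True): 60,   ("medium", False): 90,
    ("low", True): 120,     ("low", False): 180,
}


def scan_cadence_ok(last_scan: datetime, now: datetime) -> bool:
    """True if the most recent scan falls within the 72-hour cadence."""
    return now - last_scan <= SCAN_INTERVAL


def overdue_findings(findings: list, now: datetime) -> list:
    """Return (finding_id, days_overdue) for open findings whose window has elapsed.

    Each finding is a dict with keys: id, severity, sensitive, first_seen, fixed.
    """
    overdue = []
    for f in findings:
        if f["fixed"]:
            continue  # closed findings are not tracked against the window
        key = (f["severity"], f["sensitive"])
        if key not in REMEDIATION_WINDOWS:
            raise ValueError(f"no remediation window defined for {key}")
        age_days = (now - f["first_seen"]).days
        days_over = age_days - REMEDIATION_WINDOWS[key]
        if days_over > 0:
            overdue.append((f["id"], days_over))
    return overdue


# Constructed sample data: a reference time, the last scan, and four findings.
NOW = datetime(2024, 3, 10)
LAST_SCAN = datetime(2024, 3, 8, 12)  # 36 hours before NOW
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "sensitive": True,  "first_seen": datetime(2024, 2, 20), "fixed": False},
    {"id": "F-2", "severity": "high",     "sensitive": False, "first_seen": datetime(2024, 2, 1),  "fixed": False},
    {"id": "F-3", "severity": "medium",   "sensitive": True,  "first_seen": datetime(2023, 12, 1), "fixed": True},
    {"id": "F-4", "severity": "medium",   "sensitive": False, "first_seen": datetime(2023, 11, 1), "fixed": False},
]

if __name__ == "__main__":
    print("scan cadence ok:", scan_cadence_ok(LAST_SCAN, NOW))
    print("overdue findings:", overdue_findings(SAMPLE_FINDINGS, NOW))
```

Run as-is it reports F-1 (a critical finding on a sensitive system, 12 days past its 7-day window) and F-4 (40 days past its 90-day window), while F-2 is still inside its window and F-3 is already closed.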
ISO 27001
ISO 27001 is the standard for best practice in an Information Security Management System, used to manage the security of financial information, intellectual property, personnel information, and other third-party information.
This best practice is not a legal requirement by default. However, many large corporations and government agencies will only work with companies that are ISO 27001 certified. It is also a good way to demonstrate publicly that the business is committed to and working diligently on information security, and that the necessary steps are taken to keep shared data secure.
Typically, third-party auditors validate that organizations have implemented all the relevant best practices within the ISO standard.
It’s up to organizational leadership to decide what’s within the company's scope and implement the framework. Auditors will then use their discretion to evaluate each individual case.
ISO 27001 is largely about risk assessment and risk management; risks are not static. Rather, they evolve as new cyber threats emerge.
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) was developed by the PCI Security Standards Council. The standard regulates major brands such as credit card companies and other vendors that store, process, and/or transmit cardholder data.
In theory, anyone who processes card payment transactions needs PCI DSS.
HIPAA
HIPAA (Health Insurance Portability and Accountability Act) regulates the transfer and storage of patient data in the U.S. healthcare industry, where compliance is a legal requirement.
HIPAA compliance requires a risk management plan with adopted and approved security measures that are sufficient to reduce risk to a reasonable and appropriate level.
Although HIPAA doesn’t specify the methodology to be used, vulnerability scans and penetration tests are highly recommended and should be integral components of any risk analysis and management process.
Compliance doesn't have to mean complexity. True, it can seem very labor-intensive and expensive. However, that cost will mostly pale in comparison to the cost of remediating a security breach, paying settlements to customers for the lack of due diligence, or losing the company's reputation industry-wide.