Cybersecurity is not just something that a business does on its own. It has become a highly regulated endeavor, with fines, penalties—and even potential prison time—for those who cross the line. Security compliance requirements are now proposed in an array of frameworks by a variety of compliance organizations. Anyone who views, shares or retains certain types of data in certain geographical boundaries is expected to comply with the rules of many regulations that apply to many different industries. Here are a few security compliance standards that everyone should be familiar with.
PCI-DSS and PA-DSS
Payment Card Industry Data Security Standards (PCI-DSS) is a security framework that applies to the processing of debit and credit cards. As with other standards, the PCI Security Standards Council maintains a raft of documentation to support its many requirements. All businesses that accept payments must adhere to PCI-DSS in order to process, transmit, and store cardholder data. It’s worth noting that while PCI-DSS is not actually considered a “regulation,” it’s enforceable through contract language.
Paired with PCI-DSS is the Payment Application Data Security Standard (PA-DSS). This standard includes requirements for software developers working on payment applications that support PCI-DSS compliance. When producing code for PCI, software vendors must ensure that they satisfy 14 security requirements before they offer their application to customers. Among the requirements, these apps should not retain more data than necessary. They should protect stored cardholder data, and they should encrypt sensitive data over public networks. Programmers should take care to avoid common web application security flaws, such as injection or cross-site scripting.
GDPR
The General Data Protection Regulation Standard is a European Union (EU) standard adopted in 2016 and implemented in 2018. The purpose of the legislation is to protect the privacy and interests of EU residents. Protection of personal data is one of the values recognized in the Charter of Fundamental Rights of the European Union (CFR).
One of the key constituents of GDPR is the requirement for consent. That’s why European websites now ask website users whether it’s ok to use cookies on the site. In the past, it was recognized as implied consent just to use a website. Now users must opt in when anyone is capturing their data. Privacy by design is at the heart of web development in the EU. It’s all part of an effort to provide equal access and treatment for everyone who uses the internet. The law comes with harsh penalties—primarily hefty fines—for businesses who do not comply with the standard. (Up to 4% of a company’s global revenue!)
HIPAA
If you’ve ever spent much time around nurses or other hospital employees, you’ve probably heard them refer to HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is serious business, which everyone working in patient care knows full well. Signed into U.S. law in 1996, HIPAA was beefed up to include the Standards for Privacy of Individually Identifiable Health Information in 2002, also known as the Privacy Rule.
The Privacy Rule covers what is known as Private Health Information (PHI). According to HIPAA Journal, PHI is “considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity,” including a healthcare provider, a health plan or health insurer, a healthcare clearinghouse, or a business associate of a HIPAA-covered entity. PHI includes items like:
- the individual’s past, present or future physical or mental health or condition, including health records, health histories, lab test results, and medical bills, or
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual.
For the IT professional assisting health care providers, the HIPAA security rule is equally as important. As explained by the American Medical Association, “The HIPAA Security Rule requires physicians to protect patients' electronically stored, protected health information (known as ‘ePHI’) by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information.” All three safeguards are critical to provide adequate security for patient records.
When you as a patient go to your health care provider for services, any data that you share with them as well as all treatment-related information is confidential. Failure to comply with HIPAA can result in stiff fines for companies or loss of employment for individual professionals.
NIST
The National Institute of Standards and Technology (NIST) is a U.S. agency whose mission is to promote U.S. innovation and industrial competitiveness. NIST uses measurement and standards in its quest to improve U.S. commerce and production. NIST regulations extend to information security as well. All federal agencies must meet the requirements of the Federal Information Security Management Act (FISMA). These include the Federal Information Processing Standards (FIPS) and the Special Publications (SP) 800-series.
Integral to NIST information security standards is the NIST Cybersecurity Framework. The Framework Core includes five main functions, as shown in the diagram below:
The Cybersecurity Framework also includes a list of categories and subcategories under each of those functions. For example, under the function Identify (ID), the first category is Asset Management (ID.AM). And the first category under Asset Management is “ID.AM-1: Physical devices and systems within the organization are inventoried.”
Compliance with the NIST Cybersecurity Framework is mandatory for federal agencies. Use of the framework is voluntary for private sector organizations. As with any framework, organizations should work to continuously reassess alignment with the controls as needed to ensure gaps are closed where work has happened and new gaps are identified if opened since the last review.
Sarbanes-Oxley
The Sarbanes-Oxley (SOX) Act of 2002 came in response to financial scandals at the turn of the century, such as Enron and Worldcom. Sarbanes-Oxley created strict rules for corporations and financial professionals to provide more oversight to their activities. The law focuses on four principal areas:
- Corporate responsibility
- Increased criminal punishment
- Accounting regulation
- New protections
For IT professionals, Sarbanes-Oxley has important ramifications. Companies must maintain strict controls on how information is stored and transmitted. An article from the company Ipswitch highlights four key sections from the legislation that are important for the IT team:
- SOX Section 302: Keep Execs in the Loop
- SOX Section 404: Establish Controls to Support Accurate Financial Reporting
- SOX Section 409: Deliver Timely Disclosure
- SOX Section 802: Ensure Records Retention
ISO 27001/27002
ISO is short for International Standard for Organization, and it is based in Geneva, Switzerland. The organization has standards that apply to just about every industry. Organizations work on certification in ISO standards to demonstrate their conformity to international standards and to distinguish themselves in the marketplace.
ISO 27001 is all about an Information Security Management System (ISMS). An ISMS is a systematic approach to IT security. ISO 27001 focuses on managing risk through a governed program that follow the ISO 27001 controls. The framework consists of 114 controls organized into 14 control sets. For instance, the Access Control category includes 14 controls and deals with limiting access to information.
While ISO 27001 focuses on the organizational ISMS, ISO 27002 contains accompanying technical controls, and is much more verbose.
CCPA
The California Consumer Privacy Act (CCPA) just came out in 2018, and takes effect on January 1st, 2020. According to a press release from the state Attorney General, “The law provides consumers with groundbreaking new rights on the use of their personal information.” Businesses in California are required to disclose their data collection practices to consumers. Consumers can ask for their data to be deleted, and they can opt out of any sharing of their data. It also offers special protections for those under age 16.
Conclusion
The various implementations of these security compliance standards may be different, but they all have similarities. Businesses working toward compliance must first take stock and see what types of data they handle, and where the data originates from (this is something AaDya can help with). Compliance often includes regular training, audits, and continuous improvement. Security compliance is a critical component in addressing the many cybersecurity threats facing us, and businesses can no longer sit on the sidelines.
Is your business security compliant? AaDya can help you answer that question. Email inquiries@aadyasecurity.com to speak to an AaDya team member today!
The information above provided does not, and is not intended to, constitute legal advice; instead, all information, content, and materials are for general informational and educational purposes only.
