Due to the increasing number of cybersecurity-related laws, regulations, and standards, many companies might discover that they now need to comply with one or more of them. Here is what you need to know if your business makes that discovery.
When the European Union’s (EU’s) General Data Protection Regulation (GDPR) first took effect, it was touted as the most important change in data-privacy regulations in the last 20 years. GDPR has lived up to the hype. It has prompted many other governments around the world to follow suit.
More than 130 countries and territories now have comprehensive data-protection and data-privacy laws. For example, in the United States, California, Virginia and Colorado have laws to safeguard citizens’ personal data and protect their data-privacy rights. These laws are in addition to all the other cybersecurity-related regulations and standards developed by industry groups, regulatory authorities, and other groups.
Due to the increasing number of cybersecurity-related laws, regulations, and standards, many companies might find that they need to comply with one or more of them. Adhering to laws, regulations, and standards that deal with data protection, data privacy, and other cybersecurity mainstays is often referred to as cybersecurity compliance.
Why Cybersecurity Compliance Is a Good Idea
Cybersecurity compliance is beneficial for businesses several ways. For starters, it reduces the risk of incurring a data breach (or another type of cyberattack) because the systems and controls needed to safeguard the network and data are in place. And being breach-free demonstrates that a company cares about its customers and is able to protect their data. This strengthens the company’s reputation and helps the business earn customers’ trust and loyalty.
In some cases, complying with cybersecurity-related laws, regulations, or standards is more than just a good idea — it is mandatory. For example, all US healthcare providers, healthcare clearinghouses, and health plan providers must comply with the US Health Insurance Portability and Accountability Act (HIPAA). Non-compliant healthcare entities might face fines, penalties, and lawsuits if they experience data breaches. In addition, they might incur other expenses, such as the cost of providing free credit-monitoring subscriptions for victims. Further, a data breach might damage their reputation, resulting in lost customers and lost business opportunities.
Achieve Cybersecurity Compliance Using Frameworks
To help achieve cybersecurity compliance, companies can use cybersecurity compliance frameworks. There is no set format or formula for these frameworks, so their content varies widely.
Some cybersecurity compliance frameworks provide a high-level overview of how to design, implement, and manage a compliant system or operation. They present best practices, guidelines, and recommendations, but they do not dictate how the system or operation must be designed or which specific controls must be included. These frameworks are not associated with any specific law, regulation, or standard.
Other frameworks take the opposite approach. They list in great detail all the requirements that must be met for the system or operation to be deemed compliant for a specific law, regulation, or standard.
Frequently Used Frameworks
Many cybersecurity compliance frameworks are available. Here are a few examples of popular ones:
NIST Cybersecurity Framework. The US Department of Commerce’s National Institute of Standards and Technology (NIST) offers several frameworks, the most popular of which is the NIST Cybersecurity Framework. This framework covers the basics on how to understand, manage, and reduce cybersecurity risk and how to protect networks and data. It is not associated with any specific law, regulation, or standard. Companies often use this framework to learn about and implement cybersecurity best practices.
CIS Critical Security Controls. The Center for Information Security (CIS) provides the CIS Critical Security Controls (aka CIS Controls). The prioritized controls provide a starting point for businesses that want to improve their cybersecurity defenses. The CIS Controls map to most major compliance frameworks, including the NIST Cybersecurity Framework and PCI DSS. It is not associated with any specific law, regulation, or standard.
PCI DSS framework. The Payment Card Industry Security Standards Council administers the Payment Card Industry Data Security Standards (PCI DSS), a series of data security standards for organizations that accept American Express, Discover, JCB International, Mastercard, UnionPay, and Visa payment cards. The PCI DSS framework specifies 12 requirements that must be met to achieve compliance with these standards. The PCI DSS framework also helps organizations create a secure environment in which to process, store, and transmit cardholder data.
ISO/IEC 27001:2013. ISO/IEC 27001:2013 is an information security framework developed by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). It specifies requirements that define how to implement, monitor, maintain, and continuously improve an information security management system (ISMS). Companies interested in achieving certification to one of the ISO/IEC 27000 standards can use this framework to create a compliant ISMS. However, certification is optional. Some companies simply use the framework to learn ISMS best practices.
Cybersecurity Compliance Is Worthwhile but Often Confusing
Achieving cybersecurity compliance is a worthwhile but often confusing endeavor for companies. Fortunately, cybersecurity compliance frameworks are available to guide you. Contact Xantrion, we can also help your business implement the systems and controls needed to adhere to one or more cybersecurity-related laws, regulations, or standards.