A Definitive List Of Various Compliances And What They Mean

scott graham 5fNmWej4tAA unsplash 1

Cyberattacks have been very prominent in the last decade. Just last week, social media giant Twitter fell prey to it wherein accounts of prominent personalities, like Elon Musk, Bill Gates, former U.S. President Barack Obama, and others were hacked. While we cannot stop these attacks completely, there are certain rules and regulations that, if followed, will significantly reduce the risks. Many times, organizations need to comply with many such rules and regulations which have overlapping qualities. 

This article will focus on these information security compliances, in brief, to provide you with a general overview of them.

Compliance

General Data Protection Regulation (GDPR)

What is GDPR?

The General Data Protection Regulation (GDPR) 2016/679 is a regulation on data privacy and protection in the European Union (E.U.) and the European Economic Area (EEA). Organizations around the world must be GDPR compliant by 25th May 2018.

What does it state?

GDPR protects E.U. residents’ data regardless of the geographic location of the organization of the data. GDPR states 7 fundamental principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Furthermore, GDPR also talks about 8 rights for individuals:

  1. The right to be informed 
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights concerning automated decision making and profiling.

The main key point of GDPR is that E.U. residents’ data should be processed in a manner that will ensure data security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.

Is GDPR mandatory?

Yes, it is mandatory for any company that does business in the European Union or handles the data of an E.U. citizen.

Are there any penalties?

Yes, failure to ensure GDPR compliance would result in fines of up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher.

National Institute of Standards and Technology (NIST)

What is NIST?

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Government founded in 1901 that produces technology, standards, and metrics to drive innovation in the U.S. science and technology sectors. 

What does it state?

In a previous article, I spoke about NIST. NIST publishes the Special Publication 800-series, which provides guidance documents and recommendations. They published Special Publication 800-53 as part of the above series, which catalogs 20 security and privacy control groups. NIST recommends that organizations in their risk management strategies should implement these security and privacy controls. These controls talk about access control, training for security awareness, incident response plans, risk assessments, and continuous monitoring. NIST combines existing standards, guidelines, and best practices in its guide. The key benefit associated with NIST compliance is it helps to make your organization’s I.T. infrastructure secure. It is also a foundation protocol for companies when achieving HIPAA or FISMA compliance.

Is NIST mandatory?

While NIST is globally used, it is a voluntary framework. However, it is mandatory for all U.S. federal agencies.

What companies are affected?

NIST is not industry-specific. Any organization that wants to reduce its overall security risk should implement NIST.

Payment Card Industry Data Security Standard (PCI DSS)

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard administered by the Payment Card Industry Security Standards Council, headquartered in Wakefield, Massachusetts, USA. The PCI DSS standard is for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The Payment Card Industry Security Standards Council was originally formed by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. on 7 September 2006, to manage the ongoing evolution of the Payment Card Industry Data Security Standard.

What does it state?

PCI DSS requirements are updated often to keep up with the latest threat landscape. My colleague, Sreeja Sinha, has written a detailed article on PCI compliance which you should read. PCI DSS states 12 regulations that are designed to reduce fraud and protect credit card information of customers.

PCI Compliance requirements

Is it mandatory?

Yes, PCI DSS is mandatory for companies handling credit card information.

What are the penalties?

Failure to comply with PCI DSS will result in fines of up to $100,000 per month or even suspension of card acceptance.

Health Insurance Portability and Accountability Act (HIPAA)

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law enacted by the 104th U.S. Congress and signed by President Bill Clinton. HIPAA states the requirement to create national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

What does it state?

HIPAA compliance is a living entity that most healthcare organizations must implement into their business to protect the security, privacy, and integrity of protected health information. HIPAA’s regulatory standards were created to establish the legal use and disclosure of personally identifiable electronic protected health information (ePHI). The Department of Health and Human Services (HHS) regulates compliance, and the Office for the Civil Rights (OCR) enforces compliance. HIPAA has two parts.

  1. Title I protects the healthcare of people who are transitioning between jobs or are laid off. 
  2. Title II is meant to simplify the healthcare process by shifting to electronic data. It also protects the privacy of individual patients. 

For more information, check out my colleague Udit Agarwal’s article on HIPAA Compliance.

Is HIPAA mandatory?

Yes, HIPAA compliance is mandatory for any organization handling healthcare data.

Who does it affect?

HIPAA compliance is necessary for any organization that handles healthcare data. That includes, but is not limited to, doctor’s offices, hospitals, insurance companies, business associates, and employers.

What are the penalties?

Failure to implement HIPAA compliance would result in fines of up to $50,000 per violation, with an annual maximum of $1.5 million and/or prison terms of up to ten years.

Federal Risk and Authorization Management Program (FedRAMP)

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant Agency security assessments.

What does it state?

FedRAMP requirements include additional controls above the standard NIST baseline controls in NIST SP 800-53 Revision 4. These additional controls address the unique elements of cloud computing to ensure all federal data is secure in cloud environments. 

Is it mandatory?

Yes, FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high-risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.

Federal Information Security Management Act (FISMA)

What is FISMA?

The Federal Information Security Management Act (FISMA) of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security in the United States’ economic and national security interests.

What does it state?

FISMA requires federal agencies to develop, document, and implement an information security program to safeguard their systems and data. In addition to government agencies, FISMA also applies to contractors and third parties that use or operate an information system on behalf of a Federal agency. FISMA stipulates categorizing types of data stored by the degree of the harm that would be caused were they to be compromised. It also directs federal agencies to periodically conduct risk assessments and reduce risk to an acceptable level by implementing appropriate controls.

Is it mandatory?

Yes, FISMA is mandatory for federal agencies and third parties or contractors that deal with federal government information.

What are the penalties?

Failure to comply with FISMA usually leads to budget cuts to the federal agency.

Center for Internet Security Controls (CIS)

What is CIS?

The SANS Institute partners with the Center for Internet Security (CIS) and industry professionals to maintain the 20 critical security controls. The CIS 20 are essential to protect the assets and data of an organization from known cyber-attack vectors. These controls should be implemented by companies that seek to strengthen their security in the Internet of Things (IoT) domain. The CIS 20 controls span across areas such as asset configurations (hardware and software), malware defenses, recovery, continuous monitoring and control, incident response plans and management, penetration tests, and Red Team exercises.

What does it state?

I have written an article on CIS and how it differs from NIST and ISO 270001. It would give you a detailed overview of CIS.

Is it mandatory?

The CIS 20 Security Controls are not mandatory or required by law. However, since it is such a comprehensive guide to online security, focusing on basic, foundational, and organization control levels that it is highly recommended that organizations implement them. 

International Organization for Standardization (ISO)

What is ISO?

Headquartered at Geneva in Switzerland, The International Organization (ISO) for Standardization is an international standard-setting body composed of representatives from various national standards organizations.

What do they state?

ISO has two essential families of standards – ISO 27000 and ISO 31000. The following infographic summarizes what each family contains.

ICO Compliance

Is it mandatory?

No, but like CIS 20, they are highly recommended.

Sarbanes–Oxley Act (SOX)

What is SOX?

Named after the co-sponsors of the bill, the SOX Act is a U.S. federal law that was passed in response to the accounting scandals that occurred at major corporations in 2001 and 2002, including the WorldCom and the Enron cases. 

What does it state?

SOX Acts stated the new or expanded requirements for all U.S. public company boards, management, and public accounting firms after the accounting scandals. Several provisions of the Act also apply to privately held companies, such as the wilful destruction of evidence to impede a federal investigation. The Sarbanes-Oxley Act (SOX) requires that publicly traded companies ensure their internal business processes are properly monitored and managed. Financial reporting processes are driven by I.T. systems, so I.T. needs to be configured securely and maintained properly. The Securities and Exchange Commission (SEC) has identified five areas that need to be addressed to meet SOX internal control requirements and support SOX compliance, two of which are risk assessment and monitoring. The Act makes it compulsory for companies to maintain financial records for up to seven years.

Is it mandatory?

Yes, the law is binding for all U.S. public company boards, management, and public accounting firms. They also apply to privately held companies.

What are the penalties?

Failure to adhere to SOX would make you eligible for penalties above $5 million in fines and 20 years in prison as per section 906.

REFERENCES :

[1] https://www.fedramp.gov/

[2] https://www.tcdi.com/information-security-compliance-which-regulations/

[3] https://lab.getapp.com/security-certifications-explained/

[4] https://gdpr-info.eu/

[5] https://www.pcisecuritystandards.org/pci_security/

[6]https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/nist-framework

[7] https://www.cisa.gov/federal-information-security-modernization-act