Regulatory Compliance Solutions: Software vs ServicesUnderstand gaps in available software or services when it comes to regulatory compliance By: SecureWorks
Regulatory compliance—conforming to specifications, policies, standards, laws and rules—may be mandatory. However, the Wikipedia regulatory compliance page states that “the definition of what constitutes an effective compliance plan has been elusive”. We couldn't disagree more. It seems this Wikipedia page could use an update.
You may find that many data and information security companies offer what is labeled as regulatory compliance solutions. A solution suggests an effective compliance plan and implementation. However, compliance solutions on the market consist of either software or services. Regulatory compliance usually requires the right combination of properly configured software, hardware appliances, staff following specific protocols and collection of evidence-proving compliance.
Regulatory Compliance Software
There is both industry specific and cross-industry regulatory compliance software that provides a general framework for people to follow. However, as progress into cloud computing and big data, we are seeing more information security compliance software hit the market that is focused on managing regulated data. These range from simple to robust. Most provide compliance audit trails. Some manage password usage and user access. Other regulatory compliance software tracks files throughout a network to classify, tag and makes sure they are being used appropriately depending on who is accessing them.
Where Compliance Software as a Solution Falls Short
Software only works where it is applied. Obviously there is a human element that must follow protocol. Large companies often work in siloes and lack an enterprise-wide view of compliance risks. With many access points to big data, the mere absence of one dedicated local compliance resource creates significant risk for the entire company. IT security compliance software can add a layer of cybersecurity, but this still leaves the same gaps where there is lack of awareness and staff protocol.
Where Regulatory Compliance Services Fill Gaps
The biggest challenge with regulatory compliance is that with so many rules, people throughout the organization inevitably do not know all the rules and protocol they must follow. A compliance service uses experienced security professionals to determine what compliance software and appliances are needed, how to properly set them up, processes to follow and training as needed.
Getting your entire organization up to national, industry or global compliance standards generally require some initial compliance services that fall under security risk consulting. Once compliance has been met, you may desire ongoing regulatory compliance management. Alternatively, you may only want periodic assessments and gap analyses.
Regulatory Compliance for United States
Security Exchange Commission OCIE Cybersecurity Initiative and Exam
The U.S. Security Exchange Commission Office of Compliance, Inspections and Examinations (OCIE) announced a Cybersecurity Initiative (PDF) that the OCIE will examine at random the cyber security practices of more than 50 regulated investment management firms to evaluate how they are protecting their firms and investors in five specific areas from cyber security threats. The exam is to gain an understanding of any areas where the SEC and the investment management industry can collaborate to help ensure overall protection from cyber threats, intrusions and breaches.
SecureWorks has a deep understanding of the United States SEC OCIE and helps investment firms build a strong security program, meet OCIE requirements and prepare for exams.
GLBA/FFIEC Compliance - IT Security for Financial Institutions (Banks/Credit Unions)
GLBA and FFIEC are the main sources of what is commonly called financial compliance. Established by the Gramm-Leach-Bliley Act (GLBA) of 1999, all Financial Institutions in the United States are required to create an information security program that secures customer financial information data, protects the financial information from security threats, and denies any unwarranted access to the financial data. The Federal Financial Institutions Examination Council (FFIEC) assists the GLBA by creating constantly changing, extensive compliance guidelines. SecureWorks regulatory compliance services assist through the regulatory process and provide audits to meet compliance and avoid high penalties.
HIPAA Compliance - Healthcare Network Security Solutions
HIPPA has become a popular standard of information security adapted by businesses of all sizes in order to meet a basic, well-known level of cybersecurity. However, the Health Insurance Portability and Accountability Act (HIPAA) was originally created to assist in the simplification of administrative processes and the protection of personal identifiable information of healthcare organizations. There are specific information security standards set by HIPAA that require policies and procedures to handle personal information to meet compliance requirements. SecureWorks has many years of experience in assisting healthcare organizations and can create a specialized information security package to meet your needs.
PCI Compliance - Retail, Financial & Insurance Payment Card Industry Compliance Solutions
If you handle any form of payment card data, you are required to meet Payment Card Industry (PCI) Compliance regulations throughout the year and prove PCI requirements have been met for the entire year. These are sometimes referred to PCI DSS (Data Security Standards) requirements. All organizations are required to protect the privacy and confidentiality of the data and must have policies and procedures in place to do so. SecureWorks provides several PCI regulations solutions for all industries with services to manage PCI compliance or meet PCI compliance, such as PCI Readiness Assessment, PCI Gap Analysis, PCI Mock Audits and also assistance with PCI SAQ (Self-Assessment Questionnaire). If your organization has a large transaction volume, as a PCI Qualified Security Assessor (QSA), SecureWorks can even conduct your PCI Report on Compliance (PCI ROC).
NERC-CIP Compliance- Utilities and Energy Industry Cyber Security Solutions
The North American Electric Reliability Corporation (NERC) maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system and include Critical Infrastructure Protection (CIP) that ensures information security of the bulk electric systems in the US. SecureWorks Managed Security Services align with NERC CIP compliance requirements and can even exceed industry standards for utility providers.
EI3PA Compliance - Experian Independent Third Party Assessment for Resellers
Organizations that transmit, store, processe or provide consumer credit information from Experian is required to meet EI3PA Compliance guidelines and are subject to regulatory compliance audits by a third party Qualified Security Assessor (QSA). As a PCI QSA and ASV, SecureWorks can assist organizations meet EI3PA Compliance and avoid any penalties.
SO 27001/27002 Certification for ISMS
Considered global regulatory compliance, ISO 27001/27002 is International Code of Practice for information security management systems and offers standards to meet certification. Organizations certified to these standards have demonstrated that their ISMS are recognized globally to be following best practice procedures. SecureWorks provides network security services to assist organizations become certified.
FISMA Compliance – Information Security Services for Federal Agencies and their Affiliates
The Federal Information Security Management Act of 2002 was developed to protect government information, operations and assets against security threats. Each agency is responsible to ensure information security in the federal government. The act requires annual reviews of information security programs that can be assisted by several of services under an MSSP.
Global Regulatory Compliance
Aside from ISO 27001 and 27002, the most commonly needed regulatory compliance across the world is for PCI regulations. With offices in Edinburgh and London, SecureWorks specializes in PCI compliance for UK. SecureWorks office in Sydney provides PCI compliance for Australia, and is in the loop with upcoming data breach legislation. SecureWorks also has regional offices that specialize in PCI compliance for Germany, France and Japan—as well as the full suite of managed security services.