- Achieving regulatory compliance is simplified when you understand the complexities and pitfalls
- Cybersecurity products and services each play a specific role in furthering compliance efforts
- Employees correctly following protocols will make or break your security compliance program
- Secureworks® can help you plot a course forward to move along the security maturity continuum
Regulatory compliance—conforming to specifications, policies, standards, laws, and rules, often with civil or criminal penalties—is mandatory for many industries, especially those in finance, healthcare, and government. However, Wikipedia’s regulatory compliance page states, “The definition of what constitutes an effective compliance plan has been elusive.” We couldn't disagree more and urge the adoption of an updated definition that makes compliance achievable with a properly informed strategy.
Many information security companies offer regulatory compliance solutions. A “solution” suggests an effective compliance plan plus an effective implementation; however, many offerings consist of disjointed software or services. Properly configuring software and infrastructure to achieve regulatory compliance takes expertise. Staff must also follow specific protocols to facilitate the necessary evidence collection and demonstrate compliance.
Regulatory Compliance Software
Industry-specific and cross-industry regulatory compliance software can provide a general framework for organizations to follow. However, as cloud computing and big data continue to dominate organizational data management, we see more information security compliance software hit the market focused on managing regulated data. These solutions range from simple to robust. Most provide compliance audit trails. Some manage password usage and user access. Other regulatory compliance software tracks files throughout a network to classify, tag, and ensure appropriate use based on who is accessing them.
Where Compliance Software as a Solution Falls Short
Software only works where it is applied correctly and where fallible human beings follow protocols correctly. Large companies often operate in silos and lack a coordinated, enterprise-wide view of regulatory compliance risks. With many access points to big data, the mere absence of one dedicated local compliance resource creates significant risk for the entire company. IT security compliance software can add a layer of cybersecurity protection, but it still leaves gaps where there is a lack of awareness of, and adherence to, protocols.
Where Regulatory Compliance Services Fill Gaps
The biggest challenge with regulatory compliance is that with so many rules—and in this era of continuous staff turnover—people within the organization inevitably do not know all the rules and protocols they must follow. A compliance service uses experienced security professionals to determine what compliance software and infrastructure are needed, how to properly set them up, the processes to follow, and training as needed.
Getting your entire organization up to compliance standards—national, industry specific, or global—generally requires some initial compliance services that fall under security risk consulting. Once compliance has been met, you may desire ongoing regulatory compliance management or periodic assessments and gap analyses.
Regulatory Compliance for the United States
- NIST Compliance – General Cybersecurity Best Practices and Government Compliance
Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity (Feb 2013), mandated that NIST work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure. NIST’s cyber standards-setting role was further reinforced by the Cybersecurity Enhancement Act of 2014.
The voluntary NIST Cybersecurity Framework (CSF) was created through an industry-government collaboration and consists of cybersecurity standards, guidelines, and practices that promote the protection of critical infrastructure. The Framework provides a flexible, repeatable, and cost-effective approach that helps owners and operators of critical infrastructure identify and prioritize their cyber risk.
NIST Special Publication 800-171 draws on the security requirements of FIPS 200 for federal information systems and the NIST SP 800-53 security and privacy controls, tailored for businesses, and organizes them into 110 discrete security controls across 14 administrative and technical categories, each with specific compliance requirements.
- Securities and Exchange Commission OCIE Cybersecurity Initiative and Exam
The U.S. Securities and Exchange Commission Division of Examinations (formerly OCIE) announced a Cybersecurity Examination Initiative under which the Division will examine, at random, the cybersecurity practices of more than 50 regulated investment management firms to evaluate how they protect their firms and investors from cybersecurity threats in five specific areas. The exam helps regulators and industry partners understand where the SEC and the investment management industry can collaborate to help ensure overall protection from cyber threats, intrusions, and breaches.
- GLBA / FFIEC Compliance – IT Security for Financial Institutions (Banks and Credit Unions)
GLBA and FFIEC are the main sources of financial compliance regulations. Under the Gramm-Leach-Bliley Act (GLBA) of 1999, all financial institutions in the United States must create an information security program that secures customer financial information, protects that information from security threats, and denies any unwarranted access to it. The Federal Financial Institutions Examination Council (FFIEC) augments GLBA with a set of extensive and evolving compliance guidelines.
- HIPAA Compliance – Healthcare Network Security Solutions
HIPAA has become a popular information security standard adopted by businesses of all sizes to meet a basic, well-known level of cybersecurity. However, the Health Insurance Portability and Accountability Act (HIPAA) was originally created to simplify administrative processes and protect the Personally Identifiable Information (PII) held by healthcare organizations. The specific information security standards set by HIPAA require policies and procedures that safeguard PII in order to meet compliance requirements.
- PCI Compliance – Retail, Finance & Insurance Payment Card Industry Compliance Solutions
If you handle any form of payment card data (e.g., credit or debit cards), you are required to meet Payment Card Industry (PCI) compliance regulations throughout the year and to prove that PCI requirements have been met for the entire year. These are sometimes referred to as PCI DSS (PCI Data Security Standard) requirements. All organizations are required to protect the privacy and confidentiality of payment card data and must have defined and implemented specific policies and procedures to do so.
- NERC-CIP Compliance – Utilities and Energy Industry Cyber Security Solutions
The North American Electric Reliability Corporation (NERC) maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system; these include the Critical Infrastructure Protection (CIP) standards, which ensure the information security of the bulk electric system in the US.
- EI3PA Compliance – Experian Independent Third-Party Assessment for Resellers
Organizations that transmit, store, process, or provide consumer credit information from Experian are required to meet EI3PA Compliance guidelines and are subject to regulatory compliance audits by a third-party Qualified Security Assessor (QSA).
- ISO 27001 / 27002 Certification for ISMS
Considered global regulatory compliance, ISO 27001 / 27002 represent the international code of practice for Information Security Management Systems (ISMS) and define the specific standards that must be met for certification. Organizations certified against these standards have demonstrated that their ISMS follows globally recognized best-practice procedures.
- FISMA Compliance – Information Security Services for Federal Agencies and their Affiliates
The Federal Information Security Management Act of 2002 was developed to protect government information, operations, and assets from security threats. Each agency within the federal government is responsible for ensuring its own information security, and the Act requires annual compliance reviews.
Global Regulatory Compliance
Aside from ISO 27001 and 27002, the most common regulatory compliance requirements worldwide are the General Data Protection Regulation (GDPR) and PCI regulations.