Information Security Compliance:
Which Regulations Relate To Us?
Assessing which rules and regulations apply to an organization is no easy feat. Often, organizations need to comply with multiple frameworks and regulations, many of which have overlapping qualities.
In this article, we attempt to demystify common cybersecurity frameworks and regulatory requirements to help organizations initiate discussions around achieving compliance.
Many treat information security as an amorphous issue that only the IT department handles. The reality is that the legal and reputational ramifications that ensue from a data breach affect the entire organization. That is why it is essential to create a security-centric culture, top to bottom, with a focus on complying with information security regulations.
Regulations are in place to help companies improve their information security strategy by providing guidelines and best practices based on the company's industry and type of data they maintain. Non-compliance with these regulations can result in severe fines, or worse, a data breach. Most companies are subject to at least one security regulation. The difficulty comes in determining which ones apply and interpreting what policies and controls are required to reach compliance.
Part of that difficulty is that regulations are not written in a way that can be easily understood by the average person. Often, partnering with a security professional is necessary to decode the relevant requirements and devise an implementation plan. These professionals have experience implementing systems, policies, and procedures that satisfy the requirements of various regulations and enhance the security of an organization. Many have obtained credentials, such as the HISP (Holistic Information Security Practitioner), which signify a deeper understanding of the system controls required to reach compliance.
Assessing Which Compliance Regulations Relate to an Organization
Regardless of whether a company chooses to engage a trusted advisor, the first step of the process is to assess which laws and acts apply to it. Once that is completed, it needs to organize its information security to address the boundaries put in place by those acts. This process requires a set plan that outlines a consistent and effective way of alerting on and dealing with threats.
Discussing specific legislation as it relates to an individual company can remain abstract. A cybersecurity assessment is a valuable tool for achieving these objectives, as it evaluates an organization's security and privacy against a set of globally recognized standards and best practices. It provides a roadmap to improve data privacy, and the results can validate adherence to the relevant standards.
Take for Example:
Think of a local hospital. This hospital is publicly traded and not a federal agency; therefore, it is not subject to the FISMA bill. It does deal with patients and other healthcare-related data, so it is subject to HIPAA.
With the regulation identified, the hospital must look carefully at what sort of protection it must offer patients and place safeguards in effect to prevent a breach of security. On the ground level, it cannot give away information without the express consent of the patient. From a more technological perspective, the hospital cannot allow any system that handles patient information to be compromised.
These guidelines require controls to be in place for those systems and for the equipment that allows access to them. Policies and procedures need to be in place to govern the activities of personnel who interact with those systems, and training needs to occur so that users understand how to properly perform their duties without misusing the system, intentionally or not.
While the local hospital in the example only had to comply with one regulation, companies often find they must meet the requirements of many regulations. In such cases, the best approach is to first outline all of the regulations that will impact the company, and then determine which security controls need to be implemented to satisfy all of the requirements effectively. Different regulations often contain overlapping requirements, so by breaking the work into these two phases, companies can reduce the time and money they would otherwise spend on the duplicate effort of implementing competing systems.
This table shows the different cybersecurity frameworks and regulations, what they regulate, and which corporations would be subject to the scope of the act.
There is an abundance of laws and bills on the books designed to protect information. However, it is not always clear to the average business decision-maker which regulations apply to their organization. That is where a security professional can significantly help a business make sense of an area that grows more complex with each new regulation. Compliance is critical, and it begins with understanding which regulations affect your company and then outlining the steps that bring you into compliance.