Finance, healthcare, and retail are examples of sectors that must comply with cybersecurity regulations. Whether the obligation comes from regulations or contractual agreements, the aim of compliance is to prevent non-public personal information (NPPI) such as medical records, financial records, and credit card numbers from being disclosed or compromised. A big challenge when assessing whether you are in compliance is figuring out exactly what you are required to do.
The main purpose of cybersecurity compliance and the audit process is to demonstrate that your company can build a common-sense cybersecurity framework, grounded in security and executive management best practices.
What is a Compliance Assessment?
Our seasoned IT staff performs compliance assessments as a means of identifying gaps between your existing environment and what is required. A compliance assessment identifies gaps that may or may not correlate to risk exposure. In essence, cybersecurity compliance for your organization is about categorizing important and sensitive information and establishing a methodology for protecting each category against internal vulnerabilities and external break-ins.
The following describes cybersecurity compliance standards based on specific industry verticals:
Gramm-Leach-Bliley Act (GLBA): Applies to financial institutions, banks, securities firms, and insurance companies, as well as companies providing financial products and services to consumers, including lending, brokering, or servicing any type of consumer loan, and transferring or safeguarding money.
Payment Card Industry Data Security Standard (PCI DSS): Applies to any entity that stores, processes, or transmits cardholder data. If a business accepts or processes payment cards, it must comply with the PCI DSS.
Health Insurance Portability and Accountability Act (HIPAA): This compliance standard applies to healthcare providers, health plans, health clearinghouses and entities that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.
Federal Information Security Management Act (FISMA): This law explicitly emphasizes a risk-based approach to cost-effective security. Subsequent modifications to it have resulted in less overall reporting, an emphasis on continuous monitoring of systems, increased focus on agencies' compliance, and reporting that concentrates on the issues caused by security incidents.
Compliance Assessment Guidance
Flexibility is built into the language of many of these requirements because the organizations that have to comply come in a wide range of sizes and levels of complexity. For this reason, the exact same rules cannot be applied to every organization. This creates a challenge, because an organization needs to know itself very well in order to understand which controls are appropriate for its size and complexity. The controls it has in place (or is putting in place) must protect patients, customers, and other affected parties, but the organization must also be able to realistically implement and manage each control.
Since regulations often leave a range of possible control practices available to meet the requirements, there are many sources of guidance that we consider when assessing compliance:
- FFIEC Information Technology Examination Handbooks
- Financial Institution Letters
- NIST Special Publications
A significant number of the biggest breaches have involved companies that were compliant, but not secure.
Thus, when your company is considering taking on a compliance assessment, you should think about adding a risk assessment to the equation. We recommend running a security program rather than a compliance program. Security and best practice often go further than meeting compliance standards, and can help strengthen your cyber defense strategy. Contact us today to learn more.