Compliance in Cybersecurity: A Matter of Forward Thinking
What is a compliance framework?
In order to accomplish a certain goal, it’s common to start laying out a game plan. Whether it’s becoming a doctor or buying a new car, we need to follow a series of steps to get there. That sounds obvious, but which series of steps should we follow? Are those steps based on experience or are they only based on simple intuition? Has someone else succeeded after following the same steps?
Let’s imagine that we want to have our own business and to do so, we need to ask for an initial loan. However, when we go to the bank, they ask us to fill out a bunch of documents to make sure that we qualify. Following this example, it’s probable that if you keep your finances in order, pay your bills and show a stable income source, there should be nothing keeping you from obtaining that loan. However, what rules should you follow to let people know that you keep your cybersecurity “in order?” This is where a compliance framework enters.
A cybersecurity compliance framework is, essentially, a system of standards, guidelines, and best practices to safeguard the integrity, confidentiality, and availability of electronically stored or transferred information.
Why should you care?
If you take a brief look at the news from this week, regardless of when you read this, chances are that you will find at least one related to a cybersecurity incident. Why? That’s because with the rise of information technology, the value of data increases, along with the probability of someone else wanting to get their hands on it.
Based on the current data, there’s a really high chance that we’re all going to experience a cybersecurity incident once in our lifetime, so the issue is not how can you avoid it, but how can you be prepared for when it happens.
Would you trust your data to someone who’s not prepared for a data breach? We guess you wouldn’t, but how can you be sure if a business is actually prepared for that? Short answer: if it follows a certain cybersecurity compliance framework. With a framework in place, that business has at least defined the processes and procedures that they must take to assess, monitor, and mitigate cybersecurity risk.
You want to be compliant, where should you start?
- First of all, start identifying what type of data you work with and your industry’s standards
- Then, even if you have a small IT department, appoint a Chief Information Security Officer (CISO). It doesn’t have to be a full-time responsibility at the beginning
- Make sure you start knowing your weak spots. Try conducting vulnerability assessments
- Once you know them, implement technical controls based on your industry requirements and your cybersecurity landscape
- Finally, build a cybersecurity aware organization by implementing policies, procedures, and process controls on all levels
What compliance framework should I follow?
General frameworks
ISO/IEC 27001
(Preyproject.com)
ISO 27001/27002, also known as ISO 27K, is the internationally recognized standard for cybersecurity. Briefly, it ensures an organization’s adherence to compliance in all technology environment levels — employees, processes, tools, and systems — a complete setup to protect customer personal data integrity and protection.
NIST Cybersecurity Framework
(Bitsight.com)
The NIST Cybersecurity Framework was established in response to an executive order by former President Obama. While this compliance is voluntary, NIST has become the gold standard for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations.
Industry-based
Health
(Bitsight.com)
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations, insurers, and third-party service providers to implement controls for securing and protecting patient data and conduct risk assessments to identify and mitigate emerging risks.
Energy
(Energy.gov)
The North American Electric Reliability Corporation - Critical Infrastructure Protection (NERC CIP) is a set of cybersecurity standards designed to help those in the utility and power sector reduce cyber risk and ensure the reliability of bulk electric systems.
Consumer businesses
(Bitsight.com)
The General Data Protection Regulation (GDPR) mandates how businesses should collect and store the private data of European Union citizens. In the United States, the California Consumer Privacy Act (CCPA) and the Consumer Data Protection Act from Virginia follow a similar guideline.
Also, all consumer businesses that handle credit card payments must also follow regulations from the Payment Card Industry Security Council’s Data Security Standard (PCI DSS), which set the standards for securing cardholder data. (www.bitsight.com)
Government
(Bitsight.com)
The Federal Information Security Management Act (FISMA) is a cybersecurity framework that protects federal government information and systems against threats. FISMA is also applied to third parties and vendors who work on behalf of federal agencies.
Finance
(Bitsight.com)
In this case, the most common set of regulations are found in the Federal Financial Institution Examination Council handbook (FFIEC IT). It was recently updated to focus on continuous monitoring and business continuity management, both internally and across the supply chain.
Also, a common one is the Service Organization Control (SOC) Type 2 (SOC2). Developed by the American Institute of Certified Public Accountants (AICPA), SOC2 is a stringent trust-based cybersecurity framework that helps firms verify that third parties are securely managing client data.
“We’re compliant so… What’s next?”
It’s easy to think that becoming compliant is the final step in achieving a rock-solid cybersecurity level. Nonetheless, security is mainly a matter of culture and adaptability, so make sure you follow these suggestions:
- Don’t confuse budget with maturity. Identifying gaps and making plans to fill them are more important than investing a large amount of money on a tool or assessment that leaves your organization as vulnerable as before.
- Focus on awareness. Prevention over reaction, a prepared team has a better adaptability to overcome possible cybersecurity incidents.
- Combine manual and automated solutions. A penetration test once a year may give you a good snapshot of your organization’s cybersecurity risks, but technology changes continuously. So you need a way to monitor your systems and use your resources efficiently. At Red Sentry, we can help you perform fast and affordable manual pentests and find and prioritize your vulnerabilities continuously with our automated solution.
Discover more cybersecurity gems: Why MSPs Need to Think Like Dentists.