A Definitive List Of Various Compliance Standards And What They Mean
Cyberattacks have been very prominent in the last decade. Just last week, social media giant Twitter fell prey to it wherein accounts of prominent personalities, like Elon Musk, Bill Gates, former U.S. President Barack Obama, and others were hacked. While we cannot stop these attacks completely, there are certain rules and regulations that, if followed, will significantly reduce the risks. Many times, organizations need to comply with many such rules and regulations, called compliance standards, many of which have overlapping qualities.
This article will focus on these information security compliance standards and will provide you with a general overview of them.
General Data Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation (GDPR) 2016/679 is a regulation on data privacy and protection in the European Union (E.U.) and the European Economic Area (EEA). Organizations around the world must be GDPR compliant by 25th May 2018.
What does it state?
GDPR protects E.U. residents’ data regardless of the geographic location of the organization of the data.
GDPR states 7 fundamental principles
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Furthermore, GDPR also talks about 8 rights for individuals
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights concerning automated decision-making and profiling
The main key point of GDPR is that E.U. residents’ data should be processed in a manner that will ensure data security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Is GDPR mandatory?
Yes, it is mandatory for any company that does business in the European Union or handles the data of an E.U. citizen.
Are there any penalties?
Yes, failure to ensure GDPR compliance would result in fines of up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher.
You can read more about the GDPR compliance standards here and refer to this infographic to understand the rights of an individual, according to GDPR.
National Institute of Standards and Technology (NIST)
What is NIST?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Government founded in 1901 that produces technology, standards, and metrics to drive innovation in the U.S. science and technology sectors.
What does it state?
In a previous article, I spoke about the NIST compliance standards. NIST publishes the Special Publication 800-series, which provides guidance documents and recommendations. They published Special Publication 800-53 as part of the above series, which catalogs 20 security and privacy control groups. NIST recommends that organizations in their risk management strategies should implement these security and privacy controls. These controls talk about access control, training for security awareness, incident response plans, risk assessments, and continuous monitoring. NIST combines existing compliance standards, guidelines, and best practices in its guide. The key benefit associated with NIST compliance is it helps to make your organization’s I.T. infrastructure secure. It is also a foundation protocol for companies when achieving HIPAA or FISMA compliance.
Is NIST mandatory?
While NIST is globally used, it is a voluntary framework. However, it is mandatory for all U.S. federal agencies.
What companies are affected?
NIST is not industry-specific. Any organization that wants to reduce its overall security risk should implement NIST.
Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard administered by the Payment Card Industry Security Standards Council, headquartered in Wakefield, Massachusetts, USA. The PCI DSS standard is for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.
The Payment Card Industry Security Standards Council was originally formed by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. on 7 September 2006, to manage the ongoing evolution of the Payment Card Industry Data Security Standard.
What does it state?
PCI DSS requirements are updated often to keep up with the latest threat landscape. My colleague, Sreeja Sinha, has written a detailed article on PCI compliance which you should read. PCI DSS states 12 regulations that are designed to reduce fraud and protect the credit card information of customers.
Is it mandatory?
Yes, PCI DSS is mandatory for companies handling credit card information.
What are the penalties?
Failure to comply with PCI DSS will result in fines of up to $100,000 per month or even suspension of card acceptance.
Health Insurance Portability and Accountability Act (HIPAA)
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law enacted by the 104th U.S. Congress and signed by President Bill Clinton. HIPAA states the requirement to create national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
What does it state?
HIPAA compliance is a living entity that most healthcare organizations must implement into their business to protect the security, privacy, and integrity of protected health information. HIPAA’s regulatory standards were created to establish the legal use and disclosure of personally identifiable electronic protected health information (ePHI). The Department of Health and Human Services (HHS) regulates compliance, and the Office for the Civil Rights (OCR) enforces compliance standards. HIPAA has two parts.
- Title I protects the healthcare of people who are transitioning between jobs or are laid off.
- Title II is meant to simplify the healthcare process by shifting to electronic data and protecting the privacy of individual patients.
For more information, check out my colleague Udit Agarwal’s article on HIPAA Compliance.
Is HIPAA mandatory?
Yes, the HIPAA compliance standard is mandatory for any organization handling healthcare data.
Who does it affect?
HIPAA compliance is necessary for any organization that handles healthcare data. That includes, but is not limited to, doctor’s offices, hospitals, insurance companies, business associates, and employers.
What are the penalties?
Failure to implement HIPAA compliance would result in fines of up to $50,000 per violation, with an annual maximum of $1.5 million and/or prison terms of up to ten years.
Federal Risk and Authorization Management Program (FedRAMP)
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant Agency security assessments.
What does it state?
FedRAMP requirements include additional controls above the standard NIST baseline controls in NIST SP 800-53 Revision 4. These additional controls address the unique elements of cloud computing to ensure all federal data is secure in cloud environments.
Is it mandatory?
Yes, FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low, moderate, and high-risk impact levels. Private cloud deployments intended for single organizations and implemented fully within federal facilities are the only exception.
Federal Information Security Management Act (FISMA)
What is FISMA?
The Federal Information Security Management Act (FISMA) of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security in the United States’ economic and national security interests.
What does it state?
FISMA requires federal agencies to develop, document, and implement an information security program to safeguard their systems and data. In addition to government agencies, FISMA also applies to contractors and third parties that use or operate an information system on behalf of a Federal agency. FISMA stipulates categorizing types of data stored by the degree of the harm that would be caused were they to be compromised and directs federal agencies to periodically conduct risk assessments and reduce risk to an acceptable level by implementing appropriate controls.
Is it mandatory in compliance standards?
Yes, FISMA is mandatory for federal agencies and third parties or contractors that deal with federal government information.
What are the penalties?
Failure to comply with FISMA usually leads to budget cuts to the federal agency.
Center for Internet Security Controls (CIS)
What is CIS?
The SANS Institute partners with the Center for Internet Security (CIS) and industry professionals to maintain the 20 critical security controls. The CIS 20 are essential to protect the assets and data of an organization from known cyber-attack vectors. These controls should be implemented by companies that seek to strengthen their security in the Internet of Things (IoT) domain. The CIS 20 controls span across areas such as asset configurations (hardware and software), malware defenses, recovery, continuous monitoring and control, incident response plans and management, penetration tests, and Red Team exercises.
What does it state?
I have written an article on CIS and how it differs from NIST and ISO 270001. It would give you a detailed overview of CIS.
Is it mandatory?
The CIS 20 Security Controls are not mandatory or required by law. However, since it is such a comprehensive guide to online security, focusing on basic, foundational, and organization control levels that it is highly recommended that organizations implement them in their compliance standards.
International Organization for Standardization (ISO)
What is ISO?
Headquartered in Geneva in Switzerland, The International Organization (ISO) for Standardization is an international standard-setting body composed of representatives from various national standards organizations.
Is it mandatory?
Even though they are not mandatory, they are highly recommended.
Sarbanes-Oxley Act (SOX)
What is SOX?
Named after the co-sponsors of the bill, the SOX Act is a U.S. federal law that was passed in response to the accounting scandals that occurred at major corporations in 2001 and 2002, including the WorldCom and the Enron cases.
What does it state?
SOX Acts stated the new or expanded requirements for all U.S. public company boards, management, and public accounting firms after the accounting scandals. Several provisions of the Act also apply to privately held companies, such as the wilful destruction of evidence to impede a federal investigation. The Sarbanes-Oxley Act (SOX) requires that publicly traded companies ensure their internal business processes are properly monitored and managed.
Financial reporting processes are driven by I.T. systems, so I.T. needs to be configured securely and maintained properly. The Securities and Exchange Commission (SEC) has identified five areas that need to be addressed to meet SOX internal control requirements and support SOX compliance, two of which are risk assessment and monitoring. The Act makes it compulsory for companies to maintain financial records for up to seven years.
Is it mandatory?
Yes, the law is binding for all U.S. public company boards, management, public accounting firms, and privately held companies.
What are the penalties?
Failure to adhere to SOX would make you eligible for penalties above $5 million in fines and 20 years in prison as per section 906.
References
[1] https://www.fedramp.gov/
[2] https://www.tcdi.com/information-security-compliance-which-regulations/
[3] https://lab.getapp.com/security-certifications-explained/
[4] https://gdpr-info.eu/
[5] https://www.pcisecuritystandards.org/pci_security/
[6]https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/nist-framework
[7] https://www.cisa.gov/federal-information-security-modernization-act
Why Cloudanix?
We are doing out bit to build a product which is Effective, Affordable and Approachable. We have heard this argument many times that Security is hard, but using Security product is harder. We are attempting to make Security easy for “builders and operators”
Know more about:
- What is the difference between NIST, CIS/SANS 20, ISO 27001 Compliance Standards?
- As A Cloud User, Should I Be Worried About Cloud Compliance?
- A Practical Guide To Achieving HIPAA Compliance in AWS.