Compliance – a quick history
In our legal system, we trust people to voluntarily do the right thing. When they don’t, we write laws requiring them to do so. In cybersecurity, the situation is similar. However, many people struggle to understand what that “right thing” is. So we’ve been creating compliance frameworks to go along with those laws (and industry requirements, and partnership agreements) to help. As security becomes more pervasive, though, we are seeing a convergence in those frameworks. The gaps are closing and they are becoming more similar each day. There are still differences based on the industry or type of information we are trying to protect, though. And there are even more differences in how they are created and enforced. Generally, compliance falls into four categories:
Government directed compliance
This is the easiest category to understand. Just as with other laws, a state government or the federal government directs compliance with security measures. Sometimes there is a framework involved, such as with HIPAA, FISMA (compliance required of the government by the government), or DFARS (compliance required of defense contractors by the Department of Defense). Other laws, such as the Sarbanes-Oxley and Gramm-Leach-Bliley Acts, require data protection in financial reporting but don’t explicitly provide a framework of controls.
While most of these requirements are directed from the federal level, states have been getting in on the act in the last few years. All states now have some form of breach notification law. These vary in depth and severity, from ones with vague terms requiring some type of notification within a subjectively specified timeframe to those with requirements to determine potential harm and specific timeframes for notification. Many of these states also require “reasonable protections” to reduce the risk of a successful cyber-attack.
Recently, New York passed “Part 500”, a law that requires specific (but still pretty lenient) controls be put in place for financial and industry organizations operating within the state. Even more recently, Colorado enacted a stronger breach reporting law requiring notification within 30 days of breach discovery. It also adds a requirement for lifecycle management of personal information. Organizations must establish a reasonable timeframe for data retention and delete the data when it is no longer needed.
Industry directed compliance
In addition to governments, certain industries are also driving security compliance. While not having the legal backing of the previous category, these requirements use more of a “pay to play” enforcement method. If you’ve ever heard of PCI-DSS (Payment Card Industry – Data Security Standard), or just PCI for short, you know an industry compliance framework.
PCI enforces these requirements by not allowing organizations to accept payment cards (e.g., credit cards, debit cards) if they can’t demonstrate compliance with the appropriate PCI framework. If the Visas and Mastercards of the world won’t let you accept cards, you are pretty much shut out of that world. It’s not perfect, but it works well in this instance. It’s much harder to enforce, though, when there are more players in the game.
More and more industries are getting into this game, as well. The auto industry has recently published a set of controls for 3rd Party information security, too. Their new CS-1 document draws heavily from NIST and ISO frameworks. There’s no word, yet, on how they will enforce these requirements. Since this industry has so many players, we are interested to see how they do. Stay tuned…
Partnership directed compliance
This is, perhaps, the newest area of compliance and is very interpersonal. A company will require implementation of a framework or specific controls in another company where there is a partnership or vendor-client relationship. This allows the requiring company to tailor controls to closely fit its needs. In many cases these controls are just extensions of another control framework, such as HIPAA. More recently, businesses have begun creating custom frameworks. Companies typically see a legal liability and realize that shared security is a vital need in business.
These compliance frameworks are generally used where a business wants to demonstrate that it’s mature and trustworthy. ISO 27001 is the most prevalent compliance framework in this area. You’ll typically see this more with very large and multi-national businesses rather than smaller and local businesses. It can be costly to become compliant and even more costly to hire someone to verify your compliance.
What does that mean for you?
Fortunately, many of these government, industry, and partnership driven frameworks are beginning to coalesce. We’ve begun to rally around a core set of rules that help us better manage and reduce our risk. This simplifies and normalizes the work across industries and regulators.
If you are in an industry that is already regulated, you shouldn’t see much change in what’s required of you. If you are already comfortable implementing the checklists of controls, start looking at it from a true risk management perspective. Learn more about the threats and the vulnerabilities so you can make informed decisions and turn compliance from box checking into true management of risk.
If you are yet to experience the fun of compliance, just wait. It’s coming your way. Start looking at how you handle sensitive information and how you protect it. Grab a copy of NIST’s Cybersecurity Framework and see how well you stack up against that. Don’t worry if you don’t stack up well, but start planning how you’d implement the Protect and Detect controls (two of the five functional control areas). This will give you an advantage when you are required to implement any control set.
Bottom line: It may seem overwhelming, but it’s not impossible. It doesn’t have to be cost prohibitive either. A little planning and forethought can go a long way toward turning any compliance requirement into a good security program for your business. You just need the right problem-solving and project management attitude… and a little cybersecurity expertise doesn’t hurt, either.