Security compliance regulations are designed to ensure that companies follow proper security practices. Some of these regulations are laws (e.g. HIPAA), others are contractual requirements imposed by a private industry (e.g. PCI DSS), and some are entirely voluntary, such as the CIS Critical Security Controls (CIS CSC). They all share the same end goal: to ensure that security best practices are followed in your organization.
Compliance programs, regardless of their origin, typically start with a long-form document (or the legislation itself) that explains the purpose of the program and may go into detail on its requirements. From this longer document, specific requirements are derived; when you meet those requirements, you are "compliant" with the program. (Note: some programs require an external audit before you can be considered compliant.)
One of the challenges with compliance is that a single rule can have a broad impact on your organization. For example, if the compliance program requires 14-character passwords, that rule applies to your workstations, email, websites, network devices, and everything else that is in scope.
Another challenge is determining what is "in scope." Not everything in your organization is necessarily assessed under your compliance program. For example, the PCI Security Standards Council maintains the standard for credit card security compliance. Being PCI DSS-compliant requires an organization to follow all of the PCI DSS rules, but only for the systems that store, process, or transmit cardholder data, and for the systems connected to them. If, for example, you use an outsourced credit card point-of-sale terminal that doesn't communicate with anything else in your network, your scope is only that POS terminal (and whatever else it touches). On the other hand, if your terminal connects to your inventory management system, sends emails from your mail server, and so on, your scope is much larger.
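The "whatever it touches" rule above is easy to state and easy to underestimate. The following script is an added example, not part of the original article, that walks a constructed asset inventory and connection list to show how scope expands with connectivity and shrinks again when a link is cut. The asset names, the inventory, the connections, and the simplified scoping rule (anything that handles cardholder data is in scope, plus everything reachable from it) are all assumptions made for illustration; real PCI DSS scoping has additional nuances that an assessor will apply.

```python
# Scope calculation for a PCI DSS-style assessment.
# Added example, not part of the original article. The asset inventory and
# connections below are constructed for illustration, and the rule applied
# (anything that handles cardholder data is in scope, plus anything it can
# reach over the network) is a simplification of real PCI DSS scoping.
from collections import deque

# Constructed sample inventory: asset name -> True if the asset stores,
# processes or transmits cardholder data (CHD).
ASSETS = {
    "pos-terminal": True,
    "inventory-db": False,
    "mail-server": False,
    "hr-laptop": False,
    "guest-wifi": False,
}

# Constructed sample connectivity: pairs of assets allowed to talk to each
# other. Treated as undirected: a link in either direction drags the peer
# into scope.
CONNECTED_NETWORK = [
    ("pos-terminal", "inventory-db"),
    ("inventory-db", "mail-server"),
    ("hr-laptop", "mail-server"),
]


def compute_scope(assets, connections):
    """Return the set of in-scope assets: every asset that handles CHD plus
    everything transitively reachable from it over `connections`."""
    adjacency = {name: set() for name in assets}
    for a, b in connections:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    in_scope = set()
    queue = deque(name for name, handles_chd in assets.items() if handles_chd)
    while queue:  # breadth-first walk outward from the CHD-handling assets
        current = queue.popleft()
        if current in in_scope:
            continue
        in_scope.add(current)
        queue.extend(adjacency[current] - in_scope)
    return in_scope


def segment(connections, blocked):
    """Return `connections` with the `blocked` pairs removed, i.e. the
    connectivity after a firewall rule or VLAN change cuts those links."""
    blocked_pairs = {frozenset(pair) for pair in blocked}
    return [pair for pair in connections if frozenset(pair) not in blocked_pairs]


if __name__ == "__main__":
    # Isolated outsourced terminal: scope is just the terminal.
    print("isolated:", sorted(compute_scope(ASSETS, [])))
    # Terminal wired into inventory and mail: scope balloons.
    print("connected:", sorted(compute_scope(ASSETS, CONNECTED_NETWORK)))
    # Cut the one link between the terminal and the rest of the network.
    segmented = segment(CONNECTED_NETWORK, [("inventory-db", "pos-terminal")])
    print("segmented:", sorted(compute_scope(ASSETS, segmented)))
```

With no connections the scope is the terminal alone; with the three links in the sample network the HR laptop ends up in scope even though it never sees a card number, because it shares a mail server with a system that talks to the terminal. Blocking the single terminal-to-inventory link brings the scope back down to the terminal, which is exactly why segmentation is worth doing before the spreadsheet of requirements is drawn up.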
Popular Compliance Frameworks
- New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Service Organization Control (SOC) reports
- NIST SP 800-171, Protecting Controlled Unclassified Information (CUI)
- NIST Cybersecurity Framework (CSF)
Getting Started
A security compliance program is a long-term investment in the security and regulatory compliance of a company. The following is an abbreviated list to help you get started; we recommend engaging a consultant to assist with a full roll-out.
- Determine which compliance program(s) you must follow.
- Obtain and read the regulation to understand the intent and scope of the program.
- Determine your scope, and segment your in-scope assets and data away from the rest of your network to the greatest degree possible.
- Obtain or develop a spreadsheet of every requirement needed to comply with the regulation.
- Create projects that, when completed, will achieve the compliance objectives; track and document them diligently.
- Audit your organization's compliance (or outsource the audit if desired or required).
- Continuously monitor changes, plan an annual audit, and prepare to remain continuously compliant.
Conclusion
As you can see, achieving compliance isn't a difficult concept, but it can be very time-consuming and resource-intensive. While working to achieve compliance, it's important to remember why this is being done: you're protecting sensitive and critical data. Don't take shortcuts just to check a box; do the hard work and come out more secure for it.
For more information on this topic or any other, please reach out to us; we're here to help!