Common Compliance Requirements and cybersecurity basics:
PCI DSS stands for the Payment Card Industry Data Security Standard. It is a contractual standard set by the card brands rather than a law, but every merchant and service provider that stores, processes, or transmits cardholder data is required by its acquiring bank and the card brands to comply. PCI DSS consists of 6 goals, which are accomplished by meeting 12 individual requirements, each with detailed sub-requirements. The goals and requirements are as follows (please note the requirements are summarized in our own language; the official text is available at https://www.pcisecuritystandards.org):
- Build and Maintain a Secure Network
- Install and maintain a firewall configuration that protects cardholder data and controls traffic into and out of the cardholder data environment.
- Do not use vendor-supplied defaults for passwords or other security parameters. Set unique credentials and harden configurations before a system goes into production.
- Protect Cardholder Data
- Protect stored cardholder data with appropriate controls, and never store sensitive authentication data (full magnetic stripe, card verification code, or PIN) after authorization.
- Encrypt cardholder data whenever it is transmitted across open, public networks.
- Maintain a Vulnerability Management Program
- Protect all systems against malware: run anti-virus or anti-malware software and keep it updated.
- Develop and maintain secure systems and applications, including timely patching of known vulnerabilities.
- Implement Strong Access Control Measures
- Restrict access to cardholder data to those with a business need to know.
- Identify and authenticate every user of system components so that each action can be traced to a unique individual.
- Restrict physical access to cardholder data and the systems that hold it.
- Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data, and retain the logs.
- Regularly test security systems and processes, including vulnerability scans and penetration tests.
- Maintain an Information Security Policy
- Maintain a policy, with supporting procedures, that addresses information security for all personnel, including contractors.
HIPAA Security Rule
HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA covers any entity that handles PHI (protected health information), such as health plans, healthcare clearinghouses, and healthcare providers, as well as their business associates (if you aren’t sure whether you are covered, we recommend you speak with a qualified attorney). Within HIPAA, the Security Rule mandates that covered entities put in place safeguards to protect sensitive health information. Specifically, it requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI (electronic protected health information).
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures of the information; and
- Ensure compliance with the Security Rule by their workforce.
To meet these requirements, the Security Rule lays out a set of safeguards and implementation specifications you must address. They fall into the following groups:
- Risk Analysis and Management
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Required and Addressable Implementation Specifications
- Organizational Requirements
- Policies and Procedures and Documentation Requirements
State Data Breach Notification Laws:
All 50 states have notification laws requiring companies to notify affected individuals (and often the state attorney general) in the event of a data breach. A data breach is usually defined as the unauthorized acquisition of, or unauthorized access to, sensitive personal data. The definition of personal data, the notification deadline, and the exceptions (for example, for encrypted data) vary from state to state, so we highly recommend that you consult your particular state’s law to determine what requirements apply to you, even if you are a small business.
CMMC stands for the Cybersecurity Maturity Model Certification. This program was promulgated by the U.S. Department of Defense to protect the information handled by its supply chain, and it applies to contractors and subcontractors that deal with FCI (Federal Contract Information) or CUI (Controlled Unclassified Information). The original model defined five maturity levels depending on the type of data your organization handles; the revised CMMC 2.0 reduced this to three levels. Organizations handling CUI generally must be assessed against the applicable level by an outside party (a certified third-party assessor, or the government for the highest level) before they can be awarded covered contracts.
NYDFS Cybersecurity Regulation
NYDFS stands for the New York Department of Financial Services. In 2017 NYDFS promulgated a cybersecurity regulation (23 NYCRR Part 500) requiring banks, insurers, and other entities it licenses or regulates that handle nonpublic information to implement specific cybersecurity requirements, with compliance phased in through 2019. NYDFS requirements fall under the following broad categories:
- Maintaining a cybersecurity program
- Maintaining cybersecurity policies
- Appointing a qualified Chief Information Security Officer
- Conducting regular penetration testing and vulnerability assessments
- Ensuring that there is an audit trail
- Ensuring appropriate access privileges
- Application security (documented Software Development Life Cycle [SDLC])
- Cybersecurity personnel and intelligence
- Third-party service provider security policy
- Multi-factor authentication
- Limitations on data retention
- Training and monitoring
- Encryption of nonpublic information
- Incident response plan
- Notices to superintendent
GDPR stands for the General Data Protection Regulation, a data privacy regulation adopted by the EU in 2016 that became enforceable on 25 May 2018. The EU enacted the GDPR to “harmonize data privacy laws across Europe.” The GDPR applies throughout the EU member states and the European Economic Area (EEA), and it also regulates the transfer of personal data outside the EU and EEA. Because of this, the GDPR applies to any organization that offers goods or services to, or monitors the behaviour of, individuals in the EU, even if the organization is based outside the EU, in the US for example. The GDPR has the goal of giving individuals greater control over their personal data and simplifying the regulatory environment for international businesses by unifying regulations within the EU. It contains requirements relating to personal data privacy, data minimization, and security for EU and international organizations alike.
GDPR 7 PRINCIPLES:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
GDPR RIGHTS FOR INDIVIDUALS:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The GDPR is intentionally broad and far-reaching, and it is light on technical specifics: it requires “appropriate” security measures rather than prescribing particular controls. Regulators can impose hefty penalties on offenders, with fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. GDPR compliance can be a daunting process for the small and medium-sized businesses that fall under it. If you are unsure whether the GDPR applies to you, or need help implementing its requirements in your business, we recommend that you consult a licensed attorney or a cybersecurity professional with experience in regulatory compliance.
Frameworks and Standards
Cybersecurity can be pretty complicated. Fortunately, numerous organizations have published cybersecurity frameworks you can use as a general guide on how to implement best practices cost-effectively. Using a framework allows you to manage your cybersecurity program holistically and coherently. Most compliance requirements are created by taking various controls from frameworks and applying them in a way that makes sense for that industry. The main ones are as follows:
NIST Cybersecurity Framework
The NIST Cybersecurity Framework is the most widely used information security framework in the United States. NIST stands for the National Institute of Standards and Technology. The framework is voluntary, comprehensive, and easy to understand, with clear guidelines even for I.T. professionals who may not have extensive knowledge of or experience in cybersecurity. The framework core is organized into five functions: Identify, Protect, Detect, Respond, and Recover. Each function is broken down into categories and subcategories that map to specific outcomes and to controls in other standards.
Most cybersecurity compliance requirements and all of the frameworks require risk assessments to be conducted routinely. Risk is commonly characterized by the following formula:
Risk = Threat x Vulnerability x Impact
In other words, a risk is only significant when there is a credible threat, a weakness that threat can exploit, and a meaningful consequence if it does; remove any one factor and the risk drops. By assessing risk in this way, your organization can prioritize its most vulnerable and most valuable assets and take immediate steps to mitigate the highest risks first.
By conducting a Risk Assessment, you also gain intimate knowledge of where your data is stored, how sensitive it is, and what protections you already have in place around it. After your Risk Assessment is completed, you can use the lessons learned to begin improving your cybersecurity program efficiently and logically.
Compliance can seem overwhelming, but it’s not. All it requires is aligning people, processes, and technology with controls (both technical and organizational) and working towards them step by step. Many controls are simpler than they sound. Implementing threat intelligence, for example, can be as simple as consuming an open-source threat intel feed of known-bad IP addresses and domains and comparing it against your network or firewall logs. In some cases, you may be able to meet multiple controls with one piece of software.
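As an added illustration of the threat-intel control described above (this is example code written for this page, not Cyberopz’s tooling), the script below loads a text feed of indicators, then scans a CSV connection log and flags any connection whose destination IP falls in a listed address or range, or whose destination hostname is a listed domain or a subdomain of one. The feed layout (one indicator per line, comments starting with #), the CSV columns, and every address and domain in it are constructed for the example and are not real intelligence.

```python
"""Match a simple threat-intel feed against connection logs.

Example code added for illustration; the feed format, log layout and all
addresses below are constructed assumptions, not real indicators.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed feed: single IPs, a CIDR range and a domain, plus the comments
# and blank lines a real text feed typically contains.
SAMPLE_FEED = """\
# constructed example feed
203.0.113.0/24
198.51.100.77
bad-update.example

192.0.2.9
"""

# Constructed connection log (e.g. exported from a firewall or proxy).
SAMPLE_LOG = """\
ts,src_ip,dst_ip,dst_port,dst_host
2024-01-01T10:00:00Z,10.0.0.5,198.51.100.77,443,
2024-01-01T10:00:05Z,10.0.0.7,93.184.216.34,443,www.example.org
2024-01-01T10:00:09Z,10.0.0.5,203.0.113.200,8080,
2024-01-01T10:00:12Z,10.0.0.9,10.0.0.1,53,cdn.bad-update.example
2024-01-01T10:00:15Z,10.0.0.7,192.0.2.9,22,
"""


def parse_feed(text):
    """Split a feed into (set of ip_network objects, set of lowercase domains).

    Anything that parses as an IP or CIDR becomes a network (a bare IP is a
    /32); everything else is treated as a domain indicator.
    """
    networks, domains = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return networks, domains


def ip_matches(ip_str, networks):
    """Return the matching network as a string, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def domain_matches(host, domains):
    """Return the listed domain that host equals or sits under, or None.

    cdn.bad-update.example matches a feed entry of bad-update.example.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(log_text, networks, domains):
    """Return one hit per log row whose destination matches the feed."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        net = ip_matches(row["dst_ip"], networks)
        if net:
            reasons.append(f"dst_ip in {net}")
        if row.get("dst_host"):
            dom = domain_matches(row["dst_host"], domains)
            if dom:
                reasons.append(f"dst_host under {dom}")
        if reasons:
            hits.append({"ts": row["ts"], "src_ip": row["src_ip"], "reasons": reasons})
    return hits


def summarize(hits):
    """Count hits per internal source address, to see which hosts to look at first."""
    by_src = defaultdict(int)
    for hit in hits:
        by_src[hit["src_ip"]] += 1
    return dict(by_src)


if __name__ == "__main__":
    nets, doms = parse_feed(SAMPLE_FEED)
    found = scan_log(SAMPLE_LOG, nets, doms)
    for hit in found:
        print(hit["ts"], hit["src_ip"], "; ".join(hit["reasons"]))
    print(summarize(found))
```

Run against the constructed data, four of the five connections are flagged and the summary shows 10.0.0.5 contacting listed destinations twice. Two practical caveats: indicator feeds go stale, so refresh them and date-stamp what you load, and a match is a lead to investigate, not proof of compromise, since shared hosting ranges and sinkholed domains produce false positives.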
Maintaining a firewall configuration simply means deploying an enterprise-grade firewall, monitoring it, reviewing its rules periodically, and keeping its software and signatures up to date. At Cyberopz, we know that looking at hundreds of controls can feel daunting; you may feel you can never achieve adequate cybersecurity, but that is not the case. We recommend you begin with the most accessible controls (or the ones you already have!). Some examples of these might be:
- Keeping systems patched and up to date
- Maintaining antivirus software
- Maintaining policies and procedures mandating best practices in cybersecurity for employees
- Monitoring network traffic
Once you have met the controls for your specific regulation or compliance program, you should perform an internal audit to confirm that each control is actually in place and working, not just documented, and that you are confident you have satisfactorily met it. If you aren’t sure, bringing in an outside cybersecurity company to test your controls is a good idea.