Cybersecurity compliance is the configuration and management of IT infrastructure in accordance with industry standards. These standards are developed so that customers, clients, and suppliers can expect a minimum level of protection for their sensitive information in the hands of your business.
Cybersecurity Compliance Standards
Every industry is operationally different and has different cybersecurity needs. The cybersecurity requirements used to keep hospital patient records confidential is not the same as the regulations for keeping bank customers’ personal information secure.
In many instances, cybersecurity regulations overlap across industries. Cybersecurity basics like encrypted data storage and transmission, breach response plans, etc. are fairly common across standards. But what systems and operations must be secured and how is specific to each standard.
Cybersecurity compliance is not just good business policy, for certain industries, it is the law. Certain industries that regularly deal with sensitive personal information such as healthcare and finance are highly regulated.
The cybersecurity standards we’ll review are far from exhaustive, although they are the most common. Standards vary by industry, country, region and may be required by law. Knowing what standards exist for your industry in all the places you operate can be difficult to discover and often requires consulting with a cybersecurity expert.
NIST and Cybersecurity Regulatory Compliance
The National Institute of Standards and Technology is a US government agency that produces standards for US industries and government. In addition to cybersecurity standards, NIST provides standards for health and safety, measurement and documentation, and more.
The NIST cybersecurity standards, like all NIST standards, are voluntary. That said, it’s not uncommon for vendors and clients to insist upon compliance with NIST standards, especially when it comes to cybersecurity governance.
Being voluntary doesn’t necessarily mean being optional, depending on your industry. In certain industries where work with the government is common, such as defense or election operations, bidding for a contract may require some level of NIST compliance.
ISO Cybersecurity Compliance Framework
The International Organization for Standardization, or ISO, is a non-governmental umbrella organization of the standards organizations from 165 countries. The ISO, like NIST, produces a set of voluntary standards for a variety of industries.
The most pertinent standard governing cybersecurity is the ISO/IEC 27000 family. This standard provides requirements for information security management systems. It enables organizations to manage the security of financial information, intellectual property, personnel information, and other third party information.
The ISO 27000 series is notoriously difficult to comply with. Operationalizing a cybersecurity profile according to these standards takes months to set up and a team of consultants.
PCI Data Security Standards
The PCI, or payment card industry, standards are developed by the PCI Security Standards Council. These standards are designed for any industry that uses payment card technology.
Many payment card-using businesses, particularly retailers and restaurants, don’t even know that the PCI standards exist. But after a hack, they wish they did.
For instance, the BBQ chain Dickey’s was the victim of a point-of-sale machine hack exposing the credit card information of 3 million customers. And that was a relatively small hack for a national chain. Target’s POS hack lost 40 million customer cards. Home Depot lost 56 million.
And this isn’t necessarily the work of a cybercriminal mastermind either. Forbes found that it was possible to hack into unsecured POS systems with a piece of equipment costing just $25.
HIPAA Compliance and Cybersecurity
The Health Insurance Portability and Accountability Act or HIPAA regulates the transfer and storage of protected patient information in the healthcare industry. Unlike the previous standards reviewed, complying with HIPAA is a legal requirement.
And it makes sense. Healthcare institutions are prime targets for identity thieves. Unlike credit card information, which changes at least with card expiration, personal health information, like social security numbers, past addresses, etc. never changes and can be used for more kinds of fraud.
Unlike with a credit card number, personal health information can be used for tax fraud, to take out false credit cards or loans, open fraudulent bank accounts, and a number of other activities that can cost your patients money and their credit score. As a result, health records go for as much as 40 times as much on the black market as a credit card number.
HIPAA was designed to protect this sensitive information. Complying with HIPAA is a necessary step for healthcare cybersecurity, but it should be viewed as a minimum standard. Many institutions in the healthcare industry employ additional standards such as NIST or ISO to further protect their cybersecurity.
Credit: Muhannad Ajjan
Learn more about Foresite's other cybersecurity solutions
Cybersecurity Compliance Certifications
Knowing what the standards are is only part of the battle against cybersecurity threats. How to comply with those standards is another story.
Many standards’ systems have associated certifications. ISO and PCI administer certifications themselves, while other standards systems such as HIPAA have certifications through independent certifying bodies.
While complying seems like an onerous cost, it pales in comparison to the cost of mitigating an ongoing breach, paying out settlements to customers, losing trust in your business, and sometimes paying fines incurred.
The new Foresite Integrated Risk Management (FIRM) solution, provides automated risk assessments tailored to an organization’s compliance needs, supporting around 200 compliance frameworks out of the box.
Whether you are looking to start your compliance journey or improve your current security posture FIRM can help your team get there faster and at a fraction of the cost.
To get started with Foresite’s cybersecurity offerings, contact us today for a free quote.