VICEINTELPRO
GitHub: HorrorClause

Compliance and Frameworks


Last updated 3 months ago

Organizations need to follow security frameworks to reach a minimum standard of security, and businesses operating in specific industries will also need to comply with additional legislation and regulations. This lesson covers what compliance is, commonly followed frameworks and standards, and why it is important not just to protect the business, but also to maintain a high level of trust with clients.

What is Compliance?

Compliance is defined as following rules and meeting the requirements of specified frameworks. Organizations operating in different industries will have specific compliance frameworks that they need to comply with. For example, businesses that process or store data on citizens of the European Union (EU) will need to comply with the General Data Protection Regulation (GDPR), while organizations that process card payments will need to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). We will cover both of these and more below.

Why is it Important?

Not only does following compliance frameworks increase trust between customers and partners, it is also often a legal requirement, and not complying would result in legal and regulatory fines. Following these frameworks ensures that the organization has a good baseline level of security, making it better equipped to respond to security events and incidents and reducing both risk and impact.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas, with the primary aim to give control to individuals over their personal data.

Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate). Data controllers must design information systems with privacy in mind, for instance, use the highest-possible privacy settings by default, so that the datasets are not publicly available by default, and cannot be used to identify a subject. No personal data may be processed unless this processing is done under one of six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest, or legal requirement). When the processing is based on consent the data subject has the right to revoke it at any time.

Data controllers must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EEA. Data subjects have the right to request a portable copy of the data collected by a controller in a common format, and the right to have their data erased under certain circumstances. Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

ISO 27001

ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee.

ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following the successful completion of an audit.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data in order to reduce credit card fraud.

Validation of compliance is performed annually or quarterly, by a method suited to the volume of payment transactions handled:

  • Self-Assessment Questionnaire (SAQ) — smaller volumes

  • External Qualified Security Assessor (QSA) — moderate volumes

  • Firm-specific Internal Security Assessor (ISA) — larger volumes; involves issuing a Report on Compliance

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a regulation intended to help covered entities and their business associates protect Electronic Protected Health Information (ePHI). The U.S. Department of Health and Human Services (HHS) outlines who HIPAA applies to in its definition of a covered entity. HIPAA also applies to companies that provide services involving ePHI, such as suppliers or outsourced IT providers.

The primary goal of HIPAA is to protect ePHI, which includes names; dates such as birth, admission, discharge, and death; telephone numbers; SSNs; photographs; addresses; and similar identifiers. Companies under this regulation will need to implement technical and procedural controls to protect this information and perform risk analysis of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Technical controls include such things as encryption, authentication, password complexity, access auditing, and segmentation, while procedural controls include such things as password policies, incident response plans, contingency plans, and audit procedures.
