Organizations need to protect themselves from threats and risks coming from cybercriminals. For the same, there are a certain set of policies, standards, and compliance frameworks that need to be implemented for better resilience and threat evasion. These are put in place to ensure that all the security measures are deployed, that common attack vectors are investigated, and the impact of a cyberattack is minimized. Compliance is mandatory for organizations to have risk management and control in place. In this article, we have tried to address different cybersecurity policies, standards, and compliance frameworks.
Cybersecurity Policies, Standards, and Compliance Frameworks
NIST is a cybersecurity framework consisting of five elements- identify, protect, detect, respond, and recover. Every industry can adopt NIST, regardless of size or sector, enabling them to further comply with the Cybersecurity Act of 2015 and the Federal Information Security Management Act (FISMA).
Certain functions within each term can include:
- Taking actions such as establishing policies.
- Managing access controls and maintaining backups.
- Detecting threats via logs and thoroughly defined action items.
- Having a response plan in place.
One can review and download the NIST Framework V1.1 here.
PCI DSS stands for Payment Card Industry Data Security Standard (PCI DSS) and is a governing body established to regulate credit card information and payment information. To ensure customers’ safety, PCI DSS is mandatory for businesses that accept, store, and conduct online transactions; this includes merchant and financial services providers.
PCI DSS protects customer-sensitive information associated with the cards, and runs payments processes securely. PCI DSS was established by known entities like American Express, MasterCard, Visa, etc. They cover various solutions such as assessing card productions, internal security, PIN assessors, and PCI investigations, qualified software vendors, point-to-point encryptions etc.
HIPAA stands to protect PHI (Protected Health Information), such as medical records and servers storing health-related information of the users. Various devices such as digital watches and health apps are mandated to follow HIPAA along with hospitals, insurance industries, etc. HIPAA came into practice in 1996 and is specific to the United States.
HIPAA recently launched Security Risk Assessment Tool (SRA Tool), enabling professionals to conduct security risk assessment along with a workbook and guide. Further, individuals can register a complaint if they identify businesses violating HIPAA compliance, resulting in civil and criminal penalties.
The Indian government introduced a HIPAA equivalent in India called Digital Information Security in Healthcare Act (DISHA).
GDPR is General Data Protection Regulation and applies to all European Union (EU) residents. For all the services interacting with EU residents, GDPR mandates them to implement security measures and protect their personal information.
GDPR requires organizations with over 250 employees to get compliant. They must mandatorily keep data processing activities and seek consent from the users while acquiring their personal data. One can seek guidance through 99 articles presented and get GDPR compliant. A general checklist assessment can be found here.
Similarly, a legislation in India called the Personal Data Protection Bill (PDPB) is GDPR equivalent.
ISO 27001 is an information security compliance certification that organizations undergo to assess standard implementations. Getting ISO 27001 certified ensures risk mitigation, proactiveness, and data protection. Organizations can get ISMS (Information Security Management Systems) certification to demonstrate the security measures and best practices implemented through a third-party audit.
HITRUST provides solutions and approaches essential for risk management and compliance procedures. It offers a variety of solutions depending on the organization’s size. The HITRUST approach consists of a CSF consisting of a framework for security controls, an academy module for training and implementations, and an assessment platform (MyCSF) which is a SaaS-based tool.
Organizations of various sizes can seek guidance from HITRUST to get compliant for other auditory bodies through their SaaS platforms and RightStart program for startups.
Less Commonly Known Cybersecurity Policies and Compliance Frameworks
Center for Internet Security (CIS) provides a benchmark document indicating best practices. They target various technologies occurring as a part of digital infrastructure such as cloud providers (Alibaba, Amazon, Microsoft, IBM), desktop software (different browsers), operating systems (Debian, Fedora, IBM, Oracle, MacOS), networks (Sophos, Palo Alto, Fortinet), etc.
The COBIT framework was created by ISACA, who offer governance management objectives, overview, and diagnostics through a comprehensive toolkit. There exist different domains for compliance, such as Audit & Assurance, Privacy, Risk, or Information Security, and ISACA offers COBIT guides in selected languages and subjects for the same.
FedRAMP (Federal Risk and Authorization Management Program) is a US-based compliance program for cloud service offerings. There are already 308 organizations with over who are FedRAMP certified. To get the compliance certificate, organizations can approach an agency or Joint Authorization Board (JAB). This program aims to enable the use of modern cloud technologies integrated with security processes to protect sensitive information.
Towards the Conclusion
Here we conclude the topic of ‘Different cybersecurity policies, standards, and compliance frameworks’ and it needs to be highlighted that certain regulations are region and industry-specific. Businesses are mandated to be aware and remain updated about the existing or newly emerging compliances. These regulations can ensure that customer data is safeguarded and the infrastructure is protected.
Author Bio: This article has been written by Rishika Desai, B.Tech Computer Engineering graduate with 9.57 CGPA from Vishwakarma Institute of Information Technology (VIIT), Pune. Currently works as Cyber Threat Researcher at CloudSEK. She is a good dancer, poet and a writer. Animal love engulfs her heart and content writing comprises her present. You can follow Rishika on Twitter at @ich_rish99.