Knowing what expertise is available and which standards are relevant to your sector are the first steps towards ensuring an organization is compliant with regulations.
In our previous article we introduced some terminology and fundamental concepts on data security regulation compliance. The opportunities presented by compliance and the penalties involved for non-compliance were discussed. The article also listed a number of general regulations and some specific ones related to different sectors, such as healthcare, finance and education.
Now, we delve a little deeper into compliance and lay out a roadmap for organizations on what will most likely be a non-linear journey.
- Step 1: Before You Begin
Regulations are written by legal experts, and must be crafted in such a manner that they can be debated robustly by teams of experts in a court of law. That is, they are rarely technical documents with the kind of step-by-step instructions we are used to in the IT world.
The first question an organization must ask, then, is: Do we have the expertise to interpret and apply these regulations to our practices? If the competences required are not in-house, or if you think the in-house resource(s) would benefit from additional help, then it may be best to sub-contract an external consultant.
For organizations whose core function does not justify full-time data security experts, hiring an outside professional will be money well spent. Many security companies supply assessment services against recognized standards and best practices. Often, they will provide advice to improve security and data privacy, and the documented results can be used to validate the organization’s performance.
- Step 2: Identify General & Sector-Specific Regulations
Once the expertise has been engaged (in-house or otherwise), work can begin on identifying regulations relevant to the organization. Start with the most general ones:
- Federal Information Security Management Act (FISMA), U.S.: FISMA requires federal agencies to provide security programs for the information and systems that support their operations and assets, including those provided or managed by another agency, contractor or other source.
- Security of Network and Information Systems (NIS Directive), Europe: The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU, such as requiring member states to be “appropriately equipped to implement security measures; cooperate with other member states; and, ensure a culture of security across sectors and in particular among operators of essential services.”
- General Data Protection Regulation (GDPR), Europe: GDPR replaces the Data Protection Directive 95/46/EC and seeks to harmonize data privacy laws across Europe. It protects and empowers all EU citizens’ data privacy and reshapes how organizations across the region approach data privacy.
You can then begin focusing on regulations specific to your organization’s sector, be it finance, healthcare, etc. Bear in mind that the geographic jurisdiction(s) where you operate will dictate which regulations apply. For example, if you are based in Canada but carry out work in France, then you may be liable to comply with French as well as Canadian regulations. It is beyond the scope of this article, but the use of Cloud computing resources for storing and processing data must also be considered: the geographic, and therefore legal, jurisdiction of Cloud providers is an ongoing issue.
- Step 3: Link to Standards
Understanding the Difference Between Regulations & Standards
Conforming with information security-related standards can significantly assist an organization on the path to regulatory compliance. But what’s the difference between standards and regulations? The main distinction lies in compliance: complying with standards is voluntary, but complying with regulations is mandatory.
Standards are guidelines, often drawn up by industry actors and agreed upon via a consensus process, that are then approved by a recognized (or standardization) body.
Regulations are legal and/or industry requirements, laid down by government or statutory authority, that can be used to force organizations to carry out certain security measures or impose penalties if measures are not carried out.
How Standards Can Help You Reach Compliance
A correlation exists between organizations that fully conform with standards and those that are compliant with regulation. In other words, the first step towards compliance is conforming with the relevant standards. Mirroring the regulatory environment, there are general standards and sector-specific standards. Here are two well-established international standards:
- ISO 27000: A family of more than a dozen standards to help manage the security of assets such as financial information, intellectual property, employee details or information entrusted to the organization by third parties. The level of specificity can be seen in the examples below:
  - 27002: Code of practice for information security controls
  - 27005: Information security risk management
  - 27010: Addressing inter-sector and inter-organizational communications
- PCI-SSC: The Payment Card Industry Security Standards Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa. Its standards are relevant for organizations that work with payment cards, including financial institutions, point-of-sale vendors, and hardware and software developers who create infrastructure for processing payments. Its core work involves the PCI Data Security Standard (PCI DSS), a framework for developing a payment card data security process, including prevention, detection and appropriate reaction to security incidents.
Standards are not legal documents, and various bodies publish guidelines that may be useful to particular organizations. For example, the Cloud Security Alliance (CSA) provides a Cloud Controls Matrix (CCM), which “rests on a customized relationship to other industry-accepted security standards, regulations and controls frameworks such as the ISO 27001/27002.” The CCM contains principles for Cloud vendors that assist prospective customers in assessing the overall security risk of a Cloud provider.
Before going too far into any particular set of standards or guidelines, organizations should remember a simple rule of thumb: the more widely recognized the standard you conform with, the closer you get to complying with regulation. Finally, note that some standards documents are protected by copyright law and are not always freely available.
- Step 4: Make a Plan to Implement Standards
After the relevant regulations and supporting standards have been identified, you must assess how much work will be involved in implementing the standards. Consider the following: changes to existing work practices, staff training, additional resources (e.g., online storage), and the gathering and storing of accompanying evidence. Additionally, how many of your practices already fall within the standards?
Use these primer questions to develop a cost-benefit analysis. Would the costs outweigh the benefits for some non-core standards that are perhaps not fully relevant to the organization?
When target standards have been identified and existing practices mapped to them, organizations will have already begun building their bank of evidence. This set of data will demonstrate to standardization bodies that relevant standards are being implemented. If and when required, it will also help demonstrate that regulations are being followed.
After the initial compliance data are in place, the next step is to ensure they are updated regularly by building compliance into the organization’s risk management program.
- Step 5: Incorporate Compliance Into Risk Management
While they may vary in detail, most strategies for organizational risk management are built on a continuous cycle: identify, analyze, evaluate, treat and monitor. If organizations have followed the preceding steps, then they have already gone some way towards managing risk related to data security. Compliance risk assessment can now run concurrently with the wider risk assessment of the organization.
In contrast to other headline risks within an organization — such as financial, operational and strategic — compliance risks can be interpreted as being externally driven. Identifying laws that the organization must comply with, as in Step 2 above, is the first part of assessing compliance risk. However, best practices (standards) and initial compliance should be stress-tested at the risk management stage. How far inside the boundary of standards are everyday operations and practices? If pushed, would they drop outside the safety zone? How close would they then come to non-compliance?
Regular analysis of compliance must be given due attention in the organization’s overall risk management program. Responsibility must be assigned to the appropriate person, who will consider compliance in legal terms but also separately at operational and reputational levels.
- Step 6: Audit for Compliance
The final piece of the compliance jigsaw is auditing: verifying an organization’s compliance. Should it be done internally, externally or both?
The compliance data themselves and the documented compliance risk assessment are both audit materials. From here, the compliance expertise engaged at Step 1 above (in-house or external) should guide the internal audit process. As with risk assessment, auditing for data security compliance requires its own position within the wider internal auditing procedure. If risk assessment is carried out thoroughly, then internal auditing will be a straightforward follow-on task.
External audits should augment and validate internal ones. People outside the organization who can audit for data security include standards bodies and national commissioners or regulators — often a government or industry-appointed agency. Numerous private companies also offer their auditing services, and will use regulations and standards as the metrics for their work. External auditing will involve a financial outlay for organizations, and a cost-benefit analysis will again be required. The following differences between internal and external audits may be useful:
| | Internal audit | External audit |
|---|---|---|
| Responsibility | Management | Customers and general public |
| Reports | Specific to organization | General and allow comparison to similar organizations |
| Scope | Narrow, possibly department level | Wide, organization level |
| Timeliness | Regular, flexible | Given times of year, but on-request may be possible |
| Carried out by | Organization employees | Recognized industry firms |
Sources:
- Risk Management, NIST
- The Directive on security of network and information systems (NIS Directive), European Commission
- GDPR Overview, EU General Data Protection Regulation
- PCI Security, PCI Security Standards Council
- Cloud Controls Matrix Working Group, Cloud Security Alliance
- The difference between internal and external audits, Accounting Tools