One of the fastest-growing sectors in the information security field is compliance. Compliance means ensuring that your organization obeys internal policies, as well as any applicable laws or other regulatory requirements.
Regulatory requirements are the laws enacted by the federal government and individual states to establish what is acceptable in business.
The United States lacks a single federal law or regulation that covers all aspects of cybersecurity and defines what is acceptable behavior regarding data and customer information. Your security program, together with the security technologies supporting it, is therefore critical to ensuring compliance with a growing number of regulations.
The following are some of the regulations and laws that address network security and/or data protection:
1. Health Insurance Portability and Accountability Act (HIPAA)
Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. HIPAA is best known for its data protection rules that address the security and privacy of protected health information (PHI).
PHI is any individually identifiable information about a person’s health. Of the major rules under HIPAA, the Security Rule has direct implications on network security, requiring layers of administrative, physical, and technical safeguards.
The administrative safeguards include adopting a written set of privacy procedures, restricting employee access to electronic protected health information (EPHI), performing internal audits for HIPAA compliance, and implementing procedures for addressing and responding to security breaches.
Physical safeguards include implementing physical access controls to facilities, along with maintaining related records and visitor records.
Technical safeguards include implementation of information systems that deter intrusion, ensuring the confidentiality and integrity of EPHI, requiring authentication of all system users, and monitoring system access, among others.
2. HITECH Act
Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act expanded the scope of privacy and security protections available under HIPAA and motivated the widespread adoption and standardization of health information technology.
Originally, providers that sought to adopt electronic health record (EHR) systems could apply for monetary incentives to help pay for the transition to EHR platforms.
Those incentives expired in 2015. Under the HITECH Act, the Department of Health and Human Services (HHS) may directly require business associates to comply with HIPAA.
Compliance requires protecting PHI, detecting breaches, and reporting violations of HIPAA to covered entities. Business associates are subject to HIPAA audits, and penalties can be levied for failing to comply with the HIPAA Security and Privacy Rules.
3. Gramm-Leach-Bliley Act (GLBA)
The Safeguards Rule within the Gramm-Leach-Bliley Act (GLBA) is concerned with information security policies. Financial institutions must develop and comply with a comprehensive information security policy that includes safeguards for the handling of sensitive customer information.
The plan calls for regular monitoring and testing of the safeguards. Companies are also required to implement a continuous risk management program.
The program must initially identify potential risks to the company’s infrastructure and information. After the company meets GLBA’s initial risk identification requirement, risks must be reassessed should the firm’s business or technology change. The company must also update its written policies and procedures, if needed.
4. Sarbanes-Oxley (SOX)
The Sarbanes-Oxley (SOX) Act of 2002 was created to protect investors by requiring publicly traded companies to validate controls securing financial data. SOX accomplishes this by imposing harsh penalties and making corporate officers personally responsible for the disclosures.
Two sections of the Act place significant constraints on IT security.
- Section 302, “Corporate Responsibility for Financial Reports,” requires the chief executive officer (CEO) and chief financial officer (CFO) to personally certify the accuracy of financial reports. They must also ensure that internal controls are followed, assessed, and reported every quarter.
- Section 404, “Management Assessment of Internal Controls,” requires the company to prove that its controls are effective. This occurs through a management assessment and an audit by a public accounting firm.
The results must be published in the company’s annual report. SOX affects IT departments in the form of record retention policies and access to an organization’s electronic records, such as email and accounting system data.
5. Family Educational Rights and Privacy Act (FERPA)
Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student information. FERPA applies to the data maintained by educational institutions that accept federal funding.
Those schools must implement security controls in IT systems to protect the privacy of electronic student records.
6. Payment Card Industry Data Security Standard (PCI-DSS)
The Payment Card Industry Data Security Standard (PCI-DSS) ensures the confidentiality, integrity, and availability of cardholder data and transaction-processing functions. The latest PCI-DSS standard addresses numerous security matters and PCI compliance requirements.
Each requirement addresses specific controls for securing IT infrastructures, such as installing firewalls, using encryption, implementing anti-malware, performing ongoing security risk assessments, security testing, and much more.
Although the regulations above are governmental controls, PCI-DSS is an industry standard rather than a law.
The power of the council that developed it, and the incentive to comply, lies in the consequence of noncompliance: a company that fails to comply can permanently lose the ability to accept credit card transactions. The council, comprised of the largest credit card–issuing companies, established the standard in an attempt to ward off governmental control of credit card usage.
7. General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that protects citizens’ privacy and information. Like HIPAA, noncompliance can result in financial penalties. GDPR applies to countries in the EU, as well as companies that handle data from EU organizations or EU citizens.
One of the biggest changes GDPR introduced to information security is the default opt-out: all citizens are automatically opted out of marketing and solicitation campaigns, and by default their data is not stored unless the storage meets a requirement described in the regulation.
Otherwise, the person must explicitly opt in, meaning they elect to receive solicitations and to have their protected information stored.
Data sovereignty, the concept that data is subject to the laws of a country in which it is stored, is becoming a challenge for businesses as their operations move to the cloud.
You may also want to know:
Under HIPAA, covered entities may use PHI in certain ways. A covered entity may be a health plan, healthcare clearinghouse, or any healthcare provider that transmits PHI in an electronic form. HIPAA also applies to the business associates of covered entities. A business associate is an organization that performs a healthcare activity for a covered entity, such as a lab processing a blood sample.
Although compliance with regulations affects different groups within an organization, IT departments are responsible for implementing the compliance controls.
Therefore, IT staff should stay up to date on the latest regulations. A sound governance, risk management, and compliance (GRC) program within the organization can make the process much more efficient and effective.