
Learn How to Satisfy Guidelines

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify your organization's capabilities to meet cybersecurity compliance and regulation challenges.
  • Describe how to conduct a cybersecurity compliance assessment.
  • Share an example of how to implement controls to satisfy multiple regulatory requirements effectively.

You’re Here to Help

What’s a video game without its controls? No matter the type of game you’re playing, each is made up of multiple components and capabilities to create an enjoyable, fun, and positive experience.

At your organization, you have the capabilities necessary to safely and securely store, archive, act on, and dispose of data. Let’s highlight just a few of the capabilities you can use to satisfy your cybersecurity compliance goals.

Compliance Goal                  | Your Capability                                                    | It Helps You...
---------------------------------|--------------------------------------------------------------------|--------------------------------------------------------------------------------
Safeguard Assets                 | Implementing risk-based controls                                   | Protect the confidentiality, integrity, and availability of information in accordance with the rules and requirements that apply to your industry.
Manage Cybersecurity Compliance  | Leveraging common frameworks                                       | Manage and monitor compliance for the range of IT regulations and standards that apply to your organization.
                                 | Streamlining and automating information technology (IT) compliance | Consolidate and control data in a central repository.
                                 | Understanding control statements and regulations                   | Reduce the time it takes for control testing, build confidence in your IT compliance, and stay up to date on regulations.
Reduce Risks and Vulnerabilities | Enforcing security policies                                        | Maintain security compliance certifications, answer security questionnaires from business partners and auditors, and keep tabs on vendor compliance.
                                 | Ensuring customer information is safe                              | Protect your organization’s reputation, maintain customer trust, and build customer loyalty.
                                 | Maintaining clear consistent systems for managing sensitive data   | Enable greater operational efficiency.

Using these capabilities, your organization can move up a level in cybersecurity compliance and regulation. Not only do these capabilities help you balance regulatory, security, and reporting concerns, but they also help you create your own solutions by customizing your compliance and regulation approach. 

Assessing Cybersecurity Compliance

Now that you’re aware of your capabilities, let’s look at how you can successfully implement a cybersecurity compliance assessment at your organization. Here’s an example of the steps to assessing controls (different frameworks may use different steps, but the general process is the same).

  1. Identify the regulations, frameworks, and standards your organization must adhere to.
  2. Categorize systems according to the impact if their data were compromised.
  3. Select a baseline of controls based on that categorization.
  4. Select additional controls as needed based on additional requirements.
  5. Implement controls.
  6. Assess whether the controls are meeting their intention through evidence gathering, documentation review, and continuous monitoring.

Let’s meet Allen, a senior manager in Cybersecurity Assessments and Compliance at a financial institution. 

Allen assesses the cybersecurity compliance posture of his financial institution, standing with a long list of rules with a shield and a magnifying glass at the top of it.

Allen starts by identifying what type of data his organization works with, and what requirements may apply. Because the company handles financial data, it is subject to the Payment Card Industry Data Security Standard (PCI-DSS). Allen looks carefully at what sort of protection the organization must offer customers and puts safeguards in place to minimize the chances of a security breach. He knows that PCI-DSS requires special protection of customer credit card data. From a technological perspective, this means that the company must proactively prevent credit information from being compromised and respond quickly if a breach does occur.

PCI-DSS requires controls to be in place for those systems that store and process credit card data. Allen verifies that policies and procedures are in place to govern the activities of personnel who interact with those systems. He also ensures that personnel are trained on their responsibilities of protecting credit card information, so they understand how to properly perform their duties without potentially misusing the system, intentionally or not.

Implement Controls Effectively

Allen knows that he needs to think about more than just PCI-DSS. His organization is required to comply with Federal Financial Institutions Examination Council (FFIEC) requirements for the financial industry. These requirements emphasize continuous monitoring and business continuity management for financial services.

Allen’s director is also interested in using other cybersecurity frameworks to help improve the compliance posture of the bank, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internet Security Critical Security Controls (CIS Controls). Allen outlines all the regulations and frameworks that impact the company, and then determines which security controls to implement to satisfy all the requirements effectively.

Allen knows that different regulations and standards often contain overlapping requirements, so by breaking those requirements down into individual controls and mapping each control to every requirement it satisfies, he can avoid the time, money, and duplicate effort he would otherwise spend implementing competing systems.

Once Allen has selected and implemented the controls, he monitors their effectiveness and documents this information to inform internal discussions about control performance, and to provide to auditors and regulators to demonstrate the financial institution’s compliance.
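The consolidation Allen performs, together with steps 3 and 4 of the assessment process above (select a baseline, then add controls where gaps remain), as an added example that is not part of this module: a small Python script that crosswalks requirements from the four named frameworks onto one de-duplicated control set and reports any requirement no candidate control covers. Every requirement and control identifier is a constructed placeholder, not real numbering from PCI-DSS, FFIEC, NIST CSF, or CIS Controls.

```python
"""Crosswalk overlapping framework requirements onto one control set.
All identifiers are constructed placeholders, not real framework numbering."""
from typing import Dict, List, Set, Tuple

# Constructed sample: framework -> requirement id -> short description.
REQUIREMENTS: Dict[str, Dict[str, str]] = {
    "PCI-DSS":  {"PCI-R1": "Encrypt stored cardholder data",
                 "PCI-R2": "Restrict access to cardholder data by need to know",
                 "PCI-R3": "Log and monitor access to cardholder data"},
    "FFIEC":    {"FFIEC-R1": "Continuously monitor systems for anomalies",
                 "FFIEC-R2": "Maintain and test a business continuity plan"},
    "NIST CSF": {"CSF-R1": "Manage identities and access",
                 "CSF-R2": "Protect data at rest",
                 "CSF-R3": "Detect anomalous events"},
    "CIS":      {"CIS-R1": "Control access based on need to know",
                 "CIS-R2": "Collect and retain audit logs"},
}

# Constructed sample: candidate control -> requirement ids it satisfies.
CONTROLS: Dict[str, Set[str]] = {
    "CTL-ENCRYPT-AT-REST": {"PCI-R1", "CSF-R2"},
    "CTL-RBAC":            {"PCI-R2", "CSF-R1", "CIS-R1"},
    "CTL-CENTRAL-LOGGING": {"PCI-R3", "CIS-R2"},
    "CTL-SIEM-MONITORING": {"PCI-R3", "FFIEC-R1", "CSF-R3", "CIS-R2"},
    "CTL-DLP":             {"PCI-R1"},  # redundant once encryption is chosen
}

def all_requirements(reqs=REQUIREMENTS) -> Set[str]:
    return {rid for framework in reqs.values() for rid in framework}

def select_controls(controls=CONTROLS, reqs=REQUIREMENTS) -> Tuple[List[str], Set[str]]:
    """Greedy set cover: repeatedly pick the control that satisfies the most
    still-uncovered requirements. Returns (chosen controls, unmet requirements)
    so gaps that need an additional control are reported, not silently dropped."""
    uncovered = all_requirements(reqs)
    chosen: List[str] = []
    while uncovered:
        best = max(controls, key=lambda c: len(controls[c] & uncovered))
        gain = controls[best] & uncovered
        if not gain:  # no remaining candidate helps: what is left is a gap
            break
        chosen.append(best)
        uncovered -= gain
    return chosen, uncovered

def coverage_by_framework(chosen, controls=CONTROLS, reqs=REQUIREMENTS) -> Dict[str, float]:
    """Fraction of each framework's requirements satisfied by the chosen controls."""
    satisfied = set().union(*(controls[c] for c in chosen)) if chosen else set()
    return {fw: len(satisfied & set(r)) / len(r) for fw, r in reqs.items()}

if __name__ == "__main__":
    picked, gaps = select_controls()
    print("Controls:", picked, "Gaps:", sorted(gaps), "Coverage:", coverage_by_framework(picked))
```

With this sample, three controls cover nine of the ten requirements, the two redundant candidates are never selected, and the business-continuity requirement surfaces as the gap that step 4 would fill with an additional control.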

Sum It Up

Using a cybersecurity assessment and a structured approach to identifying regulations and implementing controls, you’ve successfully created your own solution to meet cybersecurity regulations and to better safeguard customers against cybersecurity attacks. Pretty cool, right? So, what are you waiting for? Get out there and start your next cybersecurity regulatory compliance conversation. Interested in learning more about cybersecurity topics? Head on over to the Cybersecurity Learning Hub to explore more and hear from real security practitioners.
