Learn Compliance and Regulatory Fundamentals
Learning Objectives
After completing this unit, you’ll be able to:
- Describe compliance and regulation's role in cybersecurity.
- Identify regulatory agencies in cybersecurity.
- List common regulations in cybersecurity.
Get Out That Rule Book
Rules, rules, rules. Every video game has its own set of rules. It doesn’t matter whether you follow the game’s instruction manual or make up your own set of rules. So long as everyone agrees to them ahead of time, you’re in for an exciting experience and a level playing field.
Much like video games, our lives are filled with rules. No matter what industry you work in, cybersecurity regulatory compliance, that is, the rules organizations are legally required to follow when protecting sensitive data, is surely a big focus.
What Is Cybersecurity Compliance?
Cybersecurity compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. Regulatory compliance is when an organization follows local, state, federal, and international laws and regulations relevant to its business function.
Compliance and regulatory frameworks are sets of guidelines and best practices that give organizations a common language or standard they can use anywhere from the server room to the boardroom to strengthen security.
Compliance is a critical component of any security program, and it’s no longer a matter limited to highly regulated industries. It’s become an increasingly important part of cybersecurity programs for every business and organization. That’s because cyberattacks continue to evolve in scope and scale, and bad actors target new industries.
Compliance requirements vary and can be imposed by law, by regulatory bodies, and by private industry groups. One important distinction is that some cybersecurity frameworks aren't codified in law at all but are created or maintained by nongovernmental entities. For example, the NIST Cybersecurity Framework and ISO/IEC 27001 are both widely used standards across many industries and government organizations. Companies might be required to adopt these frameworks by contract, by industry expectations, or by partnerships with government or other entities.
The Purpose of Legislation and Regulations
In the interest of protecting sensitive data, lawmakers enact cybersecurity and privacy legislation. Oftentimes lawmakers create new legislation in response to a problem, such as a privacy breach. Following this legislation, regulatory bodies put in place regulations—providing guidelines and best practices based on the industry and type of data—to help organizations improve their information security strategy. Regulatory bodies also enforce compliance with these regulations through fines and other measures.
The Cybersecurity Compliance Puzzle
Depending on your industry, you may be subject to thousands of regulations and compliance requirements. This creates confusion when organizations are unsure which compliance measures they need to attain. Cybersecurity compliance isn't easy. There are dozens of acronyms and hundreds of controls, and many organizations find themselves completely overwhelmed. The difficulty lies in determining which requirements apply, and in interpreting what policies and controls are needed to achieve compliance.
What's more, achieving compliance within a regulatory framework is an ongoing process. Your environment is always changing, and the operating effectiveness of a control may break down. Regular monitoring, remediation, and reporting are a must, and each framework provides guidance on exactly what regular monitoring entails. Part of compliance is documenting evidence of how your organization has implemented the stated policies, standards, laws, and regulations, so that it can issue the proper attestations as required.
Regulatory Agencies in Cybersecurity
Although computer security as a concept has been around since the 1970s, it was in the 1990s and early 2000s that more and more of the world came online, email proliferated, files were shared, and the number and impact of new viruses and malware exploded. In response, legislators across the globe created a variety of cybersecurity regulations to mandate protections for healthcare organizations, financial institutions, and government agencies to help protect the sensitive data they gathered, collected, stored, and processed.
In addition, a variety of organizations have enacted laws, imposed fines/penalties, and created frameworks to improve cybersecurity risk management practices. Here’s who leverages these compliance and regulatory standards.
- Internal auditors and other internal stakeholders to evaluate the controls in place within their own organization
- External auditors to evaluate and attest to the controls in place within an organization
- Third parties (potential customers, investors, and more) to evaluate the potential risks of partnering with an organization
To protect consumers from cybercriminals and ensure transparency, lawmakers have empowered several regulatory bodies with oversight authority. While the European Union (EU) has a single data protection law that applies across all member states, the General Data Protection Regulation (GDPR), the US has no single federal law that does the same. What's more, many US states have their own cybersecurity and data breach notification laws. This poses challenges for organizations doing business across the US and globally. For example, a California-based company that does business in the EU needs to know and comply with differing state, federal, and EU breach notification requirements.
While we can’t cover them all, let’s look at some of the regulators in the cybersecurity landscape today.
| Regulatory Agency | Role |
|---|---|
| US Securities and Exchange Commission (SEC) | Enforces requirements for adequate public disclosures regarding cybersecurity risks and material cybersecurity incidents |
| US Office of the Comptroller of the Currency (OCC) | Publishes procedures for managing third-party risk in the financial sector |
| The European Union Agency for Cybersecurity (ENISA) | Makes recommendations to member states on the course of action for security breaches, and provides policy making and implementation support for all member states of the EU |
| The Federal Trade Commission (FTC) | Requires companies to implement security measures and brings enforcement actions against companies it alleges failed to implement reasonable security measures |
| Information Commissioner's Office (ICO) | Regulates and enforces data protection law, including the UK GDPR, in the United Kingdom (UK) |
Cybersecurity Regulations 101
As a security professional, you may be tasked with achieving System and Organization Controls (SOC) compliance for your organization, adopting a NIST framework, or complying with new security laws. These are just a few examples; you likely face many requirements. Let's review some of the regulations that lawmakers have created to strengthen cybersecurity across industries.
| Regulation | Requirements |
|---|---|
| Gramm-Leach-Bliley Act (GLBA) | Requires US financial institutions to implement written policies and procedures that are reasonably designed to ensure the security and confidentiality of customer records and protect against anticipated threats |
| Federal Information Security Modernization Act (FISMA) | Strengthens information security within US federal agencies by requiring them to implement information security programs that ensure the confidentiality, integrity, and availability of their systems |
| California Consumer Privacy Act (CCPA) | Creates a private right of action for California residents affected by a data breach, with statutory damages of $100–$750 per consumer per incident, if the plaintiffs prove the business failed to implement reasonable security procedures |
| GDPR | Sets a single standard for data protection across all EU member states, and applies to organizations established in the EU as well as organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, regardless of where the data is processed |
| Health Insurance Portability and Accountability Act (HIPAA)/HITECH Omnibus Rule | Aims to protect the confidentiality and security of US healthcare information |
| Sarbanes-Oxley Act (SOX) | Requires US public companies to maintain strong internal controls over the IT infrastructure and applications that house the financial information flowing into their financial reports, so that they can make timely public disclosures if a breach affects that information |
Sum It Up
You now have a better understanding of compliance and regulation’s role in cybersecurity. Now let’s continue to Unit 2, where we introduce some major players in cybersecurity compliance and regulation.
Resources
- External Site: Center for Internet Security® (CIS): Cybersecurity Compliance: Start with Proven Best Practices
- External Site: IPOhub®: Cybersecurity Laws & Regulations