How do you implement regulatory compliance in IT?
A patchwork of laws, regulations and standards applies to organizations, many of them requiring public disclosure of security breaches that involve private information. Organizations are either mandated or incentivized to build and improve their information security programs to avoid security breaches, penalties, sanctions and embarrassing news headlines.
Organizations can enforce regulatory compliance mandates through security governance, which incorporates activities such as risk management. This includes regulatory compliance risks, incident response, process improvement, event identification, business continuity and disaster recovery planning and resource management as well as the establishment of metrics to measure progress and efficiency. Through information security governance, organizations can establish an effective structure and clear statements of roles and responsibilities that are in lockstep with business stakeholders, the legal team and IT. Among other things, security governance helps identify compliance risk and address countermeasures in IT security policy, including technical and organizational controls and guidelines for operational teams to follow.
The cost of compliance
Achieving and maintaining adherence to various compliance regulations is a complex and expensive process. It requires the legal and IT teams to translate a regulation to their organization, perform a gap assessment and then create and revise IT security policies and guidelines. It also requires organizations to implement new processes or capabilities while amending existing ones, regularly monitoring effectiveness and providing validation of compliance to government entities or IT auditors. For many organizations, the required time, resources and staffing result in millions of dollars spent on top of their normal operational costs. However, maintaining compliance is often much less costly than the fines incurred by a regulatory violation and the time and effort required to regain customer trust.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. Enacted in 1996, HIPAA standardizes the handling of patient data collected by medical offices, hospitals, health insurance companies and other health care providers. HIPAA compliance is enforced by the Department of Health and Human Services (HHS), primarily through its Office for Civil Rights (OCR). Non-compliance can result in civil and criminal penalties: civil penalties of up to $50,000 per violation and criminal penalties of up to 10 years in prison.
HIPAA incorporates several interlinked regulatory rules, including:
- HIPAA Privacy Rule: This rule sets national standards for the use and disclosure of protected health information (PHI), which covers all the information in an individual’s medical records, including contact details, Social Security numbers, financial data, diagnoses, treatments and other personal data. It applies only to HIPAA “covered entities.”
- HIPAA Security Rule: This rule specifies administrative, physical and technical safeguards for PHI that is created, stored, transmitted or received electronically (ePHI). Because electronic data is shared with service providers, this rule applies to both HIPAA covered entities and their “business associates,” the service providers that handle PHI on their behalf.
- HIPAA Breach Notification Rule: This rule outlines the procedures that HIPAA covered entities and their business associates must follow in the event that PHI is exposed.
- HIPAA Enforcement Rule: This rule details the procedures and penalties relating to HIPAA violations.
HIPAA compliance establishes standards for how healthcare organizations from hospitals to health plans handle patient data.
The HHS defines a HIPAA breach as “generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” For example, an unencrypted laptop containing hundreds of patients’ PHI stolen from an unsecured room in a doctor’s office would constitute a breach.
What is required for HIPAA compliance?
HIPAA compliance requires safeguarding patients’ PHI in all its forms: verbal, physical and electronic. The HIPAA Journal outlines seven steps to becoming HIPAA compliant: developing and enforcing policies and procedures; appointing a HIPAA Compliance Officer; conducting effective employee and management training; establishing effective channels of communication; conducting internal monitoring and auditing; responding to breaches and undertaking corrective action; and assessing policies and procedures and amending them as necessary.
What is GDPR?
GDPR, which stands for General Data Protection Regulation, was adopted in 2016 and applies to all organizations within the EU, as well as those based abroad that offer goods or services to, or monitor the behavior of, people in the EU. Since fully going into effect in 2018, GDPR has been the primary law governing the protection and privacy of individuals’ personal data in the European Union. GDPR, which replaced the EU Data Protection Directive 95/46/EC, introduced requirements including:
- Establishing a lawful basis, such as the individual’s consent, before personal data is collected or processed
- “Pseudonymization” of collected data to protect privacy
- Notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it
- Following the rules for the transfer of personal data outside the EU
- Appointing a Data Protection Officer (DPO) within certain organizations to oversee GDPR compliance
Non-compliance can result in fines of up to 4 percent of annual worldwide turnover or €20 million, whichever is higher.
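Pseudonymization, mentioned in the list above, is the one item here that is a concrete technique, and it is easy to get wrong: hashing an email address with plain SHA-256 produces a token that anyone can reverse by hashing guesses, so the data is not really pseudonymized. The following Python example is added here and is not part of the original article; it shows a keyed approach (HMAC-SHA256 with a secret held apart from the dataset, which plays the role of the “additional information kept separately” in GDPR’s definition of pseudonymization), a lookup table for controlled re-identification, and a dictionary attack that succeeds against the unkeyed token and fails against the keyed one. The records, field names and key handling are constructed for illustration.

```python
"""Keyed pseudonymization of personal data (added example).

GDPR treats data as pseudonymized only when it can no longer be attributed
to a person without additional information that is kept separately. Here
that additional information is a secret HMAC key (and the lookup table it
produces), which must live outside the analytics dataset. Records, field
names and key handling below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records: direct identifiers plus analytics attributes.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "national_id": "123-45-6789",
     "plan": "gold", "spend": 120.50},
    {"email": "Bob@Example.com", "national_id": "987-65-4321",
     "plan": "basic", "spend": 15.00},
]
IDENTIFIER_FIELDS = ("email", "national_id")


def naive_token(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone can reverse it by
    hashing guesses (emails and national IDs have little entropy)."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def keyed_token(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256 over field name + value.

    Normalizing the value (strip/lower) makes one person map to one token
    across records; prefixing the field name is domain separation, so an
    email token can never be matched against a national-ID token.
    """
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes, fields=IDENTIFIER_FIELDS):
    """Replace identifier fields with keyed tokens.

    Returns (pseudonymized_records, lookup_table). The lookup table
    (token -> original value) is what lets the controller re-identify a
    data subject, e.g. to answer an access or erasure request; it must be
    stored separately from the dataset under stricter access control.
    """
    out, lookup = [], {}
    for rec in records:
        new = dict(rec)
        for field in fields:
            if field in new:
                tok = keyed_token(key, field, new[field])
                lookup[tok] = new[field]
                new[field] = tok
        out.append(new)
    return out, lookup


def dictionary_attack(tokens, candidate_values, token_fn):
    """Recover originals by tokenizing guesses and matching.

    With token_fn = naive_token this recovers every guessed value; against
    HMAC tokens the attacker lacks the key, so nothing matches.
    """
    table = {token_fn(c): c for c in candidate_values}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, rotated
    pseudo, lookup = pseudonymize(SAMPLE_RECORDS, key)
    for rec in pseudo:
        print(rec)
    guesses = ["alice@example.com", "carol@example.com"]
    weak = [naive_token(r["email"]) for r in SAMPLE_RECORDS]
    print("naive tokens reversed:", dictionary_attack(weak, guesses, naive_token))
    strong = [r["email"] for r in pseudo]
    print("keyed tokens reversed:", dictionary_attack(strong, guesses, naive_token))
```

The design point is that the key and lookup table are the controlled “additional information”: if they are stored alongside the dataset, or if the key is derived from something guessable, the data is effectively identifiable again and the pseudonymization gives no protection.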
What is considered a GDPR breach?
A GDPR personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This broad definition covers more than hacking: a compromised network that exposes customer information is a breach, but so is a hard drive that is unintentionally erased with no backup, since loss of availability counts.
What is required for GDPR compliance?
GDPR compliance requires that data controllers (the organizations that determine why and how personal data is processed) and data processors (the entities that process the data on a controller’s behalf) meet the regulation’s standards for collecting, storing and processing the personal data of individuals in the EU.
What is PCI?
PCI is commonly used as shorthand for the Payment Card Industry Data Security Standard (PCI DSS). First released in 2004, the standard has been updated regularly to improve the security of payment processing both on- and offline. PCI DSS applies to any organization that accepts, transmits or stores cardholder data, regardless of its size or number of transactions. The standard is managed by the Payment Card Industry Security Standards Council and enforced by the five major card brands through their contracts with acquiring banks. PCI compliance violations can result in the acquiring bank being fined from $5,000 to $100,000 per month, fines that are typically passed on to the offending merchant.
What is considered a PCI breach?
A PCI breach is any incident in which cardholder data is accessed, viewed or taken without authorization. A breach can be the result of a malicious hack, the theft of an unsecured laptop or any incident that exposes a cardholder’s data to unauthorized users.
What is required for PCI compliance?
All 12 PCI DSS requirements apply to every organization that handles cardholder data, but how compliance must be validated (a self-assessment questionnaire versus an on-site assessment by a Qualified Security Assessor) depends on a business’ transaction volume. Each major card brand has slightly different details, but generally there are four merchant levels:
- Level 1: Merchants that process more than 6 million transactions annually
- Level 2: Merchants that process between 1 and 6 million transactions annually
- Level 3: Merchants that process between 20,000 and 1 million e-commerce transactions annually
- Level 4: Merchants that process fewer than 20,000 e-commerce transactions annually, along with all other sellers that process up to 1 million transactions annually
PCI DSS specifies 12 primary requirements to protect cardholder data:
- Install and maintain a firewall
- Don’t use vendor-supplied defaults for system passwords and other security measures
- Protect stored cardholder data
- Encrypt the transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data within the business on a need-to-know basis
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
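Requirements 3 and 10 above meet in practice in application logs: cardholder data that is “protected” in the database often leaks in clear text into checkout or debug logs. The following Python example is added here and is not PCI SSC material or code from the original article; it is a log scrubber that finds candidate card numbers, confirms them with the Luhn checksum (so order numbers and timestamps are left alone) and masks them so that no more than the last four digits survive, which is inside the first-six/last-four ceiling PCI DSS places on displayed PANs. The log lines are constructed samples and the card numbers are public test numbers.

```python
"""Detect and mask primary account numbers (PANs) in log lines (added example).

Cardholder data that is protected in the database frequently leaks in clear
text into checkout or debug logs. This scrubber finds 13-19 digit runs
(allowing space or dash separators), confirms each with the Luhn checksum so
order numbers and timestamps are left intact, and masks the rest so that at
most the last four digits remain. The log lines and card numbers below are
constructed samples (the PANs are public test numbers, not real cards).
"""
import re

# 13 to 19 digits, optionally grouped by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN, dropping separators.

    PCI DSS allows at most the first six and last four digits to be
    displayed; the caps below enforce that ceiling, and the default keeps
    only the last four, which is usually all a log needs.
    """
    digits = re.sub(r"\D", "", pan)
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def scrub_line(line: str, **mask_kwargs):
    """Mask every Luhn-valid PAN candidate in one line.

    Returns (scrubbed_line, number_of_pans_found); the count is worth
    alerting on, since any hit means the application is logging card data.
    """
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)       # not a card number: leave it alone
        found += 1
        return mask_pan(digits, **mask_kwargs)

    return PAN_CANDIDATE.sub(repl, line), found


def scrub_log(lines, **mask_kwargs):
    """Scrub a sequence of lines; returns (scrubbed_lines, total_pans_found)."""
    scrubbed, total = [], 0
    for line in lines:
        out, n = scrub_line(line, **mask_kwargs)
        scrubbed.append(out)
        total += n
    return scrubbed, total


# Constructed log lines: two test PANs (one with separators), a 16-digit
# order id that fails Luhn, and a 13-digit epoch timestamp that must survive.
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z INFO checkout pan=4111111111111111 amount=19.99",
    "2024-05-01T12:00:02Z DEBUG form card='5555 5555 5555 4444' cvv=***",
    "2024-05-01T12:00:03Z INFO order_id=1234567890123456 status=paid",
    "2024-05-01T12:00:04Z INFO epoch_ms=1714564804000 retry=0",
]

if __name__ == "__main__":
    clean, hits = scrub_log(SAMPLE_LOG)
    print("\n".join(clean))
    print(f"{hits} PAN(s) masked")
```

Scrubbing at the log pipeline is a compensating control, not a fix: the count returned by the scrubber should feed an alert so the application that emitted the PAN is corrected, because the unscrubbed copy may already sit in a local file or a crash dump.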
What is NIST?
NIST, which stands for National Institute of Standards and Technology, is a non-regulatory agency within the U.S. Department of Commerce that publishes standards and guidelines for science and technology. In the security field, its publications help federal agencies and contractors meet the requirements of the Federal Information Security Management Act (FISMA).
One of the most widely adopted is the Cybersecurity Framework (CSF), a voluntary framework designed to accommodate a wide range of businesses and other organizations seeking to evaluate security controls and proactively assess risk. The Cybersecurity Framework is organized into five main “functions”: Identify, Protect, Detect, Respond and Recover, each containing guidance for that stage of managing a cybersecurity threat.
NIST standards also include Federal Information Processing Standards (FIPS), a set of cybersecurity standards developed by the United States federal government for non-military government agencies, contractors and vendors. Among other things, FIPS establishes requirements for computer security and interoperability where broader industry standards are lacking or don’t exist, providing a framework around encoding data, document processing, encryption algorithms and other IT security processes.
What is considered a NIST breach?
NIST does not provide a specific definition of a breach. Rather, NIST standards, best practices and guidelines provide a framework to keep data secure and safe from threats and attacks both within and outside an organization. As such, they can help prevent breaches as defined by other regulations, such as HIPAA.
What is required for NIST compliance?
NIST compliance standards can vary, as they are often designed to meet specific regulatory requirements. For example, the agency outlines nine steps to FISMA compliance:
- Categorize the information to be protected
- Select minimum baseline controls
- Refine controls using a risk-assessment procedure
- Document the controls in the system security plan
- Implement security controls in appropriate information systems
- Assess the effectiveness of the security controls once they have been implemented
- Determine agency-level risk to the mission or business case
- Authorize the information system for processing
- Monitor the security controls on a continuous basis
Many of NIST’s guidelines are published in the NIST Special Publication 800 series, which addresses the security and privacy needs of the government’s data and information systems.
How do I achieve NIST compliance?
If you’re doing business with the federal government, you will need to determine which mandates you’re obligated to meet. A good starting point is Special Publication 800-171, which explains how information systems and policies must be set up to protect Controlled Unclassified Information (CUI). If you’re working with subcontractors, you will also need to verify their compliance.
What is COPPA?
COPPA, which stands for the Children’s Online Privacy Protection Act, is a federal law enacted in 1998 requiring companies that operate apps, websites and other online services to notify parents and obtain their consent before collecting personal information from children under 13. This information includes name, address, online contact information, Social Security number, username or screen name, geolocation information, any photograph, video or audio file that contains a child’s image or voice, or a persistent identifier (such as a cookie) that can be used to recognize a child. COPPA is enforced by the FTC, and courts can hold operators liable for civil penalties of up to $42,530 per violation.
What is considered a COPPA breach?
A COPPA breach can be anything that violates legal mandates about how children’s data is collected and used. For example, a music streaming site would be in violation of COPPA if it allowed a child under 13 to register for an account without first obtaining parental consent. A business could also be in violation if it takes steps to follow COPPA rules and those methods fail.
What is required for COPPA compliance?
COPPA compliance can be reduced to three basic requirements: obtaining verifiable parental consent before collecting data from children under 13; protecting the confidentiality, security, and integrity of that data; and posting clear privacy policies that explain how the collected data is used and stored. To achieve COPPA compliance, the FTC provides a detailed FAQ, and recommends you read the FTC’s Children’s Privacy guidance materials and the FTC’s “Six-Step Compliance Plan for Your Business.” You can also send an email to the COPPA hotline at CoppaHotLine@ftc.gov.
What is CCPA?
CCPA, which stands for California Consumer Privacy Act and goes into effect Jan. 1, 2020, dictates how companies doing business in California can collect and use consumers’ personal information. Personal consumer information is defined as everything from contact details to IP addresses, shopping history and psychological profiles. CCPA stipulates that California residents have a right to know what personal information is being collected about them, to whom that information is disclosed and whether that information is sold. It also grants them the right to access their collected personal information or opt out of the sale of their data, while ensuring equal service and prices whether or not they exercise these privacy rights.
What is considered a CCPA breach?
A CCPA breach is anything that violates California’s existing data breach law, which stipulates that businesses must notify any California resident whose unencrypted personal information is stolen or accessed without authorization. The CCPA expands the definition of “personal information” to include anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
What is required for CCPA compliance?
The bottom line: compliance is a must
Compliance requires diligence, and missteps can heavily impact the bottom line. With new and increasingly prescriptive regulatory requirements going into effect each year, compliance may be the biggest challenge businesses face. But while achieving compliance involves a significant investment of resources, the costs of non-compliance — in terms of both penalties and damage to your business’ reputation — can be far greater. Regulatory requirements are all about mitigating risk, and the best way to protect your business is to determine proactively what specific regulations cover your particular organization, then develop a comprehensive compliance plan to adhere to them.
To learn more, check out these resources on regulatory compliance:
- Knowledge is power: guidance from ICO and NCSC on GDPR security outcomes
- Best practices for using Splunk Enterprise for compliance
- A prescriptive approach to enabling real-time compliance visibility and reporting
- Overcoming the compliance visibility challenge
- Government compliance made easier with Splunk
- New HIPAA and PCI-DSS compliance attestations for Splunk Cloud
- Keeping you ahead of the digital evolution