Data Security Compliance: Essentials Only

With cyber threats constantly evolving, new compliance regulations are being proposed and enacted around data protection and data privacy. Staying compliant is never an easy task. However, the idea that data protection and compliance must be a core part of all business practices makes a good sense in the end. After all, the goal of data security compliance regulations is to help companies achieve integrity, security and availability of information systems and sensitive data. They provide a set of rules and guidelines that help organizations protect their systems and data from security risks.

In this article, we will review the key facts to know about common data security regulations and explore best practices that can enable you to build a solid ground for compliance.

Regulations focused on data protection

Today there is a variety of laws and regulations focused on data protection; these include standards like General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Family Educational Rights and Privacy Act (FERPA), Gramm–Leach–Bliley Act (GLBA).

Here’s the key information about actual security regulations focused on data protection:

Compliance regulation	Who is affected	Data protected	Key obligations	Penalties
Payment Card Industry Data Security Standard (PCI DSS)	Any business that processes, stores or transmits credit card data	Payment card data in electronic form, during both storage and transmission Payment card data stored in paper-based records	Build a secure network and regularly monitor and test security systems and processes Implement strong access control measures around cardholder data Maintain a vulnerability management program	Fines of up to $100,000 per month for noncompliance Suspension of card acceptance
Health Insurance Portability and Accountability Act (HIPAA)	Every healthcare provider that transmits health information in electronic form	Personally identifiable electronic health information (ePHI)	Ensure the confidentiality, integrity and availability of all ePHI created, received, maintained or transmitted Identify and protect against reasonably anticipated threats and impermissible uses or disclosures	Fines of up to $50,000 per violation, with an annual maximum of $1.5 million Prison terms of up to ten years
Federal Information Security Management Act of 2002 (FISMA)	Every federal agency and its subcontractors and service providers, as well as organizations that operate IT systems on behalf of federal agencies	Federal government information	Categorize types of data stored by the degree of harm their compromise would entail Periodically conduct risk assessments and reduce risk to an acceptable level by implementing appropriate controls	Budget cuts Increased oversight
Family Educational Rights and Privacy Act (FERPA)	Educational agencies and institutions that receive federal funds from the U.S. Department of Education	Student records	Provide eligible students and their parents with access to their educational records and maintain records of those access events Prevent disclosure of personally identifiable information (PII) contained in educational records to ineligible parties	Loss of federal funding
Gramm–Leach–Bliley Act (GLBA)	Any organization that provides financial products or services to customers	Nonpublic personal information (NPI) Personally identifiable information	Ensure the secure collection, disclosure and protection of consumers’ NPI and PII Clearly explain to consumers what data is collected about them, where it is shared, how it is used and how it is protected Develop a written information security plan to protect customers’ NPI and PII	$100,000 fine per violation for the organization $10,000 fine per violation or up to 5 years in prison for personally liable officers
General Data Protection Regulation (GDPR)	All organizations that process the personal data of EU residents	Personal data of EU residents	Process personal data in a manner that ensures its security, including protecting against unauthorized or unlawful processing and accidental loss, destruction or damage	Fines of up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher

How best-practice standards and frameworks can help you achieve and maintain compliance

In order to improve data security and ensure regulatory compliance, organizations often align their security programs with established frameworks developed based on industry best practices, academic research, training and education, internal experience, and other materials. These frameworks offer repeatable procedures that have proven themselves over time in a large number of organizations. Organizations are free to choose the framework that best suits their needs, or to not use one at all.

Here are some of the most popular frameworks:

NIST SP 800-53. This framework establishes security standards and guidelines for government agencies and federal information systems. In particular, it fully supports FIPS 200 — a security standard that companies need to implement in order to achieve FISMA compliance. Because it provides general best practices, the NIST framework is also widely used in the private sector.
NIST Cybersecurity Framework. This framework provides standards, guidelines and best practices to help organizations manage cybersecurity risks. HIPAA-covered companies can use the crosswalk map between the HIPAA Security Rule and the NIST Cybersecurity Framework to improve information security and better safeguard ePHI by filling in the gaps in companies’ cybersecurity posture.
ISO 27000 series. These standards for IT security help organizations safeguard financial information, employees’ personal data, intellectual property and other critical assets. In particular, ISO 27001 is an international standard for the establishment, implementation, maintenance and continuous improvement of an information security management system (ISMS); it provides practical details on how to develop clear, comprehensive policies to minimize security risks.
BS 10012. This framework is aligned to the data security requirements of the GDPR. It covers a massive amount of ground concerning data privacy, although like many frameworks and standards, it is not a complete model for GDPR compliance.

When there is no framework that fully supports a certain regulation, organizations often use a combination of frameworks and controls to meet their compliance requirements and business needs. In fact, the process of ensuring and demonstrating compliance often involves comparing required controls to established security measures in order to identify and remediate any gaps.

Five tips for complying with data security regulations

No matter which framework, if any, you choose to adopt, the following five tips will help you on your journey to regulatory compliance:

Understand what data you have. Depending on the compliance regulations they are subject to, organizations might need to protect cardholder information (PCI DSS), health records (HIPAA), PII of EU residents (GDPR) or other data. Data discovery and classification tools can help you locate regulated data so you can ensure it is protected by appropriate security controls and is trackable and searchable as required.
Conduct regular risk assessments. Regular risk assessment is a central mandate of many compliance regulations. At a high level, risk assessment involves identifying risks, assessing the probability of their occurrence and their potential impact, taking steps to remediate the most serious risks, and then assessing the effectiveness of those steps.
Develop a clear plan. Most regulations require a combination of administrative, physical and technical measures, such as policies and procedures, employee training, and IT controls. Managing all of that effectively requires a clear plan. Use existing checklists to see where your company stands and consider using a standard framework as a starting point for designing a data protection policy.
Do extra reading. Many resources are available to make regulations more understandable. For example, this comprehensive guide developed by the UK’s Information Commissioner’s Office (ICO) answers the most common questions about GDPR compliance.
Get advice. If you have more questions than answers and your company doesn’t have an internal compliance officer, consider engaging external advisors who have expertise with the specific regulations your organization is subject to. Professional advice can help you adjust your information security program faster and more effectively, saving you money in the long run.

Ryan Brooks

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.