With cyber threats constantly evolving, new compliance regulations covering data protection and data privacy keep being proposed and enacted. Staying compliant is never an easy task. However, the idea that data protection and compliance must be a core part of all business practices makes good sense in the end. After all, the goal of data security compliance regulations is to help companies achieve the integrity, security and availability of their information systems and sensitive data. They provide a set of rules and guidelines that help organizations protect their systems and data from security risks.
In this article, we will review the key facts to know about common data security regulations and explore best practices that can enable you to build a solid ground for compliance.
Regulations focused on data protection
Today there is a wide variety of laws and regulations focused on data protection, including the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act of 2002 (FISMA), the Family Educational Rights and Privacy Act (FERPA) and the Gramm–Leach–Bliley Act (GLBA).
Here is the key information about the major security regulations focused on data protection:
|Compliance regulation|Who is affected|Data protected|Key obligations|Penalties|
|---|---|---|---|---|
|Payment Card Industry Data Security Standard (PCI DSS)| | | | |
|Health Insurance Portability and Accountability Act (HIPAA)| | | | |
|Federal Information Security Management Act of 2002 (FISMA)| | | | |
|Family Educational Rights and Privacy Act (FERPA)| | | | |
|Gramm–Leach–Bliley Act (GLBA)| | | | |
|General Data Protection Regulation (GDPR)| | | | |
How best-practice standards and frameworks can help you achieve and maintain compliance
In order to improve data security and ensure regulatory compliance, organizations often align their security programs with established frameworks developed based on industry best practices, academic research, training and education, internal experience, and other materials. These frameworks offer repeatable procedures that have proven themselves over time in a large number of organizations. Organizations are free to choose the framework that best suits their needs, or to not use one at all.
Here are some of the most popular frameworks:
- NIST SP 800-53. This framework establishes security standards and guidelines for government agencies and federal information systems. In particular, it fully supports FIPS 200 — a security standard that companies need to implement in order to achieve FISMA compliance. Because it provides general best practices, the NIST framework is also widely used in the private sector.
- NIST Cybersecurity Framework. This framework provides standards, guidelines and best practices to help organizations manage cybersecurity risks. HIPAA-covered companies can use the crosswalk map between the HIPAA Security Rule and the NIST Cybersecurity Framework to improve information security and better safeguard ePHI by filling in the gaps in companies’ cybersecurity posture.
- ISO 27000 series. These standards for IT security help organizations safeguard financial information, employees’ personal data, intellectual property and other critical assets. In particular, ISO 27001 is an international standard for the establishment, implementation, maintenance and continuous improvement of an information security management system (ISMS); it provides practical details on how to develop clear, comprehensive policies to minimize security risks.
- BS 10012. This framework is aligned with the data protection requirements of the GDPR. It covers a great deal of ground concerning data privacy, although, like many frameworks and standards, it is not a complete model for GDPR compliance.
When there is no framework that fully supports a certain regulation, organizations often use a combination of frameworks and controls to meet their compliance requirements and business needs. In fact, the process of ensuring and demonstrating compliance often involves comparing required controls to established security measures in order to identify and remediate any gaps.
Five tips for complying with data security regulations
No matter which framework, if any, you choose to adopt, the following five tips will help you on your journey to regulatory compliance:
- Understand what data you have. Depending on the compliance regulations they are subject to, organizations might need to protect cardholder information (PCI DSS), health records (HIPAA), PII of EU residents (GDPR) or other data. Data discovery and classification tools can help you locate regulated data so you can ensure it is protected by appropriate security controls and is trackable and searchable as required.
- Conduct regular risk assessments. Regular risk assessment is a central mandate of many compliance regulations. At a high level, risk assessment involves identifying risks, assessing the probability of their occurrence and their potential impact, taking steps to remediate the most serious risks, and then assessing the effectiveness of those steps.
- Develop a clear plan. Most regulations require a combination of administrative, physical and technical measures, such as policies and procedures, employee training, and IT controls. Managing all of that effectively requires a clear plan. Use existing checklists to see where your company stands and consider using a standard framework as a starting point for designing a data protection policy.
- Do extra reading. Many resources are available to make regulations more understandable. For example, this comprehensive guide developed by the UK’s Information Commissioner’s Office (ICO) answers the most common questions about GDPR compliance.
- Get advice. If you have more questions than answers and your company doesn’t have an internal compliance officer, consider engaging external advisors who have expertise with the specific regulations your organization is subject to. Professional advice can help you adjust your information security program faster and more effectively, saving you money in the long run.
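The first tip above relies on data discovery and classification: before regulated data can be protected, it has to be found and labelled. The following is an added example, not code from the original article or from any product it mentions, showing the core of such a scan. It looks for two of the data types named in the tip, cardholder primary account numbers (PCI DSS, confirmed with the Luhn checksum so that unrelated 16-digit numbers are not flagged) and email addresses treated as personal data of EU residents (GDPR, an assumption stated in the code). The file contents, paths and addresses are constructed for the example, and the report stores only masked values so that the classification output does not itself become a copy of the regulated data.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" for this example. Every number, name and
# address below is made up; 4111 1111 1111 1111 is the standard Luhn-valid
# test number, and the other 16-digit strings deliberately fail the Luhn check.
SAMPLE_FILES = {
    "invoices/2023-q4.txt": "Paid by card 4111 1111 1111 1111, cardholder J. Example.",
    "hr/onboarding.txt": "Contact alice.example@example.org to schedule training.",
    "eng/readme.txt": "Build with make; ticket number 1234567890123456 is unrelated.",
    "finance/notes.txt": "Account ref 9999-9999-9999-9999 (internal, not a card).",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Finding:
    path: str
    category: str      # what kind of regulated data was found
    regulation: str    # which regulation from the article it falls under
    masked_value: str  # never the raw value: the report must not leak the data


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit-only strings that look like PANs and pass the Luhn check."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr: str) -> str:
    local, _, domain = addr.partition("@")
    return local[0] + "***@" + domain


def classify_text(path: str, text: str) -> list[Finding]:
    findings = []
    for pan in find_pans(text):
        findings.append(Finding(path, "cardholder data (PAN)", "PCI DSS", mask_pan(pan)))
    for addr in EMAIL.findall(text):
        # Assumption for this example: the address belongs to an EU resident,
        # so it counts as personal data under the GDPR.
        findings.append(Finding(path, "personal data (email address)", "GDPR", mask_email(addr)))
    return findings


def scan(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Classify each 'file' and return only those that hold regulated data."""
    report = {}
    for path, text in files.items():
        findings = classify_text(path, text)
        if findings:
            report[path] = findings
    return report


def summarize(report: dict[str, list[Finding]]) -> dict[str, int]:
    """Count findings per regulation, e.g. to scope a PCI DSS assessment."""
    counts: dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f.regulation] = counts.get(f.regulation, 0) + 1
    return counts


if __name__ == "__main__":
    result = scan(SAMPLE_FILES)
    for path, findings in result.items():
        for f in findings:
            print(f"{path}: {f.category} [{f.regulation}] {f.masked_value}")
    print(summarize(result))
```

Run as a script, the scan flags only the invoice file (PCI DSS) and the HR file (GDPR); the engineering and finance files contain 16-digit numbers that fail the Luhn check and so are left alone. The Luhn step is what keeps a discovery tool's false-positive rate manageable, and the masking step is what keeps the tool's own output out of scope for the very regulation it is helping you meet.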