Whether you are adhering to mandatory regulations or voluntary cybersecurity frameworks, taking compliance seriously can be a huge boon to your organization. It can help you avoid costly penalties, signal to your customers that you’re serious about security, and improve your organization’s overall security maturity. Meeting compliance requirements can also help open your business up to new markets, whether you’re targeting specific industry verticals or going after international customers, and finally, it can speed up your sales process along the way.
But let’s be honest: Compliance can seem like a necessary evil. It’s time consuming and complex, and it can be a huge pain in the you-know-what. Just because the benefits outweigh the costs doesn’t make the process any less painful.
Certain frameworks make their pain felt across industries. GDPR, for example, applies to any organization doing business even nominally in Europe and requires notification of a breach within 72 hours. SOC 2 is a rigorous standard that applies to any company operating in the cloud. One of the main challenges for Threat Stack in achieving SOC 2 compliance was eliminating the disconnect between our engineering team’s tickets and the code associated with those tickets.
Other compliance frameworks reserve their pain for specific industries, and those can feel especially burdensome. What are the main pain points by industry, and, more importantly, how can you mitigate them? We dig into the specifics below.
In healthcare, HIPAA is the big framework, and it’s the industry-specific regulation that nearly everyone is aware of, thanks to those disclosure forms handed out in doctor’s offices everywhere. Referring to the Health Insurance Portability and Accountability Act of 1996, HIPAA requires you to have certain administrative, physical, and technical safeguards in place to protect electronic protected health information (ePHI). It is, nevertheless, designed to strike a balance between privacy and accessibility when it comes to ePHI.
After a major HIPAA audit in 2016 resulted in tens of millions of dollars in settlements, the Health and Human Services Office for Civil Rights announced proactive audits for 2017 and beyond, upping the ante for the healthcare industry and affected third-party providers to get it right. That is easier said than done, considering the sheer volume of data that must be collected to support compliance and the need to monitor large volumes of network traffic. Until the announcement of proactive audits, these pain points carried little threat of reprisal, but the times seem to be a-changing, and strict compliance is more necessary than ever.
One of the widest-reaching frameworks to affect the financial industry is the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), released by the New York State Department of Financial Services (NYDFS) last year. The regulation applies to anyone licensed to operate under New York banking, insurance, or financial services laws, and third-party service providers will need to be covered as of March 2019. (NYDFS publishes a list of key dates under New York’s Cybersecurity Regulation, 23 NYCRR Part 500.)
The requirements (and, therefore, the pain points) of 23 NYCRR 500 are many:
- Continuous monitoring or periodic Penetration Testing and Vulnerability Assessments (Sec. 500.05)
- Audit trails designed to detect and respond to Cybersecurity Events (Sec. 500.06(a)(2))
- Access controls to limit access privileges to systems providing access to Nonpublic Information (Sec. 500.07)
- Written procedures, guidelines, and standards to ensure secure in-house development of applications and for evaluating, assessing, and testing externally developed applications (Sec. 500.08)
- Effective controls (e.g., Multi-Factor Authentication or Risk-Based Authentication) to protect against unauthorized access to Nonpublic Information or Information Systems (Sec. 500.12(a))
- Risk-based policies, procedures, and controls to monitor the activity of Authorized Users and detect unauthorized access, use, or tampering by Authorized Users (Sec. 500.14(a))
- Controls (e.g., Encryption) to protect Nonpublic Information in transit and at rest (Sec. 500.15(a))
- A written Incident Response Plan to promptly respond to and recover from any material Cybersecurity Event (Sec. 500.16(a))
FFIEC Guidance is another standard that applies to the financial industry, though it does not hold the force of law or regulation. Instead, it serves as a blueprint for examiners to follow in conducting audits. Failure to comply could lead you to fail an audit, thereby preventing you from entering new markets, introducing new products, or even successfully merging with or acquiring another organization.
Meeting the guidelines, according to the FFIEC Information Technology Examination Handbook, involves having a “robust and effective information security program.” This includes risk identification, assessment, mitigation, and monitoring, so any financial organization needs to face these pain points head on in order to be prepared before an audit arrives.
The Payment Card Industry Data Security Standard (PCI DSS) is an “actionable framework for developing a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents.” That’s according to the standard’s creators — Visa, MasterCard, Discover, and American Express — who released PCI DSS in 2004.
While PCI DSS really belongs to both the financial and retail industries, it is particularly painful to retail for a multitude of reasons, including the large workforce of retail chains and their correspondingly large number of personal devices, as well as myriad retail chain locations, which can make restricting and monitoring access controls particularly challenging.
There are 12 PCI DSS requirements, and the Verizon 2017 Payment Security Report found that the retail industry had the most trouble complying with two:
- #4. Encrypt transmission of cardholder data across open, public networks
- #11. Regularly test security systems and processes
The retail industry needs to address these pain points not only to comply with PCI DSS and avoid costly penalties in the case of an audit, but also to protect sensitive customer data and, ultimately, to demonstrate true security maturity.
Breaking Through the Pain
While working with any compliance framework can be a challenge, it can also be a powerful business driver that allows you to stand out among the competition. Threat Stack’s Cloud Security Platform® can help ease the pain with automatic controls, policies, and procedures that allow you to audit your cloud infrastructure for compliance, scan your workload for vulnerabilities, and continuously monitor your infrastructure to protect against internal and external threats. These built-in functionalities will allow you to identify, assess, and remediate existing threats, as well as monitor for new ones, to get you on track to meet the requirements of the compliance frameworks we’ve discussed here.