Decoding Cybersecurity Compliance
Cybersecurity compliance certainly isn’t simple. There are countless acronyms, hundreds of controls, and many organizations find themselves completely overwhelmed. Cybersecurity compliance requirements vary and can be imposed by law, by regulatory bodies, and even by private industry groups, such as payment processors. Furthermore, cybersecurity compliance is not the same thing as cybersecurity itself, though the two concepts are sometimes conflated. Many organizations, particularly those with limited resources, tend to mistakenly assume that being cybersecurity "compliant" is the same as being secure, but compliance does not equal security.
Cybersecurity compliance measures whether an organization meets the requirements set out by a law, a regulation, or a security best practice. The need to be compliant may therefore apply only to a logical subset of the organization (e.g., certain locations, systems, or applications) and to certain types of data. The idea behind compliance is that if an organization properly implements and operates the required controls, then the data and systems in scope will be secure. Cybersecurity itself measures how effectively an organization’s security practices reduce information-related risk. Hence, cybersecurity and cybersecurity compliance are closely related and, in an ideal environment, are achieved together.
Cybersecurity compliance is a more universal, point-in-time analysis that demonstrates whether your organization meets the minimum security-related requirements of specific regulatory standards.
Cybersecurity is the whole unique system of policies, processes and technical controls that define how your organization stores, processes, consumes and distributes data so that it’s effectively and verifiably protected from cyber threats.
Cybersecurity compliance involves meeting various controls (typically enacted, and often enforced, by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. Compliance requirements vary by region, industry, and sector, but they typically involve using a range of specific organizational processes and technologies to safeguard data.
To begin working towards cybersecurity compliance, it is important to first determine which specific regulations or laws you may need to comply with. One commonality around the world is that every country has some framework of laws or regulations that seeks to protect private data, and these frameworks often require companies to notify customers if their personal information is compromised.
While compliance requirements can vary greatly, some general principles apply universally when organizing any cybersecurity compliance plan. For example, many websites and databases implement two-factor authentication for access to user accounts. This means that accessing an account requires not only a password but also a verification code sent to a phone number or other device. Password encryption is also common practice, rather than storing user passwords in plain text in a system database. With password encryption, even if a hacker gains access to the database of stored passwords, they will not be able to readily read any user passwords or data, because the system stores this information in encrypted form, so it is not readily available to any third party. Encryption is the use of mathematical techniques to secure digital data: the original information is algorithmically transformed into a form that is unreadable to a third party while it is stored. When the data needs to be accessed, for example to check a submitted password, the database “decrypts” the information for that specific user.
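The two practices in the paragraph above, shown in code as an added example that is not from the original page. One caveat for practitioners: the text describes password storage in terms of encryption and decryption, but standard practice is a salted one-way hash, which is what this example uses, so a stolen password database holds nothing that can be decrypted. The function names, iteration count and code lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this example, not taken from any standard on the page.
PBKDF2_ITERATIONS = 200_000
OTP_LIFETIME_SECONDS = 300  # second-factor code is valid for five minutes


def create_user_record(password: str) -> dict:
    """Build the database row for a new account.

    Only a random salt and a one-way PBKDF2 hash are stored; the password
    itself never reaches the database, so there is nothing to decrypt.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the submitted password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def issue_otp(now: int) -> dict:
    """Second factor: a random six-digit code sent out of band (SMS, app) with an expiry."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    return {"code": code, "expires_at": now + OTP_LIFETIME_SECONDS, "used": False}


def verify_otp(challenge: dict, submitted: str, now: int) -> bool:
    """Accept the code only once, only before expiry, and compare in constant time."""
    if challenge["used"] or now > challenge["expires_at"]:
        return False
    if not hmac.compare_digest(challenge["code"], submitted):
        return False
    challenge["used"] = True  # single use: a replayed code is rejected
    return True


def login(record: dict, challenge: dict, password: str, otp: str, now: int) -> bool:
    """Both factors must pass; the password is checked first so a stolen code alone is useless."""
    return verify_password(record, password) and verify_otp(challenge, otp, now)
```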
It is also crucial to determine what type of data you are storing and processing, as well as which states, territories, and countries you are operating within, since specific types of personal information are subject to additional controls. Personal information is any personally identifiable information, that is, any data that could uniquely identify an individual. Examples include:
Passport Numbers, Social Security Numbers, Country ID numbers, etc.
First/Last Name
Date of Birth
Address
Mother’s Maiden Name
This could also include personal health information, which consists of any information that can be used to identify an individual or their medical treatment. Examples include:
Medical Appointment Information
Medical History
Admissions Records
Prescription Records
Insurance Records, etc.
Every organization is different in terms of cyber maturity, the number of employees dedicated to cybersecurity, and financial resources available to invest in such efforts.
With compliance programs, the requirements may only pertain to a subset of the business while comprehensive cybersecurity programs are implemented throughout the entire organization.
Another crucial difference between cybersecurity compliance and cybersecurity is that compliance requirements change slowly and are often more predictable, while the world of security threats is in a constant state of flux; this means cybersecurity compliance itself may often lag behind the current state of threats.
Therefore, the cybersecurity compliance process requires a skilled and experienced team that can assess an organization’s current state against independent standards and identify any gaps in policy, process, people, and/or technology. Once gaps are identified, a comprehensive plan must be developed to close them in a timely manner in order to meet any required certification deadlines. The process can often be overwhelming, since compliance frameworks require very specific controls to be implemented in specific ways and documented with detailed evidence.
Borderless Counsel, through our partner, Infinigence Consulting, offers a broad range of expertise and highly targeted services designed to simplify this complex process, and we can partner with you at every step of the cybersecurity compliance process.
If you need help with your Cybersecurity program, reach out to us today at info@borderlesscounsel.com!