Read to learn about the cross over and differences between the different compliance mandates and standards.
The following information is a part of our free cybersecurity and compliance Academy course.
The type of data your company handles will determine which compliance regulation you need to follow.
For example:
Each of these standards has a unique scope and purpose. Some are heavier in security, while some emphasize privacy. Some requirements may “cross over,” but this doesn’t mean compliance with one mandate equals compliance with another.
For example, PCI DSS has a list of specific security controls, whereas GDPR focuses more on process and privacy, and HIPAA focuses on both privacy and security.
It’s also important to note that compliance will look different at every organization, so be careful to avoid the “check-box” mentality that can mislead data security and compliance efforts.
Becoming PCI compliant can seem like a frustrating process, especially if you’re a small to medium-sized business.
To give you a quick overview, PCI stands for the Payment Card Industry, and consists of companies taking and processing payment transactions using major card brands like Visa, MasterCard, and American Express. These card brands came together in an effort to help regulate the industry and most importantly to help businesses and customers avoid card data theft and fraud.
As part of this organization, they formed the Payment Card Industry Security Standards Council (PCI SSC) which in turn is responsible for developing and maintaining the Payment Card Industry Data Security Standard, or the PCI DSS. This is a set of twelve specific requirement areas–or card-handling practices–that have to be followed to handle and process payment card data securely. So, because it’s an industry standard, anyone that’s accepting credit card payments has to meet these standards.
The PCI DSS was developed by the security standards council with involvement from the major card brands, but the PCI SSC is only a standards body, not an enforcement organization; the individual card brands, merchant banks, or acquirers are the organizations that actually enforce those standards. Many of the merchant banks we work with will charge a non-compliance fee, and there may be other negative consequences for merchants who don’t meet these standards.
First, you need to identify your scope, which is basically determining how your card processing is handled at your business and where it occurs, and which PCI requirements you need to validate.
Second, you need to complete a Self-Assessment Questionnaire (or SAQ) to assess your compliance with the PCI DSS and close any security gaps you find. The way you handle card data or outsource processing will determine the type of SAQ you have to fill out. Based on your company’s processing risk to card data, you will have to validate more or less of the total PCI DSS requirements. If your company processes large amounts of card data, you may be required to complete a full Report on Compliance written by an external Qualified Security Assessor.
Third, if you use the Internet or a website to process cards, there are typically requirements to run a vulnerability assessment scan on your systems exposed to the Internet.
And lastly, once you’ve completed your SAQ and achieved a passing scan, then your job is to report your compliance to your merchant processor.
Again, the main purpose of PCI compliance is to improve your organization’s data security. A little bit of consistent effort implementing data security principles can go a long way when it comes to deterring cyber criminals and protecting your business.
REQUIREMENT 1: PROTECT YOUR SYSTEM WITH FIREWALLS
REQUIREMENT 2: USE ADEQUATE CONFIGURATION STANDARDS
REQUIREMENT 3: SECURE CARDHOLDER DATA
REQUIREMENT 4: SECURE DATA OVER OPEN AND PUBLIC NETWORKS
REQUIREMENT 5: PROTECT SYSTEMS WITH ANTI-VIRUS
REQUIREMENT 6: UPDATE YOUR SYSTEMS
REQUIREMENT 7: RESTRICT ACCESS
REQUIREMENT 8: USE UNIQUE ID CREDENTIALS
REQUIREMENT 9: ENSURE PHYSICAL SECURITY
REQUIREMENT 10: IMPLEMENT LOGGING AND LOG MONITORING
REQUIREMENT 11: CONDUCT VULNERABILITY SCANS AND PENETRATION TESTING
REQUIREMENT 12: START DOCUMENTATION AND RISK ASSESSMENTS
Securing the privacy of protected health information (PHI) is one of the focuses of the Health Insurance Portability and Accountability Act (HIPAA), passed into law in the United States. It is being expanded and improved constantly, and as electronic health care data became prevalent, the HIPAA Privacy and Security Rules were added in 2003. Keeping up with HIPAA privacy and security tasks can seem overwhelming, especially if you’re a small to medium-sized healthcare organization.
A main purpose of the HIPAA Privacy and Security Rules is to protect electronic health care data from being compromised, which usually occurs as a result of a hacker, unauthorized access, or employee negligence.
Breaches within the healthcare industry are not going away, and a lot of expensive mistakes have been made by organizations in recent years. Because of the personal information often stored in healthcare systems and its potential use in identity theft, there are a lot of criminals targeting this information.
When HIPAA privacy and security requirements are taken seriously, companies can decrease liability, increase overall security within the organization, and companies can avoid costly HIPAA fines and fees.
One portion of the HIPAA law–Title II–covers the areas where data Privacy, Security and Breach Notification are contained. We will go into a bit more detail on each of these categories.
The Privacy Rule is often the one category that most organizations are familiar with. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information to those who need it so good care can be provided. The Privacy Rule protects all "individually identifiable health information" held or transmitted by doctors, health care organizations, or their associates, in any form or media (electronic, paper, oral, etc).
The Security Rule deals with the technical controls that should be in place to protect PHI. It establishes standards and guidelines for protecting data that can be applied to firewalls, logging, network design, encryption, and anything else that has to do with the creation, processing, transmission, and maintenance of PHI.
Lastly, the Breach Notification Rule requires organizations to have policies and procedures in place in the event that a breach of PHI data takes place.
Healthcare organizations will continue to be at risk for data compromise, but by doing a little bit each day and by making HIPAA requirements a priority, you can make a big impact on the strength of your data security.
The General Data Protection Regulation, or GDPR, is meant to harmonize data privacy laws across Europe and strengthen EU citizens’ data privacy.
The GDPR applies to any organization that handles, processes, or stores personally identifiable information or PII of EU citizens. PII is data kept by an organization which can be used to “distinguish or trace an individual’s identity.” PII could include names, birth dates, birth places, mothers’ maiden names, addresses, emails, IP addresses, or social security/insurance numbers.
So whether your business is located in the EU or not, if you have customers from the EU, this regulation applies to you.
Organizations found to be in non-compliance with the GDPR can be fined up to 20 million euros, or 4% of their annual global revenue for the preceding financial year. While this is the maximum fine, there are different tiers of fines that can be assessed to organizations that aren’t meeting GDPR requirements. So what can you do to start addressing these requirements and avoid potential fines?
First of all, you need to learn about the GDPR and how to apply its data privacy guidelines to your business. The best thing you can start doing right away is learning where PII is stored, processed, or transmitted as a result of your daily business operations. Document this carefully with flow diagrams, descriptions, etc. Be sure to talk to people throughout your organization in order to learn how they interact with PII. When it comes to PII, don’t make assumptions.
Some requirements of the GDPR are easier to interpret than others. For example, the GDPR says that data owners are required to have an opt-in choice presented to them before a company can begin storing, processing, or transmitting their personal information. It’s easy to determine whether that requirement has been met or not.
On the other hand, the GDPR states, “protect your data by design and default.” With this requirement, it can be difficult to know if you’re perfectly compliant because it alludes to any number of possible data security practices.
The next step is to start working on requirements and make necessary remediation. Think about the processes you need to fix at your organization and start fixing them to be in accordance with the GDPR. Consider working with a consultant to conduct a GDPR gap analysis to identify areas you need to focus on first.
The third step is to start thinking about all the documentation that may be required. You might have a long list of policies and procedures that need to be documented. Documentation could be a pretty big task, and you need to either create that from the ground up or find a company that has packages of this documentation that you can modify.
So in summary, the best thing you can do to meet GDPR requirements is to start doing something. This is a new regulation, so start reading a lot to get up-to-speed on what this law means. Start working on privacy and disclosure documents. Perform a GDPR Risk Analysis. In the case that you are audited by a supervisory authority, you’ll be in a much better position to protect yourself from hefty fines if you can prove you were making an effort to implement GDPR best practices.
Question 1:
If you are compliant with the PCI DSS, are you compliant with other compliance mandates (e.g., HIPAA, GDPR)? (Choose only ONE best answer.)
Question 2:
Who needs to follow GDPR compliance? (Choose only ONE best answer.)
Question 3:
TRUE OR FALSE: A main purpose of HIPAA Privacy and Security Rules is to protect electronic health care data from being compromised. (Choose only ONE best answer.)
Question 4:
Should your organization have a designated person responsible for HIPAA/PCI/GDPR compliance? For example, a Security and/or Privacy Officer(s). (Choose only ONE best answer.)
Answer Code: Q1: 2, Q2: 3, Q3: 1, Q4: 1
Security is not a bottom-up process. Management often tells IT to “just get their organization secure.” However, those placed in charge of security and compliance may not have the means necessary to reach their goals.
For example, IT may not have the budget to implement adequate security. Some may try to look for free software to fill in security gaps, but this process can be expensive due to the time it takes to implement and manage. In some instances, we have seen that an IT department wanted their third party auditor to purposely fail their compliance evaluations so they could prove that they needed a higher security budget. Obviously, it would have been better to focus on security from the top-down beforehand.
Keep in mind that checkbox attitudes lead to breaches. C-Level management should support the process. If you are a C-level executive, you should be involved with budgeting, assisting, and promoting security best practices from the top level down to foster a strong security culture.
The cost of data security entirely depends on your organization. Here are a few variables that will factor into the cost of your overall efforts:
The following are estimated annual security budgets:
SMALL ORGANIZATION BUDGET
TOTAL POSSIBLE COST: $2,170+
MEDIUM ORGANIZATION BUDGET
TOTAL POSSIBLE COST: $70,800+
Keep in mind that this budget doesn’t include remediation security measures, such as firewalls, encryption, and updating systems and equipment.
However, this is far cheaper than paying for a data breach, which can easily cost anywhere from $180,000 to $8.3 million and above.
If you’re having problems communicating budgetary needs to management, start by conducting a risk assessment. NIST 800-30 is a good risk assessment protocol to follow. At the end of this assessment, you’ll have an idea of your compromise probability, how much a compromise would cost, and the impact a breach might have on your organization (e.g., brand damage).
Simply put, find a way to show how much weak security will cost the organization. For example, “if someone gains access to the system through X, this is how much it will cost and damage our brand.” Consider asking marketing or accounting teams for help delivering the message in more bottom-line terms.
If possible, work with a third-party security professional to identify the security controls that address your requirements and to gather information on what tools you may need to implement them.