Compliance & Regulations Advisory Services

---

Various government entities have established a number of IT compliance standards over the years. We will now examine some of the most common IT compliance standards, including the fundamentals of each standard and the industries it impacts. As a note, this list is not exhaustive, and your business may be impacted by standards not listed here. 

GDPR

GDPR stands for General Data Protection Regulation. This regulation came into effect in 2018 and was designed to protect the privacy of citizens in the European Union. Under this regulation, all EU citizens must consent before their data is processed. There are additional specifications about how data must be transferred and secured under this standard.

Data impacted by GDPR include:

• Name
• Address
• Health data
• Political opinions
• Biometric data
• Racial or ethnic data
• Sexual orientation
• Web data

GDPR protects only EU citizens, so your organization must meet these standards only if you employ citizens of the EU or conduct business there. 

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act. Enacted in 1996, HIPAA seeks to protect sensitive health information and prevent that data from being disclosed without the patient’s consent. 

Data impacted by HIPAA include:

• Health plan numbers
• Medical record numbers
• Biometric identifiers
• Identifiable photos
• Medical diagnoses
• Treatment information
• Medical test results
• Prescription information

Organizations most commonly affected by HIPAA are health plan providers, healthcare clearinghouses, hospitals, and more. However, if your business maintains any health records for employees or customers, you are also subject to HIPAA.

PCI DSS

PCI DSS stands for the Payment Card Industry Data Security Standard. This regulation refers to a set of twelve security requirements related to credit card and financial information.

The standards of PCI DSS are as follows, to quote:

1. Installing and maintaining a firewall configuration to protect cardholder data
2. Refraining from using vendor-supplied defaults for passwords and other security parameters
3. Protecting stored cardholder data
4. Encrypting transmission of cardholder data across open, public networks
5. Protecting all systems against malware and regularly updating ant-virus software
6. Developing and maintaining secure systems and applications
7. Restricting access to cardholder data that businesses need to know
8. Identifying and authenticating access to system components
9. Restricting physical access to cardholder data
10. Tracking and monitoring all access to network resources and cardholder data
11. Regularly testing security systems and processes
12. Maintaining a policy that addresses information security for all personnel

If your business manages transactions by credit card, you will need to be aware of and adhere to the requirements set forth by PCI DSS. 

SOX

SOX stands for the Sarbanes-Oxley Act of 2002. This regulation is also referred to as the Public Company Accounting Reform and Investor Protection Act. This act applies to any publicly traded company in the United States and publicly traded foreign companies that do business in the United States. 

The goal of SOX is to protect shareholders from corporate accounting fraud or errors. Many of the regulations in this standard are related to financial reporting and an IT-specific component.

To comply with SOX, your IT department must comply with standards for storing financial records. Under SOX, financial records must be maintained for seven years. 

GLBA

The Gramm- Leach-Bliley Act (GLBA) applies to financial institutions that offer investment or financial advice, insurance or loans to clients. For instance, financial advisory firms, real estate firms and universities must adhere to GLBA. This regulation requires institutions to disclose how they protect their customers' data and what information-sharing policies they have in place.

To abide by this regulation, financial institutions must disclose their policies and request that customers and clients opt into their services. Customers can choose not to have their information shared with certain third parties by opting out of this. Here are the GLBA's rules:

• Financial privacy: The financial privacy rule governs how financial institutions collect and share private financial information. They must provide clients with the option to opt out of their information-sharing policy on an annual basis, for as long as the client works with the institution.
• Safeguard: Safeguard rules specify how institutions must implement security measures to protect their clients' data from cybersecurity threats. These security measures include proper software, employee training and testing for vulnerabilities.
• Pretexting: The pretexting provision restricts businesses from gathering information under false pretenses. Many businesses develop employee training protocols to teach employees how to avoid using pretexting in their work, how to recognize it and other information about pretexting.

NIST

NIST stands for the National Institute of Standards and Technology. NIST differs from the other standards on this list in that it is voluntary. This standard is a framework designed to help manage cybersecurity risks and reduce breaches. 

Essentially, NIST provides your organization with best practices and guidelines you can use to reduce the risk of data-related issues and crises in your organization. 

Penetration testing, often referred to as pentesting, offers several benefits for organizations. Here are some of the key benefits:

1. Identify Vulnerabilities: Pentesting helps in uncovering security weaknesses, vulnerabilities, and flaws in an organization's systems, networks, and applications. By simulating real-world attacks, pentesters can identify potential entry points that malicious actors could exploit. This enables organizations to proactively address these vulnerabilities before they can be exploited by actual attackers.
2. Risk Mitigation: By conducting pentests, organizations can assess their overall security posture and identify areas of high risk. This allows them to prioritize resources and efforts to mitigate those risks effectively. By addressing vulnerabilities discovered during a pentest, organizations reduce the likelihood of successful cyber attacks, minimizing potential damage, financial losses, and reputational harm.
3. Compliance Requirements: Many industries and regulatory frameworks require regular security assessments and pentesting to comply with specific standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates regular penetration testing for organizations that handle credit card data. By performing pentests, organizations can ensure they meet the necessary compliance requirements and avoid potential penalties or legal issues.
4. Enhanced Incident Response: Pentests can help organizations improve their incident response capabilities. By experiencing simulated attacks, organizations can identify and refine their incident detection and response procedures. This allows security teams to become more adept at recognizing and responding to security incidents effectively, minimizing the impact of potential breaches.
5. Awareness and Education: Pentesting increases security awareness among employees and stakeholders. It helps educate them about potential threats, common attack techniques, and the importance of following secure practices. This awareness can lead to a more security-conscious culture within the organization, reducing the likelihood of human error-based security breaches.
6. Third-Party Assessment: Pentesting is valuable for assessing the security posture of third-party vendors and suppliers. Many organizations rely on external partners for various services, and a pentest can evaluate their security measures and identify any potential risks they might introduce to the organization's infrastructure.
7. Continuous Improvement: Pentesting is not a one-time event. Regularly conducting pentests allows organizations to measure their progress in terms of security and identify areas for improvement. By continually testing and remediating vulnerabilities, organizations can establish a cycle of continuous improvement in their security practices.

Overall, pentesting is an essential component of a comprehensive security strategy. It provides proactive insights into an organization's security weaknesses, enables risk mitigation, ensures compliance, and helps improve incident response and overall security posture.