cybersecurity regulatory compliance fisma - federal


CYBERSECURITY REGULATORY COMPLIANCE CHEAT SHEET

Regulatory Compliance


CRAIG PETERSØN.COM

REGULATORY COMPLIANCE AND CYBERSECURITY CHEAT SHEET

Compliance and Cybersecurity

Companies need to comply with both industry-mandated and government-regulated data security requirements. Where there is personal data, there are regulations. And hackers trying to get at it. Compliance in this sense means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.

© 2019 Craig Peterson. All Rights Reserved.

Compliance is a critical component of any security program. Compliance lives by the rule that states "Trust but Verify." The overall concept is that we must obtain evidence of compliance with stated policies, standards, laws, regulations, etc. in order to issue the proper attestations as required. Compliance is directly impacted by the ever-changing, and sometimes obscure, rules and regulations, making it quite challenging for organizations to maintain a sound compliance posture. The continuous expansion and extension of organizational production environments adds additional complexity to today's compliance challenges. Businesses that must comply with key controls such as privileged access, segregation of duties and third-party access face a nightmare when trying to ensure continuous authorized access.

Compliance Frameworks

HIPAA - Health Insurance Portability and Accountability Act applies to any company or office that deals with healthcare data. That includes but is not limited to doctor's offices, insurance companies, business partners, and all employers.

HITECH - Health Information Technology for Economic and Clinical Health Act applies to businesses keeping personal health data. This means any company with employees must comply. It also extends the reach of HIPAA to what are referred to as 'Business Associates'.

SOX - Sarbanes-Oxley Act applies to public company boards, management and public accounting firms in the US.

FISMA - Federal Information Security Management Act applies to all Federal agencies.

GLBA - Gramm-Leach-Bliley Act applies to companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.

FERPA - Family Educational Rights and Privacy Act applies to any postsecondary institution including universities, academies, colleges, seminaries, technical schools, and vocational schools.

PCI-DSS - Payment Card Industry Data Security Standard applies to any company that handles credit card information.

DFARS - The Defense Federal Acquisition Regulation Supplement applies to DoD contractors of any size that process, store or transmit Controlled Unclassified Information (CUI); subcontractors that work with Controlled Unclassified Information are also responsible for meeting the DFARS minimum security standards.

FRCP - Federal Rules of Civil Procedure applies to all electronic documents and traditional documents stored electronically. These must be available for timely search and retrieval in the event of litigation proceedings. Discovery must be maintained in its original format. Accidental deletion, misplacement, or any inability to locate data before deadlines will result in court fines.


NIST - National Institute of Standards and Technology guidance encompasses security best-practice controls across a range of industries.

FIPS - Federal Information Processing Standards apply to all federal agencies, which must comply; federal agencies may not waive the use of the standards.

GDPR - General Data Protection Regulation applies to any data controller (an organization that collects or stores data from or on any EU residents) or processor (an organization that processes data on behalf of a data controller, like cloud service providers), or where the data subject (person) is based in the EU.

Many US states are following suit with regulations of their own, like the CCPA - California Consumer Privacy Act, SHIELD - Stop Hacks and Improve Electronic Data Security Handling Act, UPIA - Utah Protection of Personal Information Act, and RIITPA - Rhode Island's Identity Theft Protection Act, to name a few.

Steps to Compliance

To obtain and maintain compliance with any industry- or government-mandated information security protocol, you must have documented and validated data security policies and procedures that are in use and enforced by your company. No matter what industry, the steps that need to be followed regarding cybersecurity policies and procedures are pretty much standard. They include:

Risk analysis - review all current cybersecurity measures and identify and have a timetable to repair gaps.

- What needs to be protected?
- Who/what are the threats and vulnerabilities?
- What are the implications if they were damaged or lost?
- What is the value to the organization?
- What can be done to minimize exposure to the loss or damage?

Development of policies and procedures - develop a comprehensive plan outlining data security policies.

- A comprehensive plan outlining data security and cybersecurity policies
- Individual staff responsibilities for maintaining data security
- Tools to be used to minimize data security risks, such as security cameras, firewalls or security software
- Cybersecurity guidelines concerning use of internet, intranet and extranet systems

Perform enterprise-wide risk assessments. Clearly document and consistently enforce policies and controls. Establish physical security in the

Implementation - implement policies and procedures and educate all employees:

- Purchase security software and other tools that have been identified as necessary
- Update existing software and operating systems that are out-of-date
- Conduct mandatory security training and awareness programs for all employees, and require signatures on mandatory reading materials
- Conduct background checks of all employees
- Vet third-party providers to be sure that they maintain and document compliant information security protocols identical to or more robust than those in place within your company.


Validation - hire a third party to review, test and validate your security protocols.

This process can be pricey, time-consuming and intrusive; however, this type of verification will both help your business to maintain data security and add value to your services for use by your customers.

Enforcement - enforce through education and penalties, eliminating the temptation to ignore data security protocols and encouraging compliance.

This can be done by issuing penalties, financial or otherwise, for those who do not follow important procedures.

Mandatory data security training and awareness programs must be scheduled for employees to ensure sensitive and confidential data is protected. Anyone who might touch protected data must be trained on current policies and risks, and kept current as policies are updated or new risks identified.


Compliance ≠ Security

The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. We are not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, we make no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and are not responsible for misprints, out-of-date information, or errors. We make no warranty, express or implied, and assume no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.