Infosec standards and regulations – a primer sorting compliance
Categorizing InfoSec standards and regulations into different groups may sound silly at first since bringing a written set of guidelines and rules to life is not something that serious people actually do. However, each category features a set of characteristics that aid in defining the personalities of students. In fact, several different online websites have already grouped celebrities, Game of Thrones characters, and politicians into their own groups. Although InfoSec standards and regulations lack personalities, the organizations that develop them do.
Infosec compliance does not have the stringent hierarchy belonging to other compliance fields. In some cases, Infosec standards and regulations serve as both peer suggestions and guidance. Even so, growing customer attention has twisted a significant portion of this subject into compliance being a key selling aspect for revenue. Nevertheless, organizing such InfoSec standards and regulations into a wider guide can assist in negotiating the ever-changing compliance space.
Focusing on organizations that have exuded determination, bravery and courage in the InfoSec standards and regulations world entails looking at entities that appear to be spearheading the charge of security in a bid to enhance cybersecurity in the world. They include:
- OWASP: The Open Web Application Security Project was established back in 2001 to operate as an open global community that allows organizations to operate, acquire, develop, conceive and uphold trusted applications. Even though it projects more resources and less compliance, OWASP deserves a spot on this list thanks to its heroic effort of industry innovation, which delivers guidance to members. Furthermore, it appears to be an organization whose key goals overlap mainly with traditional compliance objectives put in place by organizations that are more formalized.
- NIST: Otherwise known as the National Institute of Standards and Technology, NIST publishes its well-respected Cybersecurity Framework at no cost. Both NIST 800-53 and the Cybersecurity Framework aid in giving organizations a technique to begin organizing their best practices without having to automatically spend money. Designed to protect cybersecurity, the National Institute of Standards and Technology’s website provides a reference tool for free, which represents the Framework Core, a group of industry practices, guidelines, and standards.
- Security Policy Framework UK: The Government Security Profession, National Security and Intelligence and the UK Cabinet Office published this eleven-page document to assist in guiding protection of government assets. It includes twenty Mandatory Requirements that are categorized into key seven areas of personal security, protective marking & asset control, business continuity, counter-terrorism, information security & assurance, physical security, and governance, risk management & compliance.
- COBIT: The Information Systems Audit and Control Association is behind the creation of the Control Objectives for Information Related Technology (COBIT) framework. The structure functions as a tool that assists in bridging the gaps that exist between technical issues and business requirements in a bid to make sure that controls are mapped appropriately. Importantly, COBIT acts as a tool for process-based modeling.
What’s more, the framework provides maturity models for evaluating changes required as enterprises grow. It does this through breaking thirty-four processes into the four particular domains of monitoring & evaluation, acquiring & implementation, organization and delivering & support.
- ISO: ISO or the International Organization for Standardization delivers some of the most often complied with and recognized standards. The ISO/IEC/27000 compliance together with its associated standards leads the charge, particularly for those embarking on InfoSec standards and regulations. Being a foremost specialist when it comes to information security, ISO has harnessed that attribute to present itself as an ongoing enterprise with an impressive ambition.
- HITRUST: Established back in 2007, the Health Information Trust Alliance (HITRUST) aids in protecting patient information. Its model aims at building baselines across the health sector, which can be applied to enterprises based on both their maturity and risk. HITRUST assessed the healthcare industry and resolved that only certain risks were probable for their members as opposed to beginning with risk and building controls as responses to such risks. By doing so, its model enables entities that are HIPAA covered to customize their programs via the Common Security Framework model.
- HIPAA: The Health Insurance Portability and Accountability (HIPAA) of 1996 urged the Secretary of Health and Human Services to implement privacy regulations intended to safeguard health information that was individually identifiable. What’s more, the HIPAA Security Standards bring about a regulatory requirement whereby the enterprises within its purview build administrative procedures aimed at protecting and managing the protection of data, technical security services that review access to information, and technical security mechanism that averts unauthorized transmission of information and physical safeguards over computer systems.
- GDPR: GDPR or the EU’s General Data Protection Regulation is known for making governance and accountability one of its key directives. It creates a single collection of rules that apply to all members. Nonetheless, it expands the scope to data controllers who are involved in gathering information from European Union residents drawn from EU residents. What this means is that even without being in the EU, an organization that handles EU resident information in such ways requires to be compliant. GDPR seeks to reduce the amount of data involved, limit the aim of using information, determine the fairness, lawfulness & transparency of privacy enforce the integrity and confidentiality of information, and limit the amount of storage an organization keeps on an individual.
- SOX: The Sarbanes-Oxley Act (SOX) was enacted back in 2002 as a response to the broad array of corporate fraudulent reporting. Even though SEC had done a commendable job when it came to addressing most of SOX‘s concerns, corporate greed resulted in several companies flouting the laws. SOX aims to enforce ethics upon such companies through creating penalties for those who misreport. Additionally, the SOX Section 404 calls for businesses to assess their IT environment in a bid to determine whether there are financial reporting risks (internal or external) and measures that dress them.
- PCI-DSS: PCI or the Payment Card Industry Security Standards Council was organized by various financial entities including Visa, Mastercard, JCB International, Discover Financial Services and American Express. It plays a major role in promoting information security, particularly over electronic systems. In fact, the PCI Data Security Standard or (PCI-DSS) has emerged as a compliance standard not only for any but all payment processors. Furthermore, vendors have to assess the landscape in an attempt to determine the scope of their risk, which allows them to be PCI-DSS compliant.
- COSO: The Securities and Exchange Commission, or popularly known as SEC formed a committee in the 1980’s to scrutinize fraudulent reporting. In the process, five supporting organizations of accountants and auditors joined in the review, which resulted in the creation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Later in 2013, a major revision was included into the initial framework.
COSO’s Internal Control recognizes the five correlated elements of control activities, control environment, monitoring, information & communication, and control activities. In addition, its Enterprise Risk Management –Integrated Framework, which was created by PricewaterhouseCoopers included strategic, reporting, operations and compliance business objective with eight framework elements of event identification, monitoring, information & management, control activities, risk response, objective setting, internal environment, and risk assessment.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.