Masterful Policies and Compliance: Industries, Policies, Regulations, and How to Get Started

Introduction to Cybersecurity Policies and Compliance

It is hard to imagine any organization today that does not use technology as a tool to manage and operate their everyday business and operations. The barrage of cybersecurity attacks that are targeting all types of organizations with any Internet presence is unparalleled, and many times, successful.

Policies and procedures are often an afterthought for many organizations. If used correctly, they can provide a robust and tailored cybersecurity framework that can help provide clarity to organizations of any size and in any industry.

Policies can be utilized by providing a tailored approach used to drive informed technical controls of an organization. This provides knowledge of where to apply the correct amount of security, which then has the potential to decrease the overall organizational cybersecurity risks, increase effectiveness of cybersecurity controls, and allows the organization to not waste money and better manage resources. This results in organizations being able to better secure their critical assets that threat actors actually attack.

Cybersecurity policies and compliance requirements are usually paired to the organization’s industry and maturity. However, for organizations that do not have to follow such requirements, these frameworks are still available to be used in order to increase the overall security posture, cybersecurity efficiency, and provide a starting point for securing the organization from threats.

Terminology:

Cybersecurity Framework - a piece and/or collection of standards, policies, procedures, guidelines, requirements, regulations, checklists, publication(s) and/or guidance aimed at providing a holistic view of how to implement cybersecurity controls in order to increase overall security posture of organizations.

Cybersecurity Policy Compliance - one or more set of publications that are defined as requirements and/or regulations to be complied to by organization, where failing to comply to set policies may result in discontinued business, failure to operate, fines, and further consequences defined by industry.

Cybersecurity Requirements - one or more set of publications that are defined as requirements and/or regulations to be complied to by organization, where failing to comply to set requirements may result in fines, and further consequences defined by industry or organization.

Cybersecurity Policies and/or Procedures - one or more set of publications that are used, produced, tailored, and specifically defined per organization to be used as either guidance for the organization concerning cybersecurity or adopted as compliance despite no industry requirements (per organizational management).

Compliance and/or Policy Assessments - an audit/assessment based on one or more set of policy requirement publications where the organization is assessed against a set of security controls that are required to be complied to in order to pass the audit, and to receive the results of the assessment to remediate weaknesses. Policy assessments focus on auditing the organizations cybersecurity posture as a whole focusing on operational, management, and administrative security controls.

• Examples of areas that are assessed during Policy Assessments are Access Controls, Incident Response, Awareness and Training, Physical and Environmental Protection, Systems and Communications Protection, and more.

• This type of assessment is not to be confused with vulnerability assessments - which is specifically conducted directly against systems to identify vulnerabilities within systems that have the potential to be exploited.

• In some cases vulnerability assessments and penetration tests are required by certain cybersecurity policies and frameworks such as PCI DSS, and NIST 800-53 rev 4/5.

Popular Cybersecurity Policies and Frameworks: A Brief Overview

One of the most robust cybersecurity frameworks is NIST 800-53 Revision 4. This publication has been an excellent guide for the cybersecurity industry for many years. Over time, each of the following industries (healthcare, finance, government) has adopted a set of cybersecurity publications and requirements that are used today as cybersecurity guidelines and/or compliance requirements. Some examples include the following:

Government

NIST 800-53 rev 4 and 5 (low, moderate and high): Security and Privacy Controls for Federal Information Systems and Organizations

• This publication is often used as an overall cybersecurity framework for government agencies and organizations to conduct compliance assessments/audits. Often this is a process for the systems to receive Authority To Operate.

• Required compliance will depend on the type of government organization, and sensitivity of information. Based on this, the level of audit will be conducted between low, moderate, and high.

NIST 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

• This by itself is not an audit framework, however is often a standard to which government organizations should strive to apply in order to assess overall risk to their organization. The private sector can also use this framework. All audits and assessments are integrated into the Risk Management Framework.

Financial

PCI DSS - Payment Card Industry Data Security Standard

• PCI DSS is designed to be used as a compliance framework for organizations that handle credit card information.

• It focuses on building and maintaining a secure network, protecting cardholder data, implementing strong access controls, maintaining vulnerability management program, monitoring and testing the networks, and maintaining an Information Security Policy

• Financial organizations that are required to follow PCI DSS must conduct assessments and audits that identify their current state within the requirements, and must remediate them.

• Additionally, the organization may be required to conduct other activities such as vulnerability assessments and penetration tests, and any other requirements in order to stay compliant to the PCI

GLBA - Gramm-Leach-Bliley Act

• GLBA is focused around ensuring privacy and security practices are implemented to protect customer information.

• Financial institutions such as non-bank mortgage lenders, real estate appraisers, debt collectors, banks, tax return preparers, and other organizations that deal with customer financial information may be required to comply with GLBA.

• Some organizations may be required to comply with both PCI DSS and GLBA, others may be required to comply with one of them depending on the type of data they process and store.

• GLBA’s heavy emphasis on privacy of customer information draws some similarities with GDPR (below).

Healthcare

HIPAA - Health Insurance Portability and Accountability Act

• HIPAA Privacy and Security Rules were designed to help keep healthcare information secure by introducing a set of security controls as requirements.

• Some of the areas that HIPAA requirements focus on are confidentiality, integrity, and availability (CIA) of all Patient Health Information (PHI) healthcare organization(s) create, receive, maintain, or transmit.

• Like PCI DSS, and other frameworks, assessments and audits are required to identify the organization's posture of compliance, and any deficiencies must be remediated.

Medium to Small Businesses

NIST 800-171 (DFARS): Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations

• This set of requirements, based on NIST 800-53 Rev. 4, were published as an abridged version for smaller organizations. Some government entities have started to require their smaller contractors and sub-contractors to comply to DFARS.

• This publication is also an excellent choice for businesses that have no industry requirements when it comes to cybersecurity, however, would like some guidance in getting started with securing their organization against cybersecurity threats.

International

GDPR: General Data Protection Regulation

• The GDPR, published by the European Union (EU), are a set of standards and requirements that aim to increase security and privacy of EU citizens’ personal data that are collected, stored, and processed by organizations (regardless of location).

Getting Compliant and Using Frameworks to Increase Security Posture

For many organizations, whether in government or commercial sectors, the requirements for security standards and compliance have increased as technology has imprinted itself as an essential way to conduct business. For organizations that may not have any requirements for cybersecurity assessments and audits, cyberspace is still a threatening landscape, and using a cybersecurity framework will provide higher visibility into the organization’s assets, risks, and security posture.

Policy assessments should be considered as a cybersecurity best practice and should be conducted annually with other assessments, such as vulnerability assessments and penetration testing. Depending on the maturity of the organization, policy assessments can be integrated into Risk Management Programs to add value to the overall knowledge of the state of cybersecurity of an organization.

Having broad visibility into issues, and remediating or mitigating them, will effectively increase an organization's security posture and reduce the risk of successful exploitation by threat actors.

Policies, assessments, and compliance have further benefits to organizations as they may increase the reputation of the organization with certifications, leading to additional business opportunities and value for all stakeholders.

Additional Resources

Below are two tools that can be used to get started with conducting self assessments and learning further about the specific security controls required by the policies and regulations:

1. https://aws.amazon.com/quickstart/architecture/compliance-nist/

2. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.

Phone: 571-969-7039

E-mail: info@politoinc.com

Website: politoinc.com

References:

https://nvd.nist.gov/800-53/Rev4

https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5-draft.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

https://www.pcisecuritystandards.org/document_library

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1599783350970

https://www.fdic.gov/regulations/compliance/manual/8/viii-1.1.pdf

https://www.fdic.gov/consumers/consumer/alerts/glba.html

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

https://www.hhs.gov/hipaa/for-professionals/security/index.html

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

https://gdpr-info.eu/

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

https://aws.amazon.com/quickstart/architecture/compliance-nist/

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool