Companies that sell software, manufactured parts or legal services are very different types of businesses, yet all of them have something in common. They’re all faced with an increasing need to prove that they are safeguarding the data that they gather, use and store. Sometimes the need for security compliance comes from legal regulations but for an increasing number of organizations, the need for security compliance is coming from their customers or vendors.
In this article, we’re going to explore how cybersecurity compliance requirements are extending into industries that haven’t traditionally been regulated and present an overview of the compliance process.
Here’s what you’ll learn:
- What is cybersecurity compliance?
- The drivers for security compliance
- Frameworks and security compliance
- Examples of security frameworks
- Choosing a framework to follow
- Using frameworks when compliance isn’t required
- The compliance process
- Attaining compliance with a security framework
- Maintaining compliance
- The costs of compliance
What is Cybersecurity Compliance?
Cybersecurity compliance is the process of assuring that a set of standards are met for securing data and access to IT systems.
Industries like healthcare and financial services have had to comply with regulations for data security for a long time because of the type of information that they handle. Medical history and banking credentials are valuable to the individuals who own that information. Regulations were established to protect people from the harm that can result from having that information stolen or exposed.
Today, there’s a realization that organizations in regulated industries aren’t the only ones that need to protect data and IT systems. The companies you do business with want to ensure that the data they own and you utilize is secure. Likewise, your employees want the personal identifiable information (PII) that you store about them (like their social security numbers) to be protected from cyber-attackers.
The Drivers for Security Compliance
Cybersecurity compliance is about managing risk. Specifically, it’s the risk of utilizing technology and the internet to do business. Threats on the web are widespread and increasing in number and sophistication. Every company is a target for cyber bad guys who work together in a large underworld ecosystem to monetize the online accounts they infiltrate and the information they steal.
We’ve already mentioned that security requirements are being pushed down from customers and vendors, but cyber insurers are also driving requirements for security compliance. A time may be coming when qualifying for cyber insurance will mean that you need to be compliant with a specific security framework.
Frameworks and Security Compliance
A compliance framework is a set of policies and procedures that establish the technical controls and behaviors that secure data and IT systems. Following a framework doesn’t necessarily mean that an organization is compliant. Think of a framework as providing the building blocks for compliance. In fact, a compliance program may be built on more than one framework.
What a security framework does is to establish a method for defining security standards and how an organization will meet and maintain those standards. In addition to its role in the implementation of security measures, a framework gives different entities common language to use when communicating cybersecurity standards.
Examples of Security Frameworks
There are several different security frameworks that are in the creation of compliance regulations. Some are industry specific and some are not. Even though a framework may be specific to a certain industry, it doesn’t mean that entities outside of that industry cannot use it.
This framework, established by the National Institute of Standards and Technology (NIST), was designed to protect federal agencies and their vendors that utilize. NIST 800-53 separates security controls into different families based on the level of impact that would be sustained in the event of a breach.
This framework is designed for vendors of government entities that store and use Controlled Unclassified Information (CUI). The framework includes 110 requirements, divided into 14 families that encompass the organization’s technology, policies and procedures.
ISO 27001 and 27002
This ISO certification attests to an organization’s best-practice approach to managing their information security management system (ISMS). The certification is recognized globally and includes regular security risk assessments to determine effectiveness. ISO 27002 supplements 27001 by listing security controls that may be included in an organization’s security plan.
Cybersecurity Maturity Model Certification (CMMC) is a multi-tiered certification for companies that do business with the Department of Defense. The first tier is certified by self-assessment with tiers 2 and 3 requiring a third-party audit. Requirements in the CMMC framework include controls from NIST 171 and
SOC 2 Type 2
Originally developed by the American Institute of CPAs (AICPA), SOC (Systems and Organization Controls) compliance is a procedure to third-party verify an organization’s security processes. Audits cover five areas of trust principles: security, availability, processing integrity, confidentiality and privacy. Type 1 denotes that the audit represents a snapshot in time. Type 2 indicates that processes were audited for effectiveness over an extended period of time.
How Do You Know What Framework to Follow?
If your customer or vendor is asking you to follow compliance requirements, they’ll specify what framework you should follow. In fact, they may pull requirements from more than one framework to communicate their security expectations.
It’s also very possible that your company may have one entity telling you to follow a specific framework, and another entity requiring a different framework. You can often set up controls that will satisfy both frameworks. Start with one, then setting up the other one should be an easier process because part of the work is already done.
If you’re starting with either CMMC Level 2 or NIST 171, then you’ll likely be in good shape for just about any other compliance framework that your customers or vendors require.
Are Frameworks Useful if Compliance Isn’t Required?
Even if you haven’t yet been required by a customer or vendor to comply with their security requirements, adopting a framework as the foundation of your security strategy is a good idea. A framework gives a way to create and document your security strategy and put your organization in a good place when you are faced with compliance requirements.
The CMMC Level 1 framework is a good first step for organizations with no experience with compliance. At this level, you can do a self-assessment of your security processes and procedures. Self-assessment doesn’t mean that it’s easy. Don’t be surprised if you uncover gaps that you didn’t know you had before, both in security controls and security expertise.
The Compliance Process
Becoming compliant with security regulations involves a lot more than checking off boxes on a list. Compliance is about making your operations secure so sometimes you’re going to have to change your processes and that takes time.
To give you an idea of the kind of time frame you need, consider a period of 12 – 1 months to attain ISO 27001, NIST 171 or CMMC Level 2 compliance. SOC 2 Type 1 could take six months, and SOC 2 Type 2 a year or more.
There are generally five phases in the compliance process:
- Conduct a gap analysis to evaluate your current state of security.
- Review the report and recommendations that come out of the gap analysis.
- Create a plan that will bring your organization up to framework standards.
- Implement the plan to attain compliance.
- Manage the security process on an ongoing basis to maintain compliance.
Attaining Compliance with a Security Framework
The plan that is needed to attain compliance with a security framework is going to be as unique as each organization. There will be controls that can be easily implemented so punch these out first. These are things like MFA, proper endpoint protection, logging, and regular assessments.
The more difficult or complex measures will take more time and often have to do with changing employees’ habits and how they go about their tasks on their computer. For example, if they aren’t already, computer users will need to use multi-factor authentication (MFA) on everything.
The security process has technical and non-technical components, so a major part of your process is going to be documenting, training, and enforcing your policies for how people access data and IT systems.
The process of writing security policies is time consuming and complicated but necessary. It can also be very enlightening if you discover that your company is far from operating within the Principle of Least Privilege. Not only will you need to audit all roles to find out what permissions they have, but you may need to back up and establish new permission profiles to get a handle on data access going forward.
Maintaining your organization’s compliance with a security framework actually begins before you get every component in place. So if your gap analysis indicates that you have some appropriate security controls already set up, make sure that those are being monitored and managed. Likewise, begin managing each new layer of security as it’s added.
A big part of managing compliance has to do with making sure that employees know about security policies and are equipped to follow them. You can and should automate enforcement of policies with technical measures whenever possible. However, you’ll need to make a plan to audit employee behavior and provide ongoing training.
In addition to training employees on how to access data and IT systems, cybersecurity awareness training should be included in your plan to maintain compliance. This type of training teaches people how to recognize potential cyber-attacks and what to do when they come across something suspicious.
The Costs of Security Compliance
You should expect your level of investment in security to increase when you start down the road towards compliance. But when you consider the costs of compliance, you also have to consider the cost of non-compliance which can mean the loss of customers or limits to who will work with you as a vendor.
Additionally, becoming compliant lowers your cyber risk. That can translate into better rates on cyber insurance not to mention peace of mind that your business will be resilient in the event of a cyber-attack.
As you’re getting started, you’ll most likely need to add software tools like better endpoint detection and response (EDR), and extended log collections. You may need hardware improvements like upgrading your firewalls. If your employees have been using their own computers and phones, you may need to provide company-owned devices.
Regular vulnerability scans, penetration tests, and security and risk assessments are needed on a regular basis to make sure that security controls are effective.
Even if you work with a cybersecurity services provider, it’s a good idea to have someone act as your compliance manager. That means you’ll need to devote resources for that person to become trained so they can coordinate your efforts with all of the parties involved.
How Bellwether Works with Clients to Attain and Maintain Compliance
Unless your company has advanced security expertise internally, you’ll likely need to work with a cybersecurity services provider to take you through the compliance process. Not can we create and implement a customized compliance plan for your organization, but we’ll work with your company to ensure that everyone involved in the process stays on top of their compliance responsibilities. Plus, a Bellwether compliance analyst will participate in each audit, facilitating the audit process.
Get in touch to schedule a meeting and explore how we can help you make compliance a strong business capability.