The following information is a part of our free cybersecurity and compliance Academy course.
Compliance Mandates Overview
The type of data your company handles determines which compliance mandates you need to follow.
If you handle payment card data, you need to follow the PCI DSS.
If you deal with protected health information, you need to follow HIPAA.
And if you collect or store personal data of people located in the EU, the GDPR applies to you, whether or not they are EU citizens.
Each of these standards has a unique scope and purpose. Some are heavier in security, while some emphasize privacy. Some requirements may “cross over,” but this doesn’t mean compliance with one mandate equals compliance with another.
For example, PCI DSS has a list of specific security controls, whereas GDPR focuses more on process and privacy. And HIPAA focuses on both privacy and security.
It’s also important to note that compliance will look different at every organization, so avoid the “check-box” mentality that can undermine data security and compliance efforts.
PCI DSS Compliance
Becoming PCI compliant can seem like a frustrating process, especially if you’re a small to medium-sized business.
To give you a quick overview, PCI stands for the Payment Card Industry, and consists of companies taking and processing payment transactions using major card brands like Visa, MasterCard, and American Express. These card brands came together in an effort to help regulate the industry and most importantly to help businesses and customers avoid card data theft and fraud.
As part of this effort they formed the Payment Card Industry Security Standards Council (PCI SSC), which develops and maintains the Payment Card Industry Data Security Standard, or PCI DSS. This is a set of twelve requirement areas (card-handling practices) that must be followed to store, process, or transmit payment card data securely. Because it is an industry standard, any merchant or service provider that stores, processes, or transmits cardholder data has to meet it.
The PCI DSS was developed by the council with involvement from the major card brands, but the PCI SSC is a standards body, not an enforcement organization; the individual card brands and the acquirers (merchant banks) are the ones that actually enforce the standard. Many of the merchant banks we work with charge a non-compliance fee, and merchants who don’t meet the standard may face other negative consequences, such as card-brand fines passed down after a breach.
Now that you know the purpose of PCI compliance, let’s talk about how to become compliant. In basic terms, PCI compliance can be broken down into four steps.
First, you need to identify your scope, which is basically determining how your card processing is handled at your business and where it occurs, and which PCI requirements you need to validate.
Second, you need to complete a Self-Assessment Questionnaire (SAQ) to assess your compliance with the PCI DSS and close any security gaps you find. The way you handle card data or outsource processing determines which SAQ type you fill out; the higher your processing risk to card data, the more of the total PCI DSS requirements you have to validate. If your company processes large volumes of card transactions, your acquirer or the card brands may require a full Report on Compliance (ROC) written by an external Qualified Security Assessor (QSA).
Third, if any part of your card processing is exposed to the Internet (an e-commerce site, for example), you are typically required to have an Approved Scanning Vendor (ASV) run an external vulnerability scan of those Internet-facing systems at least quarterly and after significant changes, and to remediate findings until the scan passes.
And lastly, once you’ve completed your SAQ and achieved a passing scan, report your compliance (the SAQ with its Attestation of Compliance, plus the passing scan report) to your acquirer or merchant processor.
Again, the main purpose of PCI compliance is to improve your organization’s data security. A little consistent effort applying data security principles goes a long way toward deterring cyber criminals and protecting your business.
PCI DSS REQUIREMENTS OVERVIEW
REQUIREMENT 1: PROTECT YOUR SYSTEM WITH FIREWALLS
Install a hardware and software firewall
Tweak firewall configuration for your system
Have strict firewall rules
REQUIREMENT 2: USE ADEQUATE CONFIGURATION STANDARDS
Avoid using default passwords
Harden your systems
Implement system configuration management
REQUIREMENT 3: SECURE CARDHOLDER DATA
Encrypt stored card data
Find where card data is held
Craft your card flow diagram
REQUIREMENT 4: SECURE DATA OVER OPEN AND PUBLIC NETWORKS
Know where data is transmitted and received
Encrypt all transmitted cardholder data
Stop using SSL and early TLS (TLS 1.0, and TLS 1.1 where you can); use TLS 1.2 or higher
REQUIREMENT 5: PROTECT SYSTEMS WITH ANTI-VIRUS
Create a vulnerability management plan
Regularly update anti-virus
Maintain an up-to-date malware program
REQUIREMENT 6: UPDATE YOUR SYSTEMS
Consistently update your systems
Patch all critical systems and software
Establish software development processes
REQUIREMENT 7: RESTRICT ACCESS
Restrict access to cardholder data
Document who has access to the card data environment
Establish an access control system
REQUIREMENT 8: USE UNIQUE ID CREDENTIALS
Use unique ID credentials for every employee
Rotate credentials regularly and revoke them immediately when staff leave
Configure multi-factor authentication for all remote access and all non-console administrative access to the cardholder data environment
REQUIREMENT 9: ENSURE PHYSICAL SECURITY
Control physical access at your workplace
Keep track of POS terminals
Train your employees often
REQUIREMENT 10: IMPLEMENT LOGGING AND LOG MONITORING
Implement logging and alerting
Establish log management
Create log management system rules
REQUIREMENT 11: CONDUCT VULNERABILITY SCANS AND PENETRATION TESTING
Know your environment
Run vulnerability scans quarterly
Conduct a penetration test
REQUIREMENT 12: START DOCUMENTATION AND RISK ASSESSMENTS
Implement a risk assessment process
Create an incident response plan
- Guide: SecurityMetrics Guide to PCI DSS Compliance
- Worksheet: PCI Compliance IT Checklists
- Webinar: PCI Basics
- Article: What are the 12 requirements of PCI DSS Compliance?
- Article: PCI DSS Compliance FAQ
- Article: 7 PCI Compliance Tips for Small Businesses
- SecurityMetrics Solution: PCI Compliance for Small Businesses
- SecurityMetrics Solution: PCI DSS Audit
- SecurityMetrics Solution: PCI DSS Compliance Training
- SecurityMetrics Solution: PCI Compliance Policies
HIPAA Compliance
Securing the privacy of protected health information (PHI) is one of the focuses of the Health Insurance Portability and Accountability Act (HIPAA), passed into law in the United States in 1996. Its rules have been expanded since: as electronic health care data became prevalent, the HIPAA Privacy Rule took effect in 2003 and the Security Rule, which covers electronic PHI, in 2005, and the HITECH Act of 2009 added the Breach Notification Rule and stronger penalties. Keeping up with HIPAA privacy and security tasks can seem overwhelming, especially if you’re a small to medium-sized healthcare organization.
A main purpose of the HIPAA Privacy and Security Rules is to protect health care data from being compromised, which usually happens as a result of an external attacker, unauthorized access by an insider, or employee negligence.
Breaches within the healthcare industry are not going away, and a lot of expensive mistakes have been made by organizations in recent years. Because of the personal information often stored in healthcare systems and its potential use in identity theft, there are a lot of criminals targeting this information.
When HIPAA privacy and security requirements are taken seriously, organizations decrease their liability, improve overall security, and avoid costly HIPAA fines and settlements.
One portion of the HIPAA law, Title II (Administrative Simplification), is where the Privacy, Security, and Breach Notification Rules are found. We will go into a bit more detail on each.
The Privacy Rule is the one most organizations are familiar with. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information to those who need it so good care can be provided. It protects all "individually identifiable health information" held or transmitted by covered entities (health care providers, health plans, and clearinghouses) and their business associates, in any form or media (electronic, paper, oral, etc.).
The Security Rule applies specifically to electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to protect it. Its standards apply to firewalls, logging, network design, encryption, access control, and anything else involved in the creation, processing, transmission, and maintenance of ePHI. Many of its implementation specifications are "addressable," which does not mean optional: you must either implement them or document why an alternative measure is reasonable and appropriate for your environment.
Lastly, the Breach Notification Rule requires covered entities and business associates to have policies and procedures for responding to a breach of unsecured PHI, including notifying affected individuals without unreasonable delay (and no later than 60 days after discovery), notifying HHS, and, for breaches affecting more than 500 residents of a state, notifying prominent media outlets.
Healthcare organizations will continue to be at risk for data compromise, but by doing a little bit each day and by making HIPAA requirements a priority, you can make a big impact on the strength of your data security.
- Guide: SecurityMetrics Guide to HIPAA Compliance
- White Paper: HIPAA Compliance 101 for Business Associates
- White Paper: HIPAA Privacy Rule 101
- Webinar: How to Improve your HIPAA Compliance Efforts in 2018
- Webinar: 3 Steps to Become HIPAA Compliant
- Article: 5 Tips to Improve HIPAA Compliance in 2018
- Article: HIPAA FAQ
- SecurityMetrics Solution: HIPAA for Small Practices
- SecurityMetrics Solution: HIPAA Audit
- SecurityMetrics Solution: HIPAA Compliance Training
- SecurityMetrics Solution: HIPAA Compliance Policies
GDPR Compliance
The General Data Protection Regulation, or GDPR, is meant to harmonize data protection law across the EU and strengthen the data privacy rights of people in the EU.
The GDPR applies to any organization that handles, processes, or stores the personal data of individuals in the EU. Note that the GDPR’s term is “personal data,” which is broader than the US notion of personally identifiable information (PII): it is any information relating to an identified or identifiable natural person. That includes names, birth dates, birth places, mothers’ maiden names, addresses, emails, IP addresses, cookie identifiers, and national identification or social insurance numbers.
So whether your business is located in the EU or not, if you offer goods or services to people in the EU or monitor their behaviour, this regulation applies to you.
Organizations found to be in non-compliance with the GDPR can be fined up to 20 million euros or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher. That is the top tier; a lower tier of 10 million euros or 2% applies to other infringements, and supervisory authorities can also issue warnings, reprimands, and orders to stop processing. So what can you do to start addressing these requirements and avoid potential fines?
First of all, you need to learn about the GDPR and how to apply its data privacy guidelines to your business. The best thing you can start doing right away is learning where PII is stored, processed, or transmitted as a result of your daily business operations. Document this carefully with flow diagrams, descriptions, etc. Be sure to talk to people throughout your organization in order to learn how they interact with PII. When it comes to PII, don’t make assumptions.
Some requirements of the GDPR are easier to interpret than others. For example, where consent is the lawful basis for processing, the GDPR requires that the data subject give it by a clear affirmative action (an opt-in, not a pre-ticked box) before a company begins storing, processing, or transmitting their personal information. It’s easy to determine whether that requirement has been met.
On the other hand, Article 25 of the GDPR requires “data protection by design and by default.” With this requirement it can be difficult to know if you’re fully compliant, because it alludes to any number of possible data security practices rather than naming specific controls.
The next step is to start working on requirements and make necessary remediation. Think about the processes you need to fix at your organization and start fixing them to be in accordance with the GDPR. Consider working with a consultant to conduct a GDPR gap analysis to identify areas you need to focus on first.
The third step is to start thinking about all the documentation that may be required. You might have a long list of policies and procedures that need to be documented. Documentation could be a pretty big task, and you need to either create that from the ground up or find a company that has packages of this documentation that you can modify.
So in summary, the best thing you can do to meet GDPR requirements is to start doing something. The regulation has applied since 25 May 2018, so start reading to get up to speed on what it means for you. Start working on privacy notices and disclosure documents. Perform a risk analysis, and a Data Protection Impact Assessment (DPIA) for any processing likely to be high-risk to individuals. If you are audited by a supervisory authority, you’ll be in a much better position to limit fines if you can show you were making a documented effort to implement GDPR practices; being able to demonstrate compliance is itself a GDPR obligation (the accountability principle).
- White Paper: GDPR 101: What You Need to Know About the EU General Data Protection Regulation (GDPR)
- Webinar: GDPR 101: What You Need to Know
- Article: GDPR FAQs
- Article: PCI vs. GDPR: What’s the Difference
- Article: How Much Does GDPR Compliance Cost?
- SecurityMetrics Solution: GDPR Defense
- SecurityMetrics Solution: Consulting
Compliance Mandate Quiz
If you are compliant with the PCI DSS, are you compliant with other compliance mandates (e.g., HIPAA, GDPR)? (Choose only ONE best answer.)
No, but your compliance to each mandate increases your data security and reduces your potential for fines and penalties.
Who needs to follow GDPR compliance? (Choose only ONE best answer.)
Only EU organizations
Only EU citizens
Anyone who handles, processes, or stores personal data (PII) of individuals in the EU.
TRUE OR FALSE: A main purpose of HIPAA Privacy and Security Rules is to protect electronic health care data from being compromised. (Choose only ONE best answer.)
Should your organization have a designated person responsible for HIPAA/PCI/GDPR compliance? For example, a Security and/or Privacy Officer(s). (Choose only ONE best answer.)
Answer Code: Q1: 2, Q2: 3, Q3: 1, Q4: 1
Create a Security Culture
Security is not a bottom-up process. Management often tells IT to “just get their organization secure.” However, those placed in charge of security and compliance may not have the means necessary to reach their goals.
For example, IT may not have the budget to implement adequate security. Some may try to look for free software to fill in security gaps, but this process can be expensive due to the time it takes to implement and manage. In some instances, we have seen that an IT department wanted their third party auditor to purposely fail their compliance evaluations so they could prove that they needed a higher security budget. Obviously, it would have been better to focus on security from the top-down beforehand.
Keep in mind that checkbox attitudes lead to breaches. C-Level management should support the process. If you are a C-level executive, you should be involved with budgeting, assisting, and promoting security best practices from the top level down to foster a strong security culture.
The cost of data security entirely depends on your organization. Here are a few variables that will factor in to the cost of your overall efforts:
Your business type (e.g., franchise, service provider, mom-and-pop shop, or hospital): Each business type will have varying amounts of environment structure, risk levels, and sensitive data in their systems, which means each business type will have different needs.
Your organization size: Typically, the larger the organization, the more potential vulnerabilities it has. More staff members, more programs, more processes, more computers, more cardholder data, and more departments mean more cost.
Your organization’s culture: If data security is one of upper management’s top priorities, increasing security costs probably isn’t a major internal struggle. In other cases, management is very hesitant to dish out budgets to security, because they don’t understand their organization’s security liabilities.
Your organization’s environment: The type of processing or medical devices, the brand(s) of computers, the types of your firewalls, and the model(s) of back-end servers can all affect security costs.
Your organization’s required mandates: Some compliance mandates may require additional budget to be spent on security tools (e.g., PCI DSS), while others may require you to follow additional security practices to protect an individual’s privacy and records (e.g., GDPR, HIPAA).
Your organization’s dedicated security staff: Even with a dedicated team, organizations usually require outside assistance or consulting to help them meet data security and compliance mandate requirements.
The following are estimated annual security budgets:
SMALL ORGANIZATION BUDGET
Risk Analysis and Management Plan: $2,000
Vulnerability scan: $100-$150 per IP address
Training and policy development: $70 per employee
TOTAL POSSIBLE COST: $2,170+ (starting point for a single IP address and a single employee; scale the per-IP and per-employee lines to your environment)
MEDIUM ORGANIZATION BUDGET
Risk Assessment and Management Plan: $20,000+
Onsite audit: $40,000+
Vulnerability scan: $800+
Penetration testing: $5,000+
Training and policy development: $5,000+
TOTAL POSSIBLE COST: $70,800+
Keep in mind this budget doesn’t include remediation security measures, such as firewalls, encryption, or updating systems and equipment.
However, this is far cheaper than paying for a data breach, which can easily cost anywhere from $180,000 to $8.3 million or more.
OVERCOME MANAGEMENT’S BUDGET CONCERNS
If you’re having problems communicating budgetary needs to management, start by conducting a risk assessment. NIST SP 800-30 (Guide for Conducting Risk Assessments) is a good methodology to follow. At the end of the assessment you’ll have an estimate of the likelihood of a compromise, how much one would cost, and the impact a breach might have on your organization (e.g., brand damage).
Simply put, find a way to show how much weak security will cost the organization. For example, “if someone gains access to the system through X, this is how much it will cost and damage our brand.” Consider asking marketing or accounting teams for help delivering the message in more bottom-line terms.
If possible, work with a third-party security professional to select the controls that address your requirements; that exercise also tells you which tools you may need to budget for and implement.
- Article: 10 Tips for Increasing IT Budget and Security Buy-In
- Article: 10 Tips for Keeping Security in the Budget
- Article: How Much Does HIPAA Compliance Cost?
- Article: How Much Does PCI Compliance Cost?
- Article: How Much Does GDPR Compliance Cost?