Regulatory compliance monitoring is a key component of any cybersecurity program. But it's becoming increasingly difficult to ensure you are meeting your regulatory requirements. Driven by an increasing web of complex extraterritorial laws, industry-specific regulations, and general data protection laws.
This is not a valid excuse for non-compliance. Regulators and lawmakers will impose significant fines on organizations that aren't able to align their cybersecurity and compliance programs.
A good way to do this is by creating a compliance monitoring plan capable of continually assessing your organization's compliance activities in real-time.
To build a successful compliance monitoring program, you must first understand what laws and regulations are applicable to your organization, and what compliance with them looks like.
This will allow you to perform a gap analysis of what your current compliance controls and business processes are, and what additional security controls need to be in place. This risk assessment process will outline risk areas and should inform your information security policy.
How to Determine What Regulations Apply to You
The cybersecurity and data protection regulations that apply to your organization depend on your industry. With that said, several regulations span across multiple industries and continents. These are the ones you should consider.
Joe Biden's Cybersecurity Executive Order
Joe Biden's Cybersecurity Executive Order call for a complete reformation of security programs throughout government entities and the entire private sector.
Some of the key mandates of the Executive Order includes:
- Data breach transparency between vendors and government entities
- A Zero Trust Architecture as a security framework
- Multi-factor authentication
- Encryption for all data at rest and in transit.
- Improved supply chain security standards
Payment Card Industry Data Security Standards (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from major credit card schemes.
PCI DSS aims to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a Report of Compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
To comply with PCI DSS, you must meet twelve requirements
- Installing and maintaining a firewall configuration to protect cardholder data. The purpose of a firewall is to scan all network traffic, block untrusted networks from accessing the system.
- Changing vendor-supplied defaults for system passwords and other security parameters. These passwords are easily discovered through public information and can be used by malicious individuals to gain unauthorized access to systems. Read our password security checklist for more information.
- Protecting stored cardholder data. Encryption, hashing, masking, and truncation are methods used to protect cardholder data.
- Encrypting transmission of cardholder data over open, public networks. Strong encryption, including using only trusted keys and certifications reduces the risk of being targeted by malicious individuals through cyber attacks.
- Protecting all systems against malware and performing regular updates of anti-virus software. Different types of malware can enter a network in numerous ways, including Internet use, phishing emails, mobile devices or storage devices. Up-to-date anti-virus software or supplemental anti-malware software will reduce the risk of exploitation via malware.
- Developing and maintaining secure systems and applications. Vulnerabilities in systems and applications allow unscrupulous individuals to gain privileged access. Security patches should be immediately installed to fix vulnerabilities and prevent exploitation and compromise of cardholder data.
- Restricting access to cardholder data to only authorized personnel. Systems and processes must be used to restrict access to cardholder data on a “need to know” basis. Read more about the principle of least privilege here.
- Identifying and authenticating access to system components. Each person with access to system components should be assigned a unique identification (ID) that allows accountability of access to critical data systems.
- Restricting physical access to cardholder data. Physical access to cardholder data or systems that hold this data must be secure to prevent unauthorized access or removal of data. Read more about data breaches here.
- Tracking and monitoring all access to cardholder data and network resources. Logging mechanisms should be in place to track user activities that are critical to prevent, detect or minimize the impact of data compromises.
- Testing security systems and processes regularly. New vulnerabilities are continuously discovered. Systems, processes, and software need to be tested frequently to uncover vulnerabilities that could be used by malicious individuals.
- Maintaining an information security policy for all personnel. A strong security policy includes making personnel understand the sensitivity of data and their responsibility to protect it.
These twelve requirements are then organized into six control objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Fines for non-compliance can range from $5,000 to $25,000 per month depending on the size of your organization. In the event of a security breach, you can be fined up to $5,000 which is why it's essential to comply with PCI DSS. And remember, the true cost of a data breach goes far beyond the fine.
Sarbanes-Oxley (SOX) was passed by the United States Congress in 2002 to protect shareholders and the general public from accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures. Australian businesses should also comply with SOX security controls.
All public companies must comply with SOX, both on the financial side and the IT side. The way in which IT teams store corporate electronic records has changed as a result of SOX, even though it does not directly specify how records should be stored. It does, however, define which records should be stored and for how long (not less than five years).
SOX requires a written statement to be submitted by the Chief Executive Officer (CEO) and Chief Financial Officer (CFO). The content of the written statement, according to section 906 “shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.”
The penalties for violations are either:
- Knowingly certifying a report that does not comport with requirements: Maximum penalty of $1,000,000, 10 years imprisonment, or both.
- Willfully certifying a report that does not "comport" with requirements: Maximum penalty of $5,000,000, or 20 years imprisonment, or both.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was passed by the European Union (EU) to protect the personally identifiable information (PII) of EU citizens. GDPR is mandatory for any organization that processes the PII of EU citizens, regardless of where it is located.
Furthermore, any third-party vendors you use must also be compliant with GDPR.
Fines for non-compliance have two tiers:
- Up to €10 million, or 2% annual global turnover (whichever is higher)
- Up to €20 million, or 4% annual global turnover (whichever is higher)
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) or AB 375 is a new law that became effective on January 1 2020, designed to enhance consumer privacy rights and protection for residents in the state of California by imposing rules on how businesses handle their personal information.
The CCPA is the most extensive consumer privacy legislation to pass in the United States and is akin to the European Union's General Data Protection Regulation (GDPR) and other data privacy laws and privacy regulations.
CCPA allows class-action lawsuits against companies who fail to take reasonable precautions to prevent data breaches. Apart from that, it is up to the Attorney General's office to ensure CCPA compliance, who was indicated it only has the bandwidth to bring a handful of cases each year.
Even if cases are rare, the threat of large files–$7,500 per data record–should be enough to entice most organizations to comply.
Lei Geral de Proteção de Dados Pessoais (LGPD)
The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) is a new law that was passed by the National Congress of Brazil on August 14, 2018 and comes into effect on August 15, 2020.
The LGPD creates a legal framework for the use of personal data of individuals in Brazil, regardless of where the data processor is located. It is closely modeled after the European Union's General Data Protection Regulation (GDPR) and like GDPR, the LGPD has far-reaching consequences for data processing activities in and outside of Brazil.
Penalties for non-compliance with LGPD is "2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reais (~$12.8 million USD)."
The SHIELD Act
The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) or Senate Bill 5575, was enacted on July 25, 2019, as an amendment to the New York State Information Security Breach and Notification Act. The law goes into effect on March 21, 2020.
The motivation behind the SHIELD Act is to update New York's data breach notification law to keep pace with current technology. The bill broadens the scope of information covered under the notification law and updates breach notification requirements when there has been a breach of data.
Critically, the bill requires the designation of a person to run the vendor risk management process and to conduct due diligence on the data security measures of third-party vendors and service providers.
Failure to implement a compliant information security program is enforced by the New York State Attorney General and can result in injunctive relief and civil penalties of up to $5,000 per violation.
Businesses that fail to comply with the breach notification requirements can be held liable for the "actual costs or losses incurred by a person entitled to notice". In addition, if the business violates the provision "knowingly or recklessly", a civil penalty of the greater of $5,000 or $20 per instance of failed notification, up to a maximum of $250,000.
The Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA, GLB Act or the Financial Services Modernization Act of 1999) is a United States federal law requiring financial institutions to explain how they share and protect their customers' nonpublic personal information (NPI).
The three major components of the GLBA are designed to work together to govern the collection, disclosure, and protection of customers' nonpublic personal information (NPI), namely:
- The Financial Privacy Rule: Restricts the sharing of nonpublic personal information (NPI) about an individual and requires financial institutions to provide each consumer with a privacy notice at the start of the customer relationship and annually thereafter.
- The Safeguards Rule: Requires financial institutions to develop an information security plan that describes how the company is prepared for and plans to continue to protect customers' and former customers' nonpublic personal information (NPI).
- Pretexting Protection: Pretexting or social engineering occurs when someone tries to gain access to nonpublic personal information without the authority to do so. This may entail requesting private information by impersonating the account holder by phone, by mail or by phishing or spear phishing. GLBA encourages organizations to implement safeguards against pretexting.
Non-compliance penalties include:
- $100,000 fine for each violation for financial institutions
- $10,000 fine for each violation for individuals
- Up to 5 years in prison for individuals
The Florida Information Protection Act (FIPA)
The Florida Information Protection Act of 2014 (FIPA) came into effect July 1, 2014, expanding Florida's existing data breach notification statute requirements for covered entities that acquire, use, store or maintain Floridian's personal information.
FIPA is an extraterritorial law, which means any company that acquires, uses, stores or maintains the personally identifiable information (PII) of Floridians must comply.
Entities who fail to provide required notices under FIPA violate Florida Deceptive and Unfair Trade Practices Act (FDUTPA) and are subject to civil penalties:
- $1,000 per day for the first 30 days
- $50,000 for each 30-day period up to 180 days
- A maximum penalty of $500,000 for violations exceeding 180 days
The Federal Information Security Management Act of 2002 (FISMA)
The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural and manmade threats. FISMA was enacted as part of the E-Government Act of 2002.
There are seven main FISMA requirements:
- Inventory of information systems: FISMA requires agencies and third-party vendors maintain an inventory of their information systems and an identification of any interfaces between each system and other systems or networks including those not operated by or under control of the agency. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems provides guidance on determining how to group information systems and their boundaries.
- Risk categorization: All sensitive information and information systems are categorized based on their required information security according to a range of risk levels. FIPS 199 and NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories provide categorization guidelines. The key thing to understand about FISMA's risk assessment methodology is that it uses the high water mark for its impact rating. This means if a system scores low risk for confidentiality and integrity but high risk for availability the impact level would be high risk.
- Security controls: FISMA requires federal information systems meet minimum security requirements as defined in FIPS 104-3 and FIPS 200. NIST SP 800-53 Recommended Security Controls for Federal Information Systems outlines appropriate security controls and assurance requirements. Agencies are not required to implement every control, only those they deem necessary. Once controls are selected and minimum security requirements satisfied, agencies must document selected controls in their system security plan.
- Risk assessments: The combination of FIPS 200 and NIST SP 800-53 form the foundational level of all federal agencies' risk management frameworks. A cybersecurity risk assessment determines if the current security controls are sufficient and if any additional controls are needed. As with any risk assessment, it starts by identifying potential cyber threats, cyber attacks, vulnerabilities, exploits and other common attack vectors then maps to controls designed to mitigate them. Risk is determined by calculating the likelihood and impact of a given security incident, taking into account existing controls. The end result is a risk assessment with calculated risks for all events and information about whether the risk is to be accepted or mitigated.
- System security plan: NIST SP-800-18 introduced the concept of a system security plan, a living document requiring periodic review, modification, plans of action and milestones for implementing security controls. Procedures should be developed and outlined to review the plan, keep it current and to follow the progress on any planned security controls. The system security plan is a major input into the security certification and accreditation process. During the process, the system security plan is analyzed, updated and then accepted with a certification agent confirming the security controls described are consistent with FIPS 199 and FIPS 200.
- Certification and accreditation: Once a risk assessment and system security plan are complete, FISMA requires program officials and agency heads to conduct annual security reviews to ensure security controls are sufficient and risk is sufficiently mitigated. FISMA certification and accreditation is a four-phase process that includes initiation and planning, certification, accreditation, and continuous monitoring. NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems outlines this process in detail. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts of a data breach, data leak, unauthorized access or other security incidents.
- Continuous monitoring: All FISMA accredited systems are required to monitor their selected set of security controls, with documentation updated to reflect changes and modifications to the system. Large changes should trigger an updated risk assessment and may need to be recertified. Continuous monitoring activities include configuration management, control of information system components, security impact analysis of changes to the system (e.g. security ratings), ongoing assessment of security controls and status reporting.
For government agencies and their third-party vendors, failing to comply with FISMA could result in censure by congress, a reduction in federal funding, reputational damage, government hearings, loss of future contracts and poor cybersecurity infrastructure.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy legislation for private-sector organizations in Canada.
PIPEDA became law in April 13, 2000 to promote trust and data privacy in eCommerce and has since expanded to include industries like banking, broadcasting and the health sector.
Like the European Union's General Data Protection Regulation (GDPR), under PIPEDA individuals have the right to access personal information held by an organization, know who is responsible for collecting it, understand why it's being collected and to challenge its accuracy.
Failure to comply with PIPEDA's data breach notification and record-keeping requirements can result in fines of up to CAD$100,000.
Prudential Standard CPS 234 Information Security (CPS 234)
CPS 234 is an APRA Prudential Standard that aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.
CPS 234 applies to all APRA-regulated entities namely:
- Authorized deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorized under the Banking Act
- General insurers, including Category C insurers, non-operating holding companies authorized under the Insurance Act, and parent entities of Level 2 insurance groups
- Life companies, including friendly societies, eligible foreign life insurance companies and non-operating holding companies registered under the Life Insurance Act
- Private health insurers registered under the PHIPS Act
- RSE licensees under the SIS Act in respect to their business operations
Failure to comply with CPS 234 can result in loss of RSE license.
How to Conduct a Cybersecurity Audit
After you've identified the regulations your organization must adhere to, the next step is to assess your overall compliance by conducting a cybersecurity audit. The goal of the audit is to evaluate your current security governance structure, any compliance issues, risky business activities or business units, and to understand your current monitoring efforts. Here are some things you will likely want to address.
A cybersecurity risk assessment is about understanding, managing, controlling, and mitigating cybersecurity risk.
The primary purpose of cyber risk assessments is to help inform decision-making and to streamline proper risk responses. Leveraging risk timely risk assessments can greatly reduce compliance risk and improve your compliance management processes by:
- Reducing long-term costs: Identify issues with internal audit or internal control processes and policies can save your organization money and/or reputational damage over time
- Providing a cybersecurity risk assessment template for future assessment: Creating a robust risk assessment process will ensure it is a repeatable process regardless of staff turnover
- Improving organizational knowledge: Knowing organizational risks can help your compliance officers understand what areas need improvement
- Avoiding data breaches: Data breaches can have a huge financial and reputational impact on any organization
- Avoiding application downtime: Internal or customer-facing systems need to be available for staff and customers to do their job
- Avoiding data loss: theft of trade secrets or other key information assets can aid industrial espionage, risk assessments are one part of your overall data loss prevention strategy
Configuration management (CM) is a systems engineering process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.
And an important part of CM are the monitoring processes that look for changes made to cybersecurity controls. Without automation, a single engineer forgetting to update a piece of software can leave a system with an outdated version of the software that has a known vulnerability listed on CVE. This vulnerability could be exploited to spread computer worms, install ransomware or other types of malware.
Security Ratings Monitoring Systems
Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture. They are created by a trusted, independent security rating platform making them valuable as an objective indicator of an organization's cybersecurity performance.
Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk.
Security ratings are increasingly used for internal security performance management, including:
- Continual assessment of internal cybersecurity posture, providing CISOs with a simple, understandable rating that can be presented to key stakeholders including C-Suite and board members.
- Benchmarking and comparison to industry peers, competitors, sectors, and vendors. This can assist with decision-making and provide context about what security controls or mitigations your organization needs to invest in.
- Providing assurance to customers, insurers, regulators and other stakeholders that your organization cares about preventing security issues like data breaches, malware, and ransomware.
Security ratings have been widely adopted because they supplement and can sometimes replace time-consuming vendor risk assessment techniques like questionnaires, on-site visits, and penetration tests. Most importantly, they are always up-to-date.
Cybersecurity Awareness Training
This is an evaluation of the cybersecurity awareness training you have in place. Your workforce will have to take an assessment that focuses on their understanding of your regulatory requirements to identify gaps.
How to Create a Compliance Monitoring Plan
Once the initial audit has been completed, you can begin creating a compliance monitoring plan.
While you may only be required to conduct a cybersecurity audit once a year, many industry best practices recommend continuous monitoring. This ensures you are always in compliance and can remediate any gaps you find in controls on an as-needed basis, rather than once a year.
Additionally, you should document any changes and the results of ongoing evaluation so it can be used in future audits.
The plan should aim to address all the risks identified, however, the largest risks should be prioritized first. When deciding on the control and responsible individual remember to map the required expertise against the employee's skill set. Where possible, you may find it helpful to combine risk monitoring activities.
The output of your compliance monitoring plan will depend on the level and frequency required by your regulatory requirements. With that in mind, it is very important to keep regulators informed about any potential issues and to invest in the gaps you identify.