
Cyber Security 1

Cybersecurity compliance involves adhering to standards and regulations to protect organizations from cyberattacks, ensuring the confidentiality, integrity, and availability of data. It is crucial for operational success, especially for small and medium-sized businesses that are often targeted by hackers. The document outlines the importance of compliance, types of sensitive data, benefits, steps to start a compliance program, and major regulations impacting cybersecurity.

Uploaded by

Tolulola Oyeleye
Copyright: © All Rights Reserved

What Is Cybersecurity Compliance?

The business world is rapidly changing and becoming more data-driven
and technologically advanced. Whether it's hardware or software,
organizations must leverage information technology to improve their
operational efficiency, gather more data for analytics and empower their
workforce.
New industry standards and regulations regarding data and cybersecurity
have made compliance more challenging for organizations. However,
cybersecurity compliance is a driving force behind any organization’s
success. Compliance is not just a checkbox for government regulations,
but also a formal way of protecting your organization from cyberattacks,
such as distributed denial of service (DDoS), phishing, malware,
ransomware and more.
Below is an in-depth guide outlining cybersecurity compliance,
requirements, how compliance impacts your sector, how to get started
with a compliance program and more.
What Is Cybersecurity Compliance?
Any organization working with data, which is the majority of them, or that
has an internet-exposed edge must take cybersecurity seriously.
Accessing data and moving it from one place to another puts
organizations at risk and makes them vulnerable to potential
cyberattacks.
At its core, cybersecurity compliance means adhering to standards and
regulatory requirements set forth by some agency, law or authority
group. Organizations must achieve compliance by establishing risk-based
controls that protect the confidentiality, integrity and availability (CIA) of
information. The information must be protected, whether stored,
processed, integrated or transferred.
Cybersecurity compliance is a major challenge for organizations because
industry standards and requirements can overlap, leading to confusion
and more work.
Why Is Compliance Important in Cybersecurity?
No organization is completely immune from experiencing a cyberattack,
meaning that complying with cybersecurity standards and regulations is
paramount. It can be a determining factor in an organization's ability to
reach success, have smooth operations and maintain security practices.
Small or medium-sized businesses (SMBs) can be a major target because
they're considered low-hanging fruit. And in the United States, the
Cybersecurity and Infrastructure Security Agency (CISA) has identified 16
critical infrastructure sectors (CIS) that are the most important to protect
because a breach could have a debilitating effect on national security, the
economy, public health and safety, or more.
SMBs may not prioritize cybersecurity or cybersecurity compliance,
making it easier for hackers to exploit their vulnerabilities and execute
damaging, costly cyberattacks. According to a 2020 Cyber Readiness
Institute (CRI) survey, only 40% of SMBs implemented cybersecurity
policies in light of the remote work shift during the ongoing COVID-19
pandemic.
Often, data breaches can cause complex situations that can damage an
organization's reputation and financial standing. Legal proceedings and
disputes resulting from a breach are becoming increasingly common
across industries. For these reasons, compliance is a significant
component of any organization’s cybersecurity program.
Types of Data Subjected to Cybersecurity Compliance
Most cybersecurity and data protection laws revolve around sensitive
data, including three different types: personally identifiable information
(PII), financial information and protected health information (PHI).
Personally Identifiable Information (PII)
• Date of birth
• First/last names
• Address
• Social security number (SSN)
• Mother's maiden name
Financial Information
• Credit card numbers, expiration dates and card verification values (CVV)
• Bank account information
• Debit or credit card personal identification numbers (PINs)
• Credit history or credit ratings
Protected Health Information
• Medical history
• Insurance records
• Appointment history
• Prescription records
• Hospital admission records
Other types of sensitive information may also fall under these compliance
requirements and laws:
• Race
• Religion
• Marital status
• IP addresses
• Email addresses, usernames and passwords
• Biometric data (fingerprints, facial recognition and voice prints)
Benefits of Cybersecurity Compliance
Having proper cybersecurity compliance measures is beneficial to
organizations for several reasons:
• Protects their reputation
• Maintains customer or client trust
• Builds customer confidence and loyalty
• Helps identify, interpret and prepare for potential data breaches
• Improves an organization’s security posture
Many of these benefits can directly impact an organization's bottom line.
It's widely understood that a positive reputation, garnering customer
loyalty and confidence, and maintaining trust are critical factors that lead
to success.
Aside from these benefits, maintaining cybersecurity compliance can
improve an organization's security posture and protect intellectual
property (IP) like trade secrets, product specifications and software code.
All of this information can help give an organization a competitive
advantage.
How to Start a Cybersecurity Compliance Program
If you've gotten this far, you may be wondering how to start a
cybersecurity compliance program within your organization. It may seem
like a daunting task because there is no one-size-fits-all approach.
However, following the five steps below can help you start developing
your compliance program to reap the benefits and meet regulatory
compliance requirements. The compliance team and risk management
process and policies are all part of this.
1. Creating a Compliance Team
Your organization's IT team is the primary force for cybersecurity
compliance. Forming a compliance team is necessary when implementing
a thorough compliance program.
While IT teams typically handle most cybersecurity processes, general
cybersecurity does not exist in a vacuum. In other words, all departments
within an organization need to work together to maintain a good
cybersecurity posture and help with compliance measures.
2. Setting Up a Risk Analysis Process
Although naming conventions will vary by compliance program, there are
four basic steps in the risk analysis process:
1. Identify: Any information systems, assets or networks that access
data must be identified.
2. Assess: Review data and assess the risk level of each type. Rate
the risk of all locations that data will pass through in its lifecycle.
3. Analyze: Use this analysis formula to determine risk: Likelihood of
Breach x Impact or Cost
4. Set Tolerance: Decide to mitigate, transfer, refute or accept any
determined risks.
3. Setting Controls: How to Mitigate or Transfer Risk
The next step would be to set up security controls that mitigate or
transfer cybersecurity risks. A cybersecurity control is a mechanism to
prevent, detect and mitigate cyberattacks and threats. The controls can
be technical controls, such as passwords and access control lists, or
physical controls, such as surveillance cameras and fences.
These controls can also be:
• Encryption
• Network firewalls
• Password policies
• Cyber insurance
• Employee training
• Incident response plan
• Access control
• Patch management schedule
Demand for these controls is high, meaning plenty of cybersecurity
solutions are available that can help you with this step. For an example of
security and privacy controls, visit the NIST 800-53 Risk Management
Framework and go to Section 2.4 Security and Privacy Controls.
4. Creating Policies
Now that controls are in place, you must document any policies regarding
these controls or guidelines that IT teams, employees and other
stakeholders need to follow. Forming these policies will also come in
handy for any internal or external audits in the future.
5. Monitoring and Quick Response
It's crucial to continuously monitor your compliance program as
regulations emerge or existing policies are updated. The goal of a
compliance program is to identify and manage risks and catch
cyberthreats before they turn into a full-blown data breach. It’s also
important to have business processes in place that allow you to
remediate quickly when attacks happen.
Major Cybersecurity Regulations
It's important to understand what major cybersecurity regulations exist
and to identify the correct cybersecurity regulation needed for your
industry. Below are some common regulations that impact cybersecurity
and data professionals alike. These help your organization remain
compliant, depending on your industry and the locations where you do
business.
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) is a set of
regulatory standards that ensures all organizations maintain a secure
environment for credit card information. To be compliant, an organization's
compliance must be validated annually.
All requirements that have been set forth to protect cardholder data
pertain to these six principles:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
HIPAA
The Health Insurance Portability and Accountability Act, commonly known
as HIPAA, is a law that ensures the confidentiality, availability and
integrity of PHI.
HIPAA is often applied in healthcare settings, including:
• Health care providers
• Health care clearinghouses
• Health care plans
• Business professionals that frequently handle PHI
The entities listed above must comply with HIPAA and are bound to the
privacy standards it sets forth.
SOC 2
System and Organization Control 2 (SOC 2) establishes guidelines for
managing customer records based on five trust service principles:
• Safety
• Availability
• Processing integrity
• Secrecy
• Privacy
SOC 2 reports are specific to the organization that develops them, and
each organization designs its own controls to adhere to one or two of the
trust principles. While SOC 2 compliance isn't required, it plays an
important role in securing data for software as a service (SaaS) and cloud
computing vendors.
NYDFS Cybersecurity Regulation
This regulation (23 NYCRR 500) was set forth by the New York
Department of Financial Services (NYDFS) in 2017. It establishes
cybersecurity requirements for any financial services providers that may
or may not reside in NY.
Some basic principles outlined in this regulation are risk assessments,
documentation of cybersecurity policies and assigning a chief information
officer (CIO) for compliance program management.
GDPR
GDPR stands for General Data Protection Regulation and was enacted by
the European Union (EU) in 2018. The GDPR includes set standards for
organizations that collect data or target individuals in the EU, even if the
organization is located outside the EU or its member states.
The seven principles in the GDPR include:
• Lawfulness
• Accuracy
• Data minimization
• Fairness and transparency
• Purpose limitation
• Storage limitation
• Integrity, confidentiality and security
• Accountability
FERPA
The Federal Educational Rights and Privacy Act (FERPA) is a U.S. federal
law that ensures students' educational records are protected and private.
FERPA applies to all educational institutions that receive funding from the
U.S. Department of Education (DOE). Students above the age of 18,
parents or students attending college, trade school or university are
granted specific rights and protections regarding their educational
records.
NIST
The National Institute of Standards and Technology (NIST) aims to
promote innovation, industry competitiveness and quality of life with the
advancements of standards and technology.
The NIST 800-53 Risk Management Framework is a list of guidelines to
support and manage information security systems. Although the
framework was originally used for U.S. defense and contractors, NIST has
been implemented by enterprises worldwide.
The NIST 800-161 Supply Chain Risk Management provides standards on
assessing and reducing information and communications technology
supply chain risks.
CCPA
The California Consumer Privacy Act (CCPA) is a piece of legislation in
California that gives consumers more control over the data that
organizations collect about them. The CCPA applies to many organizations
and requires them to disclose their data privacy practices to consumers.
Some other CCPA requirements include the right to know, opt-out of sale,
delete, non-discrimination and more.
CMMC
CMMC stands for Cybersecurity Maturity Model Certification and requires
some organizations to implement stringent cybersecurity measures to
safeguard sensitive information. It applies to any organization that
handles controlled unclassified information (CUI), meaning that some
organizations are not held to this standard.
Under the CMMC, organizations must receive an audit from a certified
third-party assessor organization (C3PAO) to verify compliance and
determine if the organization satisfies the minimum requirements to bid
on any U.S. Department of Defense (DoD) contracts.
There are other compliance regulations that your organization may need
to know. For example, the Federal Information Security Management Act
(FISMA) protects critical government information and operations. It's
always worth running a compliance audit or contacting a cybersecurity
professional or licensed attorney to double-check requirements.
Compliance Assessment Checklist
A checklist for compliance helps assess whether an organization meets the
requirements of a given regulation. Because every organization has to
approach compliance differently, many online sources of information and
guidance can help you.
Here are some helpful resources:
• The PCI DSS (Payment Card Industry Data Security Standard) is administered by the Payment Card Industry Security Standards Council (PCI SSC)
• The SOC 2 from the American Institute of CPAs (AICPA)
• NIST information, special publications and frequently asked questions (FAQ) page
• Cybersecurity and Infrastructure Security Agency (CISA) website
• International standards like the ISO 27001
Thankfully, there are many resources at your disposal to help you create
a compliance checklist for your organization. Be sure to assess which
compliance regulations your organization must meet and check them off
one-by-one to ensure you’re complying with them.
Make Cybersecurity Compliance a Priority
With cyberattacks on the rise and more cybersecurity and data protection
legislation emerging, now is the time to learn more about cybersecurity
compliance. No organization wants to put itself or its customers at risk of
data breaches in a threatening cybersecurity environment.
Hopefully, you know more about cybersecurity compliance and how
certain compliance standards impact your organization. Whether you
need to meet HIPAA, SOC 2 or PCI DSS requirements, there are plenty of
cybersecurity solutions that can help you get there and stay compliant.

Copyright © CompTIA, Inc. All Rights Reserved


