Cyber Security Compliance

Compliance to Cyber Security standards can be confusing. We can help you make sense of it for your organization.


Compliance, Cyber Standards, and Are You Affected?

Your company or organization might require cyber security measures that meet established federal, and in some cases state, standards. Getting in compliance can be difficult and resource intensive. The standards themselves are typically lengthy and difficult to interpret without familiarity with the protocols and procedures involved.

GDF has helped hundreds of organizations in many different industries and sectors earn and maintain compliance. We've assembled a resource below which divides up the more common and all-encompassing cyber security regulations by sector.

Healthcare

HIPAA - the Health Insurance Portability and Accountability Act

What it is:

HIPAA does several things that affect the US healthcare system, but its effect on cyber security is that the act encourages the adoption of Electronic Health Records (EHRs), also called Electronic Personal Health Information (ePHI). Both terms refer to the same thing: a portable, electronically stored, paperless version of a patient's health record. And, of course, any electronically stored data is automatically a cyber security issue.

Who it affects:

HIPAA affects any individual or organization dealing with EHRs: hospitals, doctor offices, insurance companies, or any company, even outside the healthcare field, that might have access to EHRs.

What is required for compliance:

HIPAA compliance requires:

  • Access control – facility and workstation/network user authentication, including user identification, data encryption, emergency procedures, etc.
  • Auditing and monitoring – all hardware, software and data usage procedures are monitored and checked.
  • Integrity assurance – mechanisms designed to authenticate Electronic Personal Health Information (ePHI).
  • Transmission security – data encryption and other safeguards which prevent the unauthorized access of ePHI when it is sent across the Internet.

Additionally, HIPAA compliance requires employee training, a security assessment, the development of a cyber security plan, and penetration testing.

Finance and Banking

SOX - the Sarbanes Oxley Act

What it is:

Implemented to prevent something like Enron from happening again, SOX requires companies to maintain financial records for seven years, and puts into place strict penalties for malfeasance, protections for whistleblowers, and controls on the access and storage of financial data.

Who it affects:

SOX affects public companies, company boards and management, and public accounting firms.

What is required for compliance:

Similar to HIPAA and NIST, SOX requires protections that limit access to data, both against internal tampering and against external unauthorized access. SOX also requires verification of data security by an independent outside audit.

GLBA - Gramm-Leach-Bliley Act

What it is:

GLBA requires companies that offer consumers financial products or services, like loans, financial or investment advice, or insurance, to secure the private information of clients and customers.

Who it affects:

GLBA can affect a lot of different companies, from banks to car dealers that arrange financing and credit, to ATM operators.

What is required for compliance:

Gramm-Leach-Bliley requires organizations to develop and implement a security plan appropriate to the size and scope of the organization. Particulars of meeting GLBA include:

  • Designation of one or more employees to coordinate the information security program
  • Background checks of employees
  • Access controls, including controls for workers who telecommute
  • Controls concerning the destruction of data and data storage devices

Federal and Department of Defense

FISMA - Federal Information Security Management Act

What it is:

FISMA treats information security as a matter of national security, and mandates that all federal agencies develop methods of protecting their data and information systems.

Who it affects:

FISMA originally affected all Federal agencies, but its scope has expanded to include state agencies that manage Federal programs (think Medicare and Medicaid, unemployment insurance, etc.), as well as private companies contracted to work with federal agencies.

What is required for compliance:

FISMA compliance is based on NIST, in particular NIST 800-53. Briefly, FISMA requires:

  • Information System Inventory: All agencies must maintain an inventory of all systems and integrations in use.
  • Risk Assessment and Categorization: Agencies must evaluate and categorize their risks and security requirements. This categorization sets the level of security to which the agency must adhere, and the agency is then responsible for maintaining that level of security.
  • System Security Plan: An agency must have a comprehensive security plan in place, and a mechanism for reviewing and regularly updating the plan to maintain the required security category.
  • Security Controls: An agency has to conform to twenty security controls as defined by NIST 800-53.
  • Risk Assessments: An agency is required to perform a three-tiered risk assessment whenever the agency makes any changes to their systems. The assessment is governed by NIST SP 800-37.
  • Certification and Accreditation: An agency must perform security reviews on a yearly basis. To maintain FISMA compliance, the review must make clear the agency has a well maintained and monitored information security system in place.

Falling under FISMA is FedRAMP, which stands for The Federal Risk and Authorization Management Program. FedRAMP covers how FISMA is applied to cloud computing services. FedRAMP provides authorized cloud service providers, as well as third party assessment organizations, which can certify an agency is FedRAMP compliant.

DFARS - Defense Federal Acquisition Regulation Supplement

What it is:

DFARS is a set of security standards that apply to something called Controlled Unclassified Information (CUI). CUI is information that isn't classified as secret, but is still important enough that it should be kept out of public view.

Who it affects:

DFARS applies to businesses in the supply chain of a Department of Defense contract. This can range from a company such as Boeing down to a company supplying a Boeing subcontractor with screws. DFARS is basically NIST Special Publication 800-171.

What is required for compliance:

Up until the fall of 2019, getting DFARS compliance was a lengthy process based around an intense self-study by the organization seeking DFARS certification. However, the DoD has released CMMC, the Cybersecurity Maturity Model Certification, which becomes fully effective in the fall of 2020.

CMMC defines five levels of security, ranging from Level 1, Basic Cyber Hygiene, up to Level 5. The level of security is based on the number of controls from NIST 800-171 a company has implemented. Level 1 requires seventeen controls, Level 2 requires 46 controls, etc.

CMMC also requires that a company hire an outside auditing agency to certify compliance, in a manner similar to what is required by ISO.

Education

FERPA - Family Educational Rights and Privacy Act

What it is:

FERPA has sections in it which establish controls for protecting a student's education record.

Who it affects:

The act affects all post-secondary institutions: universities, colleges, technical and vocational schools, academies, seminaries, etc.

What is required for compliance:

FERPA has similar controls to HIPAA and many other rights and privacy regulations. Of particular note are FERPA's guidelines for best practices when dealing with the destruction of data.

Commerce

PCI-DSS - Payment Card Industry Data Security Standard

What it is:

PCI-DSS is a regulation aimed at protecting consumer credit card information from fraud, theft, etc.

Who it affects:

If a company handles credit cards, online or otherwise, it is subject to PCI regulations.

What is required for compliance:

PCI-DSS has twelve clear-cut requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data on a need-to-know basis
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

GDF's Compliance Expertise

GDF regularly helps clients with implementing security plans, securing compliance, performing audits and penetration testing, and making sure all aspects of your business or organization meet mandated requirements. Contact us now for answers to your questions.
