As technology continues to advance, consumers around the world can buy goods from anywhere, all from the comfort of their homes. A McKinsey survey found that 46% of consumers make online purchases weekly, and 53% of respondents prefer organizations known for safeguarding customer data. But how can an ordinary person tell whether an organization is actually protecting their data? One widely used answer is compliance with, and certification against, recognized information security frameworks.
A compliance framework provides a set of rules and guidelines that organizations follow to strengthen their information security posture. Information security frameworks are of two types: regulations and standards. In this article, we cover some of the most widely used ones.
What is an information security framework?
Information security frameworks are documented policies, procedures and controls implemented to manage risk and reduce the exposure of information to compromise. A framework defines the specific tasks an organization must perform to secure its information. Frameworks also give auditors a recognized yardstick, which helps an organization pass compliance audits and obtain certification.
Some frameworks are location-specific, and some are industry-specific. Organizations can also have their own security frameworks. Different information security frameworks often overlap as their goals are similar.
What is the difference between regulations and standards?
Information security frameworks are either regulations or standards, as discussed earlier. The difference is who sets them and how they are enforced: regulations are written into law by governments, apply to every organization within their scope, and carry legal penalties for non-compliance; standards are published by industry and standards bodies, are voluntary unless a contract or a regulator requires them, and are usually verified by an external audit or attestation. Several of each are described below.
General Data Protection Regulation (GDPR)
If you collect, process, transfer or store the personal data of people located in the European Union or the wider European Economic Area (EEA), you must comply with the GDPR, regardless of where your organization is based. The GDPR is the central piece of European privacy law and is considered one of the strictest privacy laws in the world.
The GDPR does not prescribe specific technical controls. Instead, Article 32 requires controllers and processors to implement "appropriate technical and organisational measures" proportionate to the risk, naming pseudonymisation and encryption as examples, and to protect personal data against unauthorized access or disclosure, whether at rest or in transit. In practice, organizations meet this with controls such as least privilege, role-based access, multifactor authentication and encryption of data in transit and at rest, and they must be able to show a supervisory authority why the chosen measures are adequate for the risk.
The GDPR is a regulation, so organizations that fail to meet its requirements face legal action and financial penalties: administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a United States federal law, passed in 1996, that required the creation of national standards to protect patients' protected health information (PHI) from being disclosed without their consent or knowledge.
Data subjects are the individuals whose information is processed, and they have the right to access it: covered entities must provide an individual's PHI within 30 days of a request (one 30-day extension is permitted). Covered entities include health plans (such as employer-sponsored plans and health insurers), healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with certain standard transactions. Business associates that handle PHI on behalf of a covered entity are also bound by the rules.
The Privacy Rule also permits disclosure of PHI without the patient's authorization where another law requires it, for example reporting suspected child abuse or neglect to a state child welfare agency.
HIPAA violations are grouped into four tiers based on the level of culpability, and these tiers determine the penalty range:
Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided had a reasonable amount of care been taken to abide by HIPAA Rules
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
Tier 3: A violation suffered as a direct result of "willful neglect" of HIPAA Rules in cases where an attempt has been made to correct the violation within 30 days
Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days
California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
The CCPA is a California state statute that enhances the privacy rights of California residents. The law gives residents the right to:
- Know what personal information is collected about them
- Know whether their personal information is sold or disclosed, and to whom
- Opt out of the sale of their personal information
- Access their personal information
- Request that a business delete personal information it has previously collected
- Not be discriminated against for exercising their privacy rights
The CCPA applies to for-profit businesses that do business in California and meet any one of the following thresholds:
- Annual gross revenue above $25 million
- Buy, sell or share the personal information of 100,000 or more consumers or households (the original CCPA threshold was 50,000; the CPRA raised it)
- Derive 50% or more of annual revenue from selling or sharing consumers' personal information
Violations are enforced by the California Attorney General and the California Privacy Protection Agency, with administrative fines of up to $2,500 per violation and up to $7,500 per intentional violation or violation involving a minor's data; consumers also have a private right of action for certain data breaches.
The CPRA amended and extended the CCPA to strengthen residents' rights (for example, the right to correct inaccurate information and limits on the use of sensitive personal information) and created the California Privacy Protection Agency. It became fully effective on January 1, 2023, with enforcement beginning July 1, 2023, and applies to personal information collected on or after January 1, 2022.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is maintained by the PCI Security Standards Council (PCI SSC), which was established on September 7, 2006, by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. to manage the standard's development. Compliance is enforced not by the PCI SSC itself but by the card brands and the acquiring banks through their merchant agreements.
Merchants that accept card payments store, process or transmit cardholder data. PCI DSS sets the minimum security requirements such merchants and their service providers must meet, and it is applied worldwide.
Validation is performed annually, with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) in addition, and the form of validation depends on the merchant's transaction volume (its merchant level) as defined by each card brand. There are three ways an assessment can be performed:
- Self-assessment questionnaire (SAQ), completed by the merchant itself
- Assessment by the firm's own internal security assessor (ISA), trained and qualified by the PCI SSC
- Assessment by an external qualified security assessor (QSA), which produces a Report on Compliance (ROC)
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 series
ISO/IEC 27001 is the international standard for information security management, and ISO/IEC 27002 is the supporting standard that gives implementation guidance for the controls it references. The standard applies to organizations of all types and sizes.
ISO/IEC 27001 sets out requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). A well-run ISMS also simplifies audit and compliance work for other frameworks. ISO itself does not certify organizations; accredited certification bodies perform the audits and issue the certificates.
The ISO/IEC 27000 series comprises dozens of related standards covering a wide range of information security topics, such as:
- ISO/IEC 27005 – Information technology – Security techniques – Information security risk management
- ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27033 – Information technology – Security techniques – Network security
- ISO/IEC 27036 – Information technology – Security techniques – Information security for supplier relationships
- ISO/IEC 27040 – Information technology – Security techniques – Storage security
- ISO/IEC 27050 – Information technology – Security techniques – Electronic discovery
System and Organization Controls 2 (SOC 2)
SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA). It defines criteria for managing customer data based on five Trust Services Criteria (formerly called trust service principles): security, availability, processing integrity, confidentiality and privacy. Security must be included in every SOC 2 report; the other four are selected according to the service the organization provides.
Unlike ISO 27001, SOC 2 does not result in a certificate. It produces an attestation report issued by a licensed CPA firm after examining whether the organization's controls meet the selected criteria. There are two types of SOC 2 reports:
- Type I – evaluates the organization’s information security controls at a single point in time
- Type II – evaluates the effectiveness of the organization’s information security controls over a period of time
Organizations can choose either type according to their requirements; customers usually ask for a Type II report because it shows the controls operating over time rather than on a single day.
Center for Internet Security (CIS) Controls
The CIS Controls were formerly known as the SANS Critical Security Controls (SANS Top 20). Version 8 consolidated them into 18 controls:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
NIST SP 800-53
NIST publishes a large library of computer security guidance, and its Special Publication (SP) 800 series is the part most often referenced by compliance frameworks.
NIST SP 800-53 is a catalog of security and privacy controls, organized into families such as access control, audit and accountability, and incident response, from which an organization selects a baseline matching the impact level of its systems. It is mandatory for U.S. federal information systems under FISMA, and it is also widely adopted by non-federal organizations that want a comprehensive, ready-made control set rather than building their own from scratch. It covers the majority of the risks organizations face.
Compliance is required for federal information systems and agencies and for the contractors and departments that operate systems on the government's behalf. It protects federal information and also ensures that the vendors the government deals with adhere to a defined security standard.
NIST SP 800-171
NIST SP 800-171 applies to non-federal organizations that store, process or transmit federal information. This includes contractors for the Department of Defense, universities and research institutions that receive federal grants, and organizations that provide services to government agencies.
It defines the security requirements such organizations must meet to protect controlled unclassified information (CUI), that is, federal information that is sensitive but not classified.
Although NIST SP 800-171 is not itself a regulation, it becomes mandatory through contract: for example, DFARS clause 252.204-7012 requires Department of Defense contractors that handle covered defense information to implement it. Organizations conduct self-assessments against its requirements to determine and maintain compliance.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines for assessing and managing an organization's cybersecurity risk. It is used widely around the world by private organizations and several governments and has been translated into many languages. One limiting factor for implementing it is the significant investment required.
The framework is divided into three parts, namely:
- Core: a set of cybersecurity functions, categories and subcategories of activities and outcomes, with informative references to other standards
- Profile: the outcomes an organization has selected from the categories and subcategories, based on its own needs and risk assessments
- Tiers: a description of how the organization views its cybersecurity risk and how rigorous and repeatable its risk management approach is
The Core groups cybersecurity activities into functions: Identify, Protect, Detect, Respond and Recover (CSF version 2.0, released in February 2024, adds a sixth function, Govern).
The list of regulations and standards could go on and on; this is a beginner's guide, so we have covered only some of the best-known ones. The purpose of compliance standards is to give organizations an outline for better information security. Compliance alone is not the same as security, however, so in addition to meeting external requirements organizations must maintain their own in-house information security policy to strengthen their security posture.
Information security frameworks help prove to stakeholders that you are doing your part to protect their data from unauthorized access. Visit Scrut Automation to learn more about compliance regulations and how to follow them.
The two types of information security compliance frameworks are regulations and standards.
Regulations are rules with the force of law, issued by governments, that organizations within their scope must follow to protect the information they hold; non-compliance carries legal and financial penalties.
Standards are sets of requirements and recommended practices published by industry bodies and standards organizations; they are voluntary unless a contract or regulator requires them, and organizations that adopt them usually demonstrate compliance through an external audit or attestation.