Operationalization of Compliance Part 1
There is no other way to say it: compliance is here to stay. It used to apply only to select industries and organizations, but new frameworks, regulations, and standards are being developed continuously, and now Congress is debating federally mandated standards. Sadly, 535 lawyers, 10,000 lobbyists, and hundreds of paid IT theorists do not equal one experienced cybersecurity expert, which means it is going to be messy. If you need an example, look no further than the first versions of CCPA or GDPR. The day is coming soon when everyone will have a compliance requirement to follow. It is a good idea to lay the proper foundation for compliance now, before it becomes a fire drill later with a tighter timeline.
The inescapable truth about compliance frameworks is that they all overlap at some point; they can sound overwhelming if you are not familiar with them, they add overhead to your KTLO (keep the lights on) and cybersecurity resources, and every one of them can create a 30 to 90 day fire drill when it is time for the auditor to be onsite or the assessment to begin. This is why RITC Cybersecurity continues to repeat this simple mantra: "Compliance is a by-product of good cybersecurity. However, being compliant does not mean you are secure." If you focus on security by implementing a cybersecurity framework such as NIST CSF 2.0 (800-171 or 800-53), CIS v8, or ISO 27001, you are about 85% of the way to being compliant with any framework; you just have to fill in the compliance-specific requirements, which generally have nothing to do with security.
A quick web search (Google if you prefer, though the author prefers DuckDuckGo, Safari, or Brave, since Ask Jeeves and Fletch are long gone) will bring up numerous lists of the top 10 compliance frameworks. A list of these top frameworks is provided below; more are emerging over time.
Top 10 Compliance Frameworks:
- AICPA SOC2 Type 1 and 2
  - AICPA: The American Institute of Certified Public Accountants is a professional organization that sets ethical standards, auditing guidelines, and best practices for CPAs in the U.S. It also provides certifications, education, and advocacy to support the accounting profession.
  - SOC2: A framework developed by the AICPA to assess a service organization's controls related to the security, availability, and privacy of customer data.
  - SOC2 Type 1: Evaluates the design and implementation of these controls at a specific point in time.
  - SOC2 Type 2: Assesses the effectiveness of these controls over a defined period (typically 3 to 12 months), providing a more in-depth review of ongoing compliance.
- CMMC/NIST
  - CMMC: The Cybersecurity Maturity Model Certification is a framework developed by the U.S. Department of Defense (DoD) to ensure contractors and subcontractors meet specific cybersecurity standards when handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It consists of three maturity levels, ranging from basic cyber hygiene to advanced security, and requires independent third-party assessments for compliance.
  - NIST: The National Institute of Standards and Technology is a U.S. government agency that develops standards, guidelines, and best practices to enhance security and innovation across industries. In cybersecurity, NIST is best known for frameworks such as the NIST Cybersecurity Framework (CSF) and the NIST Special Publication (SP) 800 series, which provide guidelines for risk management, information security, and compliance.
- HIPAA
  - The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law enacted in 1996 to protect the privacy, security, and integrity of individuals' health information. It establishes rules for healthcare providers, insurers, and their business associates to safeguard Protected Health Information (PHI) through administrative, physical, and technical safeguards. Non-compliance can result in significant legal and financial penalties.
- HITRUST
  - The Health Information Trust Alliance maintains a comprehensive cybersecurity and compliance framework designed to help organizations manage risk, security, and regulatory compliance, particularly in healthcare. The HITRUST Common Security Framework (CSF) integrates multiple standards, including HIPAA, NIST, ISO, and GDPR, providing a certifiable approach to data protection and risk management.
- ISO
  - The International Organization for Standardization is a global, independent organization that develops and publishes international standards across various industries, including information security, quality management, and risk management.
- PCI-DSS
  - The Payment Card Industry Data Security Standard (PCI-DSS) is a security framework that ensures organizations securely process, store, and transmit credit card data to protect against fraud and breaches.
- CCPA
  - The California Consumer Privacy Act is a data privacy law that grants California residents rights over their personal information, including the right to access, delete, and opt out of the sale of their data, while requiring businesses to implement transparency and security measures.
- SEC/FINRA
  - SEC: The Securities and Exchange Commission is a U.S. government agency that regulates the securities markets to protect investors, maintain fair and efficient markets, and facilitate capital formation.
  - FINRA: The Financial Industry Regulatory Authority is a self-regulatory organization overseeing broker-dealers in the U.S., ensuring compliance with securities laws and ethical standards to protect investors and maintain market integrity.
- SOX
  - The Sarbanes-Oxley Act is a U.S. federal law enacted in 2002 to enhance corporate financial transparency and accountability, requiring public companies to implement internal controls and undergo independent audits to prevent fraud and protect investors.
- FedRAMP
  - The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government framework that standardizes security assessments, authorization, and continuous monitoring for cloud service providers (CSPs), ensuring they meet stringent cybersecurity requirements before being used by federal agencies.
Honorable mention
- Almost every state has specific data retention requirements for medical records that often provide additional requirements over and above HIPAA.
- ITAR
- States are starting to adopt their own "RAMP" compliance programs similar to FedRAMP (see FedRAMP above)
- FISMA
- CSA Trusted Cloud Architecture Architectural Standard
- CDSA
- NISTIR 7756 CAESARS
- NCUA
- KYC – (Know Your Customer)
- BSA/AML
- The list keeps going, and there is more to come…
Scope
Compliance affects every business unit, including human resources, sales, accounting, engineering, development, and operations teams, as well as any application that is subject to or supports the compliance framework. All three of the compliance frameworks we will discuss in this series (SOC2 Type 1 and 2, HIPAA, and PCI-DSS) affect the company as a whole. For example, many believe that a SOC2 Type 1 or Type 2 is an IT audit. It is not; it is an audit of the company and how it addresses risk. The SOC2 looks at everything from HR to Legal to Sales to Finance to IT, so IT will not be the only group required to participate in the audit; everyone else will be too. HIPAA, for example, has administrative, physical, and technical controls, so it involves not only IT but also HR, Legal, medical staff, claims data processing, and finance; the entire company is affected. Even PCI, with its stringent technical requirements, will affect other parts of your business. The simple fact remains, though, that the most affected resources will be the security and operations teams, as they will be responsible for most of the work of achieving and maintaining compliance.
While compliance of varying flavors is becoming part of everyday cybersecurity life, there is good news: there is a way to simplify compliance, regardless of the type, without buying expensive tools to do it. You can simplify compliance by operationalizing the compliance process, which is especially beneficial if you have requirements from multiple compliance frameworks. RITC Cybersecurity can show you how to maximize your compliance ROI and use your in-house resources efficiently. This series of blog posts will explore different compliance frameworks and provide guidance on how to operationalize your compliance requirements and simplify your life.
Dive deeper into implementation! Check out the next blog in the series, Operationalization of Compliance Part 2, for actionable insights.