PSSecureMe

Home of Automated Compliance tools to quickly get configured to meet your requirements.

IT Compliance

What is it?

What is IT Compliance?
Regulatory compliance is the process of adhering to laws, regulations, guidelines, and specifications relevant to a business’ operations.
It involves making sure a business is operating within the bounds of the law and taking steps to ensure that the business is meeting all relevant regulatory requirements.

Why is regulatory compliance important?

Regulatory compliance is essential for protecting customers, employees, and assets by ensuring adherence to applicable laws, regulations, and industry standards.
It also helps organizations avoid the costly penalties, fines and reputational damage that occur when an organization fails to comply with the law.

What is PSSecureMe's role in all of this?

In most companies, IT is generally the owner of anything technical, so all required implementations, monitoring, security configuration, standards, policies, and procedures fall under IT. PSSecureMe has automated the security and standard configurations required to pass these compliance audits, so they can be quickly applied to any system.

What are some of the IT Compliance standards companies have to adhere to?

There are many, but the more common ones are:
HIPAA - Health Insurance Portability and Accountability Act - health care
PCI - PCI DSS, or Payment Card Industry Data Security Standard - required if you want to process card payments
Sarbanes-Oxley Act - US federal law enacted to improve the accuracy and reliability of financial reporting and corporate disclosures for public companies
GDPR - General Data Protection Regulation - a European Union law focused on protecting personal data and individual privacy rights

The IT security frameworks that fall under these standards are:

ISO 27000 series
The ISO 27000 series was developed by the International Organization for Standardization. It is a flexible information security framework that can be applied to all types and sizes of organizations.
The two primary standards -- ISO 27001 and 27002 -- establish the requirements and procedures for creating an information security management system (ISMS). Having an ISMS is an important audit and compliance activity. ISO 27000 consists of an overview and vocabulary and defines ISMS requirements. ISO 27002 specifies the code of practice for developing ISMS controls.

NIST SP 800-53
NIST has developed an extensive library of IT standards, many of which focus on information security. First published in 1990, the NIST SP 800 series addresses virtually every aspect of information security, with an increasing focus on cloud security.
NIST SP 800-53 is the information security benchmark for U.S. government agencies and is widely used in the private sector. SP 800-53 has helped spur the development of other information security frameworks, including the NIST Cybersecurity Framework.

NIST SP 800-171
NIST SP 800-171 has gained popularity due to requirements set by the U.S. Department of Defense regarding contractor compliance with security frameworks. Government contractors are a frequent target for cyber attacks due to their proximity to federal information systems. Government manufacturers and subcontractors must have an IT security framework to bid on federal and state business opportunities.

NIST CSF
NIST Framework for Improving Critical Infrastructure Cybersecurity, or NIST CSF, was developed under Executive Order 13636, released in February 2013. It was developed to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries must maintain a high level of preparedness, as they have all been targeted by nation-state actors due to their importance.

NIST SP 1800 series
The NIST SP 1800 series is a set of guides that complement the NIST SP 800 series of standards and frameworks. The SP 1800 series of publications offers information on how to implement and apply standards-based cybersecurity technologies in real-world applications.

COBIT
COBIT was developed in the mid-1990s by ISACA, an independent organization of IT governance professionals. ISACA offers the well-known Certified Information Systems Auditor and Certified Information Security Manager certifications.

CIS Controls
Center for Internet Security (CIS) Critical Security Controls, Version 8 -- formerly the SANS Top 20 -- lists technical security and operational controls that can be applied to any environment. It does not address risk analysis or risk management like NIST CSF; rather, it is solely focused on reducing risk and increasing resilience for technical infrastructures.

HITRUST Common Security Framework
HITRUST Common Security Framework (CSF) includes risk analysis and risk management frameworks, along with operational requirements. The framework has 14 different control categories and can be applied to almost any organization, including healthcare.

GDPR
GDPR, or the General Data Protection Regulation, is a framework of security requirements that global organizations must implement to protect the security and privacy of EU citizens' personal information. GDPR requirements include controls for restricting unauthorized access to stored data and access control measures, such as least privilege, role-based access and multifactor authentication.

COSO
COSO, short for the Committee of Sponsoring Organizations of the Treadway Commission, is a joint initiative of five professional associations that has published two complementary frameworks. Its Internal Control -- Integrated Framework, released in 1992 and updated in 2013, helps companies achieve a risk-based approach for internal controls. It covers the following five components:
Control environment.
Risk assessment.
Control activities.
Information and communication.
Monitoring activities.

FISMA
The Federal Information Security Modernization Act (FISMA), which aligns closely with the NIST Risk Management Framework, provides a security framework for protecting federal government data and systems. Introduced in 2002 and updated in 2014, FISMA was suggested for an update in 2023; legislation is pending.

DISA
Defense Information Systems Agency (DISA) guidance applies to U.S. Department of Defense (DoD) systems and networks, including those of contractors and federal agencies that connect to the DoD Information Network (DoDIN). DISA's Security Technical Implementation Guides (STIGs) outline specific security settings for configuring IT systems to minimize vulnerabilities.
