What Is Regulatory Compliance?

Regulatory compliance for organizations is the ongoing process of adhering to relevant state, federal, and international laws, security frameworks, and industry mandates. Companies must demonstrate compliance not only to the requirements that govern their specific sector, but also to regulatory standards that apply across industries.

Much of today's regulatory compliance landscape stems from the 1990s and early 2000s, when a number of notable scandals, data breaches, and fraud prevention efforts forced major changes in the way companies operate, from how sensitive health information is protected across healthcare organizations to how companies are required to report on internal accounting controls to the Securities and Exchange Commission (SEC). Over the years, regulatory requirements and industry mandates have intensified, and additional legislation has gone into effect across various industries.


Here we will examine broad-reaching regulatory compliance and also explore specific regulations across various industries.

What Is Sarbanes-Oxley (SOX) Compliance?

During the late 1990s and early 2000s, major financial fraud was uncovered in a number of large public corporations, most notably the Enron scandal. In response, the landmark passage of the Sarbanes-Oxley (SOX) Act of 2002 led to broad oversight, requiring all publicly traded companies and some privately held companies to create and report on their internal accounting controls to the SEC.

To comply with the law, companies must disclose their financial practices and have controls in place to ensure the accuracy and legality of their finances and financial reporting. They must also submit reports for evaluation to an independent, third-party auditor. In general, the Sarbanes-Oxley Act requires publicly traded companies to be more financially accountable and holds top executives responsible for the accuracy of financial data.


Read the SOX Compliance Checklist >


SOX Auditing and Reporting

Complying with Sarbanes-Oxley (SOX) is challenging—unless you have a simple way to document and report on internal controls. From the perspective of most IT security officers, SOX requires evidence that financial applications and supporting systems and services are adequately secured.

Sections 302 and 404 of SOX require companies to provide an annual report on internal controls and procedures for financial reporting and to assess the effectiveness of those controls and procedures, with the assessment confirmed by an external auditor. This places a tremendous burden of documentation and process improvement on cybersecurity staff and CIOs.

SOX auditors are looking for proof that the configuration of systems, and the use of financial applications and financial data on those systems, match the organization’s security policy. Most IT departments now use the SEC-approved Control Objectives for Information Technologies (COBIT) or ISO 27002 frameworks to define their security policy.

Section 302 requires quarterly audits comparing system configuration to policy, logs of security events and user activity, and verification of proper user profile management. Any exceptions to an organization’s security policy should be corrected or documented with an explanation for accepting the risk.


What Are Important Regulations by Industry?

Nearly every industry today has regulatory requirements and security mandates that organizations in that sector must comply with. In this section, we will examine major regulations for the healthcare, financial services, retail, government, utilities and energy, and higher education sectors.

Healthcare: HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) was initially passed in 1996 to enhance and improve the portability of health coverage and insurance for individuals between jobs. The legislation also required healthcare organizations to secure patient data, prevent fraud, and limit waste.

Since its introduction, HIPAA has been extended with new rules and standards that expand protections for personal health information, known as Protected Health Information, or PHI. The HIPAA Security and Privacy Rules were added between 2003 and 2005 to guide how PHI should be disclosed and how electronic protected health information (ePHI) should be stored and managed.

Read What Compliance Means to a Healthcare CISO >

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted, mandating ‘the meaningful use of electronic health records (EHRs) throughout the United States healthcare delivery system as a critical national goal,’ according to the CDC. With monetary incentives to adopt EHRs, healthcare organizations have spent the last 10 years capturing patient data electronically, providing patients with electronic health information, increasing health information exchange between providers, and reporting on their participation.

The threat of federal fines from data breaches and the potential for civil actions at the state level have added to the complexity healthcare providers encounter in driving digital adoption across their organizations. According to a survey of top healthcare executives reported in Becker’s Hospital Review, adopting and promoting the digital healthcare organization is one of the top five challenges healthcare organizations face today. Since many organizations have now implemented EHR systems, it is critical that they actively evaluate user access to the sensitive information contained in these electronic systems.

HIPAA Auditing and Reporting

With a series of high-profile data breaches in the healthcare industry, healthcare organizations are under tremendous scrutiny to protect sensitive health information. Today’s IT networks and the volume of electronic records stored by healthcare organizations are also larger and more complex than what existed when the Health Insurance Portability and Accountability Act (HIPAA) was first enacted 20 years ago.

To pass a HIPAA audit, you need to stay on top of the latest requirements and produce the reports your auditor needs. This involves collecting information related to:

  • Data access controls
  • Methods of monitoring activity related to electronic personal health information (ePHI)
  • Integrity monitoring
  • Authentication
  • Transmission security

Without tools to increase accuracy and efficiency, HIPAA reporting can become a burden that consumes security teams. Since compliance is strictly enforced, with penalties including substantial fines and, in rare cases, even prison sentences, finding an effective way to meet these challenges is imperative.
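The SOX Section 302 paragraph above (comparing system configuration to policy, logging security events and user activity, verifying user profile management, and documenting accepted exceptions) and the HIPAA evidence list (access controls, activity monitoring, authentication, transmission security) describe the same kind of audit check. The script below is an added illustration of that check, not code from the original page or from any vendor's product. The policy control identifiers (AC-1, AU-2, and so on), the host configurations, the user export and the risk-acceptance register are all constructed for the example; in practice an auditor would pull them from configuration management, identity and GRC systems.

```python
"""Policy-versus-configuration audit check with documented exceptions.

Constructed example: every baseline value, host setting, user record and
accepted exception below is made up for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical security policy baseline: control id -> (setting, required value).
# Numeric values are minimums; version strings are compared numerically.
POLICY = {
    "AC-1": ("mfa_for_admin_access", True),      # MFA for non-console admin access
    "AU-1": ("audit_logging_enabled", True),     # security events and user activity logged
    "AU-2": ("log_retention_days", 365),         # minimum retention of those logs
    "SC-1": ("tls_min_version", "1.2"),          # transmission security floor
}

# Constructed host configurations, as an inventory tool might export them.
HOSTS = {
    "fin-app-01": {"mfa_for_admin_access": True, "audit_logging_enabled": True,
                   "log_retention_days": 400, "tls_min_version": "1.2"},
    "fin-db-02":  {"mfa_for_admin_access": False, "audit_logging_enabled": True,
                   "log_retention_days": 90, "tls_min_version": "1.0"},
}

# Constructed user export for the user-profile-management check.
USERS = [
    {"name": "alice", "last_login": date(2020, 3, 2), "terminated": False},
    {"name": "bob",   "last_login": date(2019, 6, 1), "terminated": True},
    {"name": "carol", "last_login": date(2019, 9, 9), "terminated": False},
]

# Constructed risk-acceptance register: (host, control) -> written justification.
ACCEPTED_EXCEPTIONS = {
    ("fin-db-02", "AU-2"): "logs forwarded to SIEM with 1-year retention; approved 2020-01-15",
}


@dataclass
class Finding:
    subject: str        # host name or user name
    control: str        # policy control id
    detail: str
    status: str = "open"  # "open" or "accepted"


def meets(required, actual):
    """Return True when the observed setting satisfies the policy requirement."""
    if isinstance(required, bool):          # bool first: bool is a subclass of int
        return actual is required
    if isinstance(required, (int, float)):  # numeric policy values are minimums
        return actual is not None and actual >= required
    if isinstance(required, str) and all(p.isdigit() for p in required.split(".")):
        # dotted version strings: compare as integer tuples, not lexically
        return tuple(map(int, str(actual).split("."))) >= tuple(map(int, required.split(".")))
    return actual == required


def check_host(host, config, policy=POLICY, exceptions=ACCEPTED_EXCEPTIONS):
    """Compare one host's configuration to the policy baseline."""
    findings = []
    for control, (setting, required) in policy.items():
        actual = config.get(setting)
        if meets(required, actual):
            continue
        detail = f"{setting}={actual!r}, policy requires {required!r}"
        status = "open"
        if (host, control) in exceptions:   # deviation is documented and risk-accepted
            status = "accepted"
            detail += f"; accepted: {exceptions[(host, control)]}"
        findings.append(Finding(host, control, detail, status))
    return findings


def check_users(users, as_of, max_idle_days=90):
    """Flag terminated users with live accounts and accounts idle past the limit."""
    findings = []
    for u in users:
        idle = (as_of - u["last_login"]).days
        if u["terminated"]:
            findings.append(Finding(u["name"], "AC-2", "terminated user still has an active account"))
        elif idle > max_idle_days:
            findings.append(Finding(u["name"], "AC-2", f"no login for {idle} days"))
    return findings


def audit_report(hosts=HOSTS, users=USERS, as_of=date(2020, 3, 31)):
    """Run all checks and split results into open findings and accepted exceptions."""
    findings = []
    for host, config in hosts.items():
        findings.extend(check_host(host, config))
    findings.extend(check_users(users, as_of))
    return {
        "open": [f for f in findings if f.status == "open"],
        "accepted": [f for f in findings if f.status == "accepted"],
    }


if __name__ == "__main__":
    report = audit_report()
    for status, items in report.items():
        print(f"== {status} ({len(items)}) ==")
        for f in items:
            print(f"{f.subject:12} {f.control:6} {f.detail}")
```

On the constructed data the report separates two configuration deviations on fin-db-02 (no MFA, TLS below the floor) and two account problems (a terminated user with a live account, an account idle for more than 90 days) from the one deviation that has a written risk acceptance. That split is what the auditor wants: every exception either fixed or explained, and nothing silently ignored. The version comparison is done on integer tuples so that "1.10" is correctly treated as newer than "1.2".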

Financial Services Regulatory Compliance & Other Security Frameworks

Over the last two decades, and particularly since the 2008 financial crisis, the financial services sector has seen increasing regulation aimed at protecting sensitive financial information. Early legislation in the form of the Sarbanes-Oxley Act (SOX) in 2002 introduced significant changes to the regulation of financial practices and corporate governance, while the Dodd-Frank Act of 2010 improved accountability and transparency across the financial system.

As payment fraud increased, the Payment Card Industry Data Security Standard (PCI-DSS) was established in late 2004, and its requirements have continued to intensify, with the current version, PCI-DSS 3.2.1, now mandating that organizations use multi-factor authentication for all non-console administrative access.

Mandates have increased in recent years, and additional legislation has gone into effect, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act of 2018 (CCPA), a consumer privacy law that took effect in early 2020.

The New York State Department of Financial Services (NYDFS) has also created a baseline of minimum requirements drawn from best practices at Tier 1 banks and financial institutions registered in the State of New York. The NYDFS requires all banks, credit unions, mortgage companies, insurance companies, and other financial institutions operating within New York to be registered or licensed by the DFS and to meet ongoing regulatory compliance requirements. This means any financial institution that does business in the state is subject to these new regulations—affecting more than 1,400 U.S. banks, 1,800 insurance companies, and 75,000 financial-related organizations.

Read How to Deal with Changing Financial Cybersecurity Regulations >

Financial Services Security Frameworks

In addition to regulatory compliance, there are other financial frameworks, including Basel III from 2009, which governs the capital ratios that banks must maintain, and the Current Expected Credit Losses (CECL) methodology from 2016, which introduced a new accounting standard across financial services organizations.

Although SWIFT is a commercial entity, its new standards require banks and financial houses to verify internally that they are compliant. If an organization’s installation is non-compliant, SWIFT reserves the right to withdraw services from that organization. Financial institutions have a limited time to remediate and fully certify their installations. Over time, these SWIFT requirements are expected to move toward external auditors certifying financial institution infrastructure, and to continue to intensify in their mandates.

While not exhaustive, these standards and frameworks show that compliance today is extremely complex for financial services organizations. They require financial services companies to collect information related to data access controls and to monitor activity related to financial information, authentication, and transmission security. This reinforces the need for financial services organizations to adopt more effective and efficient security controls and systems to meet these increasing regulatory demands.

Retail: PCI-DSS and PA-DSS Compliance

Data breaches in the retail industry happen less regularly than those in financial services or government, but when they do occur, they are often highly publicized and have significant costs associated with them. Typically, a retail data breach occurs when sensitive data or transaction information is stolen. This leads to considerable consumer distrust and reputational damage. Depending on the data that was exposed, retail organizations may be required to comply with breach notification laws—an expensive and time-consuming project that further hurts a retailer’s reputation. More important than the sheer volume of data that retail organizations process is the value of the data they manage. Securing sensitive information is the focus of the Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS).

Read the PCI-DSS & PA-DSS Compliance Checklist >


PCI-DSS

PCI-DSS was created to increase controls over cardholder data and reduce fraud. It helped uncover industry-wide shortcomings in data protection. Unlike other regulations, the PCI standard comes from private industry rather than government mandate, which may account for its severe penalties and stringent requirements.

PCI-DSS mandates how retail organizations store, process, and transmit cardholder data so that they maintain the level of payment security set by the PCI security standards. Attaining and maintaining PCI compliance requires retailers to demonstrate that they have the systems and processes in place to ensure customer data is securely handled at all times. The PCI standard currently consists of 12 main requirements and over 200 sub-requirements.

Read More on the Importance of PCI Compliance >

PA-DSS

PA-DSS, previously known as the Payment Application Best Practices (PABP), seeks to guide application developers and software companies that ‘develop payment applications that store, process or transmit cardholder data and/or sensitive authentication data.’ This includes applications that are ‘sold, distributed or licensed to third parties.’ PA-DSS is another checkpoint in complying with the overall PCI security and compliance standards, ensuring payment applications are tested and approved for use by the merchant or retail organization.

Federal Government: NIST Standards & Other Security Frameworks

Federal agencies are prime targets for attackers seeking to infiltrate their environments, steal valuable data, or leak sensitive or confidential information. With cyberattacks across the public sector on the rise, there are also countless regulations and security frameworks that governmental organizations must adhere to. Below are resources highlighted for a number of governing bodies, institutes, and security frameworks relevant to federal agencies.

While not exhaustive, this list of standards and frameworks reflects that compliance today is both complex and essential. Governmental organizations use these mandates to assess their own practices and establish standardized criteria, provide clear specifications, improve information security, encourage reciprocity between agencies, address gaps in their current operations, and develop plans to optimize their security posture.

But with so many unique regulations, standards, and revisions to keep track of, it is virtually impossible to manually oversee and manage compliance. And the increasing number of mandates that government agencies face today means there is also more auditing, compliance reviews, and reporting to be completed by each governmental organization than ever before. This reinforces the need for federal agencies to use more effective and efficient security controls and systems to meet these increasing regulatory demands.

Utilities and Energy: NERC Standards & Other Security Frameworks

Utility and energy companies, alongside standards organizations, are taking extensive measures to protect critical infrastructure devices, to safeguard supervisory control and data acquisition (SCADA) networks, and to ensure that critical application servers are insulated from potential threats. Organizations in these sectors are essential to national infrastructure, so they must be proactive in focusing on likely threats based on the combination of access risks, vulnerabilities, attack patterns, and known exploits.

This also means organizations in the Utilities and Energy sector are subject to a number of standards, regulations, and industry mandates, primarily through the North American Electric Reliability Corporation (NERC), a non-profit international regulatory body whose ‘mission it is to assure the effective and efficient reduction of risks to the reliability and security of the grid.’

NERC enforces nearly 100 standards across 10 different categories, known as the NERC Reliability Standards, and is authorized by the Federal Regulatory Commission (FERC) through the Federal Power Act. NERC also publishes the NERC CIP Standards, offering a framework for operators to protect critical national infrastructure. Version 5 of NERC CIP includes 14 specific standards, covering everything from cybersecurity to physical infrastructure security.

Higher Education: Higher Education Opportunity Act & Other Security Frameworks

Institutions in the higher education sector face a litany of complicated security challenges, primarily driven by the need to protect, support, and manage an expansive volume of digital assets and valuable personal information that are constantly vulnerable to attack. IT and security teams at colleges and universities are tasked with protecting intellectual property, sensitive personal information like academic, health, and financial data, and a wide range of academic and research pursuits. They must also uphold the mission of higher education to welcome and operate in an open learning environment for students, faculty, and the communities and regions they serve.

In addition to the tremendous amount of data, networks, and assets they support, higher education organizations are constantly targeted by threat actors who seek to gain access to devices and networks and to take advantage of an institution through phishing or other social engineering attacks.

Because institutions are so frequently attacked, regulatory compliance has also increased significantly for colleges and universities. Organizations in the higher education sector continue to see increased compliance requirements at the local, state, and national level. Here we examine notable higher education regulations, regulatory bodies, and financial standards that govern compliance in higher education.

Higher Education Opportunity Act

The Higher Education Opportunity Act (HEOA) of 2008 reauthorized the Higher Education Act of 1965 and introduced ‘many new reporting requirements for institutions, grant programs for colleges and students, and provisions designed to lower the cost of a college education.’ The updated law also sought to address ‘simplifying federal aid applications, developing campus safety plans, and rules regarding relationships between higher education institutions and student lenders.’ In short, this act established new reporting and disclosure requirements, particularly around student lending, with penalties or fines for colleges and universities that fail to comply, which could consequently affect their participation in Title IV financial aid programs.

FERPA

With an enormous amount of sensitive data to protect, institutions in higher education operate under strict compliance guidelines for how personal information is used, accessed, and stored. Regulations like the Family Educational Rights and Privacy Act (FERPA) apply to schools that receive funds from the U.S. Department of Education and seek to protect the privacy of student education records. Educational institutions must demonstrate their compliance with FERPA annually and safeguard personally identifiable information (PII), educational information, and directory information.

HECA

Given the complexity of the regulations and mandates that higher education institutions must comply with, organizations like the Higher Education Compliance Alliance (HECA) provide centralized content and information to help institutions with federal laws and regulations. Increasing regulatory compliance and demands on security teams can strain their ability to keep up with not only cyberattacks but also obligations to auditors at each level of government, so HECA supports institutions with compliance matrices to help them meet the demands of regulatory compliance.

PCI-DSS

Standards set by the Payment Card Industry (PCI) Security Standards Council, including the PCI Data Security Standard (PCI-DSS), also apply to higher education institutions. Applied at this level, PCI-DSS standards help ensure that educational organizations accept and use payment card information appropriately, protecting valuable personal and financial data.