When it comes to Cyber Security, an organization needs to ensure that it provides assurance not only to its clients, both internal and external, but also to the governing bodies within & outside the organization. That’s the reason the domain Governance, Risk & Compliance, aka GRC, has emerged as one of the most critical domains over the last decade. GRC helps organizations maintain a compliance level at which the business, the clients, and the Government are satisfied that the organizations are doing enough to secure the data from being compromised.
For an organization to do business in a country or a region, it needs to respect the “Law of the Land” and any other regulations it is aligned to, based on the nature of its business. Compliance helps it meet many regulatory requirements. On the other hand, compliance issues can lead to severe reputational damage, legal issues & loss of revenue for a business.
It is crucial to understand what compliance means and why compliance is required. Based on the nature of its business, an organization needs to follow specific laws and regulations defined by the Government & the regulatory bodies. There are certain compliance guidelines that organizations need to comply with to do business. For example, an online shopping portal can be registered in any state. Still, if it stores user data, like credit card details, the business needs to ensure compliance with PCI-DSS regulations. Similarly, an organization working in the banking domain needs to follow multiple financial and information security regulations.
Compliance is a direct outcome of government regulations coming into force. Regulations are basically the norms and standards that the people belonging to various organizations need to abide by.
Organizations have to comply with the laws and regulations that are applicable to their business. These might vary depending on the organization’s location, industry, nature of operation, etc. Organizations need to comply with various types of compliance, including environmental, civil, consumer rights, social security taxes, financial institutions (FIs) reporting, and anti-money laundering (AML), among others. Wondering how many compliance types there are? Here’s what you need to know:
Any business operating in the Banking & Financial Services Industry (BFSI) must follow multiple regulations & guidelines related to financial transactions. This helps the Government keep track of all financial transactions, ensuring compliance with tax liabilities & preventing money laundering. But with the growing digitalization of businesses, these regulations have started spanning multiple types of companies. For example, not very long ago, a bank was supposed to follow only the regulations specific to the financial domain, so that any attempts at tax evasion or money laundering could be tracked. But now, with the increase in the number of services being provided by banks, like Debit Cards, Credit Cards, Internet Banking, Phone Banking, and UPI payment gateways, it has become evident that compliance with only the financial regulations is not enough for the banking sector. Banks are now under information security regulations as well. Regulations like PCI-DSS help the bank implement enough security controls to avoid any non-conformity during audits and provide a sufficient level of security for the end-users.
Over the last few decades, the IT industry has seen exponential growth, be it in software, hardware, or the networking domain. With the recent thrust to migrate towards Cloud, digitalization has picked up a pace never seen before. But with the change & advancement in technology, the hackers’ opportunity to penetrate the organization’s defense has increased immensely. It has now become very evident that organizations can’t avoid being breached or compromised forever. But if they follow the regulations or guidelines defined explicitly for the IT industry & remain in IT compliance, they will be in better shape when a breach does happen. Regulations like GDPR & frameworks like ISO 27001 help IT organizations & others maintain IT compliance by implementing the relevant security controls applicable to their business.
With the organizations’ ever-changing landscape and attack surfaces, they are becoming more accessible targets for cybercriminals. Hence, government agencies worldwide, industry bodies, and stock exchanges are always busy updating industry-specific regulations. Businesses should follow these legal & regulatory guidelines to operate in that country or business domain. Legal & regulatory compliance ensures that if there is any breach or compromise, the companies will be entirely accountable for protecting the user data. By putting the legal & regulatory obligation on the organization, the regulatory bodies try to ensure that the organizations will have the required controls in place.
The ITA-2000 (Information Technology Act, 2000), also known as the IT Act, is the primary law in India, which the Government of India introduced in the year 2000 & it commenced from 17th Oct 2020. It consists of multiple sections and describes the offense under each section & the penalty applicable for each violation. It covers various cybercrimes like hacking, tampering with documents, cyber terrorism, publishing child porn, breach of confidentiality & privacy, etc. There has been much criticism as well related to the strict data privacy rules. Still, industry experts believe that this will help companies from the US & other countries to outsource their business to India without worrying about data privacy.
The General Data Protection Regulation (GDPR) is a data protection law adopted in the EU in the year 2016 & enforced from 25th May 2018. This law also addresses the transfer of personal data outside the European Union. GDPR is based on the principle that personal data may not be processed without the data subject’s informed consent unless there is a legal reason to do so. Therefore, GDPR applies to businesses operating within the EU. However, it is also helpful to those data controllers and data processors outside the EU who handle, store, or process data of a data subject within the EU.
FedRAMP, also known as the Federal Risk & Authorization Management Program, is a US federal government program that provides security assessment, authorization, and monitoring guidelines with a primary focus on cloud products & cloud-based services. It has been in place since June 2012. There are two different ways for a cloud-based service to get authorized by FedRAMP: a Joint Authorization Board provisional authorization & authorization through individual agencies.
PCI-DSS is an information security standard specifically for organizations that handle credit cards. This standard was introduced to reduce credit card fraud & increase controls related to cardholder data. As per the PCI-DSS standard, although it is mandated that all entities that process, store, or transmit cardholder data should implement PCI-DSS, validation of PCI-DSS is not mandatory for all entities. The method of validating PCI-DSS compliance includes evaluation and confirmation that the security controls & procedures are implemented as per the recommended policies of PCI-DSS.
The Health Insurance Portability & Accountability Act (HIPAA) was introduced in 1996 in the US. It provides guidelines on protecting PII (Personally Identifiable Information), maintained by the healthcare & healthcare insurance industries, from fraud & theft. HIPAA also provides guidelines for data privacy, where the data subject’s rights are clearly defined. The data controllers or the data processors need to inform the data subject about the use of Protected Health Information (PHI). The data subjects also have the right to correct any inaccurate PHI & the data processors are accountable for maintaining the confidentiality of the data subjects and the communication with the data subjects.
The Australian Prudential Regulation Authority (APRA) is a statutory authority of the Australian Government, which works independently & provides supervision & guidelines for businesses across banking, insurance, and superannuation. APRA was established in 1998 & it ensures that the financial institutions remain financially sound & can meet all the obligations towards the depositors, fund members & policyholders. APRA has established standards that regulated businesses are obliged to comply with.
ISO/IEC 27001 is an international standard specifically articulated to manage information security. It was first published in 2005 by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) and was later revised in 2013. The standard focuses on having an Information Security Management System (ISMS) to ensure that the controls used within the organization have well-defined accountability & traceability to the actual requirements. ISMS also helps align the business requirements to cyber security requirements. In ISO/IEC 27001, there are 114 controls spread across 14 control groups & 35 control categories. In addition, there are organizations, commonly known as “certification bodies”, which provide compliance services and verify the organizations’ conformity status to provide the certifications.
The NIST CSF can be used to mitigate cyber security risks. It was first published by the National Institute of Standards and Technology in 2014 and was updated in 2016. NIST CSF is designed for organizations & individual businesses, to help them assess risks based on their nature of business. NIST CSF is categorized into 3 parts: Core, Profile & Tiers. The framework “Core” deals with the aspects of cyber security & is organized into 5 functions, which are further divided into 23 categories. These five functions are Identify, Protect, Detect, Respond and Recover.
This framework was specially drafted for all US federal information systems, except for those related to national security. It primarily focuses on Risk Management and helps in selecting the security controls in accordance with the requirements of the federal government & other federal agencies. It covers 18 areas, including access control, incident response, disaster recovery & business continuity.
The Cloud Controls Matrix (CCM) is a framework designed explicitly by the Cloud Security Alliance (CSA) for cyber security controls which can be implemented on cloud environments. It is a cloud-agnostic framework & helps cloud security architects design a secure cloud platform on which organizations can build their workspace & carry on with their business. CCM consists of 197 control objectives aligned to 17 different domains, covering the key aspects of Cloud Security and helping define the ownership of the cloud security controls within the cloud platform. The CSA also provides structured guidance on how to implement the controls mentioned in CCM. Organizations can use CCM for internal purposes without purchasing a license, but if they want to build a tool based on CCM that can perform risk assessments for external parties/clients, then a permit will be required.
There are many consequences if an organization fails to meet the compliance requirements. The severity of the consequences makes it more critical for organizations to ensure that they meet all the types of compliance requirements. We have listed a few reasons to understand why compliance is essential.
With the increase in the number of cyber-attacks worldwide, irrespective of the nature of business the victims are involved in, it has become evident that hackers don’t discriminate between their targets. They attack organizations from domains like banking, utilities, health, education, transport, telecom, media, Government & even military with the same zeal and enthusiasm. A cyber-attack is a huge challenge to deal with; on top of that, surviving one takes a lot more effort, especially preparedness. Many businesses find it extremely difficult to recover from cyber-attacks. This explains why compliance is essential to companies. Compliance helps the business to operate securely and ensures that in case it is hit by a cyber-attack, it can recover & sustain.
The need to be compliant with data protection laws across the world is the main concern for organizations & businesses, whether they are working in bigger geographies such as the UK, EU & US or in smaller geographies such as India. While lakhs of data breach incidents take place across the world, there is an increasing amount of news about data breaches coming from India. The reasons behind this increased number of incidents could be increased usage of digital media, increasing dependency on online mediums for business and transactions, and a lack of awareness and improper implementation of, and compliance with, the data protection laws and policies.
Any data leak can have further consequences that are very severe for the organization. Hence, organizations should ensure that proper security controls are in place to prevent any data leak or data compromise.
If an organization or a business fails to comply with the laws & regulations specified by the industry & Government, it results in fines & penalties. This is known as Compliance Risk. Let’s discuss a few well-known Compliance Risks related to cyber security compliance:
Based on the nature of the breach or compromise and the guidelines set by government agencies or regulatory bodies, the organizations are subject to huge fines if the violations are not reported in the stipulated timeframes. Apart from that, cyber security compliance also helps organizations to safeguard themselves from substantial financial losses in the form of payouts.
In Ransomware attacks, the users’ complete data is encrypted using malicious code. Unless the organization has tried & tested backup solutions in place, it pays massive amounts (sometimes multi-millions in currency or bitcoins) to the hackers. In many cases, organizations are asked to pay financial compensation to the users whose data has been compromised because of the lack of cyber security compliance.
Legal and regulatory standards, rules and requirements differ in each country and region. These standards and requirements are set in the form of laws and regulations, and each organization is expected to follow and comply with these standards.
Just as any business operating from a particular country or region needs to follow the “Law of the Land”, it is equally essential for companies to abide by regulatory guidelines. For example, if an organization works in Health & Safety, it needs to ensure that it follows the global & local regulations set for the Health & Safety sector. If the organization takes any wrong action, it might end up with a huge financial loss due to penalties, or, in case of non-compliance, lose the right to operate in that country. The above-mentioned aspects apply not only to small businesses but also to big businesses. Compliance becomes more critical as the company grows more prominent.
All the points mentioned above emphasize that compliance is essential for any business to operate safely & securely. They provide the details of the impact a data breach can have on the organization, but most importantly, all these losses are tangible. A data breach or a supply chain attack can not only cause substantial financial, legal & regulatory harm to the organization; it also causes a massive loss of reputation for the firm. Any business invests a considerable amount of time in building its brand & trust among the consumers. It takes a lot of effort for the company to gain the investors’ confidence, but a small cyber-attack or a ransomware incident can completely tarnish this reputation. Hence, it is even more critical for organizations to focus on cyber security compliance.
For organizations to remain on top of the compliance requirements, they must keep a close watch on their compliance level. Many organizations (audit firms) accredited by the regulatory bodies provide these kinds of compliance services & compliance risk management. In addition, these audit firms perform external audits to identify the non-conformity & help the organizations to build a strategy & work towards achieving the compliance benchmarks. Many organizations also heavily rely on their internal audit teams/functionality to help them keep a tab on the compliance requirements.
It has taken quite some time for organizations to understand why compliance training is essential. As senior management decisions are mostly revenue-driven, the ROI (Return on Investment) plays a role in every decision that costs the organization any revenue. But with increasing cyber-crimes, the role of the cyber security function has grown manyfold over the last few years & so has the number of regulations introduced by regulatory bodies across the world. Therefore, to meet & maintain the compliance requirements, be it compliance in banking, the health industry, or security (digital or information), organizations need to ensure that awareness and training programs are planned, delivered, & tracked adequately.
Compliance training is the best approach to ensure that your staff is fully aware of the compliances being implemented by your organization. Compliance training programs are crucial in ensuring that employees can deliver without any further direction or supervision. In addition, this will help organizations build a culture of following industry best practices from the grass-roots level.
For the compliance enablers mentioned above to function as per the organization’s requirement, organizations need to maintain compliance governance. The governance role helps businesses keep track of all the compliance requirements & non-conformities & track them to closure. This function works closely with the other functions towards the common goal of achieving the required compliance for the business & helping the company grow.
Security always seems to be a touchy subject. Cyber breach is a major concern for every business these days. This is due to the growing number of cyberattacks. The alarming number is a stark reminder of the need to implement cyber security controls in an effort not to be breached by a cyber-criminal.
When put on the spot about how much budget a business should spend on cyber security controls, most of us would answer with a shrug. However, the reality is that Cyber Security is no longer an optional extra for businesses but has come to the forefront as a main priority boardroom concern. The cyber-security budget covers all the aspects that are essential to run an information security program: controlling access by outsiders, protecting data from being stolen or lost, monitoring employees’ behavior, handling third-party risk, and much more. Increasingly, it’s becoming one of the most requested mandatory controls by auditors and regulators.