With no shortage of regulations around data security and privacy, it’s no wonder that determining which regulations must be complied with and whether your company has compliance gaps can be a daunting task. Regulatory compliance is mandatory, but can be overwhelming. Where should you start?
Perform a Risk Assessment
Risk assessments are valuable tools for determining which information systems an organization has, the type and location of data that the systems house, and which systems require additional safeguards. When an organization understands all the types of data that it possesses, it’s easier to identify the regulations that require compliance.
Consider the following examples of commonly stored information and their related security regulations:
- Electronic patient health information: Health Insurance Portability and Accountability Act (HIPAA)
- Client personally identifying information in the EU: General Data Protection Regulation (GDPR)
- Consumer private banking information: Gramm-Leach-Bliley Act (GLBA)
- Government information: Federal Information Security Management Act of 2002 (FISMA)
Then there are regulations that apply to companies of a specific type or size, regardless of industry and stored information:
- Publicly traded corporations: Sarbanes-Oxley Act (SOX)
- Mid-size and large businesses in California: California Consumer Privacy Act (CCPA)
It’s likely that a company will have to comply with at least two of the regulations above. Unfortunately, there is no single generally accepted IT compliance regulation that applies to all IT environments in the way that the Financial Accounting Standards Board (FASB) standards serve the financial sector. Instead, businesses must seek guidance on the requirements of HIPAA (such as guidance for HIPAA IT risk assessments), GDPR, GLBA, and FISMA themselves.
Which regulations apply depends on the type of work a company does and the type of information that it processes and stores. A thorough risk assessment will identify the regulations that require compliance, the areas requiring additional safeguards, and an estimate of the potential cost of non-compliance.
Identify Regulations & Determine Overlap
There are many similarities between regulations and frameworks such as NIST SP 800-53 and the NIST Privacy Framework. These are commonly adopted by medium and enterprise-level businesses in the US, as they are a common denominator for other regulatory frameworks: adopting them covers multiple requirements within the other regulations a business may be subject to.
Determining where requirements related to each regulation overlap and ensuring that policies, procedures, and controls address all requirements without duplicating or counteracting any others will simplify the process for all those involved.
For example, it doesn’t make sense to maintain a separate access control policy for each regulation requiring compliance. Instead, understanding each regulation’s requirements around access control and incorporating them into a single access control policy makes employees easier to train and reduces confusion about the requirements outlined within the policy.
A document called a crosswalk can be used as a tool to help determine where the overlap is between standards requiring compliance.
Crosswalking Security Requirements
Creating a document that links the requirements associated with each regulation to the policies, procedures, and controls an organization has in place can help determine whether there are compliance gaps relative to each regulation.
NIST published a useful crosswalk document that compares the NIST Privacy Framework to GDPR, identifying the crossover items. This can be used to identify compliance gaps.
Gaps identified through the crosswalking process can then serve as a roadmap for remediation. The goal of a successful crosswalking exercise is to identify every compliance gap and ultimately remediate it, ensuring compliance with all applicable regulations.
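The crosswalk described above can be kept as data rather than only as a spreadsheet, which makes the overlap and gap questions answerable mechanically. The following Python example is added here and is not code from the original post or from Linford and Company; the regulation requirement identifiers, topics, and control names are constructed placeholders, not citations of the actual HIPAA, GDPR, or GLBA texts.

```python
"""Crosswalk gap analysis (added example; all requirement IDs and control
names below are constructed placeholders, not real regulatory citations)."""
from collections import defaultdict

# Constructed crosswalk input: each regulation's requirement ID -> the
# control topic it governs. In practice this comes from reading each regulation.
REQUIREMENTS = {
    "HIPAA": {
        "HIPAA-R1": "access control",
        "HIPAA-R2": "audit logging",
        "HIPAA-R3": "breach notification",
    },
    "GDPR": {
        "GDPR-R1": "access control",
        "GDPR-R2": "breach notification",
        "GDPR-R3": "data subject access requests",
    },
    "GLBA": {
        "GLBA-R1": "access control",
        "GLBA-R2": "vendor oversight",
    },
}

# Constructed inventory of the organization's policies, procedures and
# controls, keyed by the topic each one addresses.
CONTROLS = {
    "access control": ["POL-AC-01 Access Control Policy"],
    "audit logging": ["STD-LOG-01 Logging Standard"],
    "breach notification": ["PROC-IR-02 Breach Notification Procedure"],
}


def build_crosswalk(requirements, controls):
    """Link every (regulation, requirement) pair to the controls that
    address its topic. An empty list means nothing covers it yet."""
    return {
        (reg, req_id): list(controls.get(topic, []))
        for reg, reqs in requirements.items()
        for req_id, topic in reqs.items()
    }


def find_gaps(crosswalk):
    """Requirements with no supporting control: the remediation roadmap."""
    return sorted(key for key, ctrls in crosswalk.items() if not ctrls)


def find_overlap(requirements):
    """Topics required by more than one regulation. Each of these can be
    satisfied by a single shared policy instead of one policy per regulation."""
    regs_by_topic = defaultdict(set)
    for reg, reqs in requirements.items():
        for topic in reqs.values():
            regs_by_topic[topic].add(reg)
    return {t: sorted(r) for t, r in regs_by_topic.items() if len(r) > 1}


def remediation_roadmap(requirements, controls):
    """Group uncovered requirements by regulation so each owner sees their list."""
    roadmap = defaultdict(list)
    for reg, req_id in find_gaps(build_crosswalk(requirements, controls)):
        roadmap[reg].append((req_id, requirements[reg][req_id]))
    return dict(roadmap)


if __name__ == "__main__":
    for topic, regs in find_overlap(REQUIREMENTS).items():
        print(f"shared topic '{topic}': one policy can serve {', '.join(regs)}")
    for reg, items in remediation_roadmap(REQUIREMENTS, CONTROLS).items():
        for req_id, topic in items:
            print(f"GAP {reg} {req_id}: no control for '{topic}'")
```

With the constructed data, the overlap report shows that a single access control policy satisfies all three regulations, while the gap report flags the missing data subject access request procedure and the missing vendor oversight control; replacing the placeholder dictionaries with the organization's real requirement and control inventory gives the same two views over actual data.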
Get Help with Crosswalk Documents
Creating crosswalk documents between different regulatory requirements can streamline compliance. Identifying tools and key roles that should be involved in this process, such as the Chief Risk Officer, is a vital first step.
Another option is to hire third-party auditors, such as Linford and Company, to perform a risk assessment. This still requires work and identification of key tools and roles, though an auditor’s experience with crosswalk documents will help speed up the process.
Summary
There is no doubt that the differences between regulations around information security can be confusing, but there are ways to minimize confusion and gain assurance that all requirements of applicable regulations are being complied with.
By performing a risk assessment to identify applicable regulations and requirements, crosswalking security requirements between each regulation, and remediating any gaps identified, you can ensure that your organization is compliant with all applicable information security regulations.
For more in-depth information about security risk assessments and audits, as well as a free audit quote, contact Linford and Company.
Jenny has been in risk advisory and compliance since 2008. She spent 7 years at Ernst & Young where she was responsible for both audit and advisory engagements across financial services, energy, technology, and healthcare sectors. Since 2015, she has been focusing on serving SaaS-based companies, assessing their control environments as part of SOC reporting, HIPAA compliance, and HITRUST certification initiatives. She is a certified information systems auditor (CISA), HITRUST assessor (CCSFP), information systems security professional (CISSP), and AWS cloud practitioner. Jenny received her Bachelor of Science and Master’s degrees in Information Systems Management from Brigham Young University.