Compliance
Maintain cyber security compliance across all access layers
based on your own unique NAC policy settings.
Cyber security compliance has become more important than ever for both organizations and governments.
With the increasing trends of Bring-Your-Own-Device (BYOD), remote workforces and the rapid growth of the Internet of Things (IoT), there are more devices on corporate networks than ever before. These trends, while great for innovation and productivity, have made securing corporate networks and their data extremely complex. Each of these devices is a potential point of entry for attackers. To combat these threats, organizations must adhere to strong cyber security compliance standards.
Cyber Security Compliance
The latest count from the Identity Theft Resource Center (ITRC) indicates there have been 456 data breaches recorded this year through April 18 and that nearly 8 million records have been exposed since the beginning of the year. The total represents a 31% increase in the number of breaches to date compared with 2015.
Ensuring compliance and protecting sensitive data and intellectual property should be at the forefront of every security discussion. Organizations often view compliance as a headache, but without it they would not be able to run their business, work with customers and partners, or, if they are an SMB, work with large enterprises at all. This perception of compliance as a burden can lead to security being treated as an afterthought.
But compliance has become so important that the discussions and decisions have shifted from security officers and IT manager titles to the C-Suite, underscoring the fact that compliance is a strategic decision for organizations. Those that include compliance in their overall security strategy from the start, rather than a siloed or reactionary approach, are in an even better position for business success.
The State of Compliance in the US & EU
Protection of private information has become so important that both governments and organizations across industries have formalized data security rules associated with penalties for data exposure.
Within the United States, there are laws and industry agreements that require organizations to institute policies and procedures for identifying data exposure risks. These risks must be further classified based on their level of severity and the rules require instituting specific safeguards and controls to protect that data. If a breach occurs, companies are required to provide public reports of the data exposure and whether it was done accidentally or through malicious intent.
In the EU, organizations are facing GDPR becoming law in May 2018, which will significantly affect how companies deal with the information they hold on any EU citizen. Under GDPR, all companies and organizations will need to adopt strict procedures when it comes to collecting, protecting, and storing data. Like the US rules, if a breach does occur, GDPR requires companies to notify customers of the data it holds on them within 72 hours of the breach.
Compliance in Healthcare
Since 2010, the number of attacks against healthcare providers has risen over 125% and risk levels in the industry are now at the highest ever. In fact, just last year, cyber criminals hacked over half a million patient records and began selling them over the Dark Web for profit at approximately $365 per record.
That is about a third more costly than selling stolen financial records, so it is no wonder that this form of theft is growing at a dizzying speed. Part of the big issue is that hospitals, private clinics, vendors and insurance companies all share digital information, which of course creates the perfect conditions for cybercriminal activity. Access to a health system’s network means access to social security numbers, leverage in ransomware attacks, and loss of valuable information.
Cybersecurity in healthcare is crucial, because access to a healthcare system’s information not only impacts the organization, but has the potential to impact each of its patients, considering that the crown jewels of data are individuals’ personal health records. If a healthcare system is not adhering to its respective cyber security compliance standards, it’s not just its own data it risks being exploited.
Patient data can be accessed through various platforms, including EHRs, patient portals, diagnostic systems, and more. The Health Insurance Portability and Accountability Act (HIPAA) works to prevent this, by requiring privacy and security provisions over medical information, ultimately protecting patients. The medical industry is struggling to uphold HIPAA regulations regarding privacy, security and enforcement.
As the web of connected devices in the medical industry continues to grow, a solution that is scalable across a wide range of institutions is a must. It is crucial that every institution sharing this data implements a solution that enables security teams to have complete visibility of all connected devices in real time, including switches, wireless controllers, VPN gateways and routers.
HIPAA compliance most often refers to HIPAA Title II, which includes:
- National Provider Identifier Standard
- Transactions and Code Sets Standards
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
Let’s dive into the HIPAA Security Rules
The HIPAA Security Rule, also known as the Security Standards for the Protection of Electronic Protected Health Information, ensures that all patient data stored or transferred electronically is secure, by means of both physical and electronic safeguards.
The HIPAA Security Rule applies to health plans, healthcare clearinghouses and to any healthcare provider or system that transmits health data electronically. The rule is intended to ensure the confidentiality and integrity of all electronic protected health information (e-PHI), protect against any anticipated security threats and protect against misuse of information.
The HIPAA Security Rule requires health systems to:
- Perform risk analysis and management by evaluating the likelihood of risk, and implementing electronic and physical security measures. This should be an ongoing process
- Deploy administrative safeguards including a security management program, security personnel, information access management, and implement workforce trainings to ensure staff are aware of proper security measures
- Implement physical safeguards including securing workstations and devices as well as limiting facility access
- Implement technical safeguards including access control, auditing of devices, and security measures over devices
- Take steps to remediate a breach if detected
Compliance in Retail
Cyber breaches in retail came to the forefront of the public eye in 2013 and 2014, with attacks on major stores including Target, Neiman Marcus, Michaels and Home Depot. Prior to this, the average shopper hardly thought twice about whether their credit card information was at risk when making a purchase.
Retailers are increasingly becoming the victims of cyberattacks, particularly with the growth of new payment technologies like Apple Pay and Level Up. Even without the vulnerabilities that these new systems bring, retailers can be breached through credit card magnetic strips, backdoors in point-of-sale systems, phishing attacks on network devices and more.
If a retailer falls victim to a cyberattack, it risks exposing its customers’ personal payment information, and may even end up settling with customers for a considerable sum of money. Customer loyalty is also at risk, considering how many breaches have come before the public eye over recent years. Nineteen percent of customers said they would stop shopping at a retailer that experienced a cyberattack, even if the company remediated the hack.
In order to protect against financial fraud, companies that accept credit-card payments must follow the Payment Card Industry Data Security Standard (PCI DSS) regulations.
Let’s Dive into the PCI DSS Security Standard Regulations
PCI DSS is a cyber security compliance standard aimed at building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks and maintaining an information security policy.
To meet these goals, PCI DSS requires organizations to:
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Install and maintain a firewall configuration to protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Cybersecurity Compliance in Finance
Compliance functions are struggling to keep pace with today’s customer demand for digital services such as online banking, online advice and the online purchase of insurance products. While this demand is driving an increase in online business volume across financial services, it is putting stress on control frameworks and giving rise to new risks related to cybersecurity and data privacy, making compliance risk one of the most significant ongoing concerns for financial institution executives.
In addition to addressing general cybersecurity concerns, financial institutions must also minimize the risk of a data breach that could compromise customer financial or personally identifiable information. The standards financial institutions adopt for housing sensitive data must comply with privacy regulations, as well as with traditional federal and state privacy statutes that require privacy notices and restrict sharing customer information for marketing purposes.
Traditionally, financial institutions have met strict security requirements through security best practices and traditional security products such as firewalls, data loss prevention and anti-virus software. However, considering today’s growing threat climate and the long list of breaches at prominent financial institutions, traditional thinking needs to change.
Today, new approaches are being considered to raise security, and enhance accountability and visibility. To meet the challenges of data security and regulatory compliance – protecting sensitive data and avoiding fines and penalties – organizations need to see, control and automate their networks.
But before companies can become compliant, they need to be familiar with the regulations. There are many US regulatory and industry standards such as GLBA and SOX, as well as a long list of SEC requirements where relevant, that financial institutions need to be aware of.
Let's Dive into GLBA
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Financial institutions must give their customers - and in some cases their consumers - a “clear and conspicuous” written notice describing their privacy policies and practices.
It is particularly important to ensure that customers’ nonpublic personal information, or NPPI, remains secure. GLBA requires financial institutions to:
- Securely store NPPI
- Advise customers of information-sharing practices
- Provide certain opt-out rights to customers
The regulations implementing the GLBA require a range of disclosures in privacy notices. Financial institutions must provide certain disclosures when they collect data, and then on an annual basis for ongoing customers.