Shocker #1: A threat actor does not care about the law, compliance, regulations, and definitely not about National Cybersecurity Awareness Month. In fact, they are hoping that your organization is lax about such things so they can exploit your weaknesses for malicious intent.
Shocker #2: Compliance does not equal security. Although compliance regulations are designed to provide legally binding guidelines between industries, governments, and organizations, they do not provide the necessary means to stay secure. Regulations generally only provide best practices that point toward good cyber hygiene, but implementing compliance without good processes, people, training, and diligence will leave you susceptible to a breach.
OK, now that we have those two axioms out of the way, let’s look at compliance considerations in light of cybersecurity. Consider:
- How they apply to your organization based on laws, sensitive information, contracts, industry, and geography.
- What overlaps exist between them and what processes can satisfy multiple requirements.
- Adopting the strictest guidelines for your initiatives. The strictest and most comprehensive requirement should always win since it will exceed any looser requirements.
- Scoping out your real IT risk management needs first. Just applying the rules to sensitive systems is often not enough to provide good security. Consider the effort and cost of increasing the scope to mitigate risks through any connected system that could affect the legislatively required scope.
Keep in mind that any regulatory compliance requirements are the absolute minimum your organization should be doing. Also, consider training a key component of any compliance process. If you are not meeting the minimums or have lapses in the requirements, you are an easy target for vulnerability exploitation.
Mapping regulatory compliance requirements to cybersecurity
To simplify awareness training, the table below summarizes the leading regulatory compliance initiatives and where they may explicitly call for vulnerability management, patch management, or reference third-party solutions.
| Name | Acronym | Description | Vulnerability Management | Patch Management |
|---|---|---|---|---|
| Payment Card Industry | (PCI) | The PCI Security Council maintains, develops, and promotes the Payment Card Industry Security Standards. The council provides the guidance needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs. | PCI DSS Requirement 11.2.2 | PCI DSS Requirement 6.2 |
| Health Insurance Portability and Accountability Act | (HIPAA) | HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. | Risk Analysis Requirement 45CFR§164.308 (a)(1)(ii)(A) | Risk Management Requirement 45CFR§164.308 (a)(1)(ii)(B) |
| Sarbanes-Oxley Act | (SOX) | The Sarbanes-Oxley Act of 2002 is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. | Section 404 |
| Gramm-Leach-Bliley Act | (GLBA) | The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. | Title V, Subtitle A, Sections 501 (a) & (b) |
| National Institute of Standards and Technology | (NIST*) | NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. | RA-5 | SI-2 |
| International Organization for Standardization | (ISO*) | ISO is a worldwide federation of national standards bodies from some 100 countries, with one standards body representing each member country. | Section 12.6.1 | Sections 12.5.1 and 12.6.1 |
| Australian Signals Directorate | (ASD) | The Australian Signals Directorate is an intelligence agency in the Australian Government Department of Defence. | Top 4 - (2) & (3) |
| Monetary Authority of Singapore | (MAS) | The Monetary Authority of Singapore is the central bank of Singapore. Their mission is to promote sustained non-inflationary economic growth, and a sound and progressive financial center. | Chapters 9.4 & 10.1 | Chapter 9.5 |
| Society for Worldwide Interbank Financial Telecommunication | (SWIFT) | SWIFT is a global member-owned cooperative and the world’s leading provider of secure financial messaging services. | Control 2.7A | Control 2.2 |
| Republic of the Philippines, Data Privacy Act of 2012 | (Act 10173) | The goal of the Philippines Data Privacy Act is to combat the ever-growing threat posed by the theft of personal information by nation-states, terrorist organizations and independent criminal actors. | 28.d and 28.f | 28.d |
| New York State Dept of Financial Services | (NYDFS) | The New York State Department of Financial Services is a department of the New York state government responsible for regulating financial services including those subject to insurance, banking, and financial services. | Sections 500.05 and 500.09 | Section 500.09 |
| North American Electric Reliability Corp | (NERC) | The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability and security of the bulk power system in North America. NERC develops and enforces Reliability Standards; annually assesses seasonal and long‐term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel. | CIP-010 | CIP-007-5 |
| Federal Energy Reg. Comm. | (FERC) | The Federal Energy Regulatory Commission (FERC) is a United States federal agency that regulates the transmission and wholesale sale of electricity, natural gas, and oil transported between states in the wholesale market. | FERC references NERC, ISO, and security for ICS implementations. They do not provide unique guidance. |
| Health Info Technology for Economic and Clinical Health | (HITECH) | The HITECH Act established the Office of the National Coordinator (ONC) into law and provides the U.S. Department of Health and Human Services with authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange. | Technical Safeguards - §164.312 (HIPAA) |
| European Union Data Protection Regulation | (GDPR) | The EU General Data Protection Regulation (GDPR) supersedes the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. | GDPR Risk Assessment implies the requirements for vulnerability and patch management to protect data. |
| Defense Federal Acquisition Regulation | (DFARS) | DFARS provides Department of Defense (DoD) specific acquisition regulations that government acquisition officials, and those contractors doing business with DoD, must follow in the procurement process for goods and services. | DFARS is a regulatory vehicle for procurement and will reference NIST 800-53 and NIST 800-171 in order to be compliant. |
| Adversarial Tactics, Techniques, and Common Knowledge | (ATT&CK™) | MITRE’s Adversarial Tactics, Techniques, and Common Knowledge is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. | ATT&CK phases from persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, execution, collection, exfiltration, and command and control can be mapped to vulnerabilities, exploits, and remediation strategies. |
Source: Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations, Haber and Hibbert, Apress Media, ISBN: 1484236262
As a side note, standards like NIST and ISO are actually not regulatory compliance initiatives, but rather regulatory frameworks. Organizations implement them due to contractual requirements and best practices, and they tend to blur the line between frameworks, regulations, contracts, and legal requirements. In addition, it is important to note that NIST and ISO are also referenced by, and form the basis for, many other regulations like NIST 800-171 and 800-53.
Your teams should be educated on the reasons they need compliance and the rationale behind regulations. Understanding how they may impact your business will help teams with audits, security, and compliance.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust