The Importance of Information Security Compliance

Information Security Compliance

Since the high-profile failure of Enron, most large organizations are fully aware of the consequences of not complying with national and international laws and regulatory requirements. More recently, infosec has come onto the radar of legislatures around the world, requiring organizations to comply with data security and privacy requirements. Hence understanding what information security compliance is has become critical for every organization, large and small.

Understanding the information security compliance definition is important for success. Compliance is all about meeting a set of rules or standards. Information security is concerned with protecting the confidentiality, integrity, and availability of information and technology assets within an organization. So, information security compliance means meeting rules or standards about the protection of data and information.

There will be a number of government, industry, and other regulations for any organization that determine the specific security requirements for data and information. Ensuring information security compliance, including IT security compliance, is a vital component of any information security system. Infosec compliance is partly driven by the need to meet the requirements of external regulatory bodies for information security, including any applicable national information security laws and regulations. But information security compliance within an organization must also be driven by the desire to avoid being disrupted by data and security breaches. This article will explore why compliance is required and provide tips on how to achieve and maintain it.

Most developed countries have legal requirements for information security. Some of these are explicitly concerned with protecting data, such as data protection legislation and computer misuse legislation. Some are concerned with human rights. Others have a broader remit aimed at organizational governance, for example, Sarbanes-Oxley. There are also information technology regulations and compliance that focus more on the technology used in IT.

This means that no matter where you operate, there will be many legal requirements that must be met if you are to achieve information security compliance. The specific information security laws and practices that you have to comply with will depend on which countries you operate in and your industry sector. Failing to comply with any of them can be very costly and could lead to imprisonment and the shutting down of companies.

The scale of the compliance issue

To get an idea of the scale of information security regulation, there are hundreds of laws at federal and state levels that exist to protect the personal data of individuals in the USA. The UK has over 16 items of legislation that have to be complied with. No matter what size your organization is, you need to be fully aware of your legal requirements for information security and plan for compliance.

Here is an example of just some of the most common U.S. information security compliance standards, each relating to one or more different industry sectors:

  • Sarbanes-Oxley Act (SOX): Compliance with the Sarbanes-Oxley Act requires financial records to be retained for seven years. It is required for all U.S. company boards, management personnel, and accounting firms. This legislation aimed to prevent another scandal like the Enron incident, where fraudulent bookkeeping led to a series of events resulting in the bankruptcy of this major U.S. energy, commodities, and services company and the dissolution of its auditors, Arthur Andersen LLP, which had been one of the largest auditing and accounting companies in the world.
  • GDPR: The General Data Protection Regulation, or GDPR, aims to protect citizens in the European Union (EU) from data breaches. The GDPR applies to all companies processing personal data for people residing in the EU, even if that company is not physically located or based in the EU. This is a good example of how information security compliance may be required for legislation that arose in another jurisdiction.
  • FISMA: The Federal Information Security Management Act of 2002 considers information security to be a matter of national security for all U.S. federal agencies. As part of the bill, all federal agencies are required to develop data protection methods.
  • HIPAA: An acronym for the Health Insurance Portability and Accountability Act. This bill establishes several regulations about maintaining the security of healthcare patients' records. All companies that handle healthcare data must comply with the HIPAA regulations when handling this data.
  • PCI-DSS: The Payment Card Industry Data Security Standard is a set of regulations aimed at reducing fraud, primarily through protecting customer credit card information. PCI-DSS security and compliance is required for all companies handling this information.

Information technology compliance

IT security compliance standards are specifically aimed at IT systems and components. Most major companies maintain information technology compliance against at least one of the IT regulatory compliance standards. Many of these security compliance standards are mandatory for IT systems, but even when this is not the case, it is a good idea for companies to aim for compliance as this provides a number of benefits:

  • Improved security: IT security regulatory compliance helps to improve IT security measures by defining a consistent baseline set of minimum requirements. Adopting this baseline helps to establish a common set of security approaches within a particular industry sector.
  • Minimized losses: Improved security of IT systems leads to a reduction in data breaches. This reduces the cost of loss, which can be as high as millions of dollars, including lost business, data restoration costs, legal fees, and compensation.
  • Increased control: Improved security requires increased control over the IT estate. Improved controls can help prevent data corruption and loss and minimize the time spent fighting cyber attacks.
  • Maintained trust: Customers trust IT to look after their information. Complying with IT security compliance standards will demonstrate that the IT department cares about the customer and wants to keep their information safe.

Information security compliance standards

ISO/IEC 27001, the international standard for an information security management system (ISMS), is the most commonly used IT security compliance standard. It sets out a best practice approach for providing appropriate security for data and information. This information security compliance standard can support all other IT-related regulations by providing independent structured guidance for an ISMS. This encourages a risk-based approach to securing and maintaining the confidentiality, integrity and availability of data and information. The standard also provides an overarching control environment within which the specific controls of the IT systems and information technology rules and regulations can operate effectively.

The standard was originally published in 2005 and revised in 2013. It details the requirements for establishing, implementing, maintaining, and continually improving an information security management system. A new European update of the standard was published in 2017. Organizations can be certified against the standard by an accredited certification body following successful completion of an audit.

This information security compliance standard is based on a principle of controls within a consistent information security management system. This ensures that controls to secure data and information are planned and organized instead of being put in place haphazardly as a reaction to individual incidents. The standard also encourages a holistic approach to infosec that involves many parts of the organization beyond IT, including senior management, business continuity, physical security, and human resources.

To support this, ISO/IEC 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts.
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

Other standards in the ISO/IEC 27000 family provide additional guidance on certain aspects of designing, implementing, and operating an ISMS, for example, ISO/IEC 27005 for information security risk management.

Cyber security regulatory requirements


In addition to general infosec compliance regulations, there are also specific cybersecurity compliance regulations. These include directives specifically aimed at forcing companies and organizations to implement solutions to protect their systems and information from cyberattacks, including: 

There are several tools that can be deployed as measures to achieve compliance with cyber security regulatory requirements, including firewalls, anti-virus systems, encryption, two-factor authentication, and passwords.

The emergence of specific cyber security compliance standards started in 2011 when the U.S. Department of Defense (DoD) released guidance on ‘Operating in Cyberspace.’ This described five goals:

  • To treat cyberspace as an operational domain.
  • To employ new defensive concepts to protect DoD networks and systems.
  • To partner with other agencies and the private sector in pursuit of a “whole-of-government cybersecurity strategy.”
  • To work with international allies in support of collective cybersecurity.
  • To support the development of a cyber workforce capable of rapid technological innovation.

Then in November 2013, the DoD proposed the new cybersecurity rule (78 Fed. Reg. 69373), which imposed certain requirements on contractors. This included compliance with particular IT standards, mandatory reporting of cybersecurity incidents to the DoD, and a “flow-down” clause that applied the same requirements to any subcontractors.

Cybersecurity is now on most world powers’ agenda, as it represents one of the greatest threats to business and commerce.

Conclusion

Information security compliance should be an agenda item for every organization, no matter what size it is. As threats to data and information have grown, legislation aimed at protecting data and information has grown too. Infosec has never been as important as it is today, and this will only increase as our lives increasingly transition to digital approaches. Failure to comply with infosec requirements will be costly and could lose you your business, so now is the time to act.

William Goddard

William Goddard is the founder and Chief Motivator at IT Chronicles. His passion for anything remotely associated with IT and the value it delivers to the business through people and technology is almost like a sickness. He gets it! And wants the world to understand the value of being a technology focused business in a technological world.