.svg){kind=small}
.svg)
.avif)
.avif)
.avif)
No items found.
言語
Articles
9/20/2022
10 minutes
How to Ensure Compliance with Data Security Standards and Regulations
.svg)
.svg)
Almost every organization with a global presence is subject to data privacy regulations, which are legal requirements for how data is processed, stored, and accessed. In addition, a variety of data security standards provide guidance on how to ensure the privacy and security of sensitive data. In this article, we’ll discuss some of the most common data security standards and regulations before offering advice on providing continuous compliance.
The data security regulations you need to comply with will depend on where your business and your customers (or partners, employees, etc.) are located and the types of data you process.
Some common regulations include:
GDPR
CCPA
The General Data Protection Regulation (GDPR) applies to any organization that processes personal data belonging to residents of the European Union. The GDPR requires organizations to follow specific security guidelines to protect personal data and gives consumers the right to request any of this personal data in a universal format so it can be transferred to another vendor (known as data portability).
The California Consumer Privacy Act (CCPA) applies to Californian organizations with at least $25 million in revenue or organizations possessing at least 50,000 California residents’ data. The CCPA gives California residents the right to know what data a company has about them and with which third parties they’ve shared it. Like the GDPR, the CCPA also contains data portability rules that allow consumers to obtain and transfer their personal data.
PCI DSS
CPRA
The Payment Card Industry Data Security Standard (PCI DSS) affects any business that processes, stores, or transmits credit card information. PCI DSS outlines strict requirements for network security, access controls, intrusion prevention, and more to protect card data.
The California Privacy Rights Act (CPRA) is an expansion of the CCPA that will go into effect in 2023. The CPRA prohibits organizations from hanging onto consumer data longer than necessary and gives consumers more rights to opt-out of data collection, among other amendments.
FISMA
HIPAA
The Federal Information Security Management Act (FISMA) applies to federal agencies, contractors, service providers, and vendors who supply and operate IT systems for the above groups. Under FISMA, all data must be categorized based on how harmful it would be if that data were stolen or compromised. FISMA also requires regular risk assessments to meet data security standards.
The Health Insurance Portability and Accountability Act (HIPAA) contains strict guidelines for keeping digital healthcare information private and secure in storage and transit. It also stipulates that patients can request access to their health data at any time, and it’s the provider’s responsibility to confirm the safety and security of that data while it’s being transferred.
Data security standards are voluntary guidelines to help you improve your security policies, practices, and controls. Two major data security standards include:
NIST Cybersecurity Framework
ISO/IEC 27000 Series
The National Institute of Standards and Technology (NIST) created a cybersecurity framework to help organizations protect their data from breaches and attacks. These are voluntary guidelines that are designed to aid in the creation and implementation of data security measures.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly published the 27000-series of data security standards. These voluntary best practices are broad in scope, applying to any organization and covering many different aspects of security and privacy.
The above data security standards and regulations provide specific guidance on bringing your systems, applications, network, and practices into compliance. These best practices will make it easier to achieve and maintain compliance long term.
You need to know which data security standards and regulations apply to what data and where that data is located at all times. Automatic data discovery tools make it possible to locate, tag and classify regulated data quickly and continuously. Next, you can verify that all regulated data is properly secured according to applicable standards. You can also respond more quickly to data requests from your customers.
A compliance test is essentially a practice audit that assesses your data privacy and security to see if it complies with laws and regulations. Performing regular compliance testing helps you identify any new data, systems, or practices that have affected your compliance status. An automatic compliance testing program also continuously monitors your data and systems and will alert you if anything falls out of compliance. This process allows you to remediate the issue immediately and prevent systems from drifting further out of compliance.
Breaches are a risk regardless of how closely you follow data security standards and recommendations. The zero trust security methodology limits the amount of data accessed and exfiltrated when a breach occurs. The zero trust approach restricts account privileges, so a single account is limited in how much and what kind of data it can access. Account identity and trustworthiness are also dynamically assessed using contextual information (such as time of day, login location, behavior, etc.) and multi-factor authentication (MFA).
These measures will restrict the lateral movement of compromised accounts on your network, giving hackers limited access to sensitive and regulated data. Zero trust makes it easier to comply with data security regulations, and in fact, is now a requirement for U.S. Federal Government agencies and suppliers.
Your entire organization needs to take ownership of the security and privacy of sensitive data for a data compliance program to be successful. Anyone who accesses or processes regulated data needs training on common cybersecurity risks like phishing, malware, and weak passwords. It’s also important for everyone to understand the applicable regulations and what requirements they must follow to maintain compliance.
Crucially, you also must establish a culture that rewards honesty without punishing innocent mistakes. If an employee falls for a phishing scam or unintentionally installs a virus, you should encourage alerting management as soon as possible. This provision will guarantee you can take action immediately and limit or prevent damage.
.svg)
.svg)
.svg)