Cybersecurity Compliance:
A Comprehensive Guide

What does Cybersecurity
Compliance mean?

Cybersecurity Compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. Compliance requirements vary by industry and sector, but typically involve using an array of specific organizational processes and technologies to safeguard data. Controls come from a variety of sources including CIS, the NIST Cybersecurity Framework, and ISO 27001. To read more about Cybersecurity Frameworks, check out our comprehensive guide. If you’re interested in specific niches, it’s worth taking a look at our post on healthcare cybersecurity. 

How do I start a Cybersecurity
Compliance Program?

1. IDENTIFY WHAT TYPE OF DATA YOU WORK WITH AND WHAT REQUIREMENTS MAY APPLY
   
   To begin working towards compliance, it’s important to first figure out what regulations or laws you need to comply with. To start with, every state in the U.S. has data breach notification laws that require you to notify customers in the event that their personal information is compromised. You can find the specific laws and requirements for your state here.
   
   Compliance requirements vary vastly from state to state, and some apply regardless of whether your business is located in the state. For instance, The California Consumer Privacy Act and the NYDFS Cybersecurity Regulation impose requirements that can apply to your business in any state if you deal with data pertaining to these acts. If your business deals with financial information of a resident of New York, for example, you would be subject to the set of requirements laid out by the NYDFS Cybersecurity Regulation regardless of which state your business is in.
   
   Next, it’s important to determine what type of data you are storing and processing, as well as which states, territories, and countries you are operating in. In many regulations, specific types of personal information are subject to additional controls. PII stands for personally identifiable information, and includes any data that could uniquely identify an individual. Examples include:
   • Social Security Numbers
   • First/Last Name
   • Date of Birth
   • Address
   • Mother’s Maiden Name
   PHI stands for Personal Health Information and consists of any information which can be used to identify an individual or their medical treatment. Some examples of PHI include:
   • Medical Appointment Information
   • Medical History
   • Admissions Records
   • Prescription Records
   • Insurance Records
     
     
2. APPOINT A CISO
   
   The vast majority of company’s are far too small to justify hiring a six-figure CISO to manage cybersecurity and compliance for them. However, any employee with the right knowledge and work ethic can be appointed to manage cybersecurity as a part time duty. By appointing an individual to be responsible for organizational cybersecurity and compliance you can get regular updates regarding the state of your cybersecurity program and compliance efforts. Furthermore, other employees know who to contact in the event of a suspected breach. Your CISO may want to consider consulting with a cybersecurity company or attorney to ascertain what compliance requirements may apply to your company. Some roles that may be able to serve as a dual CISO:
   • Chief Technology Officer
   • Chief Information Officer
   • Chief Operating Officer
   • IT Manager
     
     
3. CONDUCT RISK AND VULNERABILITY ASSESSMENTS
   
   Almost every major cybersecurity compliance requirement requires a risk assessment and vulnerability assessment. These are critical in determining what your organization’s most critical security flaws are, as well as what controls you already have in place. You can find a complete guide on how to conduct a comprehensive Risk Assessment here. You can also find templated risk and vulnerability assessments on our cybersecurity resources page. When conducting vulnerability assessments, it’s also worth carefully considering your risk from ransomware attacks.
   
   
   
4. IMPLEMENT TECHNICAL CONTROLS BASED ON REQUIREMENTS AND TOLERANCE
   
   Your next step should be to begin implementing technical controls based on your risk tolerance (as identified in the risk assessment) and the cybersecurity regulation you are adhering to. Alternatively you can use a cybersecurity framework as a guideline, then add additional technical controls to meet specific requirements. Here are some examples of technical controls:
   • Standardized Anti-Virus across all endpoints
   • Implementing a Firewall
   • Implementing Network Monitoring Software
   • Implementing Log Aggregation Software
   • Encrypting Sensitive Data
     
     
5. IMPLEMENT POLICIES, PROCEDURES, AND PROCESS CONTROLS
   
   Cybersecurity isn’t just about technology. Having policies and procedures in place to mitigate risk is also crucial for both compliance and safety. No technical safeguard in the world can stop an employee who is determined to download malware onto corporate computers or visit risky websites. Some examples of non-technical controls include:
   • Mandatory Employee Cybersecurity Training
   • Fully Documented policies and procedures (you can find templates here)
   • Audit and Accountability Proccesses
   • Appointing a CISO
   • Conducting Risk and Vulnerability Assessments
     
     
6. REVIEW AND TEST
   
   Review applicable requirements that you need to meet and ensure that you regularly test your controls. As businesses change and expand it can be easy to let cybersecurity slip, but by conducting regular tests you can make sure you stay compliant. It is wise to continually evaluate compliance as new requirements are propagated and existing ones change, as well as to conduct regular tests of both technical and process controls. If you are unsure about whether you are meeting a compliance requirement we recommend you consult with an attorney specializing in cybersecurity compliance.

What are the major cybersecurity compliance requirements?

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act. This law was passed by Congress in 1996 and specifically includes regulations designed to ensure the confidentiality, integrity, and availability of Personal Health Information (PHI). HIPAA applies to healthcare providers, health clearinghouses, healthcare plans, and business associates handling PHI. If you are unsure if HIPAA applies to you, we recommend that you consult with a licensed attorney with experience in regulatory compliance.

NYDFS Cybersecurity Regulation

In 2017 the NY Department of Financial Services released the NYDFS Cybersecurity Regulation (23 NYCRR 500). The NYDFS Cybersecurity Regulation includes 23 sections that outline requirements for developing and implementing an effective cybersecurity program, requiring covered institutions to assess their cybersecurity risks and develop plans to proactively address these risks. The NYDFS Cybersecurity Regulation has requirements for basic principles of data security such as risk assessments, documentation of security policies, and assigning a chief information officer (CIO) to manage the program and remain responsible for it. The NYDFS Cybersecurity Regulations align with the industry best practices and ISO/IEC 27001 standards. 

The NYDFS Cybersecurity Regulation applies to all entities operating or required to obtain DFS licensure, registration or charter, or which are otherwise regulated by the DFS and all unregulated third party service providers to regulated entities. As you can imagine, the NYDFS Cybersecurity Regulation covers a wide range of businesses and organizations who may or may not reside in NY.

SOME OF THESE COVERED ENTITIES INCLUDE: 

• Service Providers

• Mortgage Companies

• Insurance Companies

• Foreign banks licensed to operate in New York

• Private Banks

• Licensed Lenders 

• State Chartered Banks

• Credit Unions

• Life Insurance Companies

• Health Insurers

The NYDFS Cybersecurity Regulation does have some exceptions, however. Organizations that employ less than 10 people, produced less than $5 million in gross annual revenue from New York Operations in each of the past three years, or hold less than $10 million in year-end total assets are excluded from certain requirements of the NYDFS Cybersecurity Regulation. If you are unsure if the NYDFS Cybersecurity Regulation applies to you, we recommend that you consult with a licensed attorney with experience in regulatory compliance.

GDPR

GDPR stands for General Data Protection Regulation and is a set of data privacy regulations enacted by the EU in 2018 to “harmonize data privacy laws across Europe.” The GDPR addresses EU member states, the European Economic Area (EEA) and also addresses the transfer of personal data outside of the EU and EEA areas. This means the obligations of GDPR apply to any organization that collects data or targets individuals in the EU, even if the business or organization is based elsewhere. The primary goal of the GDPR is to give individuals greater control over their personal data and to simplify the regulatory environment for international businesses by unifying regulations within the EU. The GDPR contains regulations relating to personal data privacy, data minimization and security. 

THE GDPR CONTAINS 7 PRINCIPALS: 

• Lawfulness

• Fairness and transparency

• Purpose limitation

• Data minimisation

• Accuracy

• Storage limitation

• Integrity and confidentiality (Security)

• Accountability

   

THE FULL GDPR RIGHTS FOR INDIVIDUALS ARE:

• The right to be informed

• The right of access

• The right to rectification

• The right to erasure

• The right to restrict processing

• The right to data portability

• The right to object

• Rights around automated decision making and profiling

GDPR says their regulation is purposely large, far-reaching and light on specifics. The GDPR can levy harsh penalties and fines against offenders and can charge penalties into the tens of millions of euros. This makes GDPR compliance a daunting project for small and medium-sized businesses operating under GDPR. If you are unsure if the GDPR applies to you, or need help to implement GDPR regulations, we recommend that you consult with a licensed attorney or cybersecurity professional with experience in regulatory compliance.

FERPA

FERPA stands for the Family Educational Rights and Privacy Act, a federal law that protects the privacy of student educational records. This regulation applies to all schools that receive funding from the U.S. Department of Education. FERPA gives parents, or students above the age of 18, or those who attend college, university or trade school, certain rights and protections with respect to their educational records. 

FERPA GIVES PARENTS AND ELIGIBLE STUDENTS THE RIGHT TO: 

• Inspect and review the student’s education records maintained by the school

• Request the school correct records which they believe to be inaccurate or misleading 

Schools are not required to provide copies of records unless it is impossible for eligible students or parents to review the records at the school. Schools may charge a fee for copies. Schools may decide to not amend records which eligible students or parents believe to be inaccurate or misleading. The parent or eligible student has the right to a formal hearing at that time. After the hearing, if the school still decides to not amend the record, the parent or eligible student has the right to place a statement within the record with their view of the contested information.

In general, schools must have written permission from the parent or eligible student to release any information in the students record. However, FERPA also allows schools to disclose those records, without consent, to the following parties or conditions:

TO THE FOLLOWING PARTIES OR UNDER THE FOLLOWING CONDITIONS:

• School officials with legitimate educational interest 

• Other schools to which a student is transferring

• Specified officials for audit or evaluation purposes

• Accrediting organizations

• Organizations conducting certain studies for or on behalf of the school

• Appropriate parties in connection with financial aid to a student 

• To comply with a judicial order or lawfully issued subpoena

• Appropriate officials in case of health and safety emergencies

• State and local authorities, within a juvenile justice system, pursuant to specific state law

SCHOOLS MAY ALSO DISCLOSE WITHOUT CONSENT, “DIRECTORY” INFORMATION. THIS INCLUDES:

• Student Name

• Address

• Telephone number 

• Date and place of birth 

• Honors and awards 

• Dates of attendance 

However, schools must tell parents and eligible students about directory information and allow them a reasonable opportunity to request the school not disclose information about them. Schools must also annually notify parents and eligible students of their rights under FERPA. 

CCPA

CCPA stands for the California Consumer Privacy Act. This is a state statute enacted to enhance the privacy rights and consumer protections for the residents of the state of California. This bill was signed into law in 2018 and became effective on January 1, 2020. This is the first law in the U.S. to create comprehensive rules regarding consumer data, similar to the EU’s GDPR. The CCPA applies to any company that operates in California and either makes at least $25 million in annual revenue, makes more than half of its money from collecting user data, or gathers data on more than 50,000 users. This includes any business that collects or sells personal information from users in California, regardless of where the company is based.

Broadly, the CCPA aims to provide California residents with “the right to know” and “the right to say no.” This means that users have the opportunity to see what information data companies have gathered about them, have that data deleted or otherwise opt out of the ability for companies to sell their data to third parties from now on. The CCPA obviously has far reaching consequences given that some of the world's largest tech companies are based in California. This includes not only Google, Facebook and Apple, but also numerous smaller organizations that do business with Californians or are based in California. 

THE CCPA DEFINES PERSONAL INFORMATION AS:

• Real name or alias

• Postal address

• Unique Personal Identifier

• Online identifier

• IP address

• Email address

• Account name

• Social security number 

• Driver’s license number

• Passport number 

• And more

The CCPA does not consider “publicly available information” to be personal information. Publicly available information includes data available and maintained by government records. Although the CCPA was created with tech giants in mind, it also impacts small businesses that operate in California or collect data from Californians. Penalties for CCPA violation can be severe. Companies that fall victim to data theft or other forms of data security breaches can be ordered to pay between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper. Companies can also face fines of up to $7,500 for each intentional violation and $2,500 for each unintentional violation. Companies do have 30 days to comply with CCPA after regulators notify them of a violation. Depending on the number of records impacted in a breach, this could amount to millions of dollars in fines for some. Because of the far reaching nature of CCPA and the detrimental financial consequences of a CCPA violation, we recommend that you consult with a licensed attorney or cybersecurity professional with experience in regulatory compliance if you have questions about CCPA compliance. 

CMMC

The Cybersecurity Maturity Model Certification 2.0  (CMMC 2.0) is a framework developed by the US Department of Defense (DoD) to safeguard federal contract information (FCI) and controlled unclassified information (CUI) processed by the DIB https://dodcio.defense.gov/CMMC/about/ . DIB contractors that handle CUI will be required, with minimal exception, to pass a formal third-party assessment of their cybersecurity practices. To ensure that appropriate security requirements are met across DIB supply chains, prime contractors will be held accountable for the CMMC 2.0 compliance of their subcontractors.

Specifically, The CMMC 2.0 framework covers the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision (Rev) 2 per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. DFARS clause 252.204-7012  specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting. In summary, CMMC 2.0 is designed to provide assurance to the DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.