How to Choose Between HIPAA, SOC 2, GDPR & More
With the volume of data businesses manage growing every year, effective cybersecurity has become one of the most critical responsibilities of IT. Industry estimates put the cost of cyber attacks to companies at more than five trillion dollars over the next five years.
For that reason it is crucial to select a framework to guide your cybersecurity program and reduce these risks. Settling on one framework and demonstrating that you comply with it is hard when there are so many options. When making a final decision, choose the framework that best fits your business needs, your tolerance for risk and the compliance requirements of your industry.
Some of the most common cybersecurity frameworks are described below to help you understand each one and make the best decision for your business. Note that several of them are revised periodically (for example, CIS Controls v8, NIST CSF 2.0, NIST SP 800-53 Revision 5 and PCI DSS v4.0 have since replaced the versions discussed here), so check for the current edition before you adopt one.
SOC 2
Created by the AICPA (American Institute of Certified Public Accountants) specifically for service organizations, SOC 2 applies to companies that store or process customer data on behalf of other businesses, most commonly in the cloud. A SOC 2 report is an independent auditor's attestation (not a certification) that your policies and procedures meet the AICPA Trust Services Criteria: security, which is always in scope, plus availability, processing integrity, confidentiality and privacy as applicable to your service. If you are a SaaS company that stores customer data in the cloud, a cloud-computing provider, or a partner of an organization whose infrastructure hosts other companies' customer data, SOC 2 is likely a good choice.
CIS Controls v7
The Center for Internet Security (CIS) developed the CIS Controls Version 7, a list of 20 actionable security controls that any organization can use as the baseline for its cybersecurity program. The 20 controls are grouped into Basic (controls 1 to 6), Foundational (7 to 16) and Organizational (17 to 20) categories, with the Basic group forming a minimum set of cyber hygiene measures such as inventorying hardware and software, continuous vulnerability management and controlled use of administrative privileges. This makes it a good first framework when building a cybersecurity program.
GDPR
While CIS v7 is a good starting point, the GDPR is considerably more involved. One of the most recent and comprehensive data protection regulations, the General Data Protection Regulation (GDPR) was enacted by the European Union (EU) to protect the personal data of individuals in the EU; it is a privacy law first, with security of processing as one of its requirements. It contains 99 articles in 11 chapters covering requirements for privacy and security, including notification of personal data breaches to the supervisory authority within 72 hours, and non-compliance can bring fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. The GDPR applies to controllers and processors of personal data that are established in the EU, and to those established outside the EU when they offer goods or services to, or monitor the behaviour of, individuals in the EU.
HIPAA
HIPAA, the Health Insurance Portability and Accountability Act, was signed into US law in 1996. Its Privacy and Security Rules govern how PHI (Protected Health Information) may be used, disclosed and protected by healthcare organizations and the business associates that handle PHI for them. The Security Rule sets out safeguards in five areas: general requirements, administrative safeguards, physical safeguards, technical safeguards and organizational requirements, together with the policies, procedures and documentation that support them. To comply, covered entities such as doctors, dentists and health insurance providers, and their business associates, must control and monitor access to patient health information and securely dispose of it when it is no longer needed.
ISO 27001
The International Organization for Standardization (ISO) developed ISO/IEC 27001 jointly with the International Electrotechnical Commission (IEC) as an international standard for an information security management system (ISMS): a documented, risk-based process for managing information security. Widely used as an industry best practice, this framework can be adopted by any organization. Many companies obtain ISO 27001 certification through an accredited auditor and then add other security frameworks to supplement this baseline. ISO 27001 is a good place to start when looking to revamp your company's cybersecurity.
NIST Cybersecurity Framework (CSF) Version 1.1
Created by the National Institute of Standards and Technology (NIST), the Cybersecurity Framework was first published in 2014 under Executive Order 13636 and the Cybersecurity Enhancement Act (CEA) of 2014. Version 1.1, released in 2018, added guidance on supply chain risk management and refined the identity management and access control category. The framework organizes security outcomes into five core functions (Identify, Protect, Detect, Respond and Recover) and maps them to controls in NIST SP 800-53 and other standards, which is why it is often described as a "lighter" version of 800-53. It is widely used as a best-practice reference, is mandatory for US federal agencies, and is sometimes required of contractors to the US federal government.
NIST SP 800-53
Also published by NIST, Special Publication 800-53 is a catalog of security and privacy controls for federal information systems that organizations use to meet Federal Information Security Management Act (FISMA) requirements. The catalog contains over 900 controls and control enhancements grouped into families such as access control, audit and accountability, and system and communications protection, making it one of the largest control sets a company can implement. NIST 800-53 is used by federal agencies, by organizations that operate or maintain federal information systems, and by anyone else seeking to comply with FISMA.
NIST SP 800-171
NIST Special Publication 800-171 defines the security requirements for protecting CUI (Controlled Unclassified Information) in nonfederal systems and organizations. For US Department of Defense (DoD) contractors it is mandatory: Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors that store, process or transmit CUI to implement its requirements. If your business does not handle CUI for the DoD or another federal agency, a different cybersecurity framework is probably a better fit.
NYDFS 500
Issued by the New York Department of Financial Services (NYDFS), the Cybersecurity Regulation (23 NYCRR Part 500) was created in response to the wave of security breaches in the financial services industry. It is mandatory for institutions licensed or regulated by NYDFS, including state-chartered banks, private bankers, mortgage and insurance companies, and foreign banks licensed to do business in New York. Its requirements include a written cybersecurity program, a designated Chief Information Security Officer, and notification to NYDFS of qualifying cybersecurity events within 72 hours.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC) to protect cardholder data and reduce payment card fraud. The standard sets out a comprehensive list of security requirements and applies to any organization that stores, processes or transmits cardholder data. If you are a merchant or service provider you must comply with PCI DSS; depending on your transaction volume this means completing an annual self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor, plus quarterly external vulnerability scans by an Approved Scanning Vendor, in order to attest compliance each year.
SEC
The US Securities and Exchange Commission (SEC) has published guidance for SEC-registered firms on specific cybersecurity measures and recommendations, including the "Investigative Report on Cybersecurity." In recent years the SEC has sharpened its focus on cybersecurity, and in 2017 it established its first Cyber Unit within the Division of Enforcement. If your organization is registered with the SEC or plans to register, start by complying with the SEC's cybersecurity guidance.
Choosing a Cybersecurity Framework for Your Business
If you’d like to discuss cybersecurity frameworks and would like assistance in choosing one for your business, contact ProviDyn. Our team is always glad to help. 404-551-5492