Looking back, technology historians may well view the last 10 years as the decade of compliance. From a nearly unknown quantity back in 2010, the field has exploded to the point where many enterprises now have a full-time dedicated Chief Compliance Officer (CCO) to ensure they are in line with industry, voluntary, and regulatory standards.
Certain industries are more heavily regulated than others, such as finance, healthcare, and government. But with sweeping regulations like GDPR coming into effect almost everywhere, your business is probably not exempt.
Whether or not you’ve already begun moving toward compliance, the first thing to know is that regulatory compliance demands a new mindset. And in practical terms, on the ground, it demands new approaches to managing risk–including, potentially, new tools that can provide better insight into your organization’s risk profile.
Let’s look at some of the major regulatory developments and what they’ve meant for information security.
Evolution of Regulations
The first concept to understand when talking about regulatory compliance is “PII,” which stands for personally identifiable information. The term may have been used even earlier in the context of information security, but it was formally defined in 2007 by White House OMB Memorandum M-07-16 as “…information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
While definitions vary by jurisdiction, particularly between the U.S. and EU, what you need to know is that essentially all of these new regulations acknowledge the value of PII and put measures in place that attempt to protect it from data breaches.
Let’s start with a quick overview of some of the regulations that have come into effect, in chronological order, and then look at the elements they share.
Year | Where | Title | Highlights | Penalties
---- | ----- | ----- | ---------- | ---------
1999 | USA | GLBA (Financial Services Modernization Act) | | 
2013 | USA | NIST 800-40 Revision 3 | | 
2014 | USA | FISMA (amended) | | 
2014 | Global | Payment Card Industry Security Standards Council (PCI DSS) | | 
2016 | North America | NERC CIP-007 | | 
2017 | Luxembourg | CSSF Circular 17/655 | | 
2018 | EU (and anyone doing business in the EU) | General Data Protection Regulation (GDPR) | | 
2018 | USA | Sarbanes-Oxley Act (SOX) 302 | | 
2018 | USA | Health Insurance Portability and Accountability Act (HIPAA) | | 
2020 | USA (California) | California Consumer Privacy Act (CCPA) | | 
This is by no means an exhaustive list! Depending on where you are, you may or may not be aware of parallel regulations that are now in place or coming into force in most other jurisdictions, like Canada (PIPEDA), Australia (Privacy Act/APPs), Brazil (LGPD), South Africa (POPI), and many other countries.
As with GDPR in the EU, it’s important to read the fine print. Just because a regulation applies in a foreign jurisdiction doesn’t mean you can ignore it. If you’re doing business in that jurisdiction–selling products, signing up users, or even hosting website visitors–you may be subject to that jurisdiction’s rules.
If there’s one thing you can take away from this timeline, it is that the pace of implementing compliance standards is accelerating. So wherever you do business, the most urgent question is: How can your organization protect itself and stay ahead of the pack?
What Do All These Regulations Have in Common?
Whether they state it explicitly or only imply it, the regulations above share a common starting point: data protection begins with cyber hygiene practices. In many cases, this comes down to truly basic measures that are too often overlooked.
What kind of basic practices offer the most ROI when it comes to protecting your business?
At a recent roundtable of compliance officers, several described why organizations need to be more proactive about meeting today’s compliance standards:
- Leonard Shen, CCO, Visa: “The global regulatory environment has become more intensive, with higher expectations, articulated in more granular and prescriptive guidance and enforcement actions.”
- Andrea McGrew, CCO/CLO, USA Financial: “Cyber-security is our biggest challenge now, and it will be even more so in the next five years. We’re fighting for the safety of our investors’ information, and our opponents are faceless, nameless ghosts (who are smart, sophisticated, and patient as well).”
- Michael Blackshear, Global CCO, Ryan Specialty Group: “People create the greatest compliance risk to an organization. People make mistakes, engage in intentional unethical acts, and are subject to extreme pressures to perform.”
As these executives understand all too well, your security team is working hard to meet more compliance standards than ever before. Whether we’re talking about meeting prescriptive guidance, avoiding enforcement, ensuring the safety of your users’ data, or minimizing compliance risks, JetPatch has you covered–we’ve created tools to help you comply more easily with present and future regulatory requirements.
How JetPatch Helps You Meet Regulatory Standards
Whatever industry you’re in, you can’t afford to ignore the last decade’s wave of regulatory guidelines. Compliance requirements of various agencies, along with potential fines, are a major consideration for any organization handling user data.
There is one pretty big upside as well. Every step you take toward compliance is also a step toward building trust with your users. Many regulatory standards are designed not only to protect the general public but to also call attention to users’ rights when it comes to their PII, as GDPR does by allowing users to view and delete any information you have stored about them.
As the public becomes more aware of the value of their data and more sensitive as to how it’s being used, they’ll want to align themselves with companies that follow the strictest precautions available. With patching at the heart of your organization’s compliance strategy, you can be sure that any PII your organization handles is as secure as possible. And JetPatch makes it easy. Regardless of the regulatory standard, we’ll help you achieve total compliance by…
- Giving you a handle on all of your organization’s assets
- Tracking the most recent patches for all relevant software/environments
- Using intelligent prediction to minimize downtime
- Automating patching to eliminate human error/fatigue
- Speeding time to remediation for more responsible data handling
And with a comprehensive patching program, you’ll be saving your company the expense–not to mention the humiliation–of a major breach.
JetPatch has been designed to additionally ensure compatibility with all of your other security tools. And with JetPatch in place, you’re guaranteeing a smooth transition toward any future data compliance standards as well. So no matter what your—or any other—jurisdiction throws at you, you’ll be ready to roll it out, hassle-free.