
The Evolution of Compliance: How to Get Compliant and Stay Ahead


Looking back, technology historians may well view the last 10 years as the decade of compliance. From a nearly unknown quantity back in 2010, the field has exploded to the point where many enterprises now have a full-time dedicated Chief Compliance Officer (CCO) to ensure they are in line with industry, voluntary, and regulatory standards.

Certain industries are more heavily regulated than others, such as finance, healthcare, and government. But with sweeping regulations like GDPR coming into effect almost everywhere, your business is probably not exempt.

Whether or not you’ve already begun moving toward compliance, the first thing to know is that regulatory compliance demands a new mindset. And in practical terms, on the ground, it demands new approaches to managing risk–including, potentially, new tools that can provide better insight into your organization’s risk profile.

Let’s look at some of the major regulatory developments and what they’ve meant for information security.

Evolution of Regulations

The first concept to understand when talking about regulatory compliance is “PII,” which stands for personally identifiable information. This term may have been used even earlier in the context of information security, but it was formally defined in 2007 by White House OMB Memorandum M-07-16 as

“…information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

While definitions vary by jurisdiction, particularly between the U.S. and EU, what you need to know is that essentially all of these new regulations acknowledge the value of PII and put measures in place that attempt to protect it from data breaches.

Let’s first explore a quick overview of some of the regulations that have come into effect, in chronological order, and then we’ll take a look at some of the elements they share in common.


Each entry below lists the year, jurisdiction, title, highlights, and penalties.

1999, USA: GLBA (Financial Services Modernization Act)
  Highlights:
  • Protecting PII of customers of financial institutions, opening the door to greater protections by recognizing service providers’ responsibility to implement good data handling practices and strict security measures
  Penalties:
  • Fines up to $100,000 per violation, along with fines for officers and directors of up to $10,000 per violation
  • Up to 5 years’ imprisonment, revocation of business licenses

2013, USA: NIST 800-40 Revision 3
  Highlights:
  • Guide to enterprise patch management technologies to be followed by all government agencies
  • Recommends that “agent-based patch management technologies are strongly preferred for hosts that are not on the local network all the time”
  • Highlighted the inherent risks of failing to implement a comprehensive patch management program

2014, USA: FISMA (amended)
  Highlights:
  • Conducting frequent inventories of current security measures, analyzing existing or anticipated threats, performing risk assessments, creating working security plans and procedures
  • Designating security professionals to oversee implementation of plans and monitoring of effectiveness
  • Instituting procedures to review security plans and periodically assess SecOps
  Penalties:
  • Low score leads to censure, loss of work, loss of federal funding

2014, Global: Payment Card Industry Security Standards Council (PCI DSS)
  Highlights:
  • Six categories of goals, including (1) Build and Maintain a Secure Network and Systems and (3) Maintain a Vulnerability Management Program
  Penalties:
  • Fines from $5K to $10K if critical patches are not deployed within a month

2016, North America: NERC CIP-007
  Highlights:
  • For energy providers, mandates a patch management process for tracking, evaluating, and installing cybersecurity patches for applicable cyber assets
  Penalties:
  • Up to $1M per day per violation

2017, Luxembourg: CSSF Circular 17/655
  Highlights:
  • Banks and investment firms are required to implement a patch management procedure allowing for timely correction of significant vulnerabilities
  Penalties:
  • Fines between €250 and €250,000 and other censure measures

2018, EU (and anyone doing business in the EU): General Data Protection Regulation (GDPR)
  Highlights:
  • Rights, PII minimization, consent and opt-out, data protection “by design and default” – including tools to combat vulnerabilities
  Penalties:
  • Fines up to €20 million or 4% of worldwide annual revenue

2018, USA: Sarbanes-Oxley Act (SOX) 302
  Highlights:
  • Auditing and financial accountability for public companies, internal controls, high security standards including certifying the effectiveness of vulnerability detection and remediation
  Penalties:
  • Fines up to $1M and/or prison term, even if done by mistake

2018, USA: Health Insurance Portability and Accountability Act (HIPAA)
  Highlights:
  • Four general rules, including (2) “Identify and protect against reasonably anticipated security threats,” and (3) “Protect against reasonably anticipated, impermissible uses or disclosures”
  • Includes requirements for audit controls and protection from malicious software
  • Ensure compliance by workforce and business associates
  • These facets of HIPAA were reiterated in 2018 following the Spectre/Meltdown vulnerability exploits
  Penalties:
  • $100 to $50,000 per violation up to a maximum of $1.5M/year
  • Possible criminal charges and prison term

2020, USA (California): California Consumer Privacy Act (CCPA)
  Highlights:
  • Similar to GDPR in terms of privacy and rights, plus price protections
  Penalties:
  • Civil penalties ranging from $2,500 for a non-intentional violation to $7,500 for an intentional violation
  • Statutory damages defined in the California Civil Code ranging from $100 to $750 per consumer per incident or actual damages, whichever is greater, with no ceiling on the number of violations (e.g., if 100,000 users were impacted, fines could easily reach $750 million)


This is by no means an exhaustive list! Depending on where you are, parallel regulations are already in place or coming into force in most other jurisdictions, such as Canada (PIPEDA), Australia (Privacy Act/APPs), Brazil (LGPD), South Africa (POPI), and many other countries.

As with GDPR in the EU, it’s important to read the fine print. Just because a regulation applies in a foreign jurisdiction doesn’t mean you can ignore it. If you’re doing business in that jurisdiction–selling products, signing up users, or even hosting website visitors–you may be subject to that jurisdiction’s rules.

If there’s one thing you can take away from this timeline, it is that the pace of implementing compliance standards is accelerating. So wherever you do business, the most urgent question is: How can your organization protect itself and stay ahead of the pack?

What Do All These Regulations Have in Common?

As we’ve seen in many of the regulations above, whether they state it explicitly or simply suggest it implicitly, data protection begins with cyber hygiene practices. In many cases, this comes down to truly basic elements that are too often overlooked.

What kind of basic practices offer the most ROI when it comes to protecting your business?

According to a recent roundtable of compliance officers, there are a few ways you can be more proactive when it comes to meeting today’s compliance standards:

  • Leonard Shen, CCO, Visa: “The global regulatory environment has become more intensive, with higher expectations, articulated in more granular and prescriptive guidance and enforcement actions.”
  • Andrea McGrew, CCO/CLO, USA Financial: “Cyber-security is our biggest challenge now, and it will be even more so in the next five years. We’re fighting for the safety of our investors’ information, and our opponents are faceless, nameless ghosts (who are smart, sophisticated, and patient as well).”
  • Michael Blackshear, Global CCO, Ryan Specialty Group: “People create the greatest compliance risk to an organization. People make mistakes, engage in intentional unethical acts, and are subject to extreme pressures to perform.”

As these executives understand all too well, your security team is working hard to meet more compliance standards than ever before. Whether we’re talking about meeting prescriptive guidance, avoiding enforcement, ensuring the safety of your users’ data, or minimizing compliance risks, JetPatch has you covered–we’ve created tools to help you comply more easily with present and future regulatory requirements.

How JetPatch Helps You Meet Regulatory Standards

Whatever industry you’re in, you can’t afford to ignore the last decade’s wave of regulatory guidelines. Compliance requirements of various agencies, along with potential fines, are a major consideration for any organization handling user data.

There is one pretty big upside as well. Every step you take toward compliance is also a step toward building trust with your users. Many regulatory standards are designed not only to protect the general public but to also call attention to users’ rights when it comes to their PII, as GDPR does by allowing users to view and delete any information you have stored about them.

As the public becomes more aware of the value of their data and more sensitive as to how it’s being used, they’ll want to align themselves with companies that follow the strictest precautions available. With patching at the heart of your organization’s compliance strategy, you can be sure that any PII your organization handles is as secure as possible. And JetPatch makes it easy. Regardless of the regulatory standard, we’ll help you achieve total compliance by… 

  • Giving you a handle on all of your organization’s assets
  • Tracking the most recent patches for all relevant software/environments
  • Using intelligent prediction to minimize downtime
  • Automating patching to eliminate human error/fatigue
  • Speeding time to remediation for more responsible data handling

And with a comprehensive patching program, you’ll be saving your company the expense–not to mention the humiliation–of a major breach.

JetPatch has been designed to additionally ensure compatibility with all of your other security tools. And with JetPatch in place, you’re guaranteeing a smooth transition toward any future data compliance standards as well. So no matter what your—or any other—jurisdiction throws at you, you’ll be ready to roll it out, hassle-free.

Danny Miller
Danny is the Chief Marketing Officer & Biz Dev at JetPatch. He has 20 years of technology experience in product and corporate marketing with a strong focus on cybersecurity in recent years. https://www.linkedin.com/in/danny-miller-2012331/