Compliance regulations are critical to any security program, they are in place to help improve security strategies by providing guidelines and practices based on their industry and relative type of data they maintain. Not complying with these regulations can result in severe fines, law suits, or even data breaches.
The difficulty in applying compliance regulations to your organization is because they are written in such a way that an average person cannot easily understand them. With that inherent complexity, it becomes confusing when deciding what regulations your organization falls under. Generally, it becomes necessary to partner with a security professional to translate these regulations into easily understandable language. Many of these professionals have obtained the HISP (Holistic Information Security Practitioner) certification, this denotes a deeper understanding of the regulations and the system controls required therein.
JMC Information Technologies can aid in identifying what regulations and guidelines your organization needs to comply to. While implementing these standards into your organization, security plans and personnel training aid in compliance with the required regulations. Listed below are the most common compliance regulations along with their translated definitions and what data field they apply to. If you have any questions regarding compliance services or would like to enlist our services, please request a quote and we will contact you as soon as possible.
| The Act | What it Regulates | Company Affected |
|---|---|---|
| NIST (National Institute of Standards and Technology) | This regulation provides a customizable guide on managing and reducing cyber security related risks through combining existing standards and practices. It also aids in the communication between stakeholders by creating a common “language” easily understood between different industries. | Voluntary regulation that can be used by any organization looking to reduce overall risk. |
| CIS Controls (Center for Internet Security Controls) | This regulation assists in protecting an organizations assets and data from known cyber attack threats. | Voluntary regulation usable by any organization seeking to strengthen security in the internet of things (IoT). |
| ISO 27000 Family (International Organization for Standardization | The family of standards provide security requirements for the maintenance of information security management systems (ISMS) with the implementation of security controls. | These regulations cover a broad range of industries. All businesses can use the 27000 family for assessments of their cyber security practices. |
| ISO 31000 Family (International Organization of Standardization) | This group of regulations governs the principles of implementation and risk management. | These regulations cover a broad range of industries. All businesses can use the 31000 family for assessments of their cyber security practices. |
| HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule | These acts are a two-part bill, Title I protects the healthcare of people transitioning between jobs. Title II simplifies the healthcare process by shifting to electronic data. This also protects the privacy of individual patients, though this was further expanded through the HITECH / Omnibus Rule. | This regulation pertains to any organization that handles healthcare data. This includes doctor’s offices, hospitals, insurance companies, and extending to employers and beyond. |
| PCI-DSS (Payment Card Industry Data Security Standard) | This is a set of 12 regulations implemented to reduce fraud and protect the customer’s credit card data. | Compliance is required by any organization handling credit card information. |
| GDPR (General Data Protection Act) | This act regulates the data protection and privacy of citizens of the European Union. | Compliance is required by any organization associated with or handling the data of a citizen of the European Union. |
| CCPA (California Consumer Privacy Act) | This act protects the privacy rights of the residents of California. | Compliance is required by any organization doing business in California that collects consumers’ data. |
| AICPA (American Institute of Certified Public Accountants) | Maintenance of the security, integrity, and privacy of systems processing user data. | Compliance is required by any service organization that process data. |
| SOX (Sarbanes-Oxley Act) | This act requires organizations to maintain financial records for up to 7 years. Implemented to prevent another Enron scandal. | Compliance required by U.S public company boards, management, and public accounting firms. |
| COBIT (Control Objectives for Information and Related Technologies) | This framework was developed to aid organizations to manage information and technology by linking business and IT goals. | Compliance is required by businesses processing quality control of information. This includes audit and assurance, compliance, IT operations, governance, and security and risk management. |
| GLBA (Gramm-Leach-Bliley Act) | This act permitted insurance companies, commercial banks, and investment banks to be within the same company. For security, it requires that companies secure the private data of clients and customers. | Compliance required by any organization that offers financial products or services to individuals. i.e. loans, financial or investment advice, or insurance. |
| FISMA (Federal Information Security Modernization Act of 2014) | This act denotes information security as a matter of national security. This mandates that all federal agencies develop a method of protecting their information and data. | Compliance required by all federal agencies. |
| FedRAMP (Federal Risk and Authorization Management Program) | This act regulates all cloud services across the Federal Government. | Compliance required by all executive departments and agencies. |
| FERPA (The Family Educational Rights and Privacy Act of 1974) | Stated in sections 3.1 of the act, regulation and protection of student educational records. | Compliance required by all post-secondary educational institution. |
| ITAR (Internal Traffic in Arms Regulation) | Regulates the sale of defense articles and defense services providing critical military or intelligence capability). | Compliance required by any organization producing or selling defense items or services. |
| COPPA (Children’s Online Privacy Protection Rule) | This rule regulations the online collection of personal information for children under the age of 13. | Compliance required by any person or entity under United States jurisdiction. |
| NERC CIP Standards (North American Electric Reliability Corporation Critical Infrastructure Protection Standards) | This standard regulates the security of North America’s power structure. | Compliance required by all bulk power system owners and operators. |
JMC Information Technologies 