Establishing a Robust Cybersecurity Program
Creating and maintaining a robust cybersecurity program is straightforward and beneficial:
- Improve access to cyber insurance
- Improve competitive posture
- Maintain trust among all parties
- Avoid penalties and legal repercussions
When fiscal pressures mount, however, many CISOs begin to face questions from stakeholders (including CEOs, CFOs, and Boards of Directors) such as:
- What happens if we don’t comply with cybersecurity regulations?
- What happens if our certifications lapse?
Let’s review the risks and penalties for non-compliance with common IT Security Standards.
Risks of Insecure IT Security
Some risks can be generalized over multiple standards and are commonly encountered as a result of:
- Lapse in certification
- Dismantling of an IT security program
Risks of Non-Compliance with IT Security Standards
There are risks that can and will occur when an organization:
| Standard | To whom does this apply? | Specific Risks of Non-Compliance, a Data Breach, and/or a Lapse in Compliance |
|---|---|---|
| PCI DSS provides technical and operational requirements to protect cardholder data and reduce fraud. | PCI DSS applies to all entities that store, process, or transmit cardholder data, and includes requirements for software developers and manufacturers of applications and devices used in those transactions. | |
| SOC 2 reports help service organizations that provide services to other entities build trust and confidence in the services performed and establish controls related to the services through a report by an independent CPA. | The service organizations that utilize SOC are typically in the finance, healthcare, and business analytics industries. | |
| ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an organization’s ISMS. ISO 27001 outlines requirements tailored to the organization’s needs for assessing and treating information security risks. | Organizations across all sectors that seek to establish an ISMS, apply a risk management process adapted to their size and needs, and scale it as necessary as those factors evolve utilize ISO 27001. | |
| HIPAA sets standards to safeguard individuals’ medical records and other confidential information. It also limits the use and disclosure of such information without the individual’s consent. | HIPAA applies to health plans, healthcare clearinghouses, and providers that conduct certain healthcare transactions electronically. | Civil Penalties: There are four tiered ranges of penalties for violating HIPAA. There are maximum penalty caps of up to $1.5 million for all violations of an identical provision during a calendar year. Criminal Penalties: A HIPAA violation can also result in criminal penalties. According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR): |
| The GDPR establishes rules protecting the processing and free movement of personal data. | The GDPR applies to the processing of all personal data, automated or not. | A whole group can be treated as one undertaking, with its total worldwide annual turnover used to calculate the fine for a GDPR infringement by one of its companies. |
| FedRAMP® promotes secure cloud services in US federal agencies by providing a standardized, cost-effective, and risk-based approach to security authorizations and threat assessments for cloud technologies. | Cloud Service Providers whose Cloud Service Offering is used by the US federal government should consider obtaining a FedRAMP® Authorization. | |
| NIST 800-171 provides a voluntary framework consisting of standards, guidelines, and best practices for organizations to better manage and reduce cybersecurity-related risks. | US federal agencies, contractors, and subcontractors working with the US federal government are required to comply with NIST requirements. | |