Is it better to focus on compliance or a on a framework system?
I.e. PCI or HIPAA compliance versus ITIL or COBIT for example.
There are more regulations coming so let’s add a couple of the US based ones. SHIELD(Stop Hacks and Improve Electronic Data Security) and CCPA(California Consumer Privacy Act).
- SHIELD – Stop Hacks and Improve Electronic Data Security Act , became law in New York(January 2019). Must adopt “reasonable safeguards to protect security, confidentiality and integrity” of private information.
- CCPA – becomes law in January 2020 and requires broad protection of information (job description, ip addresses, web browsing history, and more personal data like addresses and more)
Red Gate software has an interesting comparison of the compliance and regulation issues in the USA.
In the case of ‘who’ is most affected by compliance or framework focus we need to define the audience first. The audience for this blog post is the small medium business (SMB) person in charge of the business or the top IT person. An enterprise business will perform a framework, compliance, and all regulations eventually, the larger one is the more likely a framework has to make sense.
What will a SMB entity decision require?
- Depends mostly on organization -how big
- How many people, computers, type of must have compliance
- The issue is how decisions are made from the business to IT
In the past for me I have been in these situations where I am in charge of the IT department and the decision process leads to the Operations Officer or President. Some business need is presented to either Officer and then I am tasked as IT to provide a solution to the basic business need (new computer system) or a bigger task like adding a new branch.
These basic decisions are not complicated decisions. But they do set a direction of the company. When buying a new device does it get checked to see if it is configured for security? When designing a new branch system how will the new branch be integrated into the current systems?
Under PCI compliance all one needs to do is segment the network that the payment system is on and now compliance is easier to prove. Of course if that can’t be done due to business needs which integrate credit card payment and customer information then there is no segregation of credit card data with the other streams of data in the company.
Whenever the lines between the compliance needs and the rest of the company become blurred is when a framework could help with a solution.
Governance is when a group of people(the board) make decisions with a future direction in mind. The decisions become more strategic, as several items are weighed: Business needs (CEO/COO), Cybersecurity (CISO), Information Technology(CIO), and other business leaders – depending on specialization. Each new direction or decision, like starting to create branches of the company can be built in many different ways using technology. The governance board will publish the decisions and create a security policy which talks about bringing your own devices on the network (only to go on guest network for example).
What is COBIT for example: “COBIT is an IT management framework developed by the ISACA to help businesses develop, organize and implement strategies around information management and governance.” CIO.com has an article that gives a decent overview (a third party looking at COBIT – instead of ISACA review)
So 40 governance and management system objectives for establishing a new governance program. And most interesting we can use maturity and capability measurements. One can now truly keep all company factors in mind to create an IT governance strategy.
The difference with PCI compliance is stark, as PCI compliance needs a quarterly report with a method to review and solve vulnerability assessments with a patching program. Basically a vulnerability management program will write the PCI compliance report without too many additional points.
So PCI compliance does not address how to make future decisions, although one can see how a decision could affect the compliance report. There is no mechanism that says with A,B, and C you should do “this acme action”. In fact only Credit Card(CC) data is focused with the Compliance standard. The problem in an integrated environment (without segmented areas of the network to keep the CC data in) is to make open all devices to vulnerability management.
There are more regulations that focus on privacy data like ip addresses, physical addresses of customers, cookies, and any other possible privacy revealing data of possible customers. This would be the CCPA the California.
Another regulation is the NY SHIELD law which is a minimum cybersecurity requirements. It also revises the current NY data breach notification law.
Courtney Bowman has a good blog post discussing this Act.
Don’t forget to include a pervasive testing regimen to help your IT staff validate the environment. The PCI compliance requires it and thus it is also in all governance initiatives.
Here is our focus (the testing of the environment) and we use tests and reports to help the governance board to make decisions to complete business goals.
Contact Us to discuss