
Compliance with Cybersecurity Regulation

by Brent Kirkpatrick

(Date Published: .)

Following cybersecurity laws cannot guarantee security.

Compliance with regulations about cybersecurity largely revolves around physical security, reporting intrusions, and accounting verification. Compliance does not guarantee security.

For a given company, the type of company (public or private), the sector of its business, and its transactions determine the regulations with which it must comply. Laws pertaining to compliance include, but are not limited to:

Finance: Gramm-Leach-Bliley (GLB) Act
Credit Cards: Payment Card Industry Data Security Standard (PCI-DSS)
Public Companies: Sarbanes-Oxley (SOX) Act
Energy: NERC Critical Infrastructure Protection Act
Health: Health Insurance Portability and Accountability Act (HIPAA)
Government: Federal Information Security Management Act (FISMA)
European Commerce: General Data Protection Regulation (GDPR), European Union Agency, Directive on Security of Network and Information Systems (NIS)

cartoon: gavel declaring a computer guilty of hacking

The reason for compliance with these laws is the enforcement of a minimum security standard. This minimum standard is a procedure for responding to intrusions, not a checklist of security measures. These laws are designed to help a company detect accounting and security irregularities, report them to those who are affected, and respond with repairs.

Fines for lack of compliance usually come when there is a failure to report or gross negligence in implementing a commonly accepted security measure. Usually, hackers reveal a lack of compliance: a company is hacked, fumbles, fails to report, or fails to repair vulnerabilities. That is when fines follow.

Compliance does not guarantee security. A company can be fully compliant before, during, and after an intrusion. Compliance during an intrusion requires a timely response that involves reporting the intrusion and mitigating the vulnerabilities. Reporting means notifying the individuals whose sensitive data was breached. Mitigation means identifying the vulnerabilities used by the hackers and repairing them.


© 2015-2021 Intrepid Net Computing. All rights reserved.