Data is your company’s most valuable asset, but how do you protect it? Where do you even begin!? Have no fear—Tugboat Logic is here! We’ve rounded up a list of today’s top security frameworks to help you figure out the best course of action for your organization. The more knowledge we can empower you with, the better equipped you are to tackle the maze of InfoSec and compliance. So, we’re going to help you navigate the regulatory landscape.
Why are security frameworks important? They give you a measure of where you are and where you need to go regarding protecting your data assets. While some frameworks are legally required to conduct business, like GDPR and CCPA, which cover specific jurisdictions, others are optional, like SOC 2. However, some companies may need you to be SOC 2 compliant.
But as always, safer data benefits everyone, especially your bottom line!
SOC 2: Systems and Organization Controls 2
SOC 2 is an audit process that evaluates your company’s ability to securely manage the data you collect and use during business operations.
Formed by the American Institute of CPAs (AICPA), this standard specifically relates to service providers that store customer data in the cloud. Therefore, SOC 2 applies to the vast majority of SaaS companies and businesses using the cloud to store customer data.
You hire a certified public accountant (CPA) to perform the audit, and they’ll provide you with your SOC 2 report. It documents your controls and which of the Trust Service Criteria have been chosen for your organization.
By completing SOC 2, you’re demonstrating to customers that you’re dependable and can be trusted with their data, but completion can take time. Some broad timeframes as a reference point? A SOC 2 Type 1 audit typically takes between one to three months, including prep time, while a SOC 2 Type 2 audit can take between six to 12 months or longer. The SOC 2 report is valid for a year.
Published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC), ISO 27001 is recognized worldwide which is how it made our top security frameworks list! It details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Any organization that collects sensitive information, small or large, government or private, profit or non-profit, can advance their business from ISO implementation. Some vendors may require some companies to attain certification before starting a working relationship. Still, many companies pursue ISO 27001 by choice.
The fundamental goal of ISO 27001 is to protect three aspects of information:
An accredited certification body will independently audit your organization. To achieve certification, you’ll undergo an ISO 27001 audit, and to pass, you’ll need to have implemented several critical items. As with any certification, time varies from company to company and depends heavily on your existing circumstances.
Stage 1, where auditors focus mainly on documentation, can take up to six months (ten employees or less) to 14 months (over 200 employees) of preparation before the audit. The audit itself only takes a day or two to complete. Your auditor will leave you with a document citing nonconformities to address before the next audit.
A month after Stage 1, the auditor returns to evaluate the management system’s implementation. And the list of issues to address that they left you with. The Stage 2 audit typically takes around a week. It’s very in-depth and involves going through your ISMS, talking with employees, and digging deeply into all your policies. The auditors will summarize their findings, especially the non-conformances, in an audit report.
ISO certification is valid for three years, and companies are required to do surveillance audits for two years, and in year three, they’ll complete a recertification audit.
PCI DSS: Payment Card Industry Data Security Standard
When your payment systems are secure, customers can trust you with their cardholder data information. Any organization that stores, processes, or transmits payment card data needs to comply with Payment Card Industry Data Security Standard (PCI DSS). This top security framework applies even if you only have a single transaction a year!
The Payment Card Industry Data Security Standard is an information security model for organizations that handle credit cards. Payment Card Industry Security Standards Council doesn’t enforce compliance; they just make the rules. Council-trained and validated assessors support merchants and service providers by appraising the effectiveness of how vendors have implemented PCI controls and processes. These include Qualified Security Assessors, Approved Scanning Vendors, PCI Forensic Investigators, and more.
The PCI DSS Assessment can take six to eight weeks, but timelines vary depending on the project’s size, the number of systems, and how many security measures and policies are already in place. The PCI compliance certificate is valid for one year, and you’re required to complete the PCI DSS self-assessment questionnaire annually.
NIST CSF: Cybersecurity Framework
The National Institute of Standards and Technology (NIST) published this voluntary set of guidelines for organizations to manage and reduce cybersecurity risks. It covers five areas: Identify, Protect, Detect, Respond, and Recover. The Cybersecurity Framework (CSF) is for organizations of all sizes, sectors, and maturities. And it’s customizable.
Basically, the CSF was created to acknowledge and standardize specific controls and processes. Most have already been covered and duplicated in existing frameworks. It builds on and does not replace security standards like NIST 800-53 or ISO 27001. But it’s a great place to start if you’re looking to improve your cybersecurity.
Each organization’s cybersecurity resources, capabilities, and needs are different. So the time to implement the framework will vary among organizations, ranging from as short as a few weeks to several years. And how often you monitor to maintain compliance is dependent on how/what you decide to implement.
HIPAA: The Health Insurance Portability and Accountability Act
With the rapid adoption of technology in healthcare, the medical workforce is more mobile and efficient than ever. And data is more at risk. The Health Insurance Portability and Accountability Act (HIPAA) is the United States’ federally mandated legislation that protects healthcare information. HIPAA encourages healthcare providers to adopt new technology. But safeguarding private health information is equally important as the quality and efficiency of medical services.
There are three distinct and separate regulations under HIPAA:
- HIPAA Privacy
- HIPAA Security
- HIPAA Breach Notifications
All organizations that work with health care information must comply with HIPAA Privacy regulations since privacy involves safeguards from a people standpoint. But only those who store or transmit protected health information electronically must comply with HIPAA Security regulations’ requirements.
The Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) administers and enforces these standards. They conduct complaint investigations and compliance reviews regularly.
Implementing HIPAA can take anywhere from six months for single locations to almost three years for hospitals and larger organizations, and maintaining it is done internally.
NERC 1300: North American Electric Reliability Corporation
Almost 400 million North Americans depend on electricity to live their daily lives! And when the power is out, everything comes to a screeching halt.
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose standards apply to users, owners, and bulk power system operators. Their mission is to assure the effective and efficient reduction of risks to the grid’s reliability and security. NERC covers more than just the USA. It includes Canada, Mexico, and as of 2016, the European Commission’s Directorate General for Energy. They’re collaborating on grid reliability with NERC!
The latest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP = Critical Infrastructure Protection) and there are 11 legally enforceable standards. Understanding these is essential for achieving compliance. The complete list can be found here.
Businesses are accountable for demonstrating compliance through self-certification submitted to NERC annually.
ISA/IEC 62443: Industrial Communication Networks
The International Society of Automation (ISA) released ISA-62443, but it also goes by International Electrotechnical Commission (IEC) IEC-62443.
It’s a flexible top security framework addressing current and future security vulnerabilities in industrial automation and control systems (IACSs). The standard covers operational technology in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare, and transport systems.
The compliance process is a little different with this standard. A Conformity Assessment (C.A.) is conducted instead. It confirms that a product or service meets requirements in a specification. A specification is the technical description of the characteristics that a product or service must meet to be compliant and become certified.
GDPR: General Data Protection Regulation
Suppose you sell to customers with operations in Europe or have employees in Europe. In that case, GDRP compliance is a must-have. Or face lost business and regulatory fines of up to four percent of revenue!
The General Data Protection Regulation was created to give E.U. citizens more control over their personal data. Under GDPR, companies must ensure that personally identifiable info (PII) is collected legally and that the data is appropriately managed and safeguarded. Organizations complete self-directed GDPR assessments. Accountability is one of the data protection principles. You’re responsible for complying with the UK GDPR, and you must be able to demonstrate your compliance. To help, you can apply for certification, but it’s voluntary.
Timelines for implementation vary between processors and controllers and are impacted significantly by company structure, but the process can take anywhere from six to 36 weeks!
CCPA: California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) provides a regulatory framework to online privacy rights in the United States. This data privacy law regulates how businesses worldwide handle the personally identifiable information (PII) of California residents. However, unlike the GDPR, which applies to all organizations regardless of size, CCPA excludes some small businesses.
If you collect consumers’ personal information, alone or jointly with others, do business in the State of California, and satisfy one or more of the following thresholds:
- Have an annual gross revenue of over 25 million dollars
- Annually buy, receive, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
- Derive 50 percent or more of your annual revenues from selling consumers’ personal information
Then, CCPA is for you! Similar to GDPR, compliance is mandatory.
Timelines for CCPA vary between collectors and sellers, impacted significantly by company structure and how much personal data is being processed. Still, it can take anywhere from four to 26 weeks to complete implementation!
Pulling it All Together
A Beginner’s Guide to Today’s Top Security Frameworks is just a handful of the hundreds of complex laws and regulations worldwide that organizations find themselves required to follow. Your Information Security Program should constantly be evolving to sustain customer trust and meet compliance obligations.
Tugboat Logic can help you out! With over 100 years of combined experience working in security, let our team of ex-auditors and security veterans assist you on your compliance journey, regardless of what framework you require. Our platform works a little bit like Connect The Dots. We’ve mapped the controls of different InfoSec frameworks to a single body of evidence tasks. For example, when you complete SOC 2, you’re over 50 percent on your way to achieving ISO 27001, PCI DSS, HIPAA, etc. We’ve even associated business risks with mitigating controls so you can track your operational state in real-time.