Are your clients’ payments, medical records and data secure? [US]
Are you compliant, so that the credit card companies and banks continue to allow your transactions? Are you ahead of security concerns, or do you struggle to keep up? Two weeks unable to take payments: what would that do to your business?
In this time of increasing cybercrime, rules and regulations are stepping stones to understanding what is required of you, but they are not safeguards in themselves. You need technical solutions, an organizational structure supporting them and, of course, the knowledge to make the right decisions.
This may require investment on your part, but not having it can be far worse than paying through the nose for it.
The DoD mission
Back in 2011 the Department of Defense (DoD) issued guidance called the Department of Defense Strategy for Operating in Cyberspace, which articulated five goals:
- To treat cyberspace as an operational domain.
- To employ new defensive concepts to protect DoD networks and systems.
- To partner with other agencies and the private sector in pursuit of a “whole-of-government cyber security Strategy”.
- To work with international allies in support of collective cyber security.
- To support the development of a cyber workforce capable of rapid technological innovation.
Following a Congressional report finding that there were over 50 statutes relevant to cyber security compliance, the DoD put forward the new cyber security rule (78 Fed. Reg. 69373), which imposed certain requirements on contractors:
- compliance with certain NIST IT-standards,
- mandatory reporting of cyber security incidents to the DoD, and
- a “flow-down” clause that applies the same requirements to subcontractors.
Bills are a platform, not a safeguard
At the Federal Government level the process has so far led to a number of acts and pieces of legislation, providing a platform. Yet the regulations do not address numerous computer-related industries, such as ISPs (Internet Service Providers) and software companies. Furthermore, the regulations do not specify what cybersecurity measures must be implemented and require only a “reasonable” level of security. The vague language of these regulations leaves much room for interpretation.
At the State Government level the process has also produced a long list of bills, but these only provide a platform, not a safeguard. It is all very well to define which legislation a cyber attack falls under and how it is to be judged, but you still need to prevent, or at least be able to deal with, a direct attack in order to keep your information safe. Legislation needs enforcement to actually amount to anything, wouldn’t you say?
Important security laws and regulations concerning the US
In order to get a better picture of the process we will look into the top 10 cyber security laws and regulations. Foremost among those concerning the US are:
- The National Strategy to Secure Cyberspace (2003)
- Cyberspace Policy Review (2009)
- International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (2011)
- Draft Strategy for Improving Critical Infrastructure Cybersecurity (2014)
- President’s Executive Order on Drawing up a Strategy for Improving Critical Infrastructure Cybersecurity (2013)
- The Department of Defense Cyber Strategy (2015).
Without digging into the individual laws and regulations, the growing volume of legislation is a strong sign of the obvious: the threats are increasing in complexity and hence the complexity of the solutions is increasing just as fast.
Accepting credit card payments? You need PCI Compliance!
In the case of online payment transactions, one way of dealing with security is PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments.
If your company intends to accept card payments and to store, process or transmit cardholder data, you need to host that data securely with a PCI compliant hosting provider. Closely related to this, you will find a number of payment processors, like Stripe or 2checkout, which will get the job done.
Dealing with health information? You need HIPAA!
Along with PCI you also have the HIPAA standard, addressing other security issues. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information, and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records, and to request corrections.
Make scenarios and plan for the worst case
All IT solutions need to be considered not only in terms of who will use them but, more importantly, who will abuse them. Make scenarios and plan for the worst case. Do this, take care of compliance, and build your IT security team. Implementing the right cyber security team structure is crucial to managing the two essentials of business: risk and cost.
The arrival of new technology and the emergence of the Fourth Industrial Revolution (4IR) have enabled cybercrime to increase – fundamentally altering how organizations must enhance their security measures. Managing risk now means managing cyber risk, which comes at a cost. But the cost of ignoring this new reality is far higher.