‍

Data security standards, regulations and compliance frameworks are sets of controls and policies created by an organization or legal entity, detailing how an organization should protect its assets and create a secure ecosystem.

Often, these policies will refer to elements of physical security, education, documentation, secure development and deployment, compute security, monitoring, incident response and others.

‍

Why are there so many of them?

• Different levels of authority – Countries/states, non-profit organizations, market owners, etc.
• Different scope – Data types and processes driven, such as PII, PCI, PHI, Financial, SDLC, etc.
• Different audiences – End consumers, insurance, CISOs, etc.

‍

Are these the only guidelines?

Usually – no. Most controls do become industry standards, however, as having a certification or attestation enables trust between the organization and others, declaring how well assets are protected.

Often, periodical audits are required to maintain the level of certification, and as such become gateways to specific environments.

‍

Common standards, regulations and compliance frameworks

PCI DSS - Payment Card Industry Data Security Standard

• Mandated by the card organizations brand but administered by the Payment Card Industry Security Standards Council.
• Primary aim - Information security standard for handling branded credit cards from the major card schemes.

HIPAA - Health Insurance Portability and Accountability Act of 1996

• Mandated by the United States Congress.
• Primary aim - Detailing methods to protect personally identifiable information maintained by the healthcare and healthcare insurance industries from fraud and theft.

GDPR -  General Data Protection Regulation

• Mandated by the European Union and the European Economic Area Law.
• Primary aim - Enhancing individuals' control and rights over their personal data and  simplifying the regulatory environment for international business.

NIST - National Institute of Standards and Technology

• Mandated by the regulatory agency of the United States Department of Commerce.
• Primary aim - NIST 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security.
• Primary aim - NIST 800-171 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems.

SOX - Sarbanes–Oxley Act of 2002

• Mandated by United States federal law.
• Primary aim - Practices in financial record keeping and reporting for corporations.

CIS - Center for Internet Security

• A nonprofit organization with no official mandate.
• Primary aim - A set of best-practice cybersecurity standards for a range of IT systems and products.

SOC2 – Service Organization Control

• A voluntary compliance standard developed by the American Institute of CPAs (AICPA).
• Primary aim - Specifying how organizations should manage customer data.

CCPA - California Consumer Privacy Act

• A state statute for residents of California, United States.
• Primary aim - To enhance privacy rights and consumer protection.

FISMA - Federal Information Security Management Act of 2002

• Mandated by United States federal law.
• Primary aim - To reduce the security risk to federal information and data while managing federal spending on information security.