Compliance with Cybersecurity Regulation

by Brent Kirkpatrick

(Date Published: .)



Following cybersecurity laws cannot guarantee security.



Compliance with cybersecurity regulations largely revolves around physical security, reporting intrusions, and accounting verification. Compliance does not guarantee security.

For a given company, its type (public or private), its business sector, and the transactions it handles determine the regulations with which it must comply. Laws and standards pertaining to compliance include, but are not limited to:
Finance: Gramm-Leach-Bliley (GLB) Act
Credit cards: Payment Card Industry Data Security Standard (PCI-DSS), an industry standard enforced by contract with the card brands rather than by statute
Public companies: Sarbanes-Oxley (SOX) Act
Energy: NERC Critical Infrastructure Protection (CIP) standards
Health: Health Insurance Portability and Accountability Act (HIPAA)
Government: Federal Information Security Management Act (FISMA)
European commerce: General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS Directive), with supporting guidance from the European Union Agency for Network and Information Security (ENISA)

The purpose of compliance with these laws is to enforce a minimum security standard. That minimum standard is largely a procedure for responding to intrusions, not a checklist of technical controls. These laws are designed to help a company detect accounting and security irregularities, report them to those who are affected, and respond with repairs.

Fines for non-compliance usually follow a failure to report or gross negligence in implementing a commonly accepted security measure. In practice, it is usually hackers who reveal a lack of compliance: a company is breached, fumbles the response, fails to report, or fails to repair the vulnerabilities that were exploited. That is when fines are levied.

Compliance does not guarantee security. A company can be fully compliant before, during, and after an intrusion. Compliance during an intrusion requires a timely response with two parts: reporting the intrusion and mitigating the vulnerabilities. Reporting means notifying the individuals whose sensitive data was breached and, under many of these regimes, the relevant regulator as well (GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach where feasible). Mitigation means identifying the vulnerabilities the hackers used and repairing them.



bbkirk@intrepidnetcomputing.com




© 2015, 2016, 2017, 2018 Intrepid Net Computing. All rights reserved.