With cybersecurity at the forefront of many IT professionals’ minds, organizations that rely on IT and handle sensitive information are often legally required to maintain safeguards aimed at protecting that data. These requirements come in many forms, and in our work as a Managed IT Services Provider we deal with them on a daily basis.
At their core, many of these requirements stem from legislation at various levels, and others from industry standards that are enforced by contract rather than by statute. Some of the most common compliance requirements are born of the Sarbanes-Oxley Act, or SOX (2002); the Federal Information Security Management Act, or FISMA (2002); the Health Insurance Portability and Accountability Act, or HIPAA (1996); the Payment Card Industry Data Security Standard, or PCI DSS (first published in 2004, growing out of card-brand programs such as Visa’s CISP that began in 2001); and the National Technology Transfer and Advancement Act, or NTTAA (1995).
So…what does that mean for YOUR business?
It means that these third-party requirements tend to cluster in certain industry verticals, although not exclusively. The most common are the financial, medical, and government-contracting industries. However, PCI DSS applies to any business that accepts payment cards, regardless of industry. Failure to comply with these standards can leave a business facing legal liability, fines, or lost opportunity.
(Quick note: I apologize in advance for the oncoming acronym assault; however, they are key to understanding this world of compliance and are commonly used terms.)
Some examples of compliance frameworks and the organizations behind them:
The National Institute of Standards and Technology, or NIST, publishes Special Publication 800-171, a framework that most often pertains to government contractors, especially those working with the Department of Defense. The controls in NIST SP 800-171 apply to nonfederal systems that process, store, or transmit Controlled Unclassified Information (CUI). The Department of Defense is building the Cybersecurity Maturity Model Certification (CMMC) on top of these controls; rather than a simple pass/fail, CMMC gauges a contractor’s practices against defined maturity levels. CUI covers a huge range of material, from blueprints for military vehicle parts to rocket engine components to certain government process manuals, and NIST/CMMC compliance relates to the structures, systems, and personnel that surround, interact, and integrate with that CUI. For full details, consult NIST SP 800-171 itself.
Despite its official-sounding name, the Payment Card Industry Data Security Standard (PCI DSS) is not legislation. It is maintained by the PCI Security Standards Council, founded by the major card brands, and is imposed on merchants contractually through their agreements with acquiring banks. It applies to any merchant that accepts payment cards. The standard exists primarily to prevent card fraud, which costs the financial industry billions of dollars per year, and by extension to strengthen the defenses around systems that transmit, process, or store cardholder data. If a breach occurs and PCI compliance is found to be inadequate, the card brands and acquiring banks can impose fines and penalties and can revoke a merchant’s ability to process cards at all, a nightmare in today’s economy. By some reports, barely half of organizations are truly PCI DSS compliant!
Like SOX and FISMA, HIPAA gets its name from its associated legislation: the aforementioned Health Insurance Portability and Accountability Act. HIPAA compliance is specifically geared to the industry in which sensitive patient data is kept: covered entities such as healthcare providers, health plans, and clearinghouses, along with the business associates that handle patient data on their behalf. Primarily concerned with individual privacy with regard to protected health information (PHI) and electronic PHI (e-PHI), HIPAA’s Security Rule requires administrative, physical, and technical safeguards against breaches. Telehealth in the age of COVID has made this more complex in some ways. Penalties are steep: civil fines for violations due to “willful neglect” start at $50,000 per violation, and even violations the organization could not reasonably have known about start at $100 per violation, with annual caps in the millions. Knowing misuse of PHI can also bring criminal charges.
How do businesses get audited?
Audits vary between frameworks. NIST SP 800-171 has relied largely on contractor self-assessment (which, frankly, was not always completely accurate). That is changing with CMMC, under which many contractors will need to be assessed by an accredited third party. HIPAA audits are often triggered by complaints, reported breaches, security incidents, or discovered wrongdoing. PCI DSS requires routine validation, annually for most merchants, either through a Self-Assessment Questionnaire or an assessment by a Qualified Security Assessor depending on transaction volume; a forensic investigation is also typical after a breach has been discovered and traced back to a particular business.
How do businesses prepare for audits?
There are many ways businesses prepare their personnel, structures, and technology for audits. The most common is a periodic check-up against checklists covering the applicable physical and technical controls, processes, and policies. If no such checklists exist, a business should engage an outside agent to help align it with the applicable requirements.
But I pay an IT company, I’m covered.
Are you sure? A written contract may shift some financial liability to a provider, but regulatory responsibility still rests with your business! Even as an IT MSP, Certified CIO strives to advise our customers on proper compliance process alignment, cybersecurity insurance, and policy creation. Still, the specific business or organization is responsible for its own compliance, as we cannot enact these changes without the approval of the business or organization.
Then how can Certified CIO help me with this?
Certified CIO can conduct a variety of compliance-related consulting tasks for your business, ranging from advising on the tasks and policies commonly tied to various regulatory requirements to conducting more in-depth compliance alignment checks. If you are unsure of where you stand, pick up the phone and call us or CONTACT US!