With the best of intent, governments and organizations have created laws certifications, and requirements to protect payments, personal data, privacy, and communication (PCI-DSS, PCI-DSS, PCI-3DS, PA-DSS, P2PE, AICPA Trust Services Criteria, FedRAMP, GLBA, Sarbanes-Oxley, FISMA, FERPA, GDPR, PIPEDA, CCPA, HIPAA, SSAE-16, SAS-70, SOC2 Type x, etc…). Very often these laws and requirements do not account for the real-world technical challenges, edge conditions, interpretation, and applicability. At the end of the day, though, you must account for all relevant compliance regimes and consider which information security framework to use, or potentially face sanctions or fines.
To help figure out what an organization should do to meet their information security compliance obligations, one turns to industry-accepted best practices. But which? There are a myriad of best practice frameworks, each written differently, sometimes written to fit a specific law or requirement, written to address the needs of a particular industry, or written to try to address every possible organization or situation (NIST SP800-xx, ISO 2700x, HITRUST, COBIT, CIS CSC, etc…).
Our CISO and Vice President of Cyber Risk Management, Christopher Gerg, dove in to explain the compliance regimes and information security frameworks in hopes of adding a little bit of clarity to the myriad of options.
Prevalent Compliance Regimes
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
EMV® Three-Domain Secure (3-D Secure, or 3DS) is a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. The three domains consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (for example, Payment Systems). For details about EMV® 3-D Secure, refer to:
Payment Application Data Security Standard (PA-DSS) is a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance. PA-DSS applies to third-party applications that store, process or transmit payment cardholder data as part of an authorization or settlement. Software applications developed by merchants for in-house use only are exempt from PA-DSS but must comply with PCI DSS.
Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. The objective of P2Pe and E2Ee is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data and information into indecipherable code at the time the card is swiped to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. There are requirements that federal agencies use cloud service providers where possible, but also that those cloud service providers be FedRAMP compliant). It is a rigorous and extensive compliance process. It is a standard that utilizes guidance and controls from NIST SP800-53 (see below).
The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.
The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees and the public from accounting errors and fraudulent financial practices.
- Section 302: SOX Section 302 relates to a company’s financial reporting. The act requires a company’s CEO and CFO to personally certify that all records are complete and accurate. Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed these controls in the past 90 days. These internal controls include a company’s information security infrastructure inasmuch as its accounting and reporting is performed electronically in other words, for almost all modern businesses there is a clear mandate to ensure high security standards are enforced.
- Section 404: Section 404 stipulates further requirements for the monitoring and maintenance of internal controls related to the company’s accounting and financials. It requires businesses to have an annual audit of these controls performed by an outside firm. This audit assesses the effectiveness of all internal controls and reports its findings back directly to the SEC.
A SOX compliance audit is a measure of how well your company manages its internal controls. While SOX doesn’t specifically mention information security, for practical purposes, an internal control is understood to be any type of protocol dealing with the infrastructure that handles your financial data. Indeed, one of the biggest criticisms of SOX is that, particularly for smaller firms, this requirement that all accounting systems must be subject to auditing is prohibitively expensive.
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive security framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law part of the Electronic Government Act of 2002. It is a standard that utilizes guidance and controls from NIST SP800-53 (see below).
The Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. This is another standard that utilizes guidance and controls from NIST SP800-53 (see below).
The General Data Protection Regulation (GDPR) is a legal security framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.
The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.
The California Consumer Privacy Act of 2018 (CCPA), is a bill that enhanced privacy rights and consumer protections for residents of the US state of California.
The intent of the act is to provide California residents with the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Equal service and price, even if they exercise their privacy rights.
It was passed and is due to come into effect on January 1, 2020, but is still undergoing re-writing to make the regulations clearer and easier to enforce. Many experts in the privacy field say that the act is unenforceable in its current form due to errors and omissions.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. This is a very extensive set of regulations that not only was intended to make things simpler for providers and insurance carriers, it is also intended to keep health records private and secure. This is another NIST SP800-53-based compliance regime. (see below)
SSAE-16, SAS-70, SOC2 Type x
This gets a little complicated: The International Auditing and Assurance Standards Board (IAASB) owns these standards. The SAS 70 is the old standard that was never designed for certain service organizations that offer colocation, managed dedicated servers or cloud hosting services. It was initially established to provide auditors information and verification about data center controls and processes as it relates to the data center user and their financial reporting.
A SAS 70 audit does not set any standards for data center excellence; it merely verifies that the controls and processes set in place by a data center are actually followed. Additionally, no certification exists for SAS 70, only an auditing process. The problem arose that the data center service industry required some type of certification of excellence.
The SSAE 16 (Statements on Standards for Attestation Engagements No. 16) goes beyond SAS 70 by not only verifying the controls and processes, but also requiring a written assertion regarding the design and operating effectiveness of the controls being reviewed.
The SSAE 16 audit will result in a Service Organization Control (SOC) 1 report. This report focuses on internal controls over financial reporting. A SOC 1, Type 1 report focuses on the auditors’ opinion of the accuracy and completeness of the data center management’s design of controls, system and/or service. A SOC 1, Type 2 report includes Type 1 and an audit on the effectiveness of controls over a certain time period, normally between six months and a year.
SOC 2 and SOC 3 provide pre-defined, standard benchmarks for controls related to the security, availability, processing integrity, confidentiality, or privacy of a system and its information.
A SOC 3 report is for general use and provides a level of certification for data center operators that assure data center users of facility security, high availability and process integrity. While a SOC 2 report includes service auditor testing and results, a SOC 3 report provides only the system description and auditor opinion.
These standards all use the AICPA Trust Services Criteria to assess compliance. (See below)
Common Information Technology, Information Security, and Risk Management Control Frameworks
Note that all of these control frameworks can (and have been) mapped to each other in cross-walk documents that can be found on the Internet.
NIST SP800-xx Family of standards
The NIST 800 Series is a set of documents that describe United States federal government computer security policies, procedures and guidelines. NIST (National Institute of Standards and Technology) is a unit of the Commerce Department. These standards provide guidance for information security and privacy (encryption, risk management, securing systems, destroying data, cloud security, account management, authentication, etc…). These are intended to be used to help secure US federal government infrastructure, but can be used by the private industry. NIST SP800-171 provides guidance for private organizations to utilize NIST SP800 series standards to enhance their security.
NIST Special Publication 800-53 provides a catalog of security controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. The catalog of controls is rarely, if ever, applied in total to any environments. It acts as a complete catalog
from which a subset can be selected for application to a particular environment, depending on its aspects. It forms the basis of many compliance frameworks including FISMA, FERPA, and FedRAMP. A subset of this standard was also used to build the NIST Cyber Security Framework. This is largely only used in the US.
ISO 2700x Family of standards
Similar to the NIST SP800 publications, the International Standards Organization (ISO)’s ISO 27000 series is a series of standards to guide many aspects of information security and risk management. (They educate many of the GDPR requirements). ISO 27001 is a large catalog of controls similar to NIST SP800-53. A subset of these controls are selected for a particular organization depending on their various aspects. The ISO 27000 series is mostly used outside the US.
AICPA Trust Services Criteria
The American Institute of Certified Public Accountants (AICPA). Founded in 1887, the AICPA represents the CPA profession nationally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs; provides educational guidance materials to its members; develops and grades the Uniform CPA Examination; and monitors and enforces compliance with the profession’s technical and ethical standards.
The Trust Services Criteria (TSC) is a set of controls used for SSAE-16 and SOC compliance assessments. The TSC presents control criteria for use in attestation or consulting engagements to evaluate and report on controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems
- across an entire entity
- at a subsidiary, division, or operating unit level.
- within a function relevant to the entity’s operational, reporting, or compliance objectives.
- for a type of information used by the entity.
This guidance is useful in reporting on SOC for Cybersecurity engagements, SOC 2® engagements, and SOC 3® engagements. The 2017 edition revises the trust services criteria to align with the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 Internal Control—Integrated Framework, to better address cybersecurity risks and increase flexibility in application across an entire entity, including at a subsidiary, division, or operating unit level within a function relevant to an entity’s operational, reporting, or compliance objectives.
The Health Information Trust Alliance (HITRUST) is a for-profit organization that has created a set of controls (called the Common Security Framework or CSF) that were initially intended to help healthcare organizations assess their compliance against the HIPAA privacy and security standard. It has since been used by non-healthcare organizations to assess their information security maturity. The HITRUST alliance certifies organizations to perform HITRUST assessments, and has strict controls on how these assessments are performed.
The Information Systems Audit and Control Association (ISACA) created a security framework for IT best practices that includes risk management, governance, and information security guidance and controls. It is tightly linked to ISACA’s professional certifications for management of IT organizations. It is called the Control Objectives for Information and Related Technologies). (editor’s note: this is a terrible acronym) This is most often used in the US.
ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.
Similar to COBIT, ITIL describes processes, procedures, tasks, and checklists which are not organization-specific nor technology-specific, but can be applied by an organization for guiding IT management and implementation. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement. There is no formal independent third party compliance assessment available for ITIL compliance in an organization. Certification in ITIL is only available to individuals. It is owned/managed by AXELOS, a joint venture between Capita and the UK Cabinet Office. As a result, it is most commonly used in the UK.
The Center for Internet Security (CIS) is a non-profit organization that is comprised of information security professionals acting as a governing community. They have developed a set of controls that are organized into 20 different groups that are further organized into basic, fundamental, and organizational “levels”. It provides a useful control set as it is not from a government agency, or for-profit organization and can be mapped to other control frameworks easily. It can be downloaded by anyone without charge.