2022 Cybersecurity Compliance Requirements and Building a Comprehensive Compliance Plan
It has undoubtedly been a challenging year for compliance and cybersecurity teams worldwide. The COVID-19 pandemic created turmoil that tested compliance and information security to the limit globally. On the other hand, malevolent internet actors capitalized on the confusion as organizations implemented rapid changes to their working models. Cybercriminals attempted and continue to bombard targets with COVID-19 themed phishing attacks, persistent vulnerability exploitation attempts, and clickbait attacks.
As a result, compliance and information security teams continue to face an uncertain 2022 with little doubt that cybersecurity and compliance regulations are bound to increase. Also, data security compliance uncertainties between the United Kingdom, United States, and Europe introduce regulatory challenges due to the Brexit (the UK exiting from the European Union) in January 2020. In light of such challenges, how can enterprises meet all needed compliance requirements and industry standards?
Cybersecurity Compliance Regulatory Requirements
Compliance requirements and cybersecurity are usually intertwined. As a result, IT security groups must consider existing regulatory compliance mandates that impact organizational cybersecurity programs. Some of the cybersecurity regulatory requirements organizations should consider in 2022 include:
1. Cybersecurity Maturity Model
The Department of Defense (DoD) announced the Cybersecurity Maturity Model Certification (CMMC) on January 31, 2020. The regulatory framework is a unified standard that stipulates the cybersecurity requirements that must be implemented across the entire Defense Industrial Base (DIB). As such, organizations wanting to engage the US DoD on any business activities must comply with the cybersecurity regulations indicated in the CMMC. The certification applies to “all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers.”
2. Internet of Things (IoT) Cybersecurity Improvement Act of 2020
According to the IDC, there will be at least 55.7 billion connected devices by 2025, with IoT accounting for 75% of all devices. While IoT devices provide numerous business benefits, they often contain inherent vulnerabilities and are a leading source of cyber threats. Therefore, the IoT Cybersecurity Improvement Act of 2020, enacted on December 4 2020, purposes to establish the minimum current cybersecurity standards to be included in IoT devices used by the Federal Government. As such, the law currently applies to federal government agencies only. However, with IoT being an integral component in daily business processes, companies can consider complying with the regulation as a voluntary framework.
3. General Data Protection Regulation
The EU’s GDPR is one of the global regulations that protect the sensitive personal information of EU citizens. Also, the GDPR stipulates some of the strictest and mandatory security controls for protecting the privacy rights and identifiable information of data owners from unauthorized access and use. The regulation is mandatory for all organizations that collect user data belonging to citizens of EU countries. Compliance teams must comply with a minimum of seven data protection principles and implement eight security measures to protect user privacy.
4. State Data Privacy Rules
Different states have implemented variating data privacy regulations. However, cybersecurity is the priority of all state regulations in 2022. For instance, at least 38 states have considered or introduced not less than 280 new regulations that significantly focus on cybersecurity compliance. For example, the California Consumer Privacy Act (CCPA), which was enforced in January 2020, describes the external and internal controls for maintaining reasonable protection of confidential data.
5. National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
The NIST CSF is a voluntary framework that describes the best practices, guidelines, and standards for effective risk management and mitigation. It is one of the most common compliance programs that assist companies in managing and reducing risks. In this case, the NIST CSF provides five elements for assisting organizations and security professionals to identify and reduce cybersecurity risks. The elements are identify, protect, detect, respond, and recover.
Enforcing Compliance Regulations
Numerous companies have faced complex compliance enforcement challenges in 2020 and 2021. For example, the Court of Justice of the European Union revoked the EU-US Privacy Shield Framework on July 12 2020. The framework was used to regulate the transmission of personal information between the EU and the US organizations used for commercial reasons. Also, companies handling personal or sensitive information, such as Health Information Portability and Accountability Act (HIPAA)-compliant data, must ensure compliance as the world recovers from a devastating pandemic.
However, most compliance regulations are still enforceable, including the General Data Protection Regulation (GDPR), and continue to take action against organizations that record a data breach. For instance, ICO (Information Commissioner’s Office) issued a £180 million fine after EasyJet, a British-based travel company, suffered a data breach that affected 9 million passengers.
Compliance, Governance, and Risk Management
Risk management and compliance often go hand in hand. That said, companies require to implement a governance, risk management, and compliance (GRC) program. Stricter compliance programs assist enterprises in maintaining continuous risk monitoring, management, and mitigation. On the other hand, an effective risk assessment and management program is essential in addressing real-time security requirements to inform mitigation and prioritization decisions. While compliance a compliance assessment may not keep pace, a real-time cyber risk management procedure can assist in auditing, managing, and monitoring compliance initiatives.
From a compliance perspective, GRC defines how enterprises conform to the stipulated cybersecurity requirements. For instance, a compliance department can utilize the management processes to determine the applicable requirements and industry regulations to develop a cybersecurity compliance plan. Besides, the management processes enable businesses to conduct a compliance assessment to ascertain that they remain compliant with all relevant cybersecurity legislations.
How Cybersecurity Impacts Compliance
Failing to comply with some cybersecurity regulations exposes companies to huge fines and penalties. It is pertinent to note that internal policies, state and federal laws are mandatory for a company to conform with various regulations. For example, using risk assessments in compliance programs can help organizations determine the possibility of a data incident and potential impacts. Presenting the assessments to C-Suite executives can effectively illustrate the possible results for failing to meet some regulatory compliance objectives.
On the other hand, companies with fewer resources or are perceived to have low risks to cyber threats may prefer prioritizing cybersecurity programs over compliance services. For instance, an enterprise may opt to invest in information security training for employees rather than invest in the cybersecurity requirements described in a compliance framework for protecting endpoints. However, such trade-offs tend to cause a surge of organizational risks, creating possible vulnerabilities that may remain undetected and unmitigated.
Recommended Practices for Developing a Cybersecurity Compliance Plan
1. Compliance Team Identification
Whether it is a large corporate or a small business, it is essential first to create a compliance team responsible for assessing, monitoring, and managing compliance and cybersecurity programs. Additionally, a compliance team plays an essential role in informing and educating IT department teams regarding current and emerging regulations. Educating the IT department is critical as it ensures that cybersecurity programs remain current and aligned to current compliance regulations. Finally, ensuring strong collaboration between an IT department and the compliance team ensures a robust cybersecurity environment.
2. Implement an Efficient Risk Assessment Plan
A security-conscious company requires all departments to conduct thorough risk assessments frequently. Establishing assets with new vulnerabilities enable both IT and compliance teams to determine areas where regulatory requirements need to be strengthened. In addition, sensitive information, such as credit card data, financial data, personally identifiable information, and critical business data, must be protected from adversaries and be included in the risk management programs. Some of the points that can assist companies in implementing comprehensive risk management and assessment plans are:
- Identify the networks, information systems, and data accessed within the organization.
- Perform a risk assessment of all types of data and assets
- Perform comprehensive risk analysis and prioritization procedure
- Establish which risks to mitigate first, accept, or refuse
3. Implement Security and Technical Controls
An organization should then implement security and technical controls based on the risk tolerance established in the risk assessment and cybersecurity regulations. One of the ways to implement the correct controls is using a specific cybersecurity framework to determine the most appropriate controls. As a way of ensuring adequate protection, a company should implement additional technical controls, among them being:
- Mechanisms for encrypting confidential data
- Software for managing and monitoring endpoints deployed in a network
- External, internal, and web-based firewalls
- Standardized antimalware and antivirus solutions across the endpoints connecting to a network
- Incident response and business continuity plans
4. Implement and Update Cybersecurity Policies
A risk and security assessment enables a company to identify required cybersecurity policies, process controls, and procedures for mitigating detected cyber risks. At the same time, a compliance team can update existing policies in line with the mitigations done to address known risks. Moreover, various regulatory bodies require organizational compliance departments to provide sufficient details regarding how implemented policies work together with installed security programs. Examples of cybersecurity compliance policies to consider are:
- The appointment of a CISO
- Policies for performing vulnerability and risk assessments
- Employee awareness and security training policies
- Documented cybersecurity procedures and policies
5. Review, Test, and Monitor Frequently
The last test is reviewing the implemented cybersecurity compliance requirements to determine if any are missing. Also, testing the controls assures they can secure critical infrastructure assets and data from modern threats. Besides, regular testing is recommended to ensure that a company stays compliant with the relevant compliance laws. On the other hand, since compliance requirements frequently evolve to counter new data breaches and intrusion tactics, consistent monitoring is critical. Only through monitoring can a company establishing if there are missing compliance requirements. More importantly, monitoring is essential to detecting new threats and the corresponding controls for responding appropriately.