Which Direction Should We Go? HIPAA, PCI-DSS, DIACAP, NIST 800-53, ISO 27001
In the world of Information Technology (IT) regulatory compliance there are many regimes an organization can be asked to follow, and the hardest case is the organization that is not sure which of them it is actually required to meet. We face this question almost daily from our customers: "Which direction should we go?" They sense a need to tighten their internal security posture, but without a governing body, contract, or regulator pointing them toward a particular framework, they often end up further from the security they seek, and less attractive to their customers.
The easy answer is to recommend a Governance, Risk, and Compliance (GRC) framework, but most businesses have neither the budget for a full GRC program nor the personnel to implement one. So what should we recommend, and what is realistic for a small or medium-sized business? The first thing to understand is that compliance does not equal security. Meeting a compliance mandate does not mean you are secure; it means a minimum framework has been put in place and, usually, that someone has checked it. Open your local newspaper, turn to any news channel, or browse your favorite online news source and you will find stories of retail chains that were said to be "PCI-compliant", or hospitals that were "maintaining HIPAA compliance", only to be breached and have their reputations damaged.
Being compliant does not guarantee the security of daily operations, nor is it, by itself, effective against a threat landscape that changes faster than any standard is revised. What compliance does, in most instances, is clear the way for an organization to do business with its peers. Most companies rely on third-party measures (compliance attestations) to verify that a business partner's security is in line with their own requirements. Again: not "secure", but "compliant".
Which Path is Right for Us?
To choose a compliance path that will actually help stabilize your overall security posture, you must first understand the similarities and differences among the various compliance verticals. There are too many to list, so I have concentrated on the most common ones, and in particular those we regularly help organizations implement and maintain.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA requires that any organization handling protected health information (PHI) put the required administrative, physical, and technical safeguards in place and follow them; the Security Rule in particular governs electronic PHI (ePHI). The following need to be concerned with HIPAA compliance:
- Covered healthcare providers (hospitals, clinics, regional health services, individual medical practitioners) that carry out transactions in electronic form
- Healthcare clearinghouses
- Health plans (including insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, and public health authorities, as well as employers, schools, or universities that collect, store, or transmit electronic protected health information (ePHI) to enroll employees or students in health plans)
- Their business associates (including private sector vendors and third-party administrators)
Payment Card Industry (PCI)
The PCI Data Security Standard (PCI-DSS) is a set of requirements designed to ensure that ALL companies that process, store, or transmit payment card data maintain a secure cardholder data environment. The standard is maintained by the PCI Security Standards Council (PCI SSC), but it is important to note that enforcement is the responsibility of the card brands (Visa, Mastercard, American Express, etc.) and their acquiring banks. PCI-DSS applies to:
- Any business that stores, processes, or transmits payment cardholder data
- Organizations using third-party processors
- Any company that stores, processes, or transmits cardholder data on behalf of another entity
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
DIACAP is the process by which DoD information systems are certified as compliant with DoD security requirements and accredited for operation by a designated official. It provides visibility into, and control over, the secure operation of DoD information systems. (DIACAP has since been superseded by the DoD implementation of the Risk Management Framework under DoDI 8510.01, which draws its controls from NIST SP 800-53; organizations with existing DIACAP accreditations should expect to transition.) DIACAP applies to the following:
- Any organization entering into a contract with the US Department of Defense
- Automated Information System (AIS) applications connected to the Global Information Grid (GIG)
- Any DoD Outsourced IT-based process
- Any commercial interconnection with the DoD
- Any DoD maintained enclave and system(s)
National Institute of Standards and Technology (NIST) 800-53
NIST Special Publication 800-53 is the “recommended security controls for federal information systems and organizations”. NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. NIST compliance is applied to the following:
- Any federal agency (with the exception of National Security/Defense)
- Organizations engaging with or planning to engage in US Federal government related contracts (VA, TRICARE, FDA, IRS, etc.).
- Organizations looking to implement a solidified Risk Management Framework.
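The FIPS 199 worst-case analysis mentioned above is easy to get wrong when a system processes several information types, so here is a worked version of the categorization rule. This is an added example written for this article, not code from NIST or from Praetorian Secure; the information types and impact levels for the sample "hospital patient portal" are constructed for illustration, and the function names are my own. It applies three rules from FIPS 199 and FIPS 200: the system's category for each objective is the highest impact of any information type it processes; a "not applicable" value is permitted only for the confidentiality of an information type, and never at the system level, where the floor is LOW; and the baseline (LOW, MODERATE, or HIGH) is the highest of the three system-level objectives.

```python
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high water mark."""
    NA = 0        # "not applicable": allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: Mapping[str, Mapping[str, Impact]]) -> Dict[str, Impact]:
    """Return the FIPS 199 security category of an information system.

    info_types maps each information type the system processes to its
    per-objective impact levels. For each objective the system inherits the
    highest impact of any information type (the high water mark). FIPS 199
    does not permit NA for integrity or availability of an information type,
    and does not permit NA for any objective at the system level, so the
    system-level value is never below LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category: Dict[str, Impact] = {}
    for objective in OBJECTIVES:
        levels = []
        for name, impacts in info_types.items():
            level = Impact(impacts[objective])
            if level == Impact.NA and objective != "confidentiality":
                raise ValueError(f"{name}: NA is only permitted for confidentiality")
            levels.append(level)
        # system-level floor is LOW even when every type is NA for confidentiality
        category[objective] = max(max(levels), Impact.LOW)
    return category


def baseline_for(category: Mapping[str, Impact]) -> Impact:
    """FIPS 200 / SP 800-53 initial baseline: the highest of the three objectives."""
    return max(Impact(v) for v in category.values())


def format_sc(system_name: str, category: Mapping[str, Impact]) -> str:
    """Render the category in the FIPS 199 'SC' notation used in system security plans."""
    parts = ", ".join(f"({o}, {Impact(category[o]).name})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: information types handled by a hypothetical hospital patient portal.
PATIENT_PORTAL = {
    "public health notices": {
        "confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW,
    },
    "patient clinical records (ePHI)": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW,
    },
    "e-prescribing": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE,
    },
}

# Constructed sample: a system that only publishes public information.
PRESS_SITE = {
    "press releases": {
        "confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW,
    },
}


if __name__ == "__main__":
    for name, types in (("patient portal", PATIENT_PORTAL), ("press site", PRESS_SITE)):
        cat = categorize_system(types)
        print(format_sc(name, cat), "->", baseline_for(cat).name, "baseline")
```

Note that a single HIGH integrity rating on one information type (e-prescribing, in the sample) drags the whole portal to the HIGH baseline. That is the intended conservatism of the worst-case rule, and it is exactly why practitioners spend effort on system boundaries before they spend it on control tailoring: splitting a HIGH-impact function into its own accreditation boundary can be cheaper than applying the HIGH baseline to everything.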
International Organization for Standardization (ISO) 27001
ISO/IEC 27001, part of the ISO/IEC 27000 family of standards, specifies the requirements for an information security management system (ISMS). It was first published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and has since been revised. ISO 27001 differs from its counterparts in that it is the only compliance vertical on this list that is typically self-adopted rather than imposed by a regulator or industry body. Once adopted, an organization can be formally audited by an accredited certification body to verify conformance with the standard. Typically, ISO 27001 should be adopted by the following:
- Organizations looking to implement an information security management system (ISMS).
- Companies looking to adopt an extension to their current quality management system.
- Organizations looking to demonstrate credibility, trust, satisfaction, and confidence with stakeholders, partners, community, and customers.
Compliance is a living, breathing presence. To be an effective part of your overall security plan it needs to become an integral part of how your organization operates, not an annual audit exercise. No compliance vertical can guarantee protection from breaches and security incidents, but it does provide evidence that your organization exercised due diligence. The more consistently compliance is practiced, the more it will return in results and benefits.
Praetorian Secure practices IT compliance excellence and is well-versed in a wide variety of compliance mandates, requirements, and verticals. If you would like to learn more about how Praetorian Secure can assist your organization with its needs, please contact us and one of our experienced security engineers will address your requirements.