Regulatory and Standard Compliance
Artificial intelligence, virtual reality, cashless payments, the Internet of Things, and many other information technology branches are growing daily.
With their growth and expansion, new threat vectors and vulnerabilities emerge in the cyber landscape. In its report on Cybersecurity Trends in 2022, the World Economic Forum stated that “as digitalization continues to proliferate and new technologies are introduced, cyber risk will inevitably grow”. They also noted through their surveys that “although public- and private-sector stakeholders are determined to achieve higher cyber resilience levels, their efforts are often hindered by various […] regulatory barriers”.
Understanding regulatory requirements can be, in fact, a major hurdle for companies, especially those aiming to scale internationally. In the following articles, we will provide an overview of the most common cybersecurity regulations and standards and of how to approach them.
In 2005, the International Telecommunication Union conducted a study on national-level cybersecurity initiatives across 14 major world economies and in nearly 30 industries. They estimated that over 174 initiatives, which could have led to future policies, were active. Today, based on the number of regulations and standards present worldwide, it is likely that the minimum number of cybersecurity policies enforced worldwide is in the thousands.
However, it is important to understand the difference between regulations and standards, as organizations may be required to comply with one or both. A cybersecurity regulation is a legally binding rule (or set of rules) that an organization must follow. Compliance with these regulations is mandatory, and organizations that fail to comply may face penalties such as fines or legal action from government bodies.
On the other hand, a cybersecurity standard is a set of guidelines or best practices that an organization can follow to improve its cybersecurity posture. Compliance with these standards is voluntary, but following them can help organizations demonstrate to their customers, partners, and regulators the consistency of their cybersecurity posture.
In summary, regulations are legally binding and enforceable by law while standards are not. However, as standards are more frequently updated, being compliant with a standard can help an organization comply with a regulation. Additionally, given that regulations usually have broader scope, compliance with standards specific to an organization’s sector can help it stand out from competitors.
Therefore, depending on an organization’s activity, it may need to comply with a specific standard or regulation. However, it is safe to assume that any modern business must comply with data protection and cybersecurity requirements. For this reason, I have summarized key points from two regulations in Europe and two commonly requested standards across companies worldwide: the General Data Protection Regulation (GDPR), the Network and Information Systems (NIS) Directive, ISO 27k, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Understanding regulations and standards
In case you are not familiar with all of the above-mentioned policies, I will give you a brief introduction to four of them:
- GDPR (General Data Protection Regulation): This is the EU regulation that governs the protection of personal data and the rights of individuals regarding their personal data. It applies to anyone processing personal data of EU citizens, regardless of where the processor is located. The articles of GDPR regulate, among other things, the measures taken to protect personal data, the appointment of a data protection officer, and the handling and reporting of breaches.
- NIS Directive (Network and Information Systems Directive): This is the EU directive focused on providing a security baseline for critical infrastructure and essential services across Europe. Under this directive, all companies operating in critical industries (such as energy, transport, and healthcare) and their digital service providers (such as search engines and cloud services) are required to implement appropriate security measures. Additionally, the directive requires EU member states to have national cybersecurity strategies and incident response plans in place that are equal to or broader than the NIS Directive. This means that all EU states must implement regulations that cover all subjects of the NIS Directive as a minimum baseline, but can (and should) be more extensive.
- ISO 27000 standard for cybersecurity: Also known as ISO 27k, it is an international standard that outlines a framework for an information security management system (ISMS). It provides a systematic approach to managing sensitive company information so that it remains secure. It includes a set of policies and procedures that organizations can use to help protect their confidential data, as well as guidelines for risk management and compliance.
- NIST (National Institute of Standards and Technology) Cybersecurity Framework: NIST is a U.S. government agency that publishes a wide range of cybersecurity standards, guidelines, and best practices. NIST’s Cybersecurity Framework provides a risk-based approach to managing cybersecurity. The Framework is structured around five core functions that an organization must address to be compliant: Identify, Protect, Detect, Respond, and Recover.
GDPR, NIS Directive, ISO 27k, and NIST all address cybersecurity and data protection. While they may differ in terms of scope and requirements, addressing one of them can be a key step in achieving the others. For example:
- If we take ISO 27k and NIST, we can see that both standards are widely adopted and recognized as best practices for cybersecurity. However, ISO 27k is a process-based standard that provides guidelines on managing sensitive company information. On the other hand, NIST is built on a risk-based approach and aims to identify, manage, and reduce risks from cybersecurity vulnerabilities.
- If we take the NIS Directive and GDPR, we can see that they provide guidance and requirements to improve cybersecurity posture. The two are, in fact, overlapping in some aspects. However, it must be noted that GDPR aims to protect personal data at all levels, while the NIS Directive aims to provide guidance on all aspects related to information security but only on an industry-specific scope.
To summarize: the scope, enforceability, and purpose of your cybersecurity policies can be shaped by regulations and standards, but you must be aware of the differences between them in order to understand which one best applies to you. Once you’ve figured that out, it is just a matter of implementing them correctly. The next section offers a few suggestions on this matter.
Implementing the aforementioned policies may be necessary due to legal requirements or an upcoming audit. You may need to make changes to your processes and structure to comply with the relevant policy. However, before doing so, there are a few common steps that can be taken to prepare for these changes:
- Inventory and Asset Management: Organizations will typically assess their current systems, processes, and procedures to determine their level of compliance. This includes identifying known areas of non-compliance and known risks and vulnerabilities in their current infrastructure.
- Training and Communication: Preparing your people and resources for upcoming changes is crucial to ensure that everyone in your organization understands the necessary changes. An audit or infrastructure upgrade can cause disruption and may require employees to acquire new skills. Awareness of these matters can help you save time in setting priorities and planning possible remedies.
- Third-Party and Vendor Management: This is an aspect that is often overlooked. A detailed and up-to-date inventory of your vendors will probably be required to ensure compliance with most standards and regulations. Even if a policy does not directly address a third party, it may still indirectly require changes to the terms and conditions of agreements with external service providers.
- Gap Analysis: If you are verifying compliance with a regulation or standard, it is important to be prepared to conduct a gap analysis to identify areas where critical amendments are needed. This is the first step towards compliance and is best conducted by external consultants with specific knowledge on the compliance you are trying to achieve.
In conclusion, compliance with regulations and standards can be difficult and expensive. You may need to rely on external consultants to achieve compliance if you do not have the necessary in-house competencies. However, understanding the differences between standards and regulations and having a strategy in place can make the process smoother and help you determine when it is worth improving with a standard and when it is necessary to comply with a regulation.