4 Compliance Regulations Every CISO Should Know
The job of a CISO is a tough one. Adaptability is key in a field where change is the only real constant, as new laws, evolving regulations, and increasingly complex security threats challenge even the most seasoned executive.
While many of the regulations that CISOs deal with are industry specific, the approach to compliance (ensuring teams have visibility into who has access to what information and implementing proper security measures) remain consistent across them. These are four of the most pertinent regulations for CISOs to comply with today, along with the solutions Okta offers to help meet them:
HIPAA (Health Insurance Portability and Accountability Act)
Applies to: HIPAA-covered entities and business associates, including doctors, clinics, pharmacies, dentists, health insurance companies, and health management organizations (see the full list here)
HIPAA holds organizations accountable for protecting important patient data. Since HIPAA has been on the books for more than two decades, most CISOs are quite familiar with it by now, but remember that HIPAA also requires periodic audits to ensure all safeguards are up to date and working properly.
Also consider that the penalties for violating HIPAA remain remarkably high at $50,000 per compromised individual, with up to 10 years in prison for those who fail to comply. Even a settlement with the federal government for violating HIPAA can cost a company millions—so it pays to pay attention.
Okta works with numerous healthcare organizations, and its HIPAA Compliant cell is specifically designed to meet HIPAA requirements for service providers. This enabling organizations to manage employee, vendor, and patient identities with a secure, compliant solution for ease of use and peace of mind.
GDPR (General Data Protection Regulation)
Applies to: Any organization that collects, processes, or stores the personal data of European individuals
The GDPR regulates organizations’ collection, processing, and storage of personal data of EU individuals. Personal data includes any information that can be connected back to a particular EU individual. Under GDPR, an organization must be able to delete the personal data if no longer needed for its original purpose, if the user withdraws consent for its use, or if they have objections about how it’s being processed.
That means that an enterprise must know where data is stored and how many copies they have stored so all of them can be quickly erased. And that data must also be transferable to the individual in a standard electronic format upon request.
Finally, the regulation requires that data breaches must be reported to the appropriate European authority within 72 hours of discovery. Fines for violating the GDPR can reach up to 20 million Euros or 4% of an organization’s annual worldwide turnover—whichever is greater.
Okta has numerous resources to help organizations prepare for GDPR regulations, and while Identity and Access Management can’t solve all challenges presented by GDPR, it provides a strong foundation for compliance and reduces an organization’s overall risk.
DFARS (Defense Federal Acquisition Regulation Supplement)
Applies to: Any organization contracting with the Department of Defence or federal civilian executive branch agencies
DFARS is a the Department of Defense’s supplement to FARS. At the tail end of 2017, some prolific updates to DFARS went into effect. These updates require any organization contracting with the DoD or federal civilian executive branch agencies to implement National Institute of Science and Technology (NIST) Special Publication (SP) 800-171 guidelines.
While many of the regulations that CISOs regularly deal with focus on protecting personal information, these NIST guidelines focus more on access.
Amongst the newest rules are requirements that employees only have access to the portions of the network they need to do their jobs, multi-factor authentication for remote access, and record-keeping of network activity.
These requirements can initially seem intimidating, but they can easily be met with Okta’s flexible and comprehensive Identity Management and Access Control.
PCI DSS (Payment Card Industry Data Security Standard)
Applies to: Any company that accepts credit cards for payment processing
As a group of technical and operational requirements, the PCI DSS plays a key role when handling, transmitting, and storing credit and debit card data administered by the credit card industry.
Its goal is to protect consumer information and avoid widespread, damaging data breaches.
While there are a number of sub-requirements, some of the most significant requirements of PCI DSS fall into four key areas:
Securing: by encrypting data when within the realm of public transmission, installing and maintaining a firewall and protecting against malware with a regularly updated antivirus solution.
Restricting: by fencing off data as business need-to-know, both physically and within the network, and not utilizing vendor-supplied defaults for security parameters.
Monitoring: by keeping a close watch on all network access and cardholder data, while maintaining a clear security policy across personnel.
Maintaining: by regularly testing security systems and processes.
Many organizations use a confusing patchwork of systems to meet these requirements, though a single platform ensure PCI DSS compliance. Okta satisfies all identity management requirements of PCI and can also help your business become PCI certified faster.
This is just the tip of the iceberg when it comes to compliance regulations and requirements. It’s the job of every CISO to study them, regularly perform audits, and stay up to date on any changes.
And while it’s a tough (and often thankless job), Okta can assist with your business’s security and compliance needs in the constantly evolving landscape of regulation. Just get in touch with us to get started.