Do you meet the latest Global IT Security Certifications and Regulations?
Global IT security doesn’t necessarily mean responding to a worldwide IT security breach. More often it means keeping up with the regulations that each country or region puts in place to limit breaches, and those differ from one jurisdiction to the next.
Many companies are not aware of all the IT regulations and standards with which they should comply. In many cases data protection compliance is not among a company’s top three priorities. In fact, it has been reported that fewer than 10% of companies in the EU are close to being ready to comply with GDPR (MediaPost.com, 8 January 2018).
With global standards, and GDPR in particular, about to take effect, and constant reports of data breaches, many CIOs and CSOs are making little headway. Multinational organizations need to pay more attention to the impending regulations that apply to them and to the risks those regulations address.
The geographic and technological scope of these regulations spans local, state, national and global levels. Where does an organization start in understanding its compliance and certification requirements, let alone its individual technology needs?
A good starting point is to understand the IT security standards for the market sector you belong to, and then the geographic territories where you do business. Conduct an IT risk assessment against those requirements, then begin to close the technology gaps it identifies.
Multi-factor authentication (MFA) and data encryption should be high on the priority list for any company that stores personal, financial or other private data; several of the regulations below name them explicitly.
Here is a list of the global and territorial IT security regulations and standards currently in force around the world.
General Data Protection Regulation (GDPR):
https://www.eugdpr.org
GDPR’s goal is to protect all individuals in the EU from privacy and data breaches. The key principles of data privacy remain, but the Regulation (adopted in 2016 and enforced from 25 May 2018) makes many changes. Arguably the biggest change to the regulatory landscape of data privacy is the GDPR’s extended territorial scope: it applies to any company processing the personal data of individuals in the European Union in connection with offering them goods or services or monitoring their behaviour, regardless of where the company is located. GDPR is explicit about this: it applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not.
Organizations now need to adapt their business approaches, operations and security practices to manage GDPR compliance, including notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible.
Payment Card Industry Data Security Standard 3.2 (PCI DSS):
https://www.pcisecuritystandards.org/pci_security/
The PCI Data Security Standard (PCI DSS) that businesses use to safeguard payment data before, during and after a purchase has been updated to version 3.2 to address growing threats to customer payment information.
Companies that store, process or transmit cardholder data should adopt it as soon as possible to prevent, detect and respond to the cyberattacks that lead to breaches.
The new requirements introduced in PCI DSS 3.2 were best practices until 31 January 2018 and are mandatory from 1 February 2018; the separate deadline for migrating off SSL and early TLS is 30 June 2018. Among the new requirements, 3.2 extends multi-factor authentication (Requirement 8.3) from remote access only to all non-console administrative access into the cardholder data environment, including access from inside the network.
NESA’s UAE IAS:
http://csc.dubai.ae/res/wp-content/uploads/DCSS-EN.pdf
Compliance with the NESA UAE Information Assurance Standards (IAS) is mandatory for all government organizations, semi-government organizations and business organizations that are identified as critical infrastructure to the UAE.
UAE IAS consists of 188 security controls grouped into four priority tiers, from P1 (highest) to P4 (lowest). NESA derived the controls from 24 threats compiled from industry breach reports and prioritised them by the percentage of breaches in which each threat appeared. Of the 188 controls, 39 are P1 controls, which address 80% of the threats NESA identified.
Implementing the P1 controls is an organization’s first step towards compliance and towards a strong information security foundation against cyberattacks.
Electronic Identification and Trust Services for Electronic Transactions (eIDAS):
https://www.eid.as/home/
Electronic identification (eID) and electronic Trust Services (eTS) are key enablers for secure cross-border electronic transactions and central building blocks of the Digital Single Market.
The eIDAS Regulation ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available.
It also creates a European internal market for eTS, namely electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication, by ensuring that they work across borders and have the same legal status as traditional paper-based processes. Only by providing certainty about the legal validity of all these services will businesses and citizens adopt digital interactions as their natural way of interacting.
With eIDAS, the EU has laid down the foundations and a predictable legal framework for people, companies (in particular SMEs) and public administrations to safely access services and transact online across borders in just “one click”. Rolling out eIDAS means higher security and more convenience for online activities such as submitting tax declarations, enrolling in a foreign university, remotely opening a bank account, setting up a business in another Member State, authenticating for internet payments and bidding in online calls for tender.
On 8 September 2015 the European Commission completed the adoption of all the implementing acts due by 18 September 2015; the Regulation itself (EU No 910/2014) has applied since 1 July 2016.
Payment Services Directive (PSD2):
https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en
Banks and financial institutions had until 13 January 2018 to comply with the European Union’s revised Payment Services Directive (PSD2), which entered into force in January 2016 and sets the new rules for payments and eCommerce in Europe. Note that the Regulatory Technical Standards on strong customer authentication (SCA) under PSD2 apply from 14 September 2019, so the multi-factor requirement for customer-initiated electronic payments has a later deadline than the Directive itself.
New York Cybersecurity Regulation 23NYCRR 500:
http://www.dfs.ny.gov/about/cybersecurity.htm
The New York State Department of Financial Services (DFS) regulation addresses a broad array of topics, from policy and governance to technical security controls. Such a wide breadth means there is no single solution to this compliance challenge. However, the regulation explicitly requires multi-factor authentication for any individual accessing a covered entity’s internal networks from an external network (section 500.12) and encryption of nonpublic information in transit and at rest (section 500.15), so deploying multi-factor authentication, encryption and key management goes a long way towards making your organization compliant.
The Australian Protective Security Policy Framework (PSPF):
https://www.protectivesecurity.gov.au/Pages/default.aspx
The PSPF has been developed to assist Australian Government entities to protect their people, information and assets, at home and overseas.
The PSPF provides policy, guidance and better practice advice for governance, personnel, physical and information security. Its 36 mandatory requirements help agency heads identify their responsibilities for managing security risks to their people, information and assets.
Non-corporate Commonwealth entities are required to apply the PSPF as it relates to their risk environment. It is best practice to do this through a security risk management approach, with a focus on fostering a positive culture of security within the entity and across the Australian Government.
The PSPF document map is designed to assist users of the PSPF to understand the relationships between protocols, guidelines and better practice guides that support the PSPF governance arrangements and core policies.
United States Department of Defense: Defense Federal Acquisition Regulation Supplement (DFARS) regulations:
https://www.nist.gov/mep/dfars-cybersecurity-requirements
DFARS clause 252.204-7012, as revised on 30 December 2015, is the cybersecurity rule issued by the Department of Defense (DoD) titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
For most contractors, “adequate security” is satisfied by demonstrating compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which contractors were required to implement by 31 December 2017. There are exceptions and a variance process. All defense contractors that handle covered defense information for the US Department of Defense are affected, and the clause also requires cyber incidents to be reported to DoD within 72 hours of discovery.
HIPAA:
http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00WhatisHIPAA.aspx
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:
• Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
• Reduces health care fraud and abuse;
• Mandates industry-wide standards for health care information on electronic billing and other processes; and
• Requires the protection and confidential handling of protected health information
The HIPAA Security Rule’s technical safeguards, in particular access control and person or entity authentication (45 CFR 164.312), are where multi-factor authentication fits into these regulations.
FedRAMP:
https://www.fedramp.gov
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services used by federal agencies.
Its security baselines are drawn from NIST SP 800-53, and multi-factor authentication for both privileged and non-privileged access (control IA-2) is a large area of focus for this program.
Cloud Security Alliance (CSA) Security, Trust, & Assurance Registry (STAR) Level 2 Attestation:
https://cloudsecurityalliance.org/star/
CSA STAR is the industry’s leading program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing and harmonization of standards. STAR Level 2 Attestation combines a SOC 2 Type 2 audit with the CSA Cloud Controls Matrix (CCM), giving independent validation of a cloud offering’s security posture against recognised best practices.
The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law:
http://www.naic.org/documents/cmte_ex_cswg_related_ins_data_security_model.pdf
This model law applies to insurers and other licensees of state insurance departments and requires them to maintain an information security program. Its required security measures include effective access controls, which may include multi-factor authentication for any individual accessing nonpublic information.
Notifiable Data Breaches Scheme – Privacy Amendment (Notifiable Data Breaches) Act 2017:
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
This scheme applies in Australia only. The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act), in force since 22 February 2018, sets out requirements for entities responding to data breaches. An entity must notify the affected individuals and the Office of the Australian Information Commissioner when a data breach is likely to result in serious harm to any individual whose personal information is involved in the breach.
New and / or Updated Standards
If you know of any new, updated or additional standards, please let us know at sales@mi-token.com and we will add them to this blog.
Visit our website for more on our world’s best multi-factor authentication systems: https://www.mi-token.com