With a growing awareness of data privacy and rising incidents of information security breaches, it’s essential that organisations manage their cyber security compliance requirements effectively.
At the heart of any cyber security programme is a combination of technology, processes and policies that are designed to protect an organisation’s systems and data from unauthorised access.
There are countless ways that organisations can address their requirements, but they must always consider their legal obligations. Almost all organisations are subject to some form of cyber security regulation, although what those are will depend on several factors, including the organisation’s location and sector.
For example, organisations that are based in the EU and which process personal data will be subject to the GDPR (General Data Protection Regulation), while those that handle payment card data must comply with the PCI DSS (Payment Card Industry Data Security Standard).
Thankfully, best practices often overlap, which means that what’s required under one regulation might also apply under another. With this in mind, organisations can implement a cyber security compliance framework that’s specific to their needs while also meeting their legal requirements.
Why is cyber security compliance important?
Cyber crime is one of the biggest problems that organisations currently face. Fraudsters are constantly developing new techniques to bypass defences, while individuals continue to fall victim to social engineering techniques that leave all organisations vulnerable to scams.
You can mitigate these risks by implementing the requirements outlined in relevant regulations and frameworks. Although some people consider cyber security laws to be extraneous red tape and a lot of paperwork, they exist to protect organisations.
Indeed, however expensive it is to achieve cyber security compliance, it pales in comparison to the cost of a significant data breach. According to a study by McAfee and the CSIS, the world economy loses more than $1 trillion (about £800 billion) each year due to cyber crime.
Organisations must also consider the financial effects of non-compliance. Many regulations give authorities the power to levy enforcement action or fines against anyone that fails to meet their requirements.
In the case of some regulations, such as the GDPR, these penalties can be severe, with the most egregious failures attracting fines of up to €20 million (about £17.5 million) or 4% of the organisation’s annual global turnover, whichever is greater.
Main cyber security compliance requirements
Many industries have their own cyber security framework, as do national and regional governments. It’s therefore impossible to say in general which requirements any one organisation should focus on.
However, there are a handful of frameworks that are widely applicable – particularly in the UK – which we discuss below.
The GDPR is an EU data protection law, which brings a twenty-first-century approach to data protection. Following the UK’s departure from the EU, a domestic version of the regulation mirrors its requirements in the UK, barring a few derogations.
Under the GDPR, organisations are subject to a range of obligations that require them to take a more proactive approach to information security. Its rules also make organisations more accountable for data breaches.
The GDPR also expands the rights of individuals to control how their personal data is collected and processed.
The DPA (Data Protection Act) 2018 sets out the data protection framework in the UK, and sits alongside the country’s domestic version of the GDPR.
The DPA governs how personal data must be collected, handled and stored to protect people’s privacy. It gives individuals the right to know what personal data is held about them and to have that data erased in certain circumstances.
It contains deviations from the GDPR and has a broader scope. For example, the DPA sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.
The PCI DSS is an information security standard designed to reduce payment card fraud by establishing security controls for cardholder data.
All merchants and service providers that process, transmit or store cardholder data must comply with the PCI DSS. The Standard is split into several tiers, with increasingly strict rules, based on the number of annual transactions an organisation processes.
ISO 27001 is the international standard that sets out the specification for an ISMS (information security management system).
The Standard’s best-practice approach helps organisations manage their information security by addressing the three pillars of data protection: people, processes, and technology.
It’s a voluntary framework, meaning that there is no legal mandate to certify. However, many organisations require their suppliers to implement ISO 27001 to demonstrate their commitment to information security.
How can Vigilant Software help?
Vigilant Software’s CyberComply platform is built to help organisations manage their cyber security compliance requirements.
This toolkit helps you identify relevant rules and regulations in one simple package. It guides you through your compliance needs and the most appropriate controls to mitigate risks.
Plus, it comes with tools dedicated to treating security threats, risk management and data flow mapping.
The platform is ideal for small- and medium-sized organisations to address their information security and compliance requirements.