But regulations come in multiple different colors and shapes – some are tailored to a specific vertical, while others are industry-agnostic. Some bare explicit consequences for failing to comply, while others have a more guidance-like nature.
The Comprehensive Security Guide (download here), for the first time, provides security executives with a single document that gathers standardized and easy to use templates of all main compliance frameworks: PCI-DSS, HIPAA, NIST Cyber Security Framework and GDPR.
Employing an independent auditor is the common practice to ensure one complies with the desired regulation.
However, before having an external auditor excavating through the organizations' security stack internals, it makes sense for the security stakeholders to independently conduct a rough gap analysis of their environment and the regulation they seek to comply with.
The Comprehensive Compliance Guide saves security stakeholders the time and trouble of building themselves such an evaluation tool.
Instead of crafting a compliance matrix from scratch or searching across the web for a free template, CISOs can now use the guide to access a wide range of assessment templates effortlessly.
While probably not all of them will be simultaneously used in a single organization, there are good chances that every organization will find at least one of them useful.
The Comprehensive Compliance Guide encloses assessment templates for the following regulations:
- Payment Card Industry Data Security Standard (PCI DSS) — Information security standard for any organization that handles branded credit cards from the major card schemes. Proving that an organization complies with PCI-DSS is essential in shielding an organization from lawsuits that can arise in a breach scenario that entails the compromise of credit card data.
- Health Insurance Portability and Accountability Act (HIPAA) — United States legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA standard applies to all organizations that operate within the healthcare ecosystem: hospitals, medical centers, and health insurance providers, a market segment that is subject to significant cyberattacks.
- NIST Cyber Security Framework (CSF) — A policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyberattacks. NIST CSF applies to all organizations and is not confined to a certain vertical. While not a binding regulation in the strict sense of the term, NIST CSF is rapidly becoming the general industry cybersecurity common standard and in practice, serves as an indication that sound cybersecurity policies are implemented and practiced.
- The General Data Protection Regulation (GDPR) — Regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. GDPR applies to any organization that stores and processes EU citizens PII regardless if of its location. Failure to comply with GDPR results with fines that can reach 5% of the violating organization's annual revenue.
The Comprehensive Compliance Guide enables CISOs to pull up their sleeves and get to work immediately – map out the compliance framework that fits them best and immediately launch an internal assessment process that rapidly yields actionable and conclusive insights on what's working and what should be improved.
Download The Comprehensive Compliance Guide here.