
Different Cybersecurity Frameworks and Regulations.

This table shows the different cybersecurity frameworks and regulations, what they regulate, and which corporations would be subject to the scope of the act.

The Act : NIST (National Institute of Standards and Technology)

  • What it Regulates : This framework was created to provide a customizable guide on how to manage and reduce cybersecurity related risk by combining existing standards, guidelines, and best practices. It also helps foster communication between internal and external stakeholders by creating a common risk language between different industries.

  • Company Affected : This is a voluntary framework that can be implemented by any organization that wants to reduce their overall risk.


The Act : CIS Controls (Center for Internet Security Controls)

  • What it Regulates : Protect your organization's assets and data from known cyber attack vectors.

  • Company Affected : Companies that are looking to strengthen security in the internet of things (IoT).


The Act : ISO 27000 Family (International Organization for Standardization)

  • What it Regulates : This family of standards provides security requirements around the maintenance of information security management systems (ISMS) through the implementation of security controls.

  • Company Affected : These regulations are broad and can fit a wide range of businesses. All businesses can use this family of regulations for assessment of their cybersecurity practices.


The Act : ISO 31000 Family (International Organization for Standardization)

  • What it Regulates : This set of regulations governs principles of implementation and risk management.

  • Company Affected : These regulations are broad and can fit a wide range of businesses. All businesses can use this family of regulations for assessment of their cybersecurity practices.


The Act : HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule

  • What it Regulates : This act is a two-part bill. Title I protects the healthcare of people who are transitioning between jobs or are laid off. Title II is meant to simplify the healthcare process by shifting to electronic data. It also protects the privacy of individual patients. This was further expanded through the HITECH / Omnibus Rule.

  • Company Affected : Any organization that handles healthcare data. That includes, but is not limited to, doctor’s offices, hospitals, insurance companies, business associates, and employers.


The Act : PCI-DSS (Payment Card Industry Data Security Standard)


The Act : GDPR (General Data Protection Act)

  • What it Regulates : This regulates the data protection and privacy of citizens of the European Union.

  • Company Affected : Any company doing business in the European Union or handling the data of a citizen of the European Union.


The Act : CCPA (California Consumer Privacy Act)


The Act : AICPA (American Institute of Certified Public Accountants) SOC2

  • What it Regulates : The security, availability, processing integrity, and privacy of systems processing user data and the confidentiality of these systems.

  • Company Affected : Service organizations that process user data.


The Act : SOX (Sarbanes-Oxley Act)

  • What it Regulates : This act requires companies to maintain financial records for up to seven years. It was implemented to prevent another Enron scandal.

  • Company Affected : U.S. public company boards, management, and public accounting firms.


The Act : COBIT (Control Objectives for Information and Related Technologies)

  • What it Regulates : This framework was developed to help organizations manage information and technology governance by linking business and IT goals.

  • Company Affected : Organizations that are responsible for business processes related to technology and quality control of information. This includes, but is not limited to, areas such as audit and assurance, compliance, IT operations, governance, and security and risk management.


The Act : GLBA (Gramm-Leach-Bliley Act)

  • What it Regulates : This act allowed insurance companies, commercial banks, and investment banks to be within the same company. As for security, it mandates that companies secure the private information of clients and customers.

  • Company Affected : This act defines “financial institutions” as: “…companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.”


The Act : FISMA (Federal Information Security Modernization Act of 2014)

  • What it Regulates : This act recognizes information security as a matter of national security. Thus, it mandates that all federal agencies develop a method of protecting their information systems.

  • Company Affected : All Federal agencies fall under the range of this bill.


The Act : FedRAMP (Federal Risk and Authorization Management Program)

  • What it Regulates : Cloud services across the Federal Government.

  • Company Affected : Executive departments and agencies.


The Act : FERPA (The Family Educational Rights and Privacy Act of 1974)

  • What it Regulates : Section 3.1 of the act is concerned with protecting student educational records.

  • Company Affected : Any post-secondary institution including, but not limited to, academies, colleges, seminaries, technical schools, and vocational schools.


The Act : ITAR (International Traffic in Arms Regulations)

  • What it Regulates : Controls the sale of defense articles and defense services (providing critical military or intelligence capability).

  • Company Affected : Anyone who produces or sells defense items and defense services.


The Act : COPPA (Children’s Online Privacy Protection Rule)

  • What it Regulates : The online collection of personal information about children under 13 years of age.

  • Company Affected : Any Person or entity under U.S. jurisdiction.


The Act : NERC CIP Standards (NERC Critical Infrastructure Protection Standards)

  • What it Regulates : Improve the security of North America’s power system.

  • Company Affected : All bulk power system owners and operators.


There is an abundance of laws and bills on the books designed to protect information. However, it is not always clear to the average business decision-maker which regulations apply to their organization. That is where a company like Rede Consulting can significantly help a business make sense of an area that grows more complex with each new regulation.

IMPORTANT : Compliance is critical, and it begins by understanding which regulations affect your company and then outlining the steps to bring you into compliance.


