It is important to understand that to "get compliant" with a cybersecurity requirement, it is generally more involved than just addressing a checklist.
With that in mind, selecting a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to (1) not be considered negligent with reasonable expectations for security & privacy; (2) comply with applicable laws, regulations and contracts; and (3) implement the proper controls to secure your systems, applications and processes from reasonable threats. This understanding makes it pretty easy to determine the appropriate external framework to align with.
A single negligent breach could close your businesses forever, because liability insurance does not cover professional negligence! Below are several examples of how compliance with information security requirements affects common businesses:
 |
HIPAA and PCI DSS ComplianceExample #1: Physical Therapist Compliance Requirements: HIPAA, PCI DSS & State Breach Laws Why? This physical therapist office deals with electronic Protected Health Information (ePHI) of clients so it falls under HIPAA. The office also accepts co-payments by credit card so it falls under PCI DSS. Since the state requires a breach notification plan, the office must also adhere to state-specific compliance requirements for data breaches. |
 |
PCI DSS and GLBA ComplianceExample #2: Certified Public Accountant (CPA) Compliance Requirements: GLBA, PCI DSS & State Breach Laws Why? Like most CPAs, this CPA deals with private financial information of clients, so it falls under GLBA. The CPA works for clients that accept credit cards and has access to their QuickBooks accounts (containing cardholder information), so the CPA must meet PCI DSS requirements. Most states waive state-sponsored breach laws if the company is GLBA compliant, so there are no additional requirements by the state. |
 |
GLBA and PCI DSS Compliance in OregonExample #3: Lawyer Compliance Requirements: HIPAA, FACTA, GLBA, PCI DSS & State Breach Laws Why? This law offices deal with Protected Health Information (PHI) for injury claims so its falls under HIPAA as a Business Associate. Since the office also performs real estate closings and is responsible for private financial information, it falls under both FACTA and GLBA. The office accepts payment by credit card so it falls under PCI DSS. This state waives its breach notification law if the law office is GLBA compliant, so there are no additional requirements by the state. |
 |
PCI DSS Compliance for Level 3 and Level 4 Merchants
Example #4: Coffee Shop Compliance Requirements: PCI DSS Why? This coffee shop accepts payment by credit and debit cards so it falls under PCI DSS. This specific state does not have any specific laws for breach notification, so the coffee shop only has to focus on PCI DSS compliance. |
 |
State Identity Theft Law ComplianceExample #5: Construction Company Compliance Requirements: State Breach Laws Why? The construction company operates in a state that has a law requiring both client and employee Personal Identifying Information (PII) to be protected and for notification in the event of a breach. |
Secure Controls Framework (SCF)
Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...
ComplianceForge ISO 27001 & 27002 Compliance Documentation Templates
ISO 27001 & 27002 Policy Template UPDATED FOR ISO 27001:2022 & 27002:2022 Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common...
The NIST Cybersecurity Framework (NIST CSF) is commonly used “cybersecurity best practice” for organ...
Cybersecurity Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing and mit...
Determining the scope of controls (e.g., assessment boundary) is different than determining control...
NIST 800-171 focuses on protecting Controlled Unclassified Information (CUI) anywhere it is stored,...
