Cybersecurity Compliance - It Starts With The Framework!

It is important to understand that "getting compliant" with a cybersecurity requirement is generally more involved than just addressing a checklist.

With that in mind, selecting a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to (1) not be considered negligent with reasonable expectations for security & privacy; (2) comply with applicable laws, regulations and contracts; and (3) implement the proper controls to secure your systems, applications and processes from reasonable threats. This understanding makes it pretty easy to determine the appropriate external framework to align with.

Where Do You Fit In The Mandatory Compliance Puzzle?

A single negligent breach could close your business forever, because liability insurance does not cover professional negligence! Below are several examples of how compliance with information security requirements affects common businesses:



Example #1: Physical Therapist

Compliance Requirements: HIPAA, PCI DSS & State Breach Laws

Why? This physical therapist office deals with electronic Protected Health Information (ePHI) of clients so it falls under HIPAA. The office also accepts co-payments by credit card so it falls under PCI DSS. Since the state requires a breach notification plan, the office must also adhere to state-specific compliance requirements for data breaches.



Example #2: Certified Public Accountant (CPA)

Compliance Requirements: GLBA, PCI DSS & State Breach Laws

Why? Like most CPAs, this CPA deals with private financial information of clients, so it falls under GLBA. The CPA works for clients that accept credit cards and has access to their QuickBooks accounts (containing cardholder information), so the CPA must meet PCI DSS requirements. Most states waive state-sponsored breach laws if the company is GLBA compliant, so there are no additional requirements by the state.



Example #3: Lawyer

Compliance Requirements: HIPAA, FACTA, GLBA, PCI DSS & State Breach Laws

Why? This law office deals with Protected Health Information (PHI) for injury claims, so it falls under HIPAA as a Business Associate. Since the office also performs real estate closings and is responsible for private financial information, it falls under both FACTA and GLBA. The office accepts payment by credit card so it falls under PCI DSS. This state waives its breach notification law if the law office is GLBA compliant, so there are no additional requirements by the state.


Example #4: Coffee Shop

Compliance Requirements: PCI DSS

Why? This coffee shop accepts payment by credit and debit cards so it falls under PCI DSS. This specific state does not have any specific laws for breach notification, so the coffee shop only has to focus on PCI DSS compliance.



Example #5: Construction Company

Compliance Requirements: State Breach Laws

Why? The construction company operates in a state that has a law requiring both client and employee Personal Identifying Information (PII) to be protected, and requiring notification in the event of a breach.
