Requirements for Data Protection
Compliance requirements vary by industry and geographic location, and new legislation and industry regulations continually change the standards against which compliance audits are performed. Familiarity with multiple compliance standards is worthwhile even when they do not seem to apply at the moment: a change in legislation or a shift in an organization's business offerings can bring audit criteria from another industry into scope, so managers should keep abreast of them. The goal of compliance requirements is to avoid breaches of the regulatory, statutory, or contractual obligations related to information security, and of any other security requirements the organization has committed to. This section provides an overview of three common security compliance requirements: HIPAA, ISO 27001, and PCI DSS. They are a small sample of the many security compliance initiatives, most of which have overlapping controls. Please refer to the Tenable Research Audits page for a list of audit files that address many of these compliance initiatives.
HIPAA Overview
The Health Insurance Portability and Accountability Act (HIPAA) establishes rules for the privacy and security of Protected Health Information (PHI), including electronic PHI (ePHI), in the United States. The HIPAA rules apply to Covered Entities and to the Business Associates that handle PHI on their behalf. Covered Entities are the organizations that create, receive, maintain, or transmit PHI in the course of providing or paying for health care, and include:
- Health Plans – entities that provide or pay for the cost of medical care
- Health Care Clearinghouses – organizations that process health care transactions for providers and insurers
- Health Care Providers – professionals trained and licensed to give, bill and be paid for health care services, who transmit health information electronically in connection with those transactions
Business Associates are not Covered Entities themselves. They are organizations that perform services for a Covered Entity that involve PHI, may not be in the health care business at all, and are bound to the HIPAA Security Rule both directly and through a Business Associate Agreement with the Covered Entity. Examples of Business Associates include:
- Data Aggregators
ISO 27001 Overview
ISO/IEC 27001 is a standard published jointly by the International Organization for Standardization (ISO), an independent international organization with a membership of 167 national standards bodies, and the International Electrotechnical Commission (IEC). It is the certifiable standard in the ISO/IEC 27000 family and specifies the requirements for an Information Security Management System (ISMS); organizations use it to run their ISMS in a manner that reduces risk to the Confidentiality, Integrity, and Availability (CIA) of information.
Many organizations choose to obtain certification from an accredited certification body (often called a registrar). ISO itself does not audit or certify anyone; it publishes the standard, while certification bodies issue certificates and are themselves accredited by a national accreditation body that checks their competence and impartiality. The certification process consists of a Stage 1 audit, which reviews the ISMS documentation and readiness, followed by a Stage 2 audit that evaluates whether the ISMS is operating effectively and whether its controls meet all the requirements of the standard. Once the process is complete, the certification body issues a certificate, or requires the organization to close identified nonconformities before a certificate can be issued. The certification body must be objective and impartial, which means it cannot write the organization's documentation or provide consulting services to help it address gaps. Accreditation of the certification body is not mandatory, but a certificate from an accredited body provides independent confirmation of competence, which helps large organizations negotiate Service Level Agreements (SLAs) with third parties.
PCI DSS Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security requirements established by the founding members of the PCI Security Standards Council: Visa, MasterCard, American Express, Discover Financial Services, and JCB. The PCI DSS is intended to provide a common baseline for safeguarding cardholder data across all the card brands, and it applies to every merchant and service provider that stores, processes, or transmits cardholder data, not only to e-commerce vendors. Because the PCI DSS states many of its requirements at a high level, auditors (Qualified Security Assessors) vary in how they interpret and test them.
The PCI DSS mandates 12 high-level requirements that an organization must meet to be considered compliant with the standard. Such organizations must also have their internet-facing systems that handle cardholder data scanned for vulnerabilities at least quarterly by an Approved Scanning Vendor (ASV). A scan fails if it finds any of the following:
- Any vulnerability with a CVSS base score of 4.0 or higher
- Any cross-site scripting or SQL injection vulnerability, regardless of its CVSS score
- Any service still offering outdated SSL or early TLS protocol versions
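The three failing criteria above can be applied mechanically to scan output. The following Python is an added example, not Tenable's code or part of the original page: it triages a constructed list of external-scan findings and reports which ones would fail the scan and why. The finding format is invented for the example, and treating TLS 1.0 and TLS 1.1 (alongside SSLv2 and SSLv3) as "outdated SSL / early TLS" is an assumption made here.

```python
"""Triage external vulnerability-scan findings against the PCI DSS ASV failing
criteria: CVSS base score >= 4.0, any XSS or SQL injection finding regardless
of score, and any service still offering SSL or early TLS.
Added example; the Finding record layout and the protocol cutoff are assumptions."""

from dataclasses import dataclass, field
from typing import List, Tuple

PCI_CVSS_THRESHOLD = 4.0

# Vulnerability classes that fail the scan regardless of CVSS score.
# Assumption: the scanner labels findings with a category string like these.
AUTO_FAIL_CATEGORIES = {"xss", "cross-site scripting", "sql injection", "sqli"}

# Protocol versions treated as outdated SSL / early TLS (assumption).
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass
class Finding:
    host: str
    port: int
    name: str
    cvss: float                # CVSS base score, 0.0 - 10.0
    category: str = ""         # e.g. "XSS", "SQL injection", "TLS"
    protocols: List[str] = field(default_factory=list)  # versions the service offered


def failure_reasons(f: Finding) -> List[str]:
    """Return every PCI failing criterion the finding trips (empty list = passes)."""
    reasons: List[str] = []
    if f.cvss >= PCI_CVSS_THRESHOLD:          # 4.0 itself fails: the threshold is inclusive
        reasons.append(f"CVSS {f.cvss:.1f} >= {PCI_CVSS_THRESHOLD}")
    if f.category.strip().lower() in AUTO_FAIL_CATEGORIES:
        reasons.append(f"automatic failure: {f.category}")
    outdated = sorted(set(f.protocols) & OUTDATED_PROTOCOLS)
    if outdated:
        reasons.append("outdated SSL/early TLS offered: " + ", ".join(outdated))
    return reasons


def pci_scan_failures(findings: List[Finding]) -> List[Tuple[Finding, List[str]]]:
    """Return (finding, reasons) for each finding that would fail the scan."""
    failures = []
    for f in findings:
        reasons = failure_reasons(f)
        if reasons:
            failures.append((f, reasons))
    return failures


def scan_passes(findings: List[Finding]) -> bool:
    """A scan passes only when no finding trips any criterion."""
    return not pci_scan_failures(findings)


# Constructed sample findings for demonstration; not real scan output.
SAMPLE_FINDINGS = [
    Finding("shop.example", 443, "Reflected XSS in search parameter", 3.5, "XSS"),
    Finding("shop.example", 443, "Server supports TLS 1.0", 2.6, "TLS",
            ["TLSv1.0", "TLSv1.2"]),
    Finding("shop.example", 443, "Outdated jQuery (prototype pollution)", 4.0, "Web"),
    Finding("api.example", 8443, "HTTP methods allowed (informational)", 0.0, "Info",
            ["TLSv1.2", "TLSv1.3"]),
    Finding("db.example", 3306, "SQL injection in login form", 9.8, "SQL injection"),
]

if __name__ == "__main__":
    for finding, reasons in pci_scan_failures(SAMPLE_FINDINGS):
        print(f"FAIL {finding.host}:{finding.port} {finding.name}")
        for r in reasons:
            print(f"     - {r}")
    print("scan result:", "PASS" if scan_passes(SAMPLE_FINDINGS) else "FAIL")
```

Note that the XSS finding with a CVSS score of 3.5 and the TLS 1.0 finding at 2.6 both fail even though they sit below the 4.0 threshold, while the informational finding on a TLS 1.2/1.3-only service passes; a triage process that sorted purely by score would miss the first two.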