Data security requirements, including laws and regulations, exist at the federal, state, and even industry specific levels. These requirements outline how an entity must address cybersecurity, protect information, and respond to data breaches. In recent years, there has been an increase in legislation focusing on cyber security across the board.
Meeting data security requirements on your own can be challenging. We recommend a high-level approach to identifying applicable data security laws and regulations, understanding their inherent challenges, and meeting requirements.
IDENTIFY YOUR REQUIREMENTS
Businesses must first understand what laws and regulations apply to them. To determine which specific requirements apply, start with the following:
- Where does your business operate physically?
- Where do your customers reside physically?
- What type of data do you collect, transmit, and store?
- What regulatory agencies oversee your business (federal, state, and industry)?
- What exemptions apply to you, if any?
Based on the above, spend time reviewing applicable laws and regulations with a legal representative to ensure all requirements, and penalties for not meeting the requirements, are understood. A clear understanding is critical to ensure deadlines are met, exemptions are noted, and reporting requirements are followed. Periodically check for any amendments to laws and regulations to stay compliant with changing requirements.
PLAN FOR ACTION
Once all applicable requirements are identified and understood, it’s time to budget, plan, and implement cybersecurity best practices.
Begin with a review of reputable cybersecurity frameworks. These best practices provide a road map for implementing cybersecurity controls. Ultimately, following a framework provides a better understanding of cybersecurity risks, how to reduce overall exposure, and can help simplify meeting requirements.
Some popular frameworks include the National Institute for Standards in Technology (NIST) Cybersecurity Framework, Center for Internet Security (CIS) Top 20, and International Organization for Standardization (ISO) Guidelines for Cybersecurity.
Common requirements include executing a risk assessment, creating policies and procedures, performing technical testing, and developing an incident response plan. Confirm that all requirements under applicable laws and regulations are addressed within the framework, and supplement as necessary.
With a defined path ahead, it is easier to budget and plan for the resources, time, and activities needed to meet requirements. Set benchmarks to stay on target with deadlines and account for interruptions that could increase the amount of time needed. To simplify efforts, approach cybersecurity and the steps for maintaining compliance as an ongoing project that happens throughout the year.
PREPARE FOR CHALLENGES
Data security requirements may be difficult to understand without specific legal experience, and there may be little to no guidance easily accessible. Requirements may vary between different laws, regulations, and jurisdictions and can be confusing. Additionally, new laws and regulations are introduced every year, and are often updated.
Cybersecurity topics, vocabulary, and concepts may be challenging without industry-specific experience. Implementing the controls within a framework requires a technical understanding of how to address cybersecurity risks. Failure to implement requirements properly could leave your business vulnerable to attacks and in danger of being fined.
Addressing requirements will consume time and resources but reducing cybersecurity risks is necessary for uninterrupted business operations and the protection of business sensitive data. Meeting data security requirements will require the support of your entire business, and with time, should become engrained in your culture. This is often the biggest challenge.
RIGID BITS CAN HELP
Consider working with third-party cybersecurity experts to alleviate the stress of tackling these challenges. Rigid Bits specializes in helping businesses identify and reduce their cybersecurity risks. Through consulting, professional services, and technology, our certified experts work closely with business leaders and IT teams to meet requirements and protect systems and data.
Enlist the help of our experts and tools to simplify the process of addressing data security requirements. Our online portal provides a centralized location to develop and track cybersecurity policies and procedures. Clients benefit from a streamlined, established process while saving time, money, and reducing stress.
Reach out to us today at email@example.com to request our free cybersecurity framework mapping for 23NYCRR500 (New York’s DFS Data Security Law) and to learn more about how we can make data security easier and more cost effective for your business.
This article was published in the June 2019 edition of Colorado Insurance News (COIN). To view more articles and read the whole COIN, click here.