Regulatory Compliance Frameworks
Achieving compliance within a regulatory framework is an ongoing process. Your environment is always changing, and the operating effectiveness of a control may break down. Regular monitoring and reporting are a must, and guidance on exactly what “regular monitoring” entails is also outlined within each framework. If you work with or are part of an information security (IS) team, here are some of the regulatory frameworks you might come across:
SOX - Sarbanes-Oxley Act of 2002
- Why does it exist? The Sarbanes-Oxley Act of 2002 (SOX) was passed to counteract fraud after accounting scandals at Enron, WorldCom, and Tyco damaged investor trust. Its controls are mandatory for public companies.
- There are various security requirements for applications and systems that process financial data. Requirements around access management, general IT controls (ITGCs), and entity-level controls may need to be managed by the IS team.
- What types of organizations leverage this framework? Public companies, or companies eyeing a potential initial public offering (IPO).
PCI DSS - Payment Card Industry Data Security Standard
- Why does it exist? The Payment Card Industry Data Security Standard (PCI DSS) exists to protect the security of cardholder data. Its controls are mandatory for organizations that process credit card data. The standard defines multiple compliance levels, and the extent to which your organization interacts with credit card data determines which level of PCI compliance it must achieve. For example, banks, merchants, and service providers are held to higher standards given the nature of their business.
- Aside from enforcing certain procedures and controls based on your PCI DSS level, you may have to complete self-assessment questionnaires, quarterly network scans, and on-site independent security audits.
- What types of organizations leverage this framework? Merchants, payment card-issuing banks, processors, developers, and other vendors.
NIST - National Institute of Standards and Technology
- Why does it exist? Unlike SOX, NIST is not a single set of controls. NIST, the National Institute of Standards and Technology, is a federal agency within the Department of Commerce whose work spans manufacturing, quality control, and security, among other areas. The agency collaborated with security industry experts, other government agencies, and academics to establish a set of controls and balances to help operators of critical infrastructure manage cybersecurity risk. Today, many organizations leverage NIST guidelines to manage and reduce risks that could impact their environment and their customers. Unlike some other frameworks, NIST is voluntary; however, customers may require that some of the controls be in place before they will partner with you.
- If you’re on the IS team of an organization that leverages NIST, you’ll play a large role in identifying, defining, and enforcing the controls governed by the standard. For example, when determining how your organization will handle vulnerability scanning, you may follow the guidance in NIST SP 800-53 control RA-5 (Vulnerability Scanning) in the Risk Assessment family, which spells out best practices for the frequency of scans, the type of scanning that should be done, what to do with the results of those scans, and more.
- What type of organizations leverage this framework? This is generally leveraged by large business enterprises and government agencies, but it can be a helpful framework for any organization interested in evaluating and reducing cyber risk.
SSAE-16 - Statement on Standards for Attestation Engagements
- Why does it exist? Statement on Standards for Attestation Engagements No. 16 (SSAE-16) monitors and enforces controls around the applications and application infrastructure that impact financial reporting. It covers business process controls and IT general controls. Service organization controls (SOC) 1 reports, formerly known as SAS 70 reports, leverage the SSAE-16 framework.
- The SSAE-16 framework outlines many general best practices, but it is also a mandatory part of the SOX compliance process. In organizations that fall under SOX (as noted above, this includes public companies or companies about to IPO), specific stakeholders will need to review SOC 1 reports for any applications that are deemed in scope for SOX compliance (generally these are applications that process financial data). After reviewing the reports, these stakeholders will need to decide whether the organization can accept any associated risks that were reported.
- What type of organizations leverage this framework? Companies that provide applications used to process financial information, where that information will ultimately affect financial statements, are the ones that usually obtain SOC 1 reports.
SOC 2 - Service Organization Control 2 Reports
- Why does it exist? SOC 2 reports are based on the AT-101 attestation standard. SOC 2 reports test the design and/or operating effectiveness of security, availability, processing integrity, confidentiality, and privacy controls. All SOC 2 reports must cover security controls. Availability, processing integrity, confidentiality, and privacy are optional principles that a company may opt to include if those controls are integral to providing its service. AT-101 SOC 2 reports are based on the Trust Services Principles, which correspond to the five control areas listed above.
- Reviewing SOC 2 reports from other organizations can reveal how partnering with them could introduce risk into your environment.
- What type of organizations leverage this framework? Software as a Service (SaaS) providers, cloud computing companies, and other technology-related services will often get SOC 2 reports for their solutions.
FedRAMP - Federal Risk and Authorization Management Program
- Why does it exist? FedRAMP is a standardized way for government agencies to evaluate the risks of cloud-based solutions. It follows a “do it once, use it many times” approach, allowing existing security assessments and packages to be reused across multiple agencies. Since continuous monitoring of cloud products and services is at the core of the framework, it can improve real-time security visibility for organizations.
- If you work at a government agency, you will use FedRAMP packages to decide whether it makes sense to leverage specific cloud-based solutions.
- What type of organizations leverage this framework? Cloud solution providers interested in selling to federal government agencies will go through the FedRAMP certification process.
ISO (International Organization for Standardization)
- Why does it exist? ISO exists to be an international suite of standards. There are different sub-frameworks within ISO, and the sub-framework that is most relevant to your organization/industry depends on your goals. For example, a manufacturing organization would be likely to leverage the sub-framework ISO 9000, because the controls in this framework are focused on quality management. An organization looking to improve processes around information security management systems would derive more helpful guidance from the controls outlined in ISO 27000. For more on the ISO standards and which ones are most relevant to your organization, visit ISO.org.
- Your team may use this framework to improve and report on quality management and security.
- What types of organizations leverage this framework? Any organization, whether public or private, could use this framework to improve and report on quality management and security.
Privacy Shield (replaced US-EU Safe Harbor)
- Why does it exist? US-EU Safe Harbor was created to ensure US companies complied with European Union data protection standards when transferring European data to the States. It was invalidated by a European court in 2015, in relation to controversy over Edward Snowden and the NSA leaks. The Privacy Shield Framework was put in place to replace it. It exists to safeguard or mitigate the risk of data being tampered with while it’s transferred between these two geographic regions. It enables US companies to more easily receive personal data from the EU under EU privacy laws meant to protect European citizens; this allows for a more free exchange of data, which is good for commerce.
- What type of organizations leverage this framework? Organizations collecting, storing or processing personal data between the EU and US. US companies can self-certify that they will comply with EU data protection standards in order to allow for transfer of European data to the US.
- Your team may be involved in the process of joining the Privacy Shield Framework, and enforcing related controls.
HIPAA/HITECH - Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act
- Why does it exist? HIPAA/HITECH enforces security safeguards for protected health information (PHI).
- What type of organizations leverage this framework? Anyone who is collecting, storing or processing protected health information (PHI), including hospitals, medical providers, and insurance companies.
- If you’re collecting this information, you’ll need to have controls in place to make sure it’s secure.
These are only some of the compliance and regulatory frameworks your organization may need to adhere to. Achieving compliance will be an ongoing process, but regular monitoring and reporting can help make adhering to these frameworks (and maintaining a secure environment) a standard part of business operations.
Future Trends in Regulatory and Compliance
The World Bank estimates that almost 8% of the Gross National Product of advanced economies is spent on regulatory compliance. For less developed countries, this percentage is even higher. Given the size of the global economy, we can assume that over $10 trillion is spent annually on regulatory compliance!
To be fair, some of these costs just cannot be avoided. For example, banks are required to keep a certain amount of capital stored in “liquid” and low-return assets. Similarly, manufacturers have to spend some money on environmental compliance and other safeguards. However, there is still an enormous potential for greater efficiency in compliance which can save billions of dollars.
This is where RegTech comes in. RegTech is a catch-all phrase covering innovators and pioneers in the regulatory technology space, especially in the financial services sector. The financial sector has always been an early adopter of technology, something necessitated by its need for transactional accuracy, speed and high volume. The last financial crisis put an even greater emphasis on financial sector regulation, and it is against this backdrop of soaring regulatory costs and FinTech innovation that RegTech has started to gain popularity.
Here are eight of the most frequently cited compliance trends.
The Increasing Importance of Cybersecurity
Due in part to a spate of high-profile corporate data leaks, American companies, law enforcement agencies, banks and regulators have become increasingly focused on cybersecurity issues. According to the most recent data from law enforcement and financial regulators, attempted data security breaches are becoming more sophisticated and more common.
The increase in successful cybersecurity attacks has put pressure on corporate boards to ensure an active approach is taken to mitigating and preventing cybersecurity intrusions.
The Value of Whistleblowing
Multinational firms have been displaying an increased willingness to implement whistleblowing programs as part of an effort to raise global corporate governance standards. The ability to defend stakeholder value is enhanced considerably by pinpointing and then resolving internal weaknesses before such information becomes public. Because the modern world is more connected than ever, the reputation of a multinational firm may be seriously damaged by a compliance failure in any of its subsidiaries.
Protection of Intellectual Property
The effects of globalization and emerging technologies have made intellectual property protection absolutely critical for U.S. firms with an international presence. This is sometimes complicated by the varying strength of international protection standards, along with the intangible nature of intellectual property itself. Firms looking to protect their brands, methods or inventions should remember to seek appropriate counsel when dealing with intellectual property rights and enforcement.
Knowledge of Competition Law
In today’s world, one can no longer be content with knowledge of a single country’s competition and antitrust law landscape. Because fines from global competition authorities continue to increase significantly, competition law has risen to the top of the global compliance agenda. In this kind of tightly regulated environment, competition law and competition compliance programs have unsurprisingly become two of the most important areas of business risk management.
Safeguarding Data Privacy
We live in societies that are becoming more data-driven by the minute. As such, companies are harvesting greater amounts of personal data. This practice is guaranteed to become even more intensive in the years ahead. With these advanced data collection efforts comes a need to be cognizant of new laws and regulations concerning the acquisition and use of personal information.
Dealing With Tax Compliance
Companies that do significant business overseas are familiar with the extensive burdens of time and expense associated with tax compliance. Governments across the globe are often tempted to use new taxes—or increased audits designed to trigger penalties—as revenue-raising mechanisms. Additionally, when one factors in the difficulty of coordinating compliance issues between jurisdictions, these burdens become even more acute.
Observance of General Regulations
Businesses must work hard to become familiar with the legal structures and regulatory environment of a new market. The combination of cultural issues, customs and legislation particular to any new region can be a difficult hurdle to clear. By making an effort to become steeped in both local culture and government before entering a market, companies will have the best chance of surmounting any unexpected obstacles.
Bribery and FCPA Compliance Issues
Increased cross-border trade necessitates heightened awareness of the FCPA (Foreign Corrupt Practices Act). This awareness should go hand-in-hand with knowledge of any anti-bribery legislation passed in international jurisdictions. It’s important to remember that company-to-company bribery should be taken as seriously as the bribery of a public servant. Companies should review any gift guidelines, risk assessments or anti-corruption measures currently in place to ensure they firmly discourage any act that would result in a violation.