Cybersecurity defense: What frameworks work for regulators?
For as long as information technology has existed, so too have malicious actors seeking to exploit network vulnerabilities to obtain compromising information. In response, organizations worldwide, private and public alike, have created frameworks for cybersecurity compliance. But what do these frameworks look like, exactly? And how do they work for regulators? We look at this and more in our latest Ascend piece.

The development of information technology over the past 30 years has created a world in which most sectors, both public and private, find themselves reliant on network systems in one way or another. As more private industries and government agencies have migrated their information and day-to-day processes toward network systems, so too have they opened themselves up to the omnipresent threat of cyberattacks. Regulators in particular have a vested interest in bolstering their cybersecurity defenses, as their systems contain sensitive citizen information that could compromise the public interest were it to fall into the wrong hands.

In recent years, particularly in the wake of the COVID-19 pandemic (which resulted in a hasty shift to network-based remote work arrangements for many), regulators have found themselves even more vulnerable to the threat of cyberattacks. Even prior to this development, public and private organizations around the world had created different cybersecurity standards and frameworks, many of which overlap in the topics and best practices they cover. Which frameworks an organization should follow depends largely on its industry and context. For example, government agencies will often hold themselves to different standards than, say, financial organizations or manufacturing companies.

Here we will discuss the most popular standards for cyber defense as well as some overlaps in the subjects they outline.

ISO/IEC 27000 Series

One of the most well-known information security frameworks, the ISO/IEC 27000 Series, was developed by the International Organization for Standardization. A large part of this framework’s popularity stems from its flexibility and comprehensiveness – for example, different subsections of the framework cover topics from incident management to data collection, storage security, and beyond. ISO 27000 is used across many industries in many different sectors, and certification must be performed by a separate, ISO 27000-accredited body.

Importantly, this series deals with information security in healthcare, which makes it a popular standard for organizations trying to maintain HIPAA compliance, which involves the confidential handling and storage of patient information from healthcare providers. One section in particular, ISO 27799:2016, “applies to health information in all its aspects, whatever form the information takes, whatever means are used to store it, and whatever means are used to transmit it.” This outline, however, does not discuss the type of technology used to meet the standard, which means organizations are free to ensure compliance however they see fit – so long as the standard is met.

NIST Special Publication 800-53

Though it is commonly used in the private sector, NIST SP 800-53 was designed (starting in 2005) as a security benchmark for U.S. government agencies. Like the ISO 27000 series, NIST SP 800-53 is lenient with regard to the different measures agencies can take to ensure compliance, as long as compliance is achieved. This collection of security controls is intended to protect the U.S. (and private agencies) from threats including “hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.”

SOC 2

SOC 2 is a security framework that primarily concerns organizations handling customer data. Created by the American Institute of CPAs, SOC 2 revolves around five basic principles:

  • Privacy: Controlling and protecting access to private customer information (for example, through methods like encryption and two-factor authentication).
  • Security: Using firewalls, intrusion detection, and other preventive measures to ensure an organization’s network itself is safe from cyberthreats.
  • Availability: Ensuring all necessary data is adequately accessible to customers and vendors alike.
  • Confidentiality: Restricting access and exposure to data to a specific group of people and/or organizations.
  • Processing Integrity: Ensuring a vendor’s system delivers the correct data, for the right price, at the right time. [Note that this exists separately from data integrity, which concerns the safety and adequate storage of the data at hand].

Like the previous two examples, SOC 2 compliance can be achieved through a variety of methods, so long as the organization in question meets these standards. Certification is handled by licensed Certified Public Accountants (CPAs), and while SOC 2 compliance is not legally mandated, it is one of the basic forms of compliance any business will look for when choosing a vendor, particularly in the software-as-a-service (SaaS) space. Though it is more flexible in scope than ISO 27000 compliance, the two frameworks overlap considerably, with one study suggesting they share 96% of the same security controls.

PCI DSS

Launched in 2006, the Payment Card Industry Data Security Standard (PCI DSS) was designed to protect all aspects of consumer payment card data. Though it is not officially a law, PCI DSS compliance is written into virtually every agreement a vendor makes with a card company, and many individual states have incorporated elements of this framework into their legislation. PCI DSS compliance is crucial to any regulator or government agency that handles card payments through its own systems. According to the American Bar Association, this compliance is reliant upon twelve basic steps, which include everything from maintaining firewalls to protect cardholder data, encrypting transmission of this data, restricting access to this data from other businesses on a need-to-know basis, and other payment card security controls.

Alternative frameworks

From Cybersecurity Maturity Model Certification (CMMC) to the NIST Cybersecurity Framework, Control Objectives for Information and Related Technologies (COBIT), the Center for Internet Security (CIS) Critical Security Controls, and beyond, there are many other IT and cybersecurity frameworks for vendors to choose from when trying to collaborate with security-minded businesses. Of course, the fact will always remain that if a regulator keeps cybersecurity at the forefront of its priorities, compliance, while it will not necessarily be an afterthought, will be that much easier to achieve and maintain.

Written by Jordan Milian
Jordan Milian is a writer covering government regulation and occupational licensing for Ascend, with a professional background in journalism and marketing.