Cyber-attacks have diversified during the COVID-19 pandemic, and data security has become more important as a result. Companies therefore need to pay close attention to the cybersecurity protocols (the regulations, frameworks and standards) that govern how they protect privacy and data. Here are seven that professionals should take into consideration.
General Data Protection Regulation – GDPR
The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, is the European Union's data privacy and security law. It imposes obligations on any organization, wherever it is based, that targets or collects data relating to people in the EU. Its data protection principles require that processing be lawful, fair and transparent, and limited to the purposes specified. Data minimization is another principle to consider.
Under GDPR, organizations should collect and process only as much data as is necessary for the purposes specified (data minimization, Article 5(1)(c)). Processing must also be done in a way that ensures appropriate security, integrity and confidentiality (Article 5(1)(f)), including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
On the data security side, organizations have to implement appropriate technical and organizational measures (Article 32). Technical measures range from requiring two-factor authentication on accounts where personal data are stored to contracting only with cloud providers that use end-to-end encryption; in each case the measure should be proportionate to the risk of the processing.
A Data Protection Officer (DPO) must be appointed by any public authority (other than a court acting in its judicial capacity), by organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, as Google's do, and by organizations whose core activities involve large-scale processing of special categories of data (Article 37). Organizations must also report personal data breaches to the supervisory authority within 72 hours of becoming aware of them (Article 33), notify the affected individuals without undue delay when a breach is likely to result in a high risk to them (Article 34), and carry out data protection impact assessments for high-risk processing (Article 35).
Cybersecurity Maturity Model Certification – CMMC
The US Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that resides on the networks of its contractors. Its goal is to improve overall cybersecurity and supply chain protection across the Defense Industrial Base (DIB). CMMC can be understood as a verification framework for the department's existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements, which already obliged contractors handling CUI to implement NIST SP 800-171 on a self-attestation basis.
CMMC was introduced in 2020 to improve CUI security by adding a formal third-party assessment program to what had been self-attested compliance. Version 1.0 of the model was released on January 31, 2020. Under the original rollout schedule, accredited third-party assessment organizations (C3PAOs) were to begin certification assessments in mid-2020, and from September 2020 DoD contractors were to need certification at the appropriate CMMC level to bid on Requests for Proposal; in practice the requirements were phased in through the DFARS interim rule that took effect on November 30, 2020.
The CMMC framework is built on four elements: security domains, capabilities, controls (practices), and processes; combined, they describe best practices for protecting an organization and the FCI and CUI it handles. These elements apply at five cybersecurity maturity levels, Level 1 through Level 5, with Level 1 the least mature. CMMC applies to all DoD contractors, primes and subcontractors alike, that handle FCI or CUI. Note that the model has since been revised: CMMC 2.0, announced in November 2021, reduces the five levels to three and aligns its Level 2 with the 110 security requirements of NIST SP 800-171.
Health Insurance Portability and Accountability Act – HIPAA
Health care providers rely on clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy and laboratory systems, all of which hold patient data. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA's requirements; the HIPAA Security Rule protects a subset of the information covered by the Privacy Rule, namely protected health information that is held or transmitted in electronic form (ePHI). In December 2020, as COVID-19 reshaped how care is delivered, HHS published a notice of proposed rulemaking to modify the Privacy Rule, the first major proposed revision since the 2013 Omnibus Rule.
The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and any health care provider that transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (collectively, covered entities). Business associates that handle PHI on their behalf are also directly liable for compliance.
The HIPAA Security Rule is designed to protect the confidentiality, integrity and availability of ePHI through administrative, physical and technical safeguards, while allowing covered entities to adopt new technologies that improve the quality and efficiency of patient care. Because many of its implementation specifications are "addressable" rather than "required", a covered entity must document a risk analysis showing why each addressable safeguard was implemented, or why an alternative measure is reasonable and appropriate.
The U.S. Securities and Exchange Commission – SEC
The U.S. Securities and Exchange Commission (SEC) updated its cybersecurity guidance and expectations in response to rising cyber threats from many sources during COVID-19. In the US, cybersecurity is the responsibility of multiple government agencies, the SEC among them. The SEC works with federal and local partners, market participants and others to monitor developments and respond effectively.
Education, monitoring and action are the three pillars of the SEC's approach. By publishing cybersecurity guidance, the SEC helps broker-dealers, investment advisers, investment companies, exchanges and other market participants protect their customers from cyber threats.
Through its Office of Compliance Inspections and Examinations (OCIE, renamed the Division of Examinations in December 2020), the SEC issues guidance to regulated firms, including on when and how to report a cyberattack. Its January 2020 report "Cybersecurity and Resiliency Observations" collects practices observed during examinations and includes recommendations for registrants, issuers, other regulated entities and investment professionals in areas such as governance and risk management, access rights and controls, data loss prevention, vendor management, and incident response and resiliency.
The guide encourages them to sign up for alerts published by the Cybersecurity and Infrastructure Security Agency (CISA). The SEC also maintains a Cybersecurity Spotlight webpage that collects cybersecurity-related information and guidance.
System and Organization Controls – SOC 2
SOC 2 was developed by the American Institute of CPAs (AICPA) to define criteria for managing customer data based on five Trust Services Criteria (formerly called "trust service principles"): security, availability, processing integrity, confidentiality and privacy. The security criteria are mandatory in every SOC 2 examination; the other four are included at the organization's discretion. SOC 2 reports are therefore unique to each organization, which designs its own controls to meet the criteria in scope.
The reports explain to customers how a service provider manages their data. There are two types. A Type 1 report attests that the design of the provider's controls is suitable to meet the relevant criteria at a point in time. A Type 2 report additionally tests the operating effectiveness of those controls over a review period, typically six to twelve months, which is why customers evaluating a vendor usually ask for it.
Information Security Management System – ISO 27001
ISO/IEC 27001 is an international standard that specifies requirements for an information security management system (ISMS). It was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005.
The second edition, ISO/IEC 27001:2013, was published in 2013; a European adoption incorporating its corrigenda, EN ISO/IEC 27001:2017, followed in 2017, and the standard was reviewed and confirmed in 2019. A third edition, ISO/IEC 27001:2022, has since been published, restructuring the Annex A controls in line with ISO/IEC 27002:2022.
ISO/IEC 27001 sets out in detail the requirements for establishing, implementing, maintaining and continually improving an ISMS. It also includes requirements for assessing and treating information security risks tailored to the needs of the organization; the Annex A controls are selected on the basis of that risk assessment and recorded in a Statement of Applicability.
Certification against ISO/IEC 27001 by an accredited and respected certification body brings benefits such as marketing potential and brand value, and gives customers and regulators independent evidence that the ISMS is in place. The standard applies to all organizations, regardless of type, size or nature.
Payment Card Industry Data Security Standard – PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was first released in December 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express, who in 2006 founded the Payment Card Industry Security Standards Council (PCI SSC) to govern it. PCI DSS is a set of security requirements designed to secure credit and debit card transactions against data theft and fraud.
Although the PCI SSC has no legal authority to compel compliance, the card brands and acquiring banks make it a contractual requirement for any business that processes, stores or transmits credit or debit card data. Compliance is validated through a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor, depending on transaction volume, and covers twelve requirements such as installing and maintaining firewalls, encrypting cardholder data transmitted over public networks, and deploying anti-malware software. Reducing the cardholder data environment, for example by tokenizing card numbers so they never touch your own systems, is the most effective way to shrink the scope of an assessment.