Compliance is a fact of life for businesses of all shapes and sizes, in every industry. From health and safety laws to industry-specific regulations, there are rules that must be followed, and penalties ranging from fines to revoked licenses to shutdown for breaking them.
When it comes to IT security, the regulations can be tricky. Just as in other areas of business, there are industry-specific compliance issues, as well as more general laws. However, the field of information technology is vast and constantly shifting, making it difficult to apply uniform regulations.
Regardless, there are still some existing issues affecting your IT environment. Understanding IT security regulations is essential for your company to maintain compliance and avoid penalties.
Areas impacted by IT security regulations
Security is a critical component whenever information technology is used. All modern businesses deal with private and customer information in digital form, one way or another—whether it’s through an in-house network, over the Internet, or both.
This data must be protected. Regulations from service providers and governing bodies help ensure that consumers and companies can conduct business electronically in an environment that's as secure as possible.
Some of the areas of your business that may be affected by security regulation compliance include:
- IT infrastructure. Your company's internal network, including your hardware components, require security and may be subject to local regulations.
- Risk assessment. This includes sufficient firewall and antivirus protection, as well as risk management for unpredictable factors like fire, natural disasters, and break-ins or theft.
- Usage policies. Maintaining the proper software licenses and policies on company usage is part of IT security compliance.
- Documentation. This is an essential step in compliance. If your business is ever audited by a regulatory body, you'll need to be able to prove the steps and measures you've taken to comply.
Federal cyber-security regulations
The United States government has not imposed far-reaching legislation on digital commerce. Instead, federal and state governments have favored collaboration with the private sector that's designed to encourage voluntary improvements in IT security.
However, there are still a handful of federal regulation measures in place that govern specific industries.
In the health industry, the 1996 Health Insurance Portability and Accountability Act, commonly known as HIPAA, initiated security and privacy rules to protect private health information. This act was amended in 2003 to specifically include Electronic Protected Health Information under the existing security and privacy rules. The amendment set forth compliance regulations for administrative, physical, and technical IT security in the health industry.
The 1999 Gramm-Leach-Bliley Act, aimed at financial institutions, includes the Financial Privacy Rule that places regulations on collecting and disclosing personal financial information from customers. This rule also applies to any business that handles private customer financial information.
Federal agencies are affected by the 2002 Homeland Security Act and the simultaneously enacted Federal Information Security Management Act, which outlines mandatory standards, policies, principles, and guidelines for IT security. The HSA and FISMA acts don't apply to ISPs or software companies.
PCI security regulations
In order to accept credit or debit cards, including online transactions, businesses must comply with the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with PCI security regulations can result in your business being shut down.
These regulations are defined by the Payment Card Industry Security Standards Council, strengthening the controls around cardholder data to help reduce credit card fraud and theft. The PCI employs external assessors to annually validate compliance for every financial institution, Internet vendor, and retail merchant that accepts credit and debit cards.
There are six categories of PCI compliance security standards, each with defined regulations:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program, including antivirus and system security measures
- Implementing strong access control measures
- Regular monitoring and testing of networks
- Maintaining an information security policy
The future of IT security regulations
While state and federal governments currently support a self-regulatory approach for most of IT security, this may not always be the case. Online consumer privacy is becoming more critical than ever, with so many business transactions moving to Internet-based environments.
An article on CIO.com discusses a recent report from the Federal Trade Commission (FTC) on online consumer privacy, which discusses the necessity of do-not-track tools for Internet users, letting them opt out of targeted marketing and data collection—similar to the do-not-call registry that's used to govern telemarketing.
For now, the FTC is requesting voluntary cooperation with this and other IT security measures. However, if companies are lax in instituting stronger security policies, federal regulation is not out of the question.
If you're responsible for your company's IT security compliance, it's in your best interests to provide the best security possible, for the sake of your customers as well as your business, and the future of e-commerce in the United States.