What is an Effective Cybersecurity Compliance Program?
It may surprise you to learn that the foundation of an effective cybersecurity compliance program comes from the United States Department of Justice memos to their Criminal Division. Prosecutors must follow these guidelines when investigating and prosecuting companies for non-compliance. One of the mitigating circumstances for companies being probed is having an effective cybersecurity compliance program. Deputy Attorney General Paul McNulty’s mentioned in his memo that the goal of a compliance program is:
“to prevent and to detect misconduct and to ensure that corporate activities are conducted in accordance with all applicable criminal and civil laws, regulations, and rules. The Department encourages such corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own.”
What can businesses do to comply with the law and prevent hefty fines and possibly criminal penalties and, the ultimate goal, prevent cybersecurity incidents? To achieve compliance, every organization must build a cybersecurity and information security program containing the seven essential elements of an effective compliance program:
- Establish standards and procedures
- Appoint a champion to oversee the compliance of said standards and procedures
- Perform background checks, especially on individuals with substantial authority
- Communicate and train your staff regarding the standards and procedures you have adopted
- Take reasonable steps to achieve compliance by monitoring and auditing the systems implemented
- Enforce the standards and procedures with adequate discipline for failure to follow them
- Establish a response plan to deal with non-compliance appropriately
Incorporating these elements can prevent companies and their agents from committing unethical and criminal actions. They are also a strong foundation for building an effective cybersecurity program that complies with information security best practices. After all, finding these elements in the most trusted cybersecurity frameworks is not a coincidence.
Cybersecurity Frameworks
Cybersecurity frameworks are a structured collection of cybersecurity standards, guidelines, and best practices to assist cybersecurity professionals in managing risks arising in day-to-day operations. For example, the National Institute of Standards and Technology (NIST) provides a wide array of frameworks to help government agencies, contractors, and companies better understand their risk landscape and how to protect it. For instance, NIST’s Framework for Improving Critical Infrastructure Cybersecurity is intended for sectors considered vital to preserving security, national economy, public health, or safety. Nevertheless, its flexible, repeatable, and cost-effective approach to cybersecurity makes it scalable to other industries.
A framework of importance for government contractors is the Cybersecurity Maturity Model Certification or CMMC. The CMMC program provides cyber protection standards for companies contracting with the Department of Defense (DoD). Its goal is to protect sensitive information critical to national security and ensure contractors clearly understand DoD’s cybersecurity regulatory, policy, and contracting requirements. The framework also nurtures cybersecurity and cyber resilience culture while holding companies accountable for implementing prescribed cybersecurity standards.
Compliance (Or Lack Thereof), Applied
In the United States and worldwide, companies can be hit with fines for not abiding by cybersecurity regulations or suffering data breaches for not being up to date with cybersecurity standards. For instance, evaluate the case of The University of Texas MD Anderson Cancer Center, whose non-compliance with the Health Insurance Portability and Accountability Act garnished them a hefty fine of over 4 million dollars.
Between 2012 and 2013, the covered entity[i] lost two unencrypted USBs with personal health information (PHI). Encryption is one of the addressable implementation specifications under the HIPAA Security Rule. Addressable implementation means that it must be implemented if a risk assessment determines that the specification is reasonable and appropriate to safeguard the confidentiality of the PHI. Even though the Cancer Center’s risk assessment revealed that lack of encryption posed a risk to their patient’s PHI, the two lost USBs were unencrypted. Although not a mandatory specification, encryption is an industry standard. Cybersecurity professionals agree that while not technically required (under HIPAA at least), data encryption is quickly evolving into an essential part of data security.
Cybersecurity Compliance is a Moving Target
Following guidelines and best practices recommended by cybersecurity frameworks is an excellent start to implementing cybersecurity safeguards. Alongside a robust command of laws and regulations that control your business line, achieving cybersecurity compliance will not seem like a daunting endeavor. Both will allow you to operate a security program that efficiently and cost-effectively protects the company’s assets. However, cybersecurity compliance is a moving target. Technologies change, bad actors adapt, and laws are repealed or amended, and all of a sudden, your cybersecurity program with the safeguards and compliance policies you implemented becomes obsolete. Therefore, continuous monitoring is critical to stay on top of regulatory developments and technological advances. A Master of Legal Studies in Cybersecurity and Data Privacy from Cleveland State University College of Law is the best investment for Cybersecurity Compliance Professionals.
[i] Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Why an MLS Graduate from the Cybersecurity and Data Privacy Law Program Will Be an Excellent Fit for Your Company
Companies that try to protect their networks and assets by hiring more IT and InfoSec staff fall behind on regulatory compliance. Paying billions of dollars in fines and losing their client’s trust in the ability to contract with the federal government is not an effective way to conduct business. Therefore, it is critical to be up to date with the legal environment and have a cybersecurity compliance program that is flexible and follows recognized frameworks that will adhere to cybersecurity industry best practices. At CSU College of Law, we prepare our MLS graduates with technical and legal education customized for the cybersecurity field.
For instance, the Cybersecurity I and II courses will help cybersecurity professionals view cybersecurity safeguards from a legal compliance perspective. Students will be introduced to a risk assessment process, a requirement of most federal and state laws intended to protect networks, data, and critical infrastructure. Students will also learn to interpret and customize cybersecurity safeguards to achieve compliance using NIST frameworks. By dissecting various laws, the student will extract the compliance requirements from each law and pair them with NIST guidelines and best practices. The product is a customized plan to implement cybersecurity and privacy compliance.
At Cleveland State University College of Law, we teach both the technical and the legal language that will provide students with the skills required to succeed in this hybrid field. As a result, they will also develop a profound understanding of the American Legal System while delving into specific cybersecurity laws. In addition, our professors will help them master policy writing through a command of legal sources and terms. As a cybersecurity professional transitioning into compliance, an MLS in Cybersecurity and Data Privacy from the Cleveland State University College of Law is a wise investment.
