Chapter 8. Industry Compliance Standards and Frameworks
Businesses may be required to conform to one or more regulatory compliance regimes, which are administered by a variety of governing bodies. Failure to comply with these standards can result in heavy fines or, in some cases, hinder the ability to conduct business (for example, by losing the ability to process credit card transactions). Frameworks differ from regulatory compliance standards in that they are not required for a specific industry or type of data; they are more like guidelines.
The requirement to comply with one standard or another does provide a few benefits to your organization. Certain standards leave significant room for interpretation, giving you the ability to tie security measures that should be implemented to a portion of that same standard. When compliance is involved, there are social, political, and legal components that can be leveraged to implement security controls and process changes that may not have been possible otherwise. It may also present the opportunity to piggyback on another department that has excess budget for a project.
As both standards and frameworks change frequently over time, in this chapter we’ll focus on explaining what each is used for and some “gotchas” that each may have. Note that the majority of the standards discussed here are from the United States; international organizations have a whole different set of reporting requirements.
Industry Compliance Standards ...