{"id":7711,"date":"2024-03-27T09:00:00","date_gmt":"2024-03-27T09:00:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/2019\/11\/20\/compliance-and-data-privacy-regs-it-security-pros-should-worry-about\/"},"modified":"2024-04-15T21:25:12","modified_gmt":"2024-04-15T21:25:12","slug":"security-compliance","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/","title":{"rendered":"Data Security Compliance: How to Comply with Security Laws"},"content":{"rendered":"\n<p>Data security compliance is the act of applying risk-reducing security controls to match relevant data protection regulations, security frameworks, and security policies. Governments provide the primary data regulations with the largest penalties, yet data security frameworks and policies provide the most tangible guidelines that enable best practices and provide the basis for standardized compliance tools and services.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"text-transform:none\"><span class=\"ez-toc-section\" id=\"Major-Security-Regulations-Laws\"><\/span>Major Security Regulations &amp; Laws<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Governments pass data security regulations and laws to force organizations of all sizes to better protect customers and consumers through improved cybersecurity practices. 
Currently, most laws focus on the protection of data, specifically personally identifiable information (PII), but some regulations also cover financial and healthcare information.<\/p>\n\n\n\n<p>Major data protection laws around the world include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/gdpr.eu\/what-is-gdpr\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>General Data Protection Regulation (GDPR)<\/strong><\/a><strong>:<\/strong> The European Union (EU) regulation to protect personal data, with a very broad definition of personal data and punishing fines.<\/li>\n\n\n\n<li><a href=\"https:\/\/oag.ca.gov\/privacy\/ccpa\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>California Consumer Privacy Act (CCPA)<\/strong><\/a><strong>:<\/strong> The first of many US state laws to require protection for personal data and to give residents a private right of action over certain data breaches.<\/li>\n\n\n\n<li><a href=\"https:\/\/personalinformationprotectionlaw.com\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Personal Information Protection Law (PIPL)<\/strong><\/a><strong>:<\/strong> The Chinese law to protect the personal information of natural persons within the People\u2019s Republic of China against breach or misuse.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Health Insurance Portability and Accountability Act (HIPAA)<\/strong><\/a><strong>:<\/strong> The US federal law that requires covered entities and their business associates to protect medical records and other protected health information (PHI).<\/li>\n\n\n\n<li><a href=\"https:\/\/www.ftc.gov\/business-guidance\/resources\/how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Gramm-Leach-Bliley (GLB) Act<\/strong><\/a><strong>:<\/strong> The US federal law that requires financial institutions to protect non-public personal financial information.<\/li>\n<\/ul>\n\n\n\n<p>Some 
regulations create regulatory bodies with broad, less-defined enforcement powers. The US Securities and Exchange Commission (SEC) and US Federal Trade Commission (FTC) both fall into this category and periodically assess fines and bring enforcement actions related to data breaches and inadequate security practices.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Security Regulation Requirements<\/h3>\n\n\n\n<p>At their core, the data security laws require companies, non-profits, and other entities to prevent leaks or misuse of regulated data. In general, regulations define protected data and security requirements broadly, with more detail reserved for definitions and reporting requirements. The table below provides a high-level overview of the major regulations:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">Law<\/th><th>Protected Data<\/th><th>Security Requirements<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>GDPR<\/strong><\/td><td>Personal data of individuals in the EU, even when the organization processing it is located outside the EU.<\/td><td>Demonstrate GDPR compliance, process data securely, notify the supervisory authority within 72 hours of becoming aware of a personal data breach.<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>CCPA<\/strong><\/td><td>Personal information of California residents.<\/td><td>Notify affected California residents of personal data exposed by a breach; notify the California Attorney General when a breach affects more than 500 residents (under California\u2019s breach notification statute).<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>PIPL<\/strong><\/td><td>Personal information of people within China.<\/td><td>Identify and exclude data from unnecessary processing (collection, storage, use, processing, transmission, provision, publication, and erasure).<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>HIPAA<\/strong><\/td><td>Protected health information (PHI), including medical records.<\/td><td>Safeguard the confidentiality, integrity, and availability of PHI and report breaches.<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>GLB<\/strong><\/td><td>Any nonpublic personal information of a financial institution\u2019s consumers.<\/td><td>Safeguard customer information.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Despite broadly defined requirements, regulations apply specific penalties for violations. For example, the GDPR states a maximum penalty of the greater of 4% of annual global turnover or \u20ac20 million. HIPAA civil penalties start at roughly $100 per violation and are capped at about $1.5 million per year for each violation category (both figures are adjusted for inflation), while criminal violations carry fines and prison sentences of up to 10 years.<\/p>\n\n\n\n<p>Companies often settle with regulators on penalty amounts below the maximum penalty, but the amounts can remain high and significantly impact the business. Recent examples of penalties include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u20ac1.2 billion fine in 2023 for Meta GDPR violations.<\/li>\n\n\n\n<li>\u20ac746 million fine in 2021 for Amazon GDPR violations.<\/li>\n\n\n\n<li>\u20ac405 million fine in 2022 for Meta GDPR violations.<\/li>\n\n\n\n<li>$5.1 million settlement in 2021 for Lifetime Healthcare Companies HIPAA violations.<\/li>\n<\/ul>\n\n\n\n<p>The broad and vaguely defined security requirements allow the regulations to survive changing technology landscapes, but as a consequence make the requirements unclear and difficult to satisfy. Most organizations defend themselves by selecting a security standard that offers more concrete guidance for implementing, assessing, and reporting compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"text-transform:none\"><span class=\"ez-toc-section\" id=\"Major-Security-Standards-Frameworks\"><\/span>Major Security Standards &amp; Frameworks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Security standards are specific requirements for specific IT goals or best practices. 
Security frameworks consist of collections of security standards, procedures, and best practices. Although governments develop some frameworks, private industry groups develop and enforce many of the broadly adopted security standards and frameworks.<\/p>\n\n\n\n<p>Major security standards and frameworks include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>National Institute of Standards and Technology (NIST) Cybersecurity Framework<\/strong><\/a><strong>:<\/strong> Develops a common foundation for security applicable to many different organizations.<\/li>\n\n\n\n<li><a href=\"https:\/\/hitrustalliance.net\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)<\/strong><\/a><strong>:<\/strong> Defines a set of security controls specifically designed to protect HIPAA-regulated data.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.pcisecuritystandards.org\/about_us\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Payment Card Industry Data Security Standard (PCI DSS)<\/strong><\/a><strong>:<\/strong> Defines the security standards that must be implemented to maintain the right to process payment cards.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.iso.org\/home.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>International Organization for Standardization (ISO)<\/strong><\/a><strong>:<\/strong> Offers many security standards that standardize security processes and objectives, such as ISO\/IEC 27001 or ISO 27799.<\/li>\n\n\n\n<li><a href=\"https:\/\/soc2.co.uk\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>System and Organization Controls (SOC) 2<\/strong><\/a><strong>:<\/strong> Provides an attestation framework, defined by the AICPA, for auditing an organization\u2019s security, availability, processing integrity, confidentiality, and privacy controls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Security Framework Requirements<\/h3>\n\n\n\n<p>Frameworks provide much more guidance than regulations by breaking down security principles into areas with specific goals, functions, and policies. Once you decide to adopt a framework for your organization, you need to develop <a href=\"https:\/\/www.esecurityplanet.com\/compliance\/it-security-policies\/\">security policies<\/a> that define how the company will meet each framework requirement, implement those policies, and then test the systems to ensure they fulfill the goals of the policies and the framework.<\/p>\n\n\n\n<p>Some voluntary frameworks allow self-assessment and self-certification with no penalties for non-compliance. Others, such as PCI DSS, are mandatory to retain card payment privileges and, for larger merchants and service providers, require independent third-party assessors to verify compliance. Such assessors (Qualified Security Assessors, in the case of PCI DSS) must be certified by the body that maintains the framework before they can perform certification audits.<\/p>\n\n\n\n<p>Although more prescriptive than regulations, frameworks also tend to remain at a relatively high level to avoid technology lock-in or overly prescriptive requirements. 
For example, consider endpoint protection.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"924\" height=\"1024\" src=\"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/04\/ESP_ComplianceImplementation_2024_DA_rnd2-924x1024.png\" alt=\"Compliance implementation progression for endpoint protection.\" class=\"wp-image-34984\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/04\/ESP_ComplianceImplementation_2024_DA_rnd2-924x1024.png 924w, https:\/\/assets.esecurityplanet.com\/uploads\/2024\/04\/ESP_ComplianceImplementation_2024_DA_rnd2-271x300.png 271w, https:\/\/assets.esecurityplanet.com\/uploads\/2024\/04\/ESP_ComplianceImplementation_2024_DA_rnd2-768x851.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2024\/04\/ESP_ComplianceImplementation_2024_DA_rnd2-1386x1536.png 1386w, https:\/\/assets.esecurityplanet.com\/uploads\/2024\/04\/ESP_ComplianceImplementation_2024_DA_rnd2-1848x2048.png 1848w\" sizes=\"(max-width: 924px) 100vw, 924px\" \/><figcaption class=\"wp-element-caption\">The compliance implementation progression for endpoint protection.<\/figcaption><\/figure>\n\n\n\n<p>The NIST CSF 2.0 Data Security category (PR.DS-01) expects that \u201cthe confidentiality, integrity, and availability of data-at-rest are protected.\u201d PCI DSS v3.2.1 requires organizations to \u201cmaintain a vulnerability management program\u201d and to \u201cprotect all systems against malware and regularly update anti-virus software or programs.\u201d Neither specifically mentions endpoints, and only one specifies a technology (antivirus).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"text-transform:none\"><span class=\"ez-toc-section\" id=\"Why-Comply-with-Data-Security-Laws-Standards\"><\/span>Why Comply with Data Security Laws &amp; Standards<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We comply with data security laws, standards, and frameworks for three key reasons: we must comply to avoid punishment, compliance makes us better, and compliance limits damages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">We Must Comply to Avoid Punishment<\/h3>\n\n\n\n<p>We have to abide by laws and regulations or we face penalties and punishments:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial and criminal penalties:<\/strong> Avoid fines, expensive settlements, and even possible jail time that might be triggered by failure to comply with regulations.<\/li>\n\n\n\n<li><strong>Public embarrassment:<\/strong> Reduce the likelihood, scope, and magnitude of breaches that trigger mandatory public reporting under breach notification laws.<\/li>\n\n\n\n<li><strong>Business loss:<\/strong> Retain business contracts and insurance coverage that require specific security standards or frameworks to be maintained, such as PCI DSS for card payments.<\/li>\n<\/ul>\n\n\n\n<p>Recently, many small companies that might otherwise be exempt from compliance began to receive demands for compliance validation from their large customers. 
Newer regulations force validation down the supply chain, which widens the requirements beyond the scope of the original regulations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Compliance Makes Us Better<\/h3>\n\n\n\n<p>Compliance with regulations, standards, and frameworks can improve the overall business through security best practices, additional data protection, insurance requirement satisfaction, reputation protection, and new business opportunities.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforces best practices:<\/strong> Informs effective security controls, documentation, monitoring, testing, reporting, and remediation for a broad spectrum of security.<\/li>\n\n\n\n<li><strong>Protects data:<\/strong> Adds controls for regulated data that also help protect corporate secrets from theft and reinforce good business practices.<\/li>\n\n\n\n<li><strong>Meets insurance requirements:<\/strong> Delivers controls and reports that naturally improve an organization\u2019s ability to validate existing controls for cybersecurity insurance coverage.<\/li>\n\n\n\n<li><strong>Protects reputation:<\/strong> Provides penetration test reports that reassure customers, security controls that minimize breaches, and resilient systems for business continuity.<\/li>\n\n\n\n<li><strong>Wins new business:<\/strong> Adds opportunities to win new business; for example, a CMMC certification enables bids for DoD contracts or subcontracts with existing DoD vendors.<\/li>\n<\/ul>\n\n\n\n<p>Although compliance is typically seen as a cost center, look for opportunities to work with sales to capitalize on verifiable security levels and compliance certifications.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Compliance Limits Damages<\/h3>\n\n\n\n<p>Compliance can\u2019t guarantee security, so an incident or data breach may still occur. Fortunately, compliance implementation, testing, and reporting can limit negligence claims, breach scale, and attack-related costs.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Negligence claims:<\/strong> Reduces exposure to inflated negligence claims by demonstrating adherence to recognized third-party standards and reasonable security safeguards.<\/li>\n\n\n\n<li><strong>Breach scale:<\/strong> Reduces the attackers\u2019 reach, the quantity of data obtainable, and the abuse potential of stolen data when effective compliance controls are in place.<\/li>\n\n\n\n<li><strong>Attack-related costs:<\/strong> Contains attacks to a smaller footprint, which reduces the time and expense of investigation, recovery, and remediation.<\/li>\n<\/ul>\n\n\n\n<p>A breach still incurs costs, but verified data security compliance tends to decrease the overall costs significantly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"text-transform:none\"><span class=\"ez-toc-section\" id=\"Challenges-of-Security-Compliance\"><\/span>Challenges of Security Compliance<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Compliance clearly provides legal and financial protection, if not advantages. 
Yet several challenges limit the adoption of security compliance:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Unclear Identification<\/h3>\n\n\n\n<p>Many organizations struggle to perform the basics of security, let alone apply compliance, when they lack clear identification of devices, compliance obligations, compliance proof, and data.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Device awareness:<\/strong> Continues to fall behind as users unexpectedly add bring-your-own-device (BYOD) and internet-of-things (IoT) devices to networks.<\/li>\n\n\n\n<li><strong>Compliance obligation:<\/strong> Remains vague for vendors, service providers, and small and medium businesses (SMBs) on the edge of complex definitions for regulated entities.<\/li>\n\n\n\n<li><strong>Compliance proof:<\/strong> Variances in consultant and attorney interpretations of laws and policies lead to dangerous differences in the standard of proof for compliance.<\/li>\n\n\n\n<li><strong>Murky data:<\/strong> Increases in data quantity, expanding storage locations, and widespread usage make data classification and determining which regulations apply more difficult.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Rapid Changes<\/h3>\n\n\n\n<p>Regulations, frameworks, standards, and internal policies struggle to keep up with constant and rapid changes such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Evolving networks:<\/strong> Expands the network to include remote worker BYOD, edge computing, software-as-a-service (SaaS), containers, and IoT.<\/li>\n\n\n\n<li><strong>Increased complexity:<\/strong> Adds skill and time demands by shifting to cloud workloads and adding wireless connectivity to operational technology (OT).<\/li>\n\n\n\n<li><strong>System users:<\/strong> Challenges compliance definitions of users when artificial intelligence (AI), apps, and application programming interfaces (APIs) access and analyze data.<\/li>\n\n\n\n<li><strong>Volume increases:<\/strong> Increases compliance challenges constantly with more users, added systems, and ever-increasing data to evaluate, control, and secure.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Managing Conflicts<\/h3>\n\n\n\n<p>Compliance introduces natural conflicts between security, finance, human resources, and even external parties to manage issues including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Definition ambiguities:<\/strong> Leads legal teams to impose conservative requirements that are technically impossible to achieve when different laws introduce conflicting requirements.<\/li>\n\n\n\n<li><strong>Older technology:<\/strong> Rejects potentially improved solutions (e.g., <a href=\"https:\/\/www.esecurityplanet.com\/products\/edr-solutions\/\">endpoint detection and response<\/a>) because some standards still specifically name older technology (e.g., <a href=\"https:\/\/www.esecurityplanet.com\/products\/antivirus-software\/\">antivirus<\/a>).<\/li>\n\n\n\n<li><strong>Regulatory ownership:<\/strong> Applies to one company in a supply chain, but a breach in any other part of the chain still affects every organization and may trigger fines.<\/li>\n\n\n\n<li><strong>Resource limitations:<\/strong> Leads to dangerous compromises and risk denial when budgets dictate compliance minimums that might leave systems vulnerable.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"text-transform:none\"><span class=\"ez-toc-section\" id=\"6-NIST-Best-Practice-Categories-for-Data-Security-Compliance\"><\/span>6 NIST Best Practice Categories for Data Security Compliance<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Different regulations, policies, and frameworks will apply to different specifics, but generalized best practices apply to all compliance programs. 
The <a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noreferrer noopener\">NIST CSF<\/a> provides a useful organization we can use to discuss the core best practices of compliance (govern, identify, protect, detect, respond, and recover) before we consider additional best practices.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Govern<\/h3>\n\n\n\n<p>The NIST governance best practices incorporate compliance into broader corporate data, enterprise risk management (ERM), and operations initiatives. These include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Organizational context:<\/strong> Matches compliance objectives with existing organizational objectives such as legal requirements, contractual obligations, and operations goals.<\/li>\n\n\n\n<li><strong>Risk management strategy:<\/strong> Defines priorities, constraints, risk tolerance, and risk appetite, and outlines assumptions to inform and support compliance decisions.<\/li>\n\n\n\n<li><strong>Roles, responsibilities, and authorities:<\/strong> Assigns the personnel to implement, oversee, and monitor each compliance component\u2019s implementation and maintenance.<\/li>\n\n\n\n<li><strong>Policy:<\/strong> Places the goals, objectives, principles, roles, and reporting into a written <a href=\"https:\/\/www.esecurityplanet.com\/compliance\/it-security-policies\/\">security policy<\/a> to guide each of the other stages in the compliance process.<\/li>\n\n\n\n<li><strong>Oversight:<\/strong> Formalizes how compliance results will be used to inform, improve, or adjust the compliance process and related activities such as operations and risk management.<\/li>\n\n\n\n<li><strong>Supply chain risk management:<\/strong> Extends compliance to supply chain partners through identification, risk assessment, prioritization, and negotiation.<\/li>\n<\/ul>\n\n\n\n<p>Relevant tools and services to achieve these best practices include compliance and risk management tools and specialized consultants.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Identify<\/h3>\n\n\n\n<p>Best practices related to identification, as defined by NIST, seek to understand the true risks to the organization that the other compliance stages will address, and require performing all of the steps below.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Asset management:<\/strong> Identifies the assets that hold, process, or protect regulated data, including hardware, software, systems, services, people, and facilities.<\/li>\n\n\n\n<li><strong>Risk assessment:<\/strong> Evaluates and assigns risk to each asset to help prioritize assets for protection and identify the types of risks to be mitigated through security controls.<\/li>\n\n\n\n<li><strong>Improvement:<\/strong> Locates areas for improvement through evaluations, tests (internal or third-party), operations, and incident response after-action reports.<\/li>\n<\/ul>\n\n\n\n<p>Identification starts within IT operations, but security tools such as <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-iam-software\/\">identity and access management<\/a> (IAM), <a href=\"https:\/\/www.esecurityplanet.com\/networks\/vulnerability-scanning-tools\/\">vulnerability scanners<\/a>, or <a href=\"https:\/\/www.esecurityplanet.com\/products\/penetration-testing-service-providers\/\">penetration testing services<\/a> accelerate the identification process and provide verifiable consistency for reporting.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Protect<\/h3>\n\n\n\n<p>NIST protection best practices reduce risks for <a href=\"https:\/\/www.esecurityplanet.com\/networks\/network-security\/\">network security<\/a> and <a href=\"https:\/\/www.esecurityplanet.com\/cloud\/what-is-cloud-security\/\">cloud security<\/a> to an acceptable threshold, as defined by governance best practices, and meet compliance requirements to implement 
security controls for the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identity management, authentication, and access control:<\/strong> Controls physical or virtual access to assets by validating identities for defined and authorized access levels.<\/li>\n\n\n\n<li><strong>Awareness and training:<\/strong> Educates employees to understand their roles in security or compliance and how to safely conduct operations and identify potential attacks.<\/li>\n\n\n\n<li><strong>Data security:<\/strong> Applies security controls to protect data at rest, data in transit, data integrity, and ongoing availability through protected and maintained backups.<\/li>\n\n\n\n<li><strong>Platform security:<\/strong> Secures physical and virtual systems and connected infrastructure from attacks that might compromise their confidentiality, integrity, or availability.<\/li>\n\n\n\n<li><strong>Technology infrastructure resilience:<\/strong> Accounts for the likelihood that other protection controls will fail by implementing redundancies and backup controls.<\/li>\n<\/ul>\n\n\n\n<p>Security tools for protection range from classic endpoint and <a href=\"https:\/\/www.esecurityplanet.com\/networks\/types-of-firewalls\/\">firewall technologies<\/a> to modern <a href=\"https:\/\/www.esecurityplanet.com\/applications\/application-security-definition\/\">application security<\/a> and <a href=\"https:\/\/www.esecurityplanet.com\/products\/secure-access-service-edge-sase\/\">secure access service edge<\/a> (SASE) tools.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Detect<\/h3>\n\n\n\n<p>NIST best practices for detection locate anomalies, initiated or ongoing attacks, insider threats, and other potential compromises to assets or controls through the implementation of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Continuous monitoring:<\/strong> Uses logs, tools, and personnel to monitor systems, internal staff, external service providers, and processes for attacks or potential vulnerabilities.<\/li>\n\n\n\n<li><strong>Adverse event analysis:<\/strong> Examines potential signs of attack and vulnerability to determine the threat level and separate true threats from false alarms.<\/li>\n<\/ul>\n\n\n\n<p>Relevant detection tools include <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-network-monitoring-tools\/\">network monitoring<\/a> tools, <a href=\"https:\/\/www.esecurityplanet.com\/networks\/what-is-log-monitoring\/\">log monitoring<\/a> tools, and <a href=\"https:\/\/www.esecurityplanet.com\/products\/siem-tools\/\">security information and event management<\/a> (SIEM) tools.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Respond<\/h3>\n\n\n\n<p>Response best practices under NIST define the management process that must be implemented to respond to attacks or vulnerabilities based upon the threat level and urgency. These include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Incident management:<\/strong> Determines triage, categorization, prioritization, escalation criteria, and third-party roles for responding to attacks and vulnerabilities.<\/li>\n\n\n\n<li><strong>Incident analysis:<\/strong> Defines processes for analysis, actions, record keeping, evidence collection, and magnitude assessment for all types of incidents.<\/li>\n\n\n\n<li><strong>Incident response reporting and communication:<\/strong> Establishes the notifications and information required for internal and external stakeholders at various incident levels.<\/li>\n\n\n\n<li><strong>Incident mitigation:<\/strong> Provides processes, tools, and potential service providers for escalation to contain and eliminate attacks and other potential threats.<\/li>\n<\/ul>\n\n\n\n<p>Incident response tools vary from <a href=\"https:\/\/www.esecurityplanet.com\/products\/vulnerability-management-software\/\">vulnerability management software<\/a> to specialized <a 
href=\"https:\/\/www.esecurityplanet.com\/networks\/best-incident-response-tools-services\/\">incident response tools<\/a>. Internal staff will often be complemented by outside consultants or service providers offering a similar range of services, from <a href=\"https:\/\/www.esecurityplanet.com\/applications\/patch-management-as-a-service\/\">patch management as a service<\/a> to <a href=\"https:\/\/www.esecurityplanet.com\/networks\/managed-detection-and-response-mdr\/\">managed detection and response<\/a> (MDR).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Recover<\/h3>\n\n\n\n<p>Recovery best practices in the NIST framework implement the processes to plan, execute, and communicate fixes during and after an incident:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Incident recovery plan execution:<\/strong> Establishes plans, prioritizes actions, verifies backups, restores operations, verifies asset restoration, and creates after-action reports.<\/li>\n\n\n\n<li><strong>Incident recovery communication:<\/strong> Provides accurate, coordinated, and timely information to internal or external stakeholders, regulators, and the public.<\/li>\n<\/ul>\n\n\n\n<p>Recovery processes often require <a href=\"https:\/\/www.esecurityplanet.com\/products\/disaster-recovery-solutions\/\">disaster recovery solutions<\/a> but may also involve coordination with non-technical consultants such as attorneys and public relations specialists.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Additional Best Practices<\/h3>\n\n\n\n<p>While the NIST framework organizes best practices <em>within<\/em> security compliance, it doesn\u2019t address best practices <em>about<\/em> compliance. 
Improve every data security compliance framework or policy with additional best practices such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Constant improvement:<\/strong> Enables increased security, risk reduction, and potential cost savings through ongoing improvements to operations and security systems.<\/li>\n\n\n\n<li><strong>Advanced options:<\/strong> Reduces risk from future negligence claims stemming from vague regulations and standards by going above and beyond minimums when reasonable.<\/li>\n\n\n\n<li><strong>Scope limitation:<\/strong> Confines risk and the highest compliance obligations to a limited set of systems by restricting data access and implementing controls for least-privilege access.<\/li>\n<\/ul>\n\n\n\n<p>Each compliance regulation, framework, and policy introduces specific requirements. While best practices address the broadest issues, analyze each regulation thoroughly to ensure all of its specific requirements are captured.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"text-transform:none\"><span class=\"ez-toc-section\" id=\"Compliance-Tools-Services\"><\/span>Compliance Tools &amp; Services<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Many tool vendors and service providers can provide security controls but don\u2019t manage the compliance processes themselves. Select specialized classes of tools for governance and risk management or even service providers to help accelerate and assist with compliance tasks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Governance, Risk &amp; Compliance Tools<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.esecurityplanet.com\/products\/grc-tools\/\">Governance, risk, and compliance (GRC) tools<\/a> automate and organize the tasks to manage risk, compliance reports, internal policies, and related cybersecurity concerns. 
The top tool to use depends on the broad or specific needs of the compliance program.<\/p>\n\n\n\n<p>For example, Archer GRC provides the best option for a breadth of features and ServiceNow provides the best automation for GRC solutions. Yet, for specific risk reporting needs, LogicManager may provide the best GRC tool fit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Third-Party Risk Management<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.esecurityplanet.com\/products\/third-party-risk-management\/\">Third-party risk management (TPRM)<\/a> provides specialized vendor risk management (VRM) tools to manage supply chain risk. These tools focus on assisting with the vendor onboarding processes with respect to compliance requirements and risk assessments.<\/p>\n\n\n\n<p>In the eSecurity Planet assessment of the best TPRM tools, OneTrust performed best overall. Other tools to consider would be Venminder for the best customer support category or the Prevalent TPRM Platform for the best VRM assessments.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Service Providers &amp; Consultants<\/h3>\n\n\n\n<p>Consultants, <a href=\"https:\/\/www.esecurityplanet.com\/networks\/what-is-managed-service-provider\/\">managed service providers<\/a> (MSPs), and <a href=\"https:\/\/www.esecurityplanet.com\/networks\/what-is-a-managed-security-service-provider\/\">managed security service providers<\/a> (MSSPs) can supply services to manage or validate compliance. The variety of service providers matches the spectrum of consulting needs, from specialized assistance to fully outsourced turnkey processes.<\/p>\n\n\n\n<p>The largest corporations and governments will seek equally large consulting service providers such as Accenture or NTT. 
However, smaller organizations may seek a specialized fit from smaller local service providers or specialty service providers such as penetration testing services from vendors like Intruder.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">When to Use Tools or Services<\/h3>\n\n\n\n<p>Which tool or what type of service provider to use depends on available resources and risk maturity. New compliance initiatives need more help and will lean on the guidance of experienced consultants who apply an established understanding of requirements to quickly implement relevant controls.<\/p>\n\n\n\n<p>More mature programs can shift to internal programs run by in-house compliance teams and boosted by GRC or TPRM tools. However, even the most advanced program must still turn to outside consultants for audits and effective pentests.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"text-transform:none\"><span class=\"ez-toc-section\" id=\"Potential-Future-Regulations\"><\/span>Potential Future Regulations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The best compliance frameworks provide insurance against future regulations, and they also help organizations watch for oncoming laws to avoid unpleasant surprises. Anticipated regulations include additional US privacy laws, new international privacy regulations, AI regulations, expanded or new breach reporting laws, and enforcement details added for US government and DoD contractor compliance requirements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Additional US Privacy Regulations<\/h3>\n\n\n\n<p>US states continue to enact personal information protection laws, with 22 laws, 15 of them comprehensive, enacted by 2024. 
Expect additional states to pass laws, and hopefully also US federal legislation to provide standardized protection and eliminate discrepancies, gaps, and conflicts between state laws.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Additional International Privacy Regulations<\/h3>\n\n\n\n<p>In addition to the EU and China, the United Arab Emirates and South Africa passed laws to protect personal information and consumer data. Expect others to follow suit to protect their citizens and to generate revenue from fines and settlements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">AI Regulations<\/h3>\n\n\n\n<p>The European Union just passed the <a href=\"https:\/\/artificialintelligenceact.eu\/\" target=\"_blank\" rel=\"noreferrer noopener\">AI Act<\/a>, which will be enforced later in 2024. The act imposes rules to address AI risks, practices, applications, obligations, assessments, and governance. Best practices for AI use under the law will only emerge after sufficient attorney evaluation and legal testing of the rules in the months to come.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Breach Reporting Laws Expand<\/h3>\n\n\n\n<p>The 2022 <a href=\"https:\/\/www.cisa.gov\/topics\/cyber-threats-and-advisories\/information-sharing\/cyber-incident-reporting-critical-infrastructure-act-2022-circia\" target=\"_blank\" rel=\"noreferrer noopener\">Cyber Incident Reporting for Critical Infrastructure Act<\/a> (CIRCIA) instructs the US Cybersecurity and Infrastructure Security Agency (CISA) to develop regulation similar to current SEC rules for reporting cyber incidents and ransomware payments. Enforcement potentially begins in 2025 pending definitions of the entities covered, disclosure requirements, disclosure thresholds, and penalties. 
Expect overall regulations to increase and expand in scope.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" style=\"text-transform:none\">Enforcement of US Government Contractor Compliance<\/h3>\n\n\n\n<p>The US Department of Defense (DoD) will shortly propose version 2.0 of the <a href=\"https:\/\/dodcio.defense.gov\/CMMC\/About\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cybersecurity Maturity Model Certification<\/a> (CMMC) that is required to maintain a DoD contract. The release date for the fully fledged model and the enforcement date remain pending. The Federal Acquisition Regulation (FAR) Council will also require incident reporting and compliance for unclassified federal information systems applicable to all government contractors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"text-transform:none\"><span class=\"ez-toc-section\" id=\"Bottom-Line-Compliance-Provides-Security-Opportunities\"><\/span>Bottom Line: Compliance Provides Security Opportunities<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The most common fears regarding compliance involve increased time, resources, and hassles. Yet, compliance can provide opportunities to rigorously examine security, risk, and operations to determine weak spots in the security stack. Compliance not only helps uncover vulnerabilities, but it also helps to define reasonable security practices, which can protect against potential breaches and lower overall costs associated with security incidents.<\/p>\n\n\n\n<p><strong>Compliance initiatives only define controls and systems. 
Read more about the <a href=\"https:\/\/www.esecurityplanet.com\/networks\/types-of-penetration-testing\/\">types of penetration testing<\/a> that verify and validate implemented security controls.<\/strong><\/p>\n\n\n\n<p><em><a href=\"https:\/\/www.esecurityplanet.com\/author\/joe-stanganelli\/\">Joe Stanganelli<\/a> contributed to this article.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn about data security compliance and how it safeguards your organization&#8217;s data. 
Discover key regulations, standards, and best practices to ensure privacy and protection.<\/p>\n","protected":false},"author":271,"featured_media":34646,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[14],"tags":[4633,627,26264,30744,895,31981,5271],"b2b_audience":[34],"b2b_industry":[],"b2b_product":[237,380,253],"class_list":["post-7711","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networks","tag-compliance","tag-data-privacy","tag-gdpr","tag-governance-risk-and-compliance","tag-hipaa","tag-it-policy","tag-pci-dss","b2b_audience-evaluation-and-selection","b2b_product-governance","b2b_product-policy-compliance","b2b_product-regulatory-compliance"],"acf":[],"yoast_head_json":{"title":"Data Security Compliance: How to Comply with Security Laws","description":"Learn about data security compliance and how it safeguards your organization's data. Discover key laws, standards, and best practices.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/","og_locale":"en_US","og_type":"article","og_title":"Data Security Compliance: How to Comply with Security Laws","og_description":"Learn about data security compliance and how it safeguards your organization's data. Discover key laws, standards, and best practices.","og_url":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/","og_site_name":"eSecurity Planet","article_published_time":"2024-03-27T09:00:00+00:00","article_modified_time":"2024-04-15T21:25:12+00:00","og_image":[{"width":1400,"height":900,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/03\/esp_20240327-security-compliance.png","type":"image\/png"}],"author":"Chad Kime","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Chad Kime","Est. 
reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/"},"author":{"name":"Chad Kime","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/86e8ee2d3bc71af07dbe303d16f17dc9"},"headline":"Data Security Compliance: How to Comply with Security Laws","datePublished":"2024-03-27T09:00:00+00:00","dateModified":"2024-04-15T21:25:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/"},"wordCount":3525,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/03\/esp_20240327-security-compliance.png","keywords":["compliance","Data privacy","GDPR","Governance Risk and Compliance","HIPAA","IT Policy","PCI DSS"],"articleSection":["Networks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/","url":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/","name":"Data Security Compliance: How to Comply with Security Laws","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/03\/esp_20240327-security-compliance.png","datePublished":"2024-03-27T09:00:00+00:00","dateModified":"2024-04-15T21:25:12+00:00","description":"Learn about data security compliance and how it safeguards your organization's data. 
Discover key laws, standards, and best practices.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/03\/esp_20240327-security-compliance.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2024\/03\/esp_20240327-security-compliance.png","width":1400,"height":900,"caption":"Image: KanawatTH\/Adobe Stock"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"Data Security Compliance: How to Comply with Security Laws"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/86e8ee2d3bc71af07dbe303d16f17dc9","name":"Chad Kime","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/08\/2023-Kime-HeadShot-150x150.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/08\/2023-Kime-HeadShot-150x150.jpg","caption":"Chad Kime"},"description":"eSecurity Planet lead writer Chad Kime covers a variety of security, compliance, and risk topics. Before joining the site, Chad studied electrical engineering at UCLA, earned an MBA from USC, managed 200+ ediscovery cases, and helped market a number of IT and cybersecurity products, then transitioned into technical writing policies and penetration test reports for MSPs and MSSPs. 
In his free time, Chad enjoys walks on the beach with his wife, annoying his children, and trying to carve out time for movies, books, video games, and bike rides.","url":"https:\/\/www.esecurityplanet.com\/author\/chad-kime\/"}]}}}