A compliance framework is a list of controls, policies, and procedures against which companies can be evaluated to demonstrate their alignment to legal and/or ethical requirements.
Compliance frameworks also help organizations think through risk management and how becoming/remaining compliant with a compliance framework can create visibility around various risks to the business (i.e., risks from not being compliant, risks from implementing controls, outside risks like cyber incidents, and internal risks).

Why Do We Have Compliance Frameworks?

They Help Establish Trust

In the world of cybersecurity, trust is essential. In order for a business to feel comfortable engaging in business with another organization, there needs to be some basic foundation of trust. This is where compliance frameworks can be extremely useful.
For example, if a doctor’s office is looking for a new Electronic Medical Records (EMR) system, they would evaluate various EMR vendors and check that, at a minimum, the EMR vendor is HIPAA compliant (we’ll dig into HIPAA a little later in this post, but for now, just know that HIPAA is a law that acts as a compliance framework for how businesses must handle and secure the Protected Health Information (PHI) of patients). This ensures that the patient records the doctor’s office stores in the EMR are protected by a guaranteed baseline of security controls.

They Aid in Risk Management

Compliance frameworks help companies ensure that they are adhering to any legislation in effect that applies to them and/or the data they interact with. They are also an outstanding tool in a company’s utility belt to help identify, mitigate, or avoid risks to the business. While yes, this will require some work upfront from the business that is working on compliance, it will help build the foundation of risk management within the organization by forcing the business to think about risks and how to best manage them in the course of day-to-day operations.
Most, if not all, of these compliance frameworks also have penalty mechanisms in place to dissuade companies from ignoring the regulations and controls set out within the framework. Usually, these penalties come in the form of fines that a company gets charged when they are not in compliance. Learning what’s needed to avoid these penalties helps keep a company accountable while also helping them factor in the different kinds of risk faced by the business.

They Provide a Common Language

Compliance frameworks allow businesses (and individuals) to have a common set of terminology, expectations, and understandings around what types of data a company handles and the minimum measures needed to consider that data secured as per the regulations in the framework(s).

Does My Business Need to Adhere to a Compliance Framework?

Here comes everyone’s favorite answer: “it depends…” When trying to understand if your business needs to be compliant with a particular framework or deciding on which framework you want to pursue compliance with, you must understand what your business is doing, the kind of data it handles, which entities it conducts business with, and what industry it’s in. These are a few of the questions that need to be answered when trying to determine what framework, if any, your organization must adhere to.

Additional Impacts of a Compliance Framework

While compliance frameworks provide a lot of the benefits we discussed previously, they also come with additional impacts to your organization.

Noncompliance Penalties

As mentioned before, noncompliance with a given framework can cause your business to incur penalties. These could be financial (e.g., fines), reputational (customers losing confidence in your ability to secure their data or the data of their customers), or take on another form that could cause problems for your business.
Electing to adhere to a compliance framework must be a decision made very carefully and with all of the relevant information available to inform those decisions. Sometimes, the decision is made for us by way of legal requirements, but there are other frameworks that can be optionally chosen to increase customer confidence, fulfill a contractual obligation, or just ensure proper business practices.

Additional Resource Allocation

Alongside fines or other penalties, adhering to a compliance framework brings the additional business cost of extra resourcing, both internal and external, to ensure compliance throughout the year (not just during audit season).
Being compliant with a compliance framework is not a “set it and forget it” operation. As regulations, requirements, and tooling change, so do the controls and requirements of compliance frameworks.
To demonstrate that a business is adhering to the latest version of a framework, it must undergo regular (usually annual) auditing by an external third party to confirm that the new requirements and controls have been met.
While having dedicated internal resources to help ensure compliance is not a requirement, it is definitely recommended, as it will equip your business to ensure it remains in good standing with the framework(s) it must adhere to.

Internal Culture Modifications

Sometimes, adhering to a new compliance framework requires modifying (or in some cases, completely reworking) existing ways of working at your organization. Some examples of these changes may be requiring a multi-factor authentication (MFA) method to sign into company apps, restricting how and where company data is accessed, or restricting what employees can or cannot do on their company computers.
While this may not seem like a big issue, some organizations may face increased internal pressures against implementing changes to “how we’ve always done things” or any adjustments to the status quo. This can be a pretty significant hurdle for a business to overcome and requires intentionality and leading by example from members of the leadership team (executives, business owners, managers, etc.).

Examples of Compliance Frameworks

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) in the United States is a law passed by Congress in 1996 that requires any Protected Health Information (PHI) collected, handled, or transferred by businesses to be protected by a standardized set of controls guiding how the data should be secured.
Some companies that fall under the scope of HIPAA include medical providers (think doctor’s offices or hospitals), health insurance companies, and any businesses that aid these companies in performing their duties with regard to handling PHI.
To learn more about HIPAA, you can visit the official site here.

GDPR

The General Data Protection Regulation (GDPR) is a data privacy law passed in the European Union that dictates how Personally Identifiable Information (PII) about citizens of the EU must be handled and secured.
You’ve probably come across one of the more visible effects GDPR has had on the world in the form of cookie consent banners that pop up when you try to navigate to almost any website. Due to the requirements and controls outlined in GDPR, more control is placed in the hands of the individual user when it comes to what data a site or company is allowed to collect about them.
To learn more about GDPR, you can visit the official site here.

PCI DSS

The Payment Card Industry Data Security Standard is a data security regulation put in place to help ensure the security of payment data throughout the payment process.
With PCI DSS, any company handling payment processing needs to comply with the recommended security controls, which help ensure that customer banking/financial information remains protected and secured during and after the transaction.
To learn more about PCI DSS, you can visit the official website here.

How Attainable Security Can Help

Our mission at Attainable Security is to demystify cybersecurity for businesses and make security, wait for it…, Attainable (did you see what we did there?).
Part of that mission includes helping businesses on their journey to grow their cybersecurity program (more on this in another article) by providing the tech, tools, and services to help support your business in this endeavor.
Specifically as it pertains to compliance frameworks, our team of cybersecurity professionals can work with you to:
  • Perform our Cybersecurity Posture Assessment, which is an in-depth look at your current cybersecurity posture and also provides a practical list of action items you can perform (with or without us) to improve your business’ security, and/or
  • Enroll your business in our Human Risk Management platform, which provides your workforce with the training necessary to ensure compliance alongside a template library for various policy documents, should you need to create and manage a policy document as part of your compliance journey.
As always, we are here to help! If you want to learn more about how we can help your business, please reach out with the link below!
