User:Shawndouglas/sandbox/sublevel3

From LIMSWiki
Jump to navigationJump to search

To be fair, the question of which regulations and standards affect how an organization implements cybersecurity is a most difficult one to answer. Not only do related regulations and standards vary by industry, they also vary by geography, complexity, and ease of implementation. Let's turn to the example of data retention requirements for businesses. Consider this software system requirements statement:

The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.

Through recent updates to LIMSpec, the following national and international regulations, standards, and guidance (Table 1) that tie into data retention and the protection of that retained data have been found (and that list will certainly continue to grow):

Table 1. Regulations, standards, and guidance affecting data retention and the security of retained data

7 CFR Part 331.17 (c)
9 CFR Part 121.17 (c)
21 CFR Part 11.10 (c)
21 CFR Part 58.195
21 CFR Part 211.180
21 CFR Part 212.110 (c)
21 CFR Part 225.42 (b-8)
21 CFR Part 225.58 (c–d)
21 CFR Part 225.102
21 CFR Part 225.110
21 CFR Part 225.158
21 CFR Part 225.202
21 CFR Part 226.42 (a)
21 CFR Part 226.58 (f)
21 CFR Part 226.102
21 CFR Part 226.115
21 CFR Part 312.57
21 CFR Part 312.62
21 CFR Part 606.160 (d)
21 CFR Part 812.140 (d)
21 CFR Part 820.180 (b)
29 CFR Part 1910.1030 (h-2)
40 CFR Part 141.33
40 CFR Part 141.722
40 CFR Part 704 Subpart A
40 CFR Part 717.15 (d)
42 CFR Part 73.17 (c)
42 CFR Part 493.1105
42 CFR Part 493.1283
45 CFR Part 164.105
45 CFR Part 164.316
45 CFR Part 164.530

AAFCO QA/QC Guidelines for Feed Laboratories Sec. 2.4.4 or 3.1
AAVLD Requirements for an AVMDL Sec. 4.10.1.2
AAVLD Requirements for an AVMDL Sec. 4.10.2.1
AAVLD Requirements for an AVMDL Sec. 5.4.3.2
ABFT Accreditation Manual Sec. E-33
AIHA-LAP Policies 2018 2A.7.5.1
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 4.14.1.2 and 4.15.1.2
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.9.3.6 and 5.9.7
ASTM E1578-18 E-17-4
CJIS Security Policy 5.3.4
CJIS Security Policy 5.4.6–7
CJIS Security Policy 5.5.2.1
E.U. Annex 11-7.1
E.U. Commission Directive 2003/94/EC Article 9.1
E.U. Commission Directive 2003/94/EC Article 11.4
EPA 815-R-05-004 Chap. III, Sec. 15
EPA 815-R-05-004 Chap. IV, Sec. 8
EPA ERLN Laboratory Requirements 4.9.18
EPA ERLN Laboratory Requirements 4.11.17
EPA QA/G-5 2.1.9
ISO 15189:2012 4.3
ISO/IEC 17025:2017 8.4.2
NIST 800-53, Rev. 4, AT-4
NIST 800-53, Rev. 4, AU-11 and AU-11(1)
NIST 800-53, Rev. 4, SI-12
OECD GLP Principles 10
USDA Administrative Procedures for the PDP 5.4
USDA Sampling Procedures for PDP 6.5
WHO Technical Report Series, #986, Annex 2, 15.8–9

You'll notice many nods to U.S. Code of Federal Regulations (CFR), as well as E.U. law, agency requirements, accreditation requirements, standards, and guidelines for just this one system specification and security control. Additionally, there are surely other entities not listed in Table 1 that demand this requirement out of information system users. This example illustrates the complexity of making a complete and accurate list of regulations, standards, guidance, and other bodies of work demanding data protection from organizations.

That said, other types of legislation and standards relevant to cybersecurity stand out. Examples of legislation that mandate cybersecurity action include 23 NYCRR 500, the Federal Information Systems Management Act (FISMA), the General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), IC Directive 503, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Sarbanes Oxley Act.[1] Of standards not mentioned in Table 1, ANSI UL 2900-2-1 for networked medical devices, IEEE 1686-2013 for intelligent electronic devices, and ISO/IEC 27032:2012 for cybersecurity are also representative examples of standard-based efforts to improve cybersecurity in numerous industries.[2]

Despite the difficulty of laying out a complete picture of regulations and standards impacting cybersecurity approaches, we can confidently say a few things about those types of regulations and standards. First, the risks and consequences of poor security drive regulation and, more preferably[3][4], standardization, which in turn moves the "goalposts" of cybersecurity among organizations. In the case of regulations, those organization that get caught not conforming to applicable regulations tend to suffer negative consequences, providing some incentive for them to improve organizational processes. One of the downsides of regulations is that they can at times be "imprecise" or "disconnected"[4] from what actually occurs within the organization and its information systems. Rather than compelling significant focus on regulatory conformance, cybersecurity standards may, when adopted, provide a clearer path of opportunity for organizations to instead focus on improving their cybersecurity culture and outcomes, particularly since standards are usually developed with a broader consensus of interested individuals with expertise in the field.[3] In turn, the organizations that adopt well-designed standards likely have a better chance of conforming to the regulations they must, and they'll likely have more interest in maintaining and improving the goalposts of cybersecurity.

That's not to say that compliance with regulations and standards alone can stop critical risks in their tracks[5]:

Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.

Second, modern cybersecurity standards frameworks and controls, which help guide organizations in developing a cybersecurity strategy, are typically harmonized with other standards and updated as business processes, technologies, cyber threats, and regulations evolve. For example, the industry-specific Water Sector Cybersecurity Risk Management Guidance v3.0, which contains a set of cybersecurity controls as they relate to the water and wastewater sectors, is harmonized with the NIST Cybersecurity Framework.[6] And NIST's Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations has controls mapped to ISO/IEC 27001:2013 controls.[7] These and other signs point to some consolidation of thought on influential cybersecurity standards, as well as what constitutes relevant and necessary action towards preparing an organization to be more prepared for cyber threats and their potential consequences.

Third, when it comes to the question of what regulations are driving an organization to embrace cybersecurity, the general answer is "it's specific to each organization." While it's true that industries have their own regulations, and organizations in those industries often share the same set of challenges, additional factors such as regional requirements (e.g., the European Union General Data Protection Regulations [GDPR] and California Consumer Privacy Act [CCPA]) and even local requirements (e.g., privacy rules and guidelines, banning of specific technology in a city[8]) will affect how the organization must operate. This information gathering process is a unique aspect of organizational cybersecurity planning; in the end it's up to the organization to "identify all obligatory cybersecurity requirements and controls with which it must comply."[9] Armed with that information, the organization can integrate those identified requirements and controls with an existing baseline framework of broad and industry-specific cybersecurity controls, as well as any internal standards and control objectives specific to the organization and its policy requirements.[9]

References

  1. Aulakh, M. (25 February 2019). "CISOS Ultimate Guide for Top 30 Security Control Frameworks - 2019". Ignyte Assurance Platform. Mafazo LLC. https://ignyteplatform.com/top-30-security-frameworks-2019/. Retrieved 23 July 2020. 
  2. Cleaveland, P. (24 September 2018). "10 key private-sector cybersecurity standards". Enterprise IOT Insights - Fundamentals. Arden Media Company, LLC. https://enterpriseiotinsights.com/20180924/fundamentals/10-key-private-sector-cybersecurity-standards. Retrieved 23 July 2020. 
  3. 3.0 3.1 Ciocoui, C.N.; Dobrea, R.C. (2010). "Chapter 1. The Role of Standardization in Improving the Effectiveness of Integrated Risk Management". In Nota, G.. Advances in Risk Management. IntechOpen. doi:10.5772/9893. ISBN 9789535159469. 
  4. 4.0 4.1 "Data Standardization: A Call to Action" (PDF). JPMorgan Chase & Co. May 2018. Archived from the original on 14 December 2019. https://web.archive.org/web/20191214203246/https://www.jpmorganchase.com/corporate/news/document/call-to-action.pdf. Retrieved 23 July 2020. 
  5. Kaplan, R.S.; Mikes, A. (June 2012). "Managing Risks: A New Framework". Harvard Business Review. https://hbr.org/2012/06/managing-risks-a-new-framework. Retrieved 23 July 2020. 
  6. West Yost Associates (4 September 2019). "Water Sector Cybersecurity Risk Management Guidance". American Water Works Association. https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance. Retrieved 23 July 2020. 
  7. "NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. February 2020. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final. Retrieved 23 July 2020. 
  8. Waddell, K. (29 June 2019). "Cities are writing privacy policies". Axios. https://www.axios.com/cities-data-privacy-laws-fa0be8cb-234f-4237-b670-10ad042a772e.html. Retrieved 23 July 2020. 
  9. 9.0 9.1 "Understanding Cybersecurity Standards" (PDF). CGI, Inc. April 2019. https://www.cgi.com/sites/default/files/2019-08/cgi-understanding-cybersecurity-standards-white-paper.pdf. Retrieved 23 July 2020.