Cybersecurity frameworks for regulatory compliance
In an increasingly interconnected digital landscape, safeguarding information assets is more than a strategic requirement; it is critical to business continuity and resilience. As regulatory environments worldwide become more stringent, organisations must adopt robust information security frameworks to protect sensitive data, ensure compliance, and foster stakeholder trust.
This comprehensive guide explores the most influential information security frameworks that help businesses manage regulatory controls effectively. From widely recognised frameworks such as the NIST Cybersecurity Framework and ISO 27001 to industry-specific standards like PCI DSS for the payment card industry and HITRUST CSF for healthcare, we delve into what each framework entails and its role in shaping an organisation's security posture.
Whether you're an IT professional looking to enhance your organisation's security, a business leader seeking to understand the regulatory landscape, or a cybersecurity student keen to learn more, this guide will provide valuable insights into the world of information security frameworks.
Join us as we navigate through these key frameworks and elucidate how they contribute to a safer, more secure digital ecosystem. Understanding and implementing these guidelines will help you comply with regulatory requirements and build a resilient organisation capable of responding to the dynamic threats of the cyber world.
California Consumer Privacy Act (CCPA)
The CCPA gives California residents more control over the personal information businesses collect about them, granting them the right to know about the collection and use of their personal information, to refuse the sale of their personal information, and to access it. It has been effective since January 1, 2020.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA sets national standards to protect individuals' medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically. Compliance is monitored and enforced by the Office for Civil Rights (OCR).
Financial Conduct Authority (FCA)
The FCA is the conduct regulator for financial services firms and financial markets in the UK, and the prudential regulator for over 18,000 of these firms. Its role includes protecting consumers, protecting financial markets, and promoting competition.
Federal Information Security Management Act (FISMA)
FISMA is a US federal law aimed at improving cybersecurity within federal agencies. It requires each agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the agency's operations and assets.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain how they share and protect their customers' private information. Financial institutions must safeguard the information they collect about individuals, provide privacy notices, and give customers a way to opt out if they do not want their information shared with certain third parties.
Sarbanes-Oxley Act (SOX)
SOX requires all financial reports to include an Internal Controls Report showing that a company's financial data are accurate (within 5% variance) and that adequate controls are in place to safeguard financial data. Year-end financial disclosure reports are also required.
Children's Online Privacy Protection Act (COPPA)
COPPA imposes requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA sets the ground rules for how businesses must handle personal information in the course of commercial activity. It balances individuals' right to privacy with the need of organisations to collect, use, or disclose personal information for legitimate business purposes.
Network and Information Systems (NIS) Directive
The NIS Directive provides legal measures to raise the overall level of cybersecurity in the EU by ensuring Member States' preparedness, improving their cooperation on cybersecurity, and requiring operators of essential services and digital service providers to take appropriate security measures and to notify serious incidents to the relevant national authority.
Cybersecurity Law of the People's Republic of China
This law imposes mandatory testing and certification of computer equipment, tightens the requirement to keep data in-country, requires companies to have their security measures certified by the government, and obliges them to give the government any assistance it demands in censoring certain content and stopping online crime.
The Defense Federal Acquisition Regulation Supplement (DFARS)
DFARS mandates that US government contractors implement the cybersecurity standards set out in NIST SP 800-171. It provides the acquisition regulations that government acquisition officials, and the contractors doing business with the government, must follow when procuring goods and services.
The National Institute of Standards and Technology (NIST) Framework
NIST's cybersecurity framework comprises standards, guidelines, and best practices for managing cybersecurity-related risk. Its prioritised, flexible, and cost-effective approach helps promote the protection and resilience of critical infrastructure.
General Data Protection Regulation (GDPR)
GDPR sets guidelines for the collection and processing of personal data of individuals within the EU and EEA. It came into effect on 25 May 2018 and imposes obligations on organisations anywhere in the world, so long as they target or collect data relating to people in the EU.
The Australian Privacy Act 1988 (including the Australian Privacy Principles)
The Privacy Act protects personal information handled by large businesses and Australian Government agencies, provides for the privacy of individuals' personal information, and regulates the collection, use, storage, and disclosure of personal information. The 13 Australian Privacy Principles (APPs) form part of the Privacy Act 1988.
Singapore's Personal Data Protection Act 2012 (PDPA)
The PDPA establishes a data protection law comprising rules that govern the collection, use, disclosure, and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use, or disclose personal data for legitimate and reasonable purposes.
Brazil's General Data Protection Law (LGPD)
The LGPD creates a legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors. It applies to any processing carried out by individuals or legal entities, regardless of the means used or the country where they are located, as long as the processing operation is carried out in Brazil.
India's Information Technology Act, 2000
The IT Act provides legal recognition for transactions carried out through electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve alternatives to paper-based communication and information storage.
California Privacy Rights Act (CPRA)
The CPRA, often referred to as CCPA 2.0, builds upon the CCPA and introduces additional data protection rights for California residents. It was passed in November 2020 and will come into full effect in 2023.
Federal Trade Commission Act (FTC Act)
The FTC Act protects consumers against unfair or deceptive practices and has been applied to both offline and online privacy and data security policies.
Electronic Communications Privacy Act (ECPA)
The ECPA is a US federal law that protects wire, oral, and electronic communications while they are being made, while they are in transit, and when they are stored on computers.
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
This US law encourages the adoption of health information technology, particularly electronic health records. It also tightens the HIPAA rules for protecting patient information.
The Privacy and Electronic Communications Regulations (PECR)
PECR is UK legislation that sits alongside the Data Protection Act and the GDPR. It provides specific privacy rights in relation to electronic communications.
Fair Credit Reporting Act (FCRA)
The FCRA is a US federal law that regulates the collection of consumers' credit information and access to their credit reports. It was passed in 1970 to address the fairness, accuracy, and privacy of the personal information held in the files of credit reporting agencies.
Federal Financial Institutions Examination Council (FFIEC) guidelines
Although not a law or regulation, the FFIEC's guidelines are influential in setting standards at the intersection of banking and technology in the United States. The FFIEC issues numerous handbooks on IT and cybersecurity, covering topics such as IT service provider management and the outsourcing of technology services.
The Cybersecurity Maturity Model Certification (CMMC)
The CMMC is a US Department of Defense certification process that measures a company's ability to protect sensitive data. It includes five different levels, each with a set of supporting practices and processes.
Protection of Personal Information Act (POPIA)
POPIA is South Africa's data protection law. It is designed to protect personal information, standardise the way personal data is managed, and provide rights and remedies that protect individuals from data breaches.
Russian Federal Law of July 27, 2006 No. 152-FZ "On Personal Data"
This is Russia's main data protection legislation, governing how businesses and government agencies handle Russian citizens' personal data, with particular requirements for data localisation.
The frameworks below provide best practices for a wide range of cybersecurity and IT governance tasks. Following them can help your organisation meet its regulatory obligations more effectively.
General Security Agreement (GSA)
The GSA in Canada typically outlines the basic terms of a lending relationship between a lender and a borrower, including security practices for companies working with the Canadian government.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an information security standard for organisations that handle branded credit cards from the major card brands. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
ISO 27001
ISO/IEC 27001 is the most widely known standard in the ISO/IEC 27000 family, of which there are more than a dozen; it specifies the requirements for an information security management system (ISMS). Using these standards enables organisations of any kind to manage the security of assets such as financial information, intellectual property, employee details, and information entrusted to them by third parties.
NIST Cybersecurity Framework (CSF)
Developed by the National Institute of Standards and Technology, this framework provides a policy framework of computer security guidance for private sector organisations in the United States.
NIST SP 800-53
This part of the NIST SP 800 series covers federal information security controls. It provides guidelines for selecting security control baselines for different kinds of information systems.
CIS Controls
The Center for Internet Security (CIS) Controls are a prioritised set of actions that together form a defence-in-depth set of best practices for mitigating the most common attacks against systems and networks. The CIS Controls are mapped to many regulatory frameworks.
Control Objectives for Information and Related Technologies (COBIT)
COBIT is a framework for IT governance and management. It bridges current business needs and IT-related goals through a generic process model and its supporting processes.
Information Technology Infrastructure Library (ITIL)
ITIL is a set of detailed practices for IT service management that focuses on aligning IT services with the needs of the business. It describes processes, procedures, tasks, and checklists that are neither organisation-specific nor technology-specific.
ISO 22301
ISO 22301 is the international standard for business continuity management systems (BCMS). It provides a practical framework for setting up and managing an effective BCMS, helping organisations respond effectively to disruptions.