The Importance of Compliance in Cybersecurity
– BY USMAN ALTAFULLAH
More than ever, cybersecurity, as an industry and as a field, has been growing exponentially in terms of the workforce and reach.
From commercial and conglomerate entities such as banks, home goods stores, online shopping, email transactions and purchasing, to known, new and emerging threat vectors detected in cars, drones, cell phones, tablets and other innovative devices, cybersecurity safeguards appear to be creeping into every aspect of everyday life.
End users want to get from point A to point B with relative ease and with full confidence that the information is unaltered and preserved, and that the information they seek will be available. In cybersecurity, we call this desire the CIA triad, where:
- C is for confidentiality. When accessing information, you should expect that it will be available only to you, and only after you present the correct identifying information to access it.
- I is for integrity. This means the data or information is unaltered and preserved.
- A is for availability. This means end-users are unhindered and unburdened when they seek to access the data.
While the CIA triad is primarily used in federal spaces, the perspective it brings can be embraced by all end users and professionals.
To highlight how easily other industries can and should utilize the CIA triad, we’re going to draw the correlations between the underlying principles of the CIA triad coupled with another buzzword that often gets groans and vocalized frustration: Compliance.
When the term “compliance” is uttered, it is usually followed by a litany of reasons why being compliant is a challenge: there are too many obstacles, too much red tape and too much bureaucracy.
All personnel, from the CEO to traditional on-site employees and local managers, need to follow the rules of their organization when it comes to staffing. Staffing traditionally includes hiring, firing, workplace behavior (rules of behavior documents/policies) and matters specific to personnel retention and growth.
Whether you are working at McDonald’s or Microsoft, Wells Fargo or Wawa, or even when you interact with a waiter at a restaurant or a doctor at a hospital, the organization’s compliance rules must be followed. This usually entails bringing candidates on board, making sure they are qualified and that they were trained appropriately to manage their roles.
These requirements are not always organizationally developed, but companies may be required to follow these rules as they are federal laws, regulations and acts that apply to the workplace, workforce behavior and operations.
Compliance concepts can also apply to physical, virtual, software and hardware-related information technology (IT) acquisitions (assets) made by an organization – this is often referred to as asset compliance. This can be a cash register or an ATM within a mall, a computer setup for self-service, or even mobile phone displays.
This is doubly so for widely available commercial offerings that aim for convenience over security. If there has ever been a thought along the lines of “why can’t I just do <blank>?” with a piece of available technology, odds are there are requirements that must be followed.
The tricky part with asset compliance is that it is the one thing that can be guaranteed to not be universal across organizations – federal and commercial – public or private.
The type of data a system processes, stores, transmits, and reads can also present compliance-related impacts. For example, publicly available information and workers’ financial information will each carry their own compliance impacts, contingent upon organizationally defined implementation standards.
These requirements may be by the Federal Communications Commission (FCC) or another federal entity that deemed it prudent to require specific parameters or requirements before an action can be taken.
An example of this would be FCC 15-92.¹ This FCC rule was enacted in 2015 and mandated that RF (radio frequency) devices be updated with appropriate markings and labels.² It covers routers, firewalls, networks, and other similar devices. Commercial entities must comply with its provisions or reach deals with the FCC if violations are identified and present.³
As another example, suppose an organization is unaware of the assets and systems it owns, or of who is managing those assets. In that case, the door is open to malicious attackers and threats that can expose and exfiltrate that information.
The organization size and scope will vary over time; however, without knowing the lay of the land, the terrain remains uncharted and untenable.
Each organization should be aware of the compliance requirements for responding to incidents but also be aware of federal mandates, acts and requirements that have identified critical areas that will need a response process in place.
Compliance has a unique duality to it – it lacks ubiquity in that not every organization or entity will face the same compliance requirements – but also reinforces ubiquity in the perspective that rules and mandates must be followed no matter the organization. This double-edged sword is a large part of why becoming compliant and remaining compliant is a challenge. It will require robust collaboration and growth to overcome, so that we as a community not only understand the rules, but we also understand why we must follow them.
¹ FCC. (2015, August 8). Federal Register / Vol. 80, No. 151 / Thursday, August 6, 2015. Proposed Rules.
² Benchoff, B. (2016, August 2). Hackaday. Retrieved from https://hackaday.com/2016/08/02/fcc-reaches-agreement-with-router-manufacturers/
³ FCC. (2022, February 28). In the Matter of Secure Internet Routing. Federal Communications Commission FCC 22-18.
About the Author
Usman Altafullah is a security engineer at SealingTech. He has been working in the cybersecurity field for over a decade helping to ensure that cybersecurity knowledge and information is not just reserved for the private sector. He believes anyone who is willing to read and share the knowledge should be able to receive it so they can understand it.