Regulatory Compliance & Standards
Compliance may be the biggest driver in information security. Unless your organization doesn’t use technology, this probably isn’t news to you. High-profile breaches in the retail and healthcare industries have made PCI and HIPAA household terms. Compliance, however, has a negative connotation for many individuals and organizations alike.
Widespread frustration and disillusionment within the information security profession has led to phrases like “compliance doesn’t equal security.” We agree. We believe, however, that in its proper place, compliance can be incredibly healthy and helpful. Ultimately, this requires a strategic shift that changes the target of compliance from external regulations to internal requirements.
Internal requirements include regulatory and contractual requirements and much more. By shifting your compliance focus from being consumed by PCI or HIPAA to being directed by internal requirements, you can save your organization from falling into the folly of regulatory tunnel vision. Your internal requirements should focus on your unique threats and be built upon an industry standard, such as NIST SP 800-66 for the healthcare space.
Once you have a security program that is strategically focused on what matters to your organization, compliance again becomes valuable. Internal compliance ensures that your security controls are addressing your unique risks. Internal compliance, when properly defined, also ensures that you are meeting your regulatory requirements. That is why, at True, we say that compliance doesn’t equal security, but security equals compliance.
True has extensive experience with many different standards and regulations. Some of the most prominent ones are listed below.
PCI DSS
The Payment Card Industry (PCI) Data Security Standard (DSS) is one of many PCI standards created to protect cardholder data. As a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), True is uniquely qualified to help your organization navigate PCI requirements. Learn more about our PCI Compliance services.
NIST SP 800-66 is focused on information security within the unique confines of the Healthcare industry. We are highly experienced in building security programs and performing Information Security Risk Assessment services based upon this standard.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is revolutionizing security in the Healthcare industry, and we are on the front lines with our clients and partners in this space. Learn more about our HIPAA Compliance services.
The NIST Cybersecurity Framework pertains especially to companies in the Energy & Utilities industry. We frequently perform Information Security Risk Assessment services and build security programs mapped to this standard.
NERC CIP
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are designed to protect North America's bulk electric grid, thereby affecting the Energy & Utilities industry. Learn more about our NERC CIP Compliance services.
NIST SP 800-53 is tailored to organizations within State, Local and Tribal Government. We frequently perform Information Security Risk Assessment services and build security programs mapped to this standard.
FFIEC
Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) audits are becoming increasingly challenging for financial organizations as IT Examiners become increasingly capable of evaluating the intricate details of the complex security controls required to protect against today's advanced threats. True is here to help. Learn more about our FFIEC Compliance services.
NIST SP 800-171 pertains especially to companies within the Manufacturing industry. We are adept at building security programs and performing Information Security Risk Assessments mapped to this standard.
ISO 27001/27002 are universally applicable information security standards that we routinely utilize within our Information Security Risk Assessment and Security Program Development services.