IT Compliance and Cyber Security: Understanding the Differences

IT compliance and cyber security are often used interchangeably, even within the cyber security and compliance fields. This is the basis for the completely incorrect and dangerous notion that achieving compliance automatically equals being secure.

While there is some overlap, and the two fields complement each other, IT compliance and cyber security are not the same, and being compliant – with HIPAA, FedRAMP, PCI DSS, or any other framework – is not the same thing as being secure.

What is cyber security?

Cyber security is the protection of computer hardware, software, systems, networks, and data from cyberattacks. It is a very broad field that encompasses an enterprise’s policies, processes, end user education, and technical controls to address the following areas:

• Application security – securing software and apps
• Information security – securing data, including customer data, employee data, and confidential business information
• Network security – securing the ports and databases within a network
• Operational security – classifying information assets and determining the controls needed to secure them
• Cyber incident management and response

What is IT compliance?

There is much overlap between the goals of IT compliance and cyber security, which is the root of the confusion. They both address securing hardware and digital assets. However, unlike cyber security requirements, which are developed internally, IT compliance requirements are mandated by a third party, such as the government, an industry regulatory body, or a client.

• Organizations operating in the healthcare industry in the U.S. must comply with HIPAA, a federal law
• Organizations around the world that wish to accept major payment cards must comply with PCI DSS, a set of standards mandated by the major credit card brands
• The U.S. federal government requires organizations that wish to sell cloud services to federal agencies to comply with FedRAMP
• Many private-sector businesses require their cloud services vendors to release an SOC 2 attestation

The takeaway is that enterprises implement cyber security controls for their own protection; they undergo IT compliance audits to satisfy a third party.

What are some additional differences between cyber security and IT compliance?

While many IT compliance standards, such as FedRAMP and SOC 2, are quite rigorous, they are not meant to provide full cyber security protection on their own. There’s no way they could.

• The cyber security threat landscape is dynamic; it changes on a daily basis. IT compliance frameworks change very slowly, typically annually or less often.
• Every organization’s data environment and risk profile are different. No IT compliance framework could comprehensively address every possible eventuality at every organization.

Additionally, some IT compliance regulations, such as the GDPR and the California Consumer Privacy Act, focus more on data privacy (giving individual consumers control over the data enterprises collect from them) than cyber security (protecting enterprise assets).

IT compliance complements cyber security

With the costs of IT compliance skyrocketing, some enterprises view compliance quite negatively, as a list of line items that must be checked off to conduct business in a certain industry or with certain clients. However, IT compliance complements enterprise cyber security and provides numerous benefits.

Compliance with certain standards, such as FedRAMP and SOC 2, is seen as a “gold standard” of data security by companies seeking to purchase cloud services, and compliance with the GDPR is seen by some consumers as a testament to a company’s commitment to data privacy. The process of undergoing a compliance audit also helps companies identify issues with their cyber security and data governance that may have otherwise gone undetected. Finally, IT compliance frameworks provide a good starting point for enterprise cyber security.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Understanding FedRAMP security impact levels and baselines

You would never pay $1,000 upfront and $30/month for a security system to protect a shed containing $100 worth of lawn equipment. However, you wouldn’t hesitate to spend that much or more to protect your home and family. The same concept applies in information security. Different kinds of data necessitate different levels of security, which is why FedRAMP security impact levels exist. A government agency that deals with data that is widely available for public consumption doesn’t require as many security controls as an agency that works with classified data.

There are three FedRAMP security impact levels: FedRAMP Low, FedRAMP Moderate, and FedRAMP High. They are based on the three FISMA security objectives outlined in the Federal Information Processing Standard (FIPS199):

• Confidentiality: Protect personal privacy and prevent the unauthorized disclosure of proprietary information.
• Integrity: Prevent the unauthorized modification or destruction of information.
• Availability: Prevent disruptions to information access or use.

FedRAMP Low Security Impact Level

The FedRAMP Low Impact Level applies to cloud service offerings (CSOs) that will be used to work with data that is already publicly available; a breach of this data would not cause significant damage to the government agency or its operations, assets, or individuals. FedRAMP defines two baselines within the Low Impact Level category, the standard Low Baseline and what is known as the LI-SaaS Baseline.

The LI-SaaS Baseline applies to Low-Impact SaaS applications that do not store personally identifiable information (PII) other than what is generally required for login credentials, such as email addresses, usernames, and passwords. The LI-SaaS Baseline has fewer security controls that require testing and verification than the standard Low Baseline, and the required security documentation is consolidated.

FedRAMP Moderate Impact Level

This is the most common impact level, accounting for about 80% of CSOs that attain FedRAMP authorization. It applies to CSOs being used for data that is largely not available for public consumption, such as PII. If Moderate Impact data is breached, the agency’s operations, assets, or individuals would suffer serious adverse effects, such as operational damage, financial loss, or individual harm (though not physical harm or death).

FedRAMP High Impact Level

The FedRAMP High Impact Level, which was released in 2016, applies to CSOs being used by agencies that handle the most highly sensitive unclassified government data, such as law enforcement, emergency services, financial systems, and healthcare systems. A data breach could have catastrophic results, including loss of human life and economic crises. FedRAMP High systems must comply with 421 controls and reduce the probability of human error as much as possible by automating as many processes as possible.

When pursuing FedRAMP authorization, cloud service providers must ensure that they choose the correct security impact level for their CSOs. For example, cloud service providers whose CSOs qualify for standard Low Baseline or LI-SaaS would not decide to pursue a JAB P-ATO, which is more appropriate for CSOs that are Moderate and High Impact.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Advice for writing a successful FedRAMP SSP

A FedRAMP SSP (System Security Plan) is the bedrock of a FedRAMP assessment and the primary document of the security package in which a cloud service provider (CSP) details their system architecture, data flows and authorization boundaries, and all security controls and their implementation.

Keep in mind that to prevent conflicts of interest, 3PAO’s are prohibited by regulation from helping a CSP put together a FedRAMP SSP and also conducting that CSP’s FedRAMP assessment.

A FedRAMP SSP is a highly detailed document that must be readable, relevant, consistent, and complete. Even tiny mistakes can cause lengthy delays in the FedRAMP certification process. Here are some tips for writing a successful FedRAMP SSP.

Allocate sufficient time and resources to writing your FedRAMP SSP

Expect your FedRAMP SSP to be several hundred pages long. Putting together an SSP is never an overnight project, and it’s rarely a one-person job. Organizations generally require the input of several subject matter experts with deep technical knowledge of the systems they are documenting, as well as NIST and FedRAMP security controls.

Make sure the FedRAMP SSP is clear, concise, consistent, and complete

Although an SSP is a group project, it shouldn’t “look” like one when it is finished. FedRAMP PMO’s don’t expect System Security Plans to read like Pulitzer Prize-worthy literature, but they do expect that CSP’s to turn in a logically organized document that describes systems and controls clearly and completely, and that is not riddled with spelling and grammar errors. When reviewing an SSP, a FedRAMP PMO looks for the 4 C’s:

• Do not write meandering, convoluted, or overly long descriptions. Avoid the use of passive voice, as it could cause confusion. Do not include text that is not directly relevant to the specific control being described.
• Describe each system and control completely, but use as few words as possible. Make each word count.
• All system names and abbreviations, hardware and software elements, and citations referenced in the SSP should be referenced in exactly the same way throughout the entire document. The presentation style and level of detail should also be consistent throughout.
• Use the correct FedRAMP SSP template, and do not modify or remove sections. However, sections can be added if necessary. Address all required controls. If a control has multiple requirements, you must address all of them. If a control is inherited or does not apply, use a risk-based justification to explain why. You must describe how each control is addressed in your system; you cannot simply copy/paste or rephrase the control requirements.

Identify all people and places relevant to your controls

All people who are responsible for implementing/enforcing a security control must be identified, by role. All roles defined for a control should also be included in the SSP’s Roles and Privileges table.

The SSP must also describe all possible places where a control is implemented; for example:

• Access for both privileged and non-privileged users
• Access control, audit logging, maintenance, flaw remediation, and configuration management for all platforms
• Physical controls at all facilities

Be sure to select the correct Implementation Status for each control

A common SSP error is checking the wrong Implementation Status; for example, a control is marked Planned but does not identify a planned date. FedRAMP offers the following general guidance:

• If all or part of the control is an alternative implementation, check both “Partially Implemented” and “Alternative Implementation.”
• If all or part of the control is planned, check both “Partially Implemented” and “Planned.”
• If selecting a status of Planned, Alternative Implementation, and/or Not Applicable, clearly explain the aspects of the control that are Planned, Alternative, and/or Not Applicable in the implementation description.
• If the control is solely a customer responsibility, and the CSP has no responsibility for the implementation of the control, check “Implemented,” along with the appropriate customer-related control origination.

Use an automation solution such as Continuum GRC’s ITAM

Traditionally, creating a FedRAMP SSP has been an arduous, manual, and chaotic process involving dozens of text documents and spreadsheets. Updating and maintaining it over time was extremely difficult and prone to error, and it wasn’t integrated with any of the technologies 3PAO’s use to carry out FedRAMP assessments.

Now, CSP’s have access to automation solutions, such as the IT Audit Machine (ITAM) FedRAMP SSP module from Continuum GRC. ITAM is a cloud-based solution that uses pre-loaded, drag-and-drop modules to walk CSP’s through the process of preparing their SSP, ensuring completeness and accuracy. CSP’s not only save time and money upfront, while preparing their SSP, but later on, when they are ready to work with their 3PAO.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.