HITRUST, NIST, NY DFS, EU GDPR
With the deadline fast approaching, anticipation for the EU's General Data Protection Regulation is building.
The General Data Protection Regulation (GDPR), the flagship of the new IT regulation model, will be fundamentally different from much of the guideline legislation that preceded it. While earlier laws governing digital information prohibited specific infractions, this new paradigm forces organizations to completely revamp the practices through which they engage with data. Only through accountability for the whole system can firms achieve compliance with these laws. Data governance, system security, and data loss risk management are all components of an enterprise for which accountability will need to be demonstrated.
This pattern can also be seen in emerging data policy in the United States. Standards from the National Institute of Standards and Technology (NIST) have become increasingly influential in determining US cybersecurity policy. President Trump signed an executive order last May that made all NIST guidelines the official standard for all government organizations, and the Institute is becoming increasingly influential in the civilian realm as well. Like the GDPR, NIST's “Cybersecurity Framework” (CsF) lays out a comprehensive approach for how organizations can mitigate cyber threats and protect their data. Also similar in flavor to the GDPR, the CsF requires that companies develop “detection” and “protection” awareness, to ensure that managers are aware at all times of the types of data being collected and the manner in which they are stored.
Private industry has been busy producing strategies for addressing this new challenge of regulatory compliance. One company that has been a leader in developing these strategies is the Health Information Trust Alliance, or HITRUST, a privately held US-based company. In collaboration with other information security leaders, HITRUST recently released what it calls a Common Security Framework (CSF). The CSF was specifically designed to help companies report on their cybersecurity posture “leveraging the NIST Cybersecurity categorization.” HITRUST has not stopped there. The company reported in July that it plans to expand its support for data privacy programs to “incorporate the EU GDPR.”
State & Local Regulations
More local laws with guidelines geared toward system-wide accountability are also beginning to appear in the United States. The New York Department of Financial Services (NYDFS) Cybersecurity Regulation is one recent example.
The current trend in IT regulation demands something new from companies
Organizations will need to implement solutions that put control over system-wide data back into the hands of managers. GTB’s Data Loss Protection program permeates all facets of an enterprise network, from cloud storage to on-premises databases, and provides the tools for companies to stay aware of engagement with sensitive data. Smart algorithms based on intelligent mathematics allow for the seamless detection of critical information without disrupting operations. Additionally, GTB’s platforms let firms maintain oversight of all elements of a system, from risk management to the outside transfer of data.
System-wide regulations will require a system-wide solution. Implementing GTB’s Smart programs will empower companies to achieve compliance in the new era of IT-governing laws.