© Yvonne Wilson, Abhishek Hingnikar  2019
Y. Wilson, A. Hingnikar, Solving Identity Management in Modern Applications, https://doi.org/10.1007/978-1-4842-5095-2_20

20. Compliance

Yvonne Wilson (1) and Abhishek Hingnikar (2)
(1) San Francisco, CA, USA
(2) London, UK
 

“Compliance” is just a subset of “governance” and not the other way around.

—Pearl Zhu, from Digitizing Boardroom (2016)

Mention the word “Compliance” to an application development team, and you may get some quizzical looks. What exactly is compliance and why does it matter to application developers? This chapter will provide a brief overview of compliance, why it’s needed, how it benefits application providers, and how to approach it.

What Is Compliance?

Compliance is conformance to a rule, such as a specification, policy, standard, or law. Organizations set compliance goals to ensure that their policies and practices conform to the laws, regulations, and standards that apply to them. While compliance is mandated and enforced differently across the globe, its purpose is to verify that measures are in place to protect the privacy of individuals and the confidentiality, integrity, and availability of services and data. One way of categorizing the different types of compliance is
  • Compliance required by legislation

  • Compliance required by an industry

  • Elective compliance

For compliance that is required by legislation or a particular industry, you must determine if the compliance requirements apply to your project and take steps to comply if so. For elective compliance, you can determine if it is advantageous to you to comply. A later section will explain why compliance can be beneficial for your project. If you are part of a larger company, compliance requirements may be given to you by a compliance team, possibly in conjunction with outside auditors. If you are part of a small startup building a new application, you may wish to hire an auditor to help you understand the requirements that apply for your type of project.

Government-Mandated Compliance

Many governments have established legislation regarding privacy and data protection.i Perhaps the most well known is the GDPR (General Data Protection Regulation).ii Adopted in the European Union, it took effect in May 2018. It contains 99 articles which describe the principles underlying the GDPR, its specific provisions, the supervisory authorities, penalties for noncompliance, and practical matters related to implementation. The GDPR defines the legal bases for processing personal data, outlines the obligations of organizations which collect and process personal data, and establishes the rights of the data subjects whose personal data is being processed.

The scope of the GDPR is any product or service that processes (e.g., collects, stores, uses, transmits, deletes) the personal data of people in the EU, regardless of where such data is held. This includes companies established outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. It applies to companies of any size, though Article 30 of the GDPR provides a recordkeeping exemption for organizations with fewer than 250 employees that also meet additional criteria about the nature of their processing. The GDPR also requires data protection by design and by default (Article 25): organizations must take the state of the art into account when designing applications, embed privacy protections into the design itself, and ship with default settings under which only the personal data necessary for each purpose is processed. If your service is likely to be used by people in the EU, you need to understand and comply with the requirements stemming from this legislation.

The GDPR is the most comprehensive change to data privacy legislation in over 20 years. Its effects are being felt globally, and other jurisdictions are establishing similar laws. In the United States, the State of California passed the California Consumer Privacy Act (CCPA), a law that expands the privacy rights of California residents. The CCPA goes into effect in January 2020 and entitles residents to know what personal data is being collected and whether it is sold or shared, to opt out of the sale or sharing of their personal data, to access their data, and to receive equal service and pricing even if they exercise their opt-out choice. Other states, including Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, Rhode Island, and Vermont, are drafting their own consumer privacy acts.

At the US Federal level, the Federal Trade Commission (FTC) Fair Information Practice Principles (FIPPs)iii are designed to ensure that the practice of collecting information is fair and provides adequate privacy protection. They are based on the principles of Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, and Enforcement/Redress. The FIPPs are recommendations for privacy-friendly, consumer-oriented data collection practices, to be adopted through self-regulation rather than enforced directly. The same principles are reflected in many sectoral laws, including the Fair Credit Reporting Act and the Right to Financial Privacy Act.

Similarly, HIPAA (Health Insurance Portability and Accountability Act)iv and HITECH (Health Information Technology for Economic and Clinical Health Act)v are US legislation which apply to the handling of healthcare-related data. These frameworks may apply to you if you process, store, or transmit electronic protected health information (PHI) for your customers, whether as a covered entity or as a business associate of one. These are just a few examples of government-mandated requirements.

Industry Compliance

Compliance requirements can stem from an industry when a consortium of companies in that industry creates a standard and a means of enforcing it. The payment card industry requires all organizations that handle payment card data, including credit and debit cards, to comply with a set of standards known as PCI DSS (Payment Card Industry Data Security Standard).vi This set of security standards was created by the PCI Security Standards Council (PCI SSC), which was founded by five international payment brands (American Express, Discover, JCB, Mastercard, and Visa).vii The standards are designed to protect payment card data held or processed by companies.

Compliance with PCI DSS is enforced by the individual payment brands (the five brands that founded the PCI SSC), typically through the acquiring banks that contract with merchants. The PCI DSS controls apply to systems which process, store, or transmit cardholder data or sensitive authentication data, and also to any systems connected to, or able to affect the security of, the environment that contains or processes such cardholder data. If your organization accepts, handles, or stores any type of payment card data, or if you outsource payment processing to a third-party vendor but can still impact the security of the payment transactions in some way, you likely have obligations under PCI DSS.

Elective Compliance Frameworks

There are other security-related standards for which compliance is elective. Companies can choose to be audited against these standards to demonstrate that their practices and operations follow the standard. For example, a company can elect to be certified against ISO/IEC 27001, the certifiable standard in the ISO/IEC 27000 family of standards for information security management systems.viii Another elective security standard is from the CSA STAR (Cloud Security Alliance Security, Trust, Assurance and Risk) Program.ix The CSA STAR program is built on a comprehensive list of controls known as the Cloud Controls Matrix (CCM). Compliance with these or other elective standards is a choice. Companies can weigh the cost and level of effort for compliance against the benefits, which can include achieving competitive advantage, expanding into new markets or industries, supporting a brand image, or responding to customer audit requests efficiently.

Why Compliance

Compliance required by legislation or an industry is typically mandatory. Recent years have seen the passage of privacy- and security-related legislation as a reaction by governments to the alarming number of security breaches that have occurred. If your project falls under the jurisdiction of legislation which requires compliance, you must comply. Elective compliance, however, is a choice. There are several reasons why companies choose to be certified against a set of security or privacy standards:
  • Protect the sensitive data they process or hold

  • Use certification as a competitive sales tool

  • Show due diligence to minimize penalties in the event of a breach

  • Cost savings and efficiency in handling customer audit requests

Each of these reasons can offer significant benefits, as described in the following sections.

Data Protection

The first reason for pursuing compliance with an elective standard is to ensure your organization is doing its due diligence to protect the data it is under contract to protect. This is essentially the “sleep well at night” argument for compliance. The process of preparing for an audit initiates a thorough review of security- and privacy-related practices. This identifies any lapses from policy or defined procedures that might lead to vulnerabilities, so they can be fixed. Regular audits reinforce security best practices as your organization grows and changes. Of course, passing an audit does not guarantee an absence of security incidents. Target had been assessed as compliant with PCI DSS and unfortunately still suffered a significant breach.x However, a properly implemented compliance framework and certification should reduce both the likelihood of a security incident and its impact should one occur.

Competitive Advantage

A second reason to obtain a compliance certification is because it can be used as a competitive sales tool. With so many breaches in the news, and penalties for data breaches increasing, customers are demanding more security assurances from their vendors. Having a certification from an independent, third-party auditor can help assuage customer concerns. This can reduce delays related to security concerns during the sales cycle and may help close deals. Vendors with security-conscious customers may find certification valuable for this reason.

Reduce Penalties

Another good reason to obtain certification is to reduce penalties in the event of a breach. For example, under the GDPR, adherence to an approved certification mechanism is one of the factors a supervisory authority takes into account when deciding whether to impose a fine for a compromise of personal data, and how large it should be. A certification is no guarantee against a breach, but if you have audit evidence of due diligence in implementing best practices, you may receive lower fines than if you do not have a certification in place.

Efficiency

A final impetus to earn certification is efficiency and cost reduction. A given cloud service today typically uses many components in its software stack and relies on a number of cloud services. Many of the cloud services used by a company may have visibility into its sensitive data including personal data of its customers. In order to provide a secure service to customers, a company must ensure that every third party it uses protects the data it shares with them. The challenge is how to obtain such assurance efficiently from the vendors.

In the absence of any standards for privacy and security, each company would need to define privacy and security standards and examine each of its vendors against them. Such an examination would need to review policies and procedures for managing employees, assets, access, physical and environmental security, software development, operations, network security, incident management, and business continuity. The examination would also need to check evidence that policies and procedures for all those areas are being followed and the organization’s documented controls are operating effectively. This is a lot of information to analyze!

The field work for such an audit can take a week or more. Even a small company will typically have several vendors to review, and because there is always entropy in organizations, it is wise to repeat audits at least annually. It would be very costly for a company to conduct its own audits of every vendor it uses. From a vendor’s perspective, it would be time-consuming to provide such evidence individually to each of their customers. In the absence of standards, different customers would request different data and perhaps in different formats, making the work to provide evidence to every customer unmanageable.

Security- and privacy-related standards provide a standard list of practices and a consistent expectation for evidence to demonstrate compliance with the standard. This enables a company to hire an independent third-party auditor to conduct a review and certify the company’s practices against a standard. A company’s customers can then rely on the independent auditor’s assessment instead of conducting their own audit. A vendor undergoes one audit (for each type of assessment) and can then share the official audit report with all of its customers. Customers can use an auditor’s report as evidence that they’ve done their due diligence to ensure they are using vendors who provide an adequate level of data protection. The entire process is made more efficient and manageable for vendors and customers alike.

Compliance Landscape

Compliance frameworks are often divided into privacy and security categories, but privacy frameworks often include some form of security requirements because security is a prerequisite for privacy.

Security Compliance

Security compliance frameworks are mandatory for some industries. Compliance with PCI DSS is required for the Payment Card Industry. Compliance with HIPAA and HITECH security rules is required in the United States for the healthcare industry. FISMA is required for US government agencies and FedRAMP for cloud providers providing services to US government agencies. Companies can also elect to be certified for elective security compliance frameworks. A list of some security-related compliance frameworks is provided in Appendix G.

Privacy depends on security, so it is common for privacy-related legislation to contain security requirements. The GDPR contains articles that require security of data and privacy by design. HIPAA in the United States has a “Security Rule” that similarly requires data stewards to adequately protect healthcare data. When creating a security compliance roadmap, be sure to include security requirements stemming from any privacy-related obligations your project may have.

Privacy Compliance

Many countries have now enacted privacy-related legislation to protect the rights of individuals with respect to how their personal data is handled. In fact, over 100 countries around the world have enacted some sort of privacy legislation.xi A few data privacy laws and sources for identifying more are listed in Appendix F. Your project may be subject to a jurisdiction’s privacy laws if you receive, collect, process, or store data about people in that jurisdiction. In other words, you may need to comply with a country’s legislation even if your business has no legal presence there, as with the GDPR (General Data Protection Regulation) in the EU.

The role you play in handling data influences your obligations. Privacy legislation often differentiates between the responsibilities of a data controller and a data processor. A data controller determines the purposes and means of processing personal data, as documented in a contractual agreement or policy. The data controller collects data from end users and has obligations such as providing privacy notices, obtaining user consent for the use of their data where consent is the legal basis, and providing users with access to their data as well as the ability to correct it. A data processor, on the other hand, processes data only in accordance with instructions from a data controller, as set out in a data processing agreement. Knowing whether you are a data controller or a data processor (or both, for different data sets) is essential to understanding your privacy obligations.

It is also important to determine privacy obligations early in the project cycle, because they can impact the application design in order to give notice about the purposes of data collection, obtain consent for how data is used, manage data retention, and implement data correction and erasure features. Knowing such requirements early in the project cycle is critical for a realistic project plan.

If you are writing an application that holds any personal data about individuals, you should understand where your users are located and the privacy requirements that apply in the jurisdictions applicable to your user population. You should also check for security- or privacy-related legislation for your industry. You need to know your role in the handling of data, whether data controller or data processor, and the requirements for that role. Once you have your compliance requirements, it’s time to prepare for and pursue certification.

Assessment and Certification

Some standards rely on self-assessment, but most require an audit by an independent third-party organization certified to conduct the particular type of audit. Self-assessment requires an organization to examine their policies and practices against the standard and remedy any gaps. The CSA STAR framework’s first level of compliance is one example that involves self-assessment. Even if insufficient for official certification, self-assessment can be a useful first step in preparing for an independent, third-party audit.

For many other standards, an independent, third-party audit of policies, practices, and operations against the standard is a requirement. ISO/IEC 27001, for example, requires an audit by an accredited certification body for an organization to be considered certified. When third-party assessment is required, the organization that publishes the standard will typically certify auditors or establish the criteria for certifying them. Certified auditors then conduct the assessments, in accordance with audit standards, to evaluate whether an organization complies with the standard. Auditor certification ensures audits are carried out in a rigorous, consistent, and unbiased way, and the use of certified auditors is required for many certifications.

How to Proceed

Once you’ve identified relevant compliance frameworks for your project, you need to plan the work required to implement and demonstrate compliance. The following list of activities can help you understand and organize the effort:
  • Identify the national, state, or industry-specific privacy legislation applicable for the regions in which your business operates.

  • Research privacy and security requirements for the countries or regions in which your users reside.

  • Identify cybersecurity requirements applicable for your industry.

  • If you supply services to public sector organizations or process government data, check for applicable government requirements.

  • Identify elective security standards which may be beneficial to demonstrate your security practices to prospective customers.

  • Consult with legal, privacy, or security experts if you have any questions about which legislation or security requirements apply.

  • Create a data map that describes the data elements of all data repositories and data flows for all data you handle.

  • Note all data elements in the map which involve personal data.

  • Document the reason for collecting the data and the data processing activities to be performed with the data.

  • Review data processing to ensure your application collects the minimum data required in accordance with your privacy statement.

  • If available, use a self-assessment tool for a compliance standard to identify gaps that must be mitigated before an official audit.

  • Retain a separate advisory auditor for a readiness assessment or informal gap analysis before the official audit, so you know what to expect and can remediate findings first.

  • Know the period and scope of evidence required for an audit. Some certifications assess controls over an observation period and require up to a year’s worth of past evidence that the controls operated effectively.

  • Make a list of audit evidence required, and identify owners within your organization for each category of evidence.

  • Periodically check that owners understand the evidence required and their teams are generating the evidence needed for an audit.

  • Select a reputable third-party auditor with experience in your domain and who will provide both an official audit result and an internal report on recommended improvement activities.

  • Prior to an audit, get the official list from the auditor of evidence required. Work with owners to obtain the requested evidence.

  • During the audit, additional information is often requested. Have parties ready to gather additional evidence.

  • Conduct a postaudit assessment after an audit to identify what went well and how to improve the process for the next audit.

  • Focus on one certification at a time.

Summary

Privacy-related compliance is usually mandatory, by virtue of government legislation to protect people’s privacy and personal data. Security-related compliance may be elective in some cases, but is undertaken for several reasons: as a sales tool, to efficiently satisfy customer demands for audits, to demonstrate due diligence and reduce penalties in the event of a breach, or simply to help you sleep at night. There are myriad privacy laws and security standards, but there is a lot of overlap across them. Once you’ve passed a certification for one, you will likely be able to reuse some of the work to satisfy the requirements of additional compliance frameworks. This chapter concludes our advice for current projects, so in the last chapter, we’ll share our ideas about why we think identity management will be even more important and necessary in the future.

Key Points

  • Compliance involves assessing and demonstrating adherence to a set of controls.

  • Privacy- and security-related compliance may be required by legislation or industry.

  • Security-related compliance can be chosen for security and business advantage in scenarios where it is not mandatory.

  • Privacy-related legislation is mandatory for entities which meet the criteria set out in the legislation.

  • Over 100 countries have enacted privacy-related legislation.xii

  • In the United States, privacy-related legislation is being enacted by many states.

  • Certification against privacy- and security-related compliance frameworks:
    • Demonstrates due diligence in protecting data you manage

    • Can be used as a competitive sales tool

    • May lessen fines in the event of a breach

    • Is an efficient way to respond to audit needs of individual customers

  • A critical first step for compliance is building an inventory of systems and the data they contain, along with the reason for collecting any personal data and how the data is processed.
