IT Regulatory Standards Are an Alphabet Soup

IT regulatory standards got you down? If you work in IT or IT compliance, you’ve probably heard of the “Alphabet Soup” of regulatory standards. Think SSAE 16, SOC 2, HIPAA, PCI DSS, FISMA, ISO 27001, and others. But what do they all mean? Which one is right for me? Which one should I pursue? Why would I get this audit over that audit?

As auditors, we are most frequently asked these questions. To help answer these questions and familiarize you with the different audit frameworks, we’ve broken down the who, what, and why for the most commonly reported frameworks.

SSAE 16

If you work with publicly traded companies, financial institutions, or state or local government, you will often need to undergo an SSAE 16 audit by a third party. This audit is the most commonly used form of attestation for service providers in the US. So, what is an SSAE 16? It’s an audit and report on internal controls (related to information security, financial, operational, or compliance controls) at a service provider relevant to their client’s data. The SSAE 16 audit takes a risk-based approach, with specified objectives created to address client risk and controls or activities to accomplish each objective. A third-party auditor would examine your environment to ensure that your objectives are appropriate, your controls are effectively designed, and you are doing what you say. The effectiveness of an SSAE 16 audit depends on its scope.

SOC 2

Typically, the same clients asking you for an SSAE 16 will ask you for a SOC 2. Whereas SOC 1 was designed to validate internal controls at a service provider that relate to client financial reporting and to validate information security, SOC 2 is a framework specifically designed for companies delivering technology-related services. The SOC 2 framework is finally gaining popularity. SOC 2 was specifically designed to report on five principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The established criteria for each principle address the following questions: How are your policies and procedures relative to the standard documented? How do you communicate them to all interested parties? How do you monitor that those controls are being effectively performed?

HIPAA

If you work for a healthcare provider or a business associate who services a healthcare provider, you will be asked to validate your compliance with HIPAA laws. Any entity that handles Protected Health Information (PHI) will be responsible for compliance with HIPAA. Legislation requires appropriate Physical, Administrative, and Technical Safeguards to protect PHI. Much like the SSAE 16, HIPAA compliance is risk-based. You must begin by performing a Risk Assessment to determine what the appropriate physical, administrative, and technical safeguards are, implement those, and then perform regular monitoring to ensure the safeguards are still appropriate. There is no “hard list” of requirements for HIPAA, and there is no certification. A third-party audit would validate your controls and their appropriateness and effectiveness.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) applies primarily to the payment card industry. You must comply with PCI DSS if you store, transmit, or process cardholder data. Additionally, if you have a client who is required to comply with PCI DSS, they must also validate your compliance with the standard. PCI DSS is a robust information security standard and is sometimes used as a best practice, even if you don’t handle credit card data. A PCI audit is an information security audit focused on protecting credit card data. All PCI audits are performed by a PCI Qualified Security Assessor (QSA). The framework and process consist of over 200 controls and 1,000 audit tests. There are six control objectives with 12 subject areas. When a third-party auditor performs a PCI audit, it results in a PCI Report on Compliance (ROC).

FISMA

FISMA compliance is mandatory for anyone working with the federal government, a federal contractor, or a sub-service provider of a federal contractor. FISMA is a federal law. NIST Special Publication 800-53 outlines the security controls necessary to comply with FISMA. A FISMA audit thoroughly evaluates your information security practices against the NIST SP 800-53 requirements. It includes a detailed risk assessment and the selection of comprehensive controls based on whether you are categorized as low, moderate, or high risk. Among the frameworks we’ve discussed, FISMA is the most comprehensive.

ISO 27001-27002

You may be asked for an ISO 27001 audit if your customers conduct business globally. ISO 27001 is a comprehensive information security standard widely recognized and respected worldwide. ISO 27001 encompasses the entire standard, while ISO 27002 specifically covers the controls. An ISO 27001 audit thoroughly examines your Information Security Management System (ISMS), including management systems, risk management, internal audit, management review, continual improvement, and information security controls.

Choosing the best audit framework for your organization depends on various factors, such as your clients, clients’ clients, and the type of information you handle.

IT regulatory standards are indeed an alphabet soup of sorts. For more information on IT compliance or a specific framework, or if you’d like to speak with an information security specialist for a consultation, contact us today!
Sarah Morris is the managing editor at KirkpatrickPrice and a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations updated on information security and regulatory compliance by being a thought leader and developing valuable content centered on industry trends and best practices.