By The Integrity360 Team on January 29, 2021

A Focus on Regulations and Frameworks

Cyber Risk and Assurance, Industry Trends & Insights

What’s being done to prevent costly, damaging cyber attacks? New and
upcoming regulations and frameworks are providing an industry standard for cyber security. Here’s what has happened this past year in the realm of cyber security regulation and frameworks — and what’s coming down the line.


PSD2

The PSD2, or Payment Services Directive 2, takes effect on 1 January 2021. It is hard to escape the news about it: a set of region-wide regulations for electronic payment services that will affect all banks, businesses, and customers.

To offset the effects of the pandemic, many of these changes will not be enforced until 14 September 2021 in the UK; the rest of the European Economic Area (EEA), including Ireland, has until 31 December 2020 to make the necessary changes. This also means that UK businesses that accept EEA cards still need to work toward having the changes implemented by the start of the year.

Once in effect, customers will be asked to take extra steps to confirm their identity when shopping online, using strong customer authentication (SCA). Even after Brexit, these regulations will still apply to the UK, which means organisations need to start strengthening their eCommerce practices now to meet them, if they haven't already.

SOC 2

Since information security is a growing concern for organisations across all industries, including those that outsource their operations to third-party vendors such as SaaS and cloud-computing providers, SOC 2 (System and Organisation Controls) was created to define specific criteria for managing customer data.

Mishandled data can leave companies vulnerable to attacks such as data theft, extortion, and malware installation. For this reason, the American Institute of CPAs (AICPA) created the SOC 2 certification to audit business practices and confirm that service providers are managing data securely. It is now effectively a minimum requirement when choosing SaaS providers. The criteria are based on five “trust service principles,” as follows:

  1. Security
  2. Availability
  3. Processing integrity
  4. Confidentiality
  5. Privacy

SOC 2 compliance isn’t brand new and it isn’t a hard-and-fast requirement for SaaS and cloud computing vendors, but it’s becoming increasingly popular as businesses come to understand the threat exposure their third-party vendors create, especially as more and more organisations move to cloud and SaaS providers during the pandemic.


ISO 27001

ISO 27001 continues to be one of the most popular information security standards globally. Organisations that have achieved compliance with ISO 27001 have shown that they are serious about keeping their data secure.

The need for an ISO 27001-compliant information security management system is as strong in 2020 and 2021 as ever, since a risk management assessment can head off potential disasters. An assessor’s evaluation of a system is still a valuable way to locate risks and determine the best course of action: whether to treat, tolerate, transfer, or terminate each risk based on the risk assessment.

While ISO 27001 isn’t new, it’s a leading choice for companies searching for a framework to establish a security strategy.

Cyber Essentials

Now managed by IASME since mid-2020, this globally recognised IT security standard remains a popular alternative to ISO 27001.

In the UK, if you want to bid for central government contracts that involve handling sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials certification.

UK companies with a turnover of less than £20m are entitled to Cyber Liability Insurance (terms apply) once they achieve self-assessed certification.

GDPR

The ongoing pandemic has affected EU data protection authorities and the organisations they regulate, as more people work from home and enterprises adapt their network security to allow for it.

Data protection authorities from France, Germany, Ireland, and the UK recently outlined their stance on enforcement of the GDPR as the pandemic continues. The takeaway? They plan to uphold enforcement actions and hold organisations accountable when they do not meet GDPR standards, even during the COVID-19 crisis.

This means that it’s more important than ever for businesses to understand how the changes they have made to their infrastructure during the pandemic have affected their data, and to ensure they are still fully GDPR compliant.

CSA Cloud Controls Matrix (CCM)

With so many organisations moving to the cloud, more are choosing to implement a cybersecurity control framework such as the Cloud Security Alliance’s Cloud Controls Matrix (CCM). This security tool is composed of 133 control objectives across 16 domains to cover all the key aspects of security in the cloud. The CCM can be used to assess cloud implementation and gain guidance on which security controls should be implemented, and where.

This framework is considered a benchmark for cloud security assurance and compliance and is mapped against industry-accepted security standards. It can be used to:

  • Strengthen security control environments
  • Reduce audit complexity
  • Normalise security expectations

The CCM also offers a questionnaire that can be used to assess cloud providers and document which security controls exist in each provider’s IaaS, PaaS, and SaaS.


If you are required to comply with any of the regulations above, or are considering aligning your organisation to any of the frameworks mentioned, please contact us to arrange a meeting with some of our expert team to discuss further.