Poornachander Kola

Compliance Frameworks

Growing business complexity and an expanding regulatory environment have led organizations to focus on governance, risk, and compliance (GRC).

The focus has largely been on accountability for regulatory compliance, followed by further initiatives that remain uncoordinated, in an era when risks are interdependent and controls are shared. The outcome is that these initiatives are poorly designed and managed in silos, increasing the overall business risk for the organization. Adding to the problem, parallel compliance and risk initiatives duplicate effort. Before the organization can assess the effectiveness of these initiatives, costs spiral out of control and the organization abandons them altogether. A Governance, Risk, and Compliance process, through control definition, enforcement, and monitoring, can coordinate and integrate these initiatives.

GDPR, PCI DSS, NIST, HIPAA, and FedRAMP are some of the acronyms of the major regulatory compliance frameworks that organizations should keep themselves familiar with. In this article we will touch on the rules of each framework and the effort that goes into complying with them.


The General Data Protection Regulation — better known as GDPR — is the latest and greatest major regulatory compliance framework to debut. The GDPR, which went into effect in May 2018, is a European Union regulation.

At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data.

Under the terms of GDPR, not only do organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so.

GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.


The Payment Card Industry Data Security Standard, or PCI DSS, is a regulatory standard developed by credit card companies to help protect cardholder data. It was introduced in 2004.

If you process, store, or transmit credit card data, PCI DSS applies to you.

Organizations that are subject to the PCI DSS must be PCI compliant. There are four levels of PCI compliance, based on the number of transactions you process per year and the level of risk assessed by the payment brands.

At a high level, the levels are the following:

  • Level 1 – Over 6 million transactions annually

  • Level 2 – Between 1 and 6 million transactions annually

  • Level 3 – Between 20,000 and 1 million transactions annually

  • Level 4 – Less than 20,000 transactions annually

Although the PCI DSS must be implemented by all entities that process, store, or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities.

The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called "control objectives". The six groups are:

  1. Build and Maintain a Secure Network and Systems

  2. Protect Cardholder Data

  3. Maintain a Vulnerability Management Program

  4. Implement Strong Access Control Measures

  5. Regularly Monitor and Test Networks

  6. Maintain an Information Security Policy


The National Institute of Standards and Technology, or NIST, has developed what is known as the NIST Cybersecurity Framework (CSF). Technically, the NIST CSF is not a regulatory framework but a policy framework; it constitutes a set of best practices for keeping data secure.

The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today.

Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.


The Health Insurance Portability and Accountability Act, or HIPAA, is one of the best-known regulatory compliance frameworks among consumers in the United States. It was introduced in 1996 and sets various standards and requirements regarding health data.

HIPAA is relatively high-level and was introduced at a time when technology platforms looked very different than they do today (although it has been updated somewhat since then). As such, HIPAA does not include much in the way of specific technical requirements for how health data is secured. The HIPAA stipulations are therefore open to interpretation when it comes to implementing them from a technology perspective.

According to HIPAA, the security compliance rules apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.
