Ten data security standards

Data is a new currency of business. A new business can be built by using data and information and a well-reputed business can be destroyed by misusing information. Information is one of the most important assets to keep secure.

The Consequence of Lack of data Security

– Leakage of critical data & information (e.g. financial data, Passcode, Strategic information etc.)
– Damage to physical infrastructure
– Recurrance of incidents that stop operational activities
– Misuse of information leads to damage databases, public health, national security
– Violation of individual rights and many more

“We are not in an information age anymore. We’re in the information management age.” – Chris Hardwick

Now, it is clear why the protection of information is necessary. To protect the information, many organizations (e.g. ISO, ISACA etc.) and the governments of various countries from various regions (e.g. Europe, USA etc.) design many standards, frameworks and models.

10 Popular Standards/Framework for data Security

1. ISO/IEC 27001:2013

ISO/IEC 27001:2013 is an international standard developed by International Organization for Standardization (ISO) which provides guidelines to establish, implement, manage and continually improve Information Security Management Systems (ISMS).

The purpose of ISMS is to safeguard confidentiality, integrity and availability aspects of information.

ISO/IEC 27001:2013 is the basic standard to implement to practice security measures in an organization.

Any organization across the globe can go for the ISMS implementation regardless of its type of business, size, structure etc. In case of lack of understanding of the standard, the organizaiton may consider seeking professional assistance of IT management consulting service providers.

2. National Electronic Security Authority (NESA)

NESA is a government body of UAE which provides a set of guidelines to protect the critical information infrastructure of UAE and to improve national cyber security.

NESA controls are very similar to ISMS.

The unique points of NESA are,

Threat based approach
Broader scope
Binary Controls
Control Categories, Highest (P1) to Lowest (P4)
A tiered approach to ensuring compliance

NESA is applicable for the organizations which are situated in Europe or those who are handling European data.

3. National Institute of Standards and Technology (NIST)

The United States Congress developed the NIST framework.

The purpose of NIST is to provide a set of good practices to improve the cyber security practices of US-based organizations.

NIST Provides five points structure to improve cyber security practices,

Identify
Protect
Detect
Respond
Recover

NIST is applicable for the organizations which are situated in the US or those who are handling the US data.

4. Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) provides a set of guidelines to ensure all the organizations that process, store, or transmit credit card information maintain a secure environment.

A PCI DSS compliant company can claim that its systems are secure and its customers can trust it with their sensitive payment card information.

Any organization across the globe, which accepts, stores, transmits, or processes cardholder information should comply with the PCI DSS.

5. ISO/IEC 27701:2019

ISO/IEC 27701:2019 is an extension of ISO 27001 developed by ISO.

It provides the guidelines to establish, implement, maintain and continually improve the Privacy Information Management System (PIMS).

The purpose of PIMS is to secure Personally Identifiable Information (PII) by designing,

Rights of PII Principal
Robust Cross border transfer mechanism
Data Controller Rules
Data Processor Rules

Any organization across the globe can go for the PIMS implementation regardless of its type of business, size, structure etc.

6. General Data Protection Regulation (GDPR)

To protect personal data, the European Government developed the GDPR framework in April 2016.

The purpose of GDPR is to harmonise data protection directives and to strengthen citizens’ fundamental rights to personal data protection.

Any organization across the globe which handles European data needs to comply with GDPR.

7. Health Insurance Portability and Accountability Act (HIPAA)

The United States Congress enacted the HIPAA to safeguard the health information or Protected Health Information (PHI) of patients.

HIPAA is applicable for the organizations which are situated in the US or those who are handling the US data.

8. ISO/IEC 27018:2014

ISO 27018:2019 is an extension of ISO 27701 developed by ISO. It provides guidelines to protect Personally Identifiable Information (PII) stored in a cloud platform.

Any organization across the globe can go for the ISO 27018 implementation regardless of its type of business, size, structure etc.

9. ISO/IEC 27032:2012

ISO/IEC 27032:2012 developed by ISO to secure cyberspace information by providing a guide for cyber security.

ISO 27032 and ISO 27001 are closely related to each other.

ISO/IEC 27032:2012 standard is not for certification but, any organization across the globe can practice the guidelines to improve its cyber security.

10. Service Organization Criteria (SOC) 2

Created by the American Institute of CPAs (AICPA), SOC 2 characterizes standards for overseeing client information in light of five “trust administration standards”.

Security
Availability
Processing Integrity
Confidentiality
Privacy

SOC 2 is an internationally recognized standard specifically designed for service providers storing customer data in the cloud. SOC 2 applies to practically every SaaS organization, just as any organization that utilizes the cloud to store its clients’ data.

7 Common Benefits of Implementing These Standards/Frameworks

Establish a benchmark and get a competitive advantage by following best security practices
Improve customer confidence by maintaining effective security posture and efficient processes
Ensure the organization’s reputation by minimizing the chances of security breaches
Avoid penalties by meeting the legal obligations
Distinguish and treat the potential privacy issues at a beginning phase
A better understanding of data management
Increase awareness of privacy and data protection across the organization

Ten data security standards

Data is a new currency of business. A new business can be built by using data and information and a well-reputed business can be destroyed by misusing information. Information is one of the most important assets to keep secure.

The Consequence of Lack of data Security

– Leakage of critical data & information (e.g. financial data, Passcode, Strategic information etc.)

– Damage to physical infrastructure

– Recurrance of incidents that stop operational activities

– Misuse of information leads to damage databases, public health, national security

– Violation of individual rights and many more

“We are not in an information age anymore. We’re in the information management age.” – Chris Hardwick

Now, it is clear why the protection of information is necessary. To protect the information, many organizations (e.g. ISO, ISACA etc.) and the governments of various countries from various regions (e.g. Europe, USA etc.) design many standards, frameworks and models.

10 Popular Standards/Framework for data Security

1. ISO/IEC 27001:2013

ISO/IEC 27001:2013 is an international standard developed by International Organization for Standardization (ISO) which provides guidelines to establish, implement, manage and continually improve Information Security Management Systems (ISMS).

The purpose of ISMS is to safeguard confidentiality, integrity and availability aspects of information.

ISO/IEC 27001:2013 is the basic standard to implement to practice security measures in an organization.

Any organization across the globe can go for the ISMS implementation regardless of its type of business, size, structure etc. In case of lack of understanding of the standard, the organizaiton may consider seeking professional assistance of IT management consulting service providers.

2. National Electronic Security Authority (NESA)

NESA is a government body of UAE which provides a set of guidelines to protect the critical information infrastructure of UAE and to improve national cyber security.

NESA controls are very similar to ISMS.

The unique points of NESA are,

Threat based approach

Broader scope

Binary Controls

Control Categories, Highest (P1) to Lowest (P4)

A tiered approach to ensuring compliance

NESA is applicable for the organizations which are situated in Europe or those who are handling European data.

3. National Institute of Standards and Technology (NIST)

The United States Congress developed the NIST framework.

The purpose of NIST is to provide a set of good practices to improve the cyber security practices of US-based organizations.

NIST Provides five points structure to improve cyber security practices,

Identify

Protect

Detect

Respond

Recover

NIST is applicable for the organizations which are situated in the US or those who are handling the US data.

4. Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) provides a set of guidelines to ensure all the organizations that process, store, or transmit credit card information maintain a secure environment.

A PCI DSS compliant company can claim that its systems are secure and its customers can trust it with their sensitive payment card information.

Any organization across the globe, which accepts, stores, transmits, or processes cardholder information should comply with the PCI DSS.

5. ISO/IEC 27701:2019

ISO/IEC 27701:2019 is an extension of ISO 27001 developed by ISO.

It provides the guidelines to establish, implement, maintain and continually improve the Privacy Information Management System (PIMS).

The purpose of PIMS is to secure Personally Identifiable Information (PII) by designing,

Rights of PII Principal

Robust Cross border transfer mechanism

Data Controller Rules

Data Processor Rules

Any organization across the globe can go for the PIMS implementation regardless of its type of business, size, structure etc.

6. General Data Protection Regulation (GDPR)

To protect personal data, the European Government developed the GDPR framework in April 2016.

The purpose of GDPR is to harmonise data protection directives and to strengthen citizens’ fundamental rights to personal data protection.

Any organization across the globe which handles European data needs to comply with GDPR.

7. Health Insurance Portability and Accountability Act (HIPAA)

The United States Congress enacted the HIPAA to safeguard the health information or Protected Health Information (PHI) of patients.

HIPAA is applicable for the organizations which are situated in the US or those who are handling the US data.

8. ISO/IEC 27018:2014

ISO 27018:2019 is an extension of ISO 27701 developed by ISO. It provides guidelines to protect Personally Identifiable Information (PII) stored in a cloud platform.

Any organization across the globe can go for the ISO 27018 implementation regardless of its type of business, size, structure etc.

9. ISO/IEC 27032:2012

ISO/IEC 27032:2012 developed by ISO to secure cyberspace information by providing a guide for cyber security.

ISO 27032 and ISO 27001 are closely related to each other.

ISO/IEC 27032:2012 standard is not for certification but, any organization across the globe can practice the guidelines to improve its cyber security.

10. Service Organization Criteria (SOC) 2

Created by the American Institute of CPAs (AICPA), SOC 2 characterizes standards for overseeing client information in light of five “trust administration standards”.

Security

Availability

Processing Integrity

Confidentiality

Privacy

SOC 2 is an internationally recognized standard specifically designed for service providers storing customer data in the cloud. SOC 2 applies to practically every SaaS organization, just as any organization that utilizes the cloud to store its clients’ data.

7 Common Benefits of Implementing These Standards/Frameworks

Establish a benchmark and get a competitive advantage by following best security practices

Improve customer confidence by maintaining effective security posture and efficient processes

Ensure the organization’s reputation by minimizing the chances of security breaches

Avoid penalties by meeting the legal obligations

Distinguish and treat the potential privacy issues at a beginning phase

A better understanding of data management

Increase awareness of privacy and data protection across the organization