The Importance of Regulatory Responsibility [& How to Stay Compliant in the Cloud]
“With great power comes great responsibility.”
Known as the Peter Parker principle, this outlook applies just as much to organizations as it does to web-slinging superheroes. You see, most organizations are subject to some degree of compliance, be it from federal, state, or industry regulations; for example, healthcare providers must observe the rules outlined in the Health Insurance Portability and Accountability Act (HIPAA), whereas government agencies are required to comply with the Freedom of Information Act (FOIA). Certain sectors are subject to a greater degree of oversight — for example, financial services firms face stricter regulations than, say, retailers — but compliance is universal.
Many of these regulations are the product of an effort to hold organizations accountable. For example, the General Data Protection Regulation (GDPR), which made headlines around the world when it was implemented in 2018, implemented rules about how enterprises can process the personal data of individuals residing in the European Union (EU). In laymen’s terms, GDPR was created to protect people’s personal privacy from any organization that might try to abuse it — with great power comes great responsibility.
An Ever-Changing Regulatory Landscape
Regulations and, by extension, regulatory compliance can be a good thing because they protect both businesses and their customers. That said, maintaining regulatory compliance can be a real challenge for organizations, in no small part because regulations are frequently subject to change. For example:
- A shift in political power can result in changes to existing regulations, the introduction of new regulations, or even the creation of new regulatory agencies.
- Major events can inspire new legislation, such as the Sarbanes-Oxley Act of 2002, which was enacted in response to the Enron scandal.
- An economic downswing can also elicit a regulatory response, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act, which was signed into law following the 2008 economic crisis.
- Information technology now shapes everything from the way we do business to the way our government is run, which has prompted many — even Microsoft’s own Brad Smith — to call for stricter regulations on the tech industry.
These are just a few factors that might contribute to changes in the regulatory landscape — factors that are often interconnected, weaving an even more complicated web for organizations attempting to remain compliant.
For the sake of this article, though, we’ll zero in on that last item: How information technology — more specifically, cloud computing — affects compliance.
Where Does Cloud Regulatory Compliance Fit In?
Cloud regulatory compliance is a key area where organizations need to dedicate their attention because most of their other compliance obligations now depend on it. You see, most major regulations, especially those that pertain to data storage, include some language around cloud computing. It makes sense: Cloud computing has become so widespread that you’d be hard-pressed to find a business that doesn’t use the cloud, at least to some degree, and the regulated data ends up wherever the business’s systems do.
To see this in action, look no further than HIPAA. When HIPAA was signed into law back in 1996, most medical records were still on paper, and its Privacy Rule protects Protected Health Information (PHI) in any form. As healthcare providers and health insurers moved patient and member data onto electronic systems and, later, into the cloud, the HIPAA Security Rule added administrative, physical, and technical safeguards specifically for electronic PHI (ePHI): access control, audit controls, integrity controls, and transmission security. Encryption of ePHI is an “addressable” specification under that rule, meaning a covered entity must either implement it or document why an equivalent safeguard is reasonable, and in practice encryption at rest and in transit is the expected answer. The U.S. Department of Health & Human Services’ website even features an entire webpage dedicated to helping healthcare organizations utilize cloud computing in a way that is HIPAA-compliant.
One of the best ways for organizations to ensure cloud regulatory compliance, as well as compliance with industry-specific regulations, is to carefully evaluate prospective cloud providers. But, before we talk about that, let’s review some of today’s most important regulations.
6 Major Regulations to Be Aware of
Listed below are some of the most significant federal, international, and industry-specific regulations and standards that organizations need to be aware of:
- Health Insurance Portability and Accountability Act (HIPAA): According to HIPAA Journal, HIPAA introduced standards to “improve efficiency in healthcare, eliminate wastage, combat fraud, and ensure that health information that could be tied to an individual and would allow them to be identified is protected and kept private and confidential.” Under HIPAA, healthcare organizations are expected to:
o Implement a means of access control for electronic PHI (ePHI)
o Introduce activity logs and audit controls
o Implement policies for the use/positioning of workstations
o Implement policies and procedures for mobile devices
o Conduct risk assessment
o Introduce a risk management policy
o Develop a contingency plan
o Restrict third-party access
o And more
For a more complete list of HIPAA requirements, especially as they pertain to ePHI, we recommend looking at HIPAA Journal’s HIPAA compliance checklist.
- Sarbanes-Oxley Act (SOX): SOX is a federal law that implemented auditing and financial regulations for public companies in an effort to “both improve the reliability of the public companies’ financial reporting, as well as restore investor confidence in the wake of high-profile cases of corporate crime” — namely, the Enron scandal. In order to comply with SOX, public companies are required to establish safeguards to prevent data tampering, establish verifiable controls to monitor data access, disclose security safeguards and breaches to SOX auditors, and more. As far as cloud regulatory compliance is concerned, a public company’s SOX auditors will expect each cloud provider that touches financial reporting systems to furnish an independent report on its controls (a SOC 1 report, historically issued under Statement on Auditing Standards No. 70, then Statement on Standards for Attestation Engagements No. 16, and today under SSAE 18), so providers that cannot produce one are effectively off the table.
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is an information security standard that was developed “specifically to protect payment account data throughout the payment lifecycle and to enable technology solutions that devalue this data and remove the incentive for criminals to steal it.” Simply put, PCI DSS is designed to secure card payment transactions.
In order to ensure PCI DSS compliance, merchants, service providers, and financial institutions must build and maintain secure network and systems, protect cardholder data, implement strong access controls, and more. For a more complete understanding of PCI DSS requirements, we recommend checking out the PCI Security Standards Council’s quick reference guide.
- General Data Protection Regulation (GDPR): As mentioned earlier, GDPR was established to strengthen data protections for individuals residing in the EU. GDPR applies to all personal data, including basic identity information, web data such as IP addresses and cookie identifiers, biometrics, political opinions, and so on. Although GDPR only safeguards the data of those located within the EU, it applies to any company that has a presence in the EU or that processes the data of EU residents, which means that organizations around the world must take heed. According to the official GDPR website, in order to remain compliant, organizations must:
o Explain how they process data in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”
o Notify users when their personal data is being collected
o Inform data subjects of what personal data is being collected, where it is being collected from, the purpose for processing it, and the length of time it will be held
o Delete any information about data subjects as requested, per the “right to be forgotten”
o And more
- ISO 27001: ISO 27001 — formally known as ISO/IEC 27001 — is an international information security standard created to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS).” In order to earn ISO 27001 certification (translation: compliance), organizations must define the scope of their ISMS — that is, which information assets, systems, and locations it covers — conduct a risk assessment, define a risk treatment methodology, and select and justify controls in a Statement of Applicability. ISO 27001 is perhaps the best-known standard within the larger family of ISO/IEC 27000 standards; to learn about other popular ISO standards, we recommend looking at the International Organization for Standardization’s official standards page.
- Federal Information Security Management Act (FISMA): FISMA is a federal law that was enacted in 2002 (and updated by the Federal Information Security Modernization Act of 2014) in order to establish federal data security standards and guidelines. FISMA requires each federal agency “to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency.” In order to comply with FISMA, federal agencies are expected to:
o Maintain an inventory of information systems
o Categorize information according to risk level
o Perform regular risk assessments
o Implement security controls
o Implement a system security plan
o And more
| Regulation | Summary |
|---|---|
| HIPAA | Set of standards designed to improve efficiency in healthcare, combat fraud, and safeguard the PHI and ePHI of private individuals. |
| SOX | Federal law that implemented auditing and financial regulations to prevent public companies from engaging in fraudulent activities. |
| PCI DSS | Information security standard developed to secure card payment transactions for merchants, service providers, and financial institutions. |
| GDPR | Rules established to strengthen data protections for individuals residing within the EU. |
| ISO/IEC 27001 | International information security standard created to provide a framework for information security management systems. |
| FISMA | Federal law that established federal data security standards and guidelines. |
What to Look for in a Cloud Provider
The key to cloud regulatory compliance — and to ensuring regulatory compliance on the whole — is to partner with a cloud provider that offers strong data protection policies. When evaluating prospective cloud providers, ask the following:
- Where do you store your data? Certain regulations have specific requirements around where, geographically, data can be stored and which jurisdictions it may be transferred to — in fact, where your data is stored can even play a role in which regulations you’re subject to, so it’s important to be aware. Ask about backups and replicas, too, not just the primary region.
- Do you use shared server space or a private server? Some cloud providers will use multi-tenancy as a means of reducing costs, but sharing infrastructure can have a major effect on how secure your data is. If a cloud provider you’re considering does use multi-tenancy, be sure to find out how tenants are isolated (network, storage, and encryption keys), how the provider would detect a compromise that crosses tenant boundaries, and how and when it would notify you.
- Do you perform user de-provisioning? Employees come and go, but if a cloud provider doesn’t revoke an end user’s access when they leave the company, your data could end up in the wrong hands — a major compliance faux pas. Ask how quickly access is revoked after an offboarding request, whether it covers API keys and tokens as well as logins, and how you can verify that it actually happened.
- How do you secure your data? Most regulations include some sort of data security requirements, while some have very specific stipulations — for example, HIPAA’s Security Rule expects ePHI to be encrypted at rest and in transit (an addressable specification: implement it, or document why an equivalent safeguard is reasonable). Ask who holds the encryption keys and whether you can bring your own.
- How do you propose to adapt to changing compliance requirements? As we’ve already made clear, the regulatory landscape is always changing. It should be your goal to find a cloud provider that has a clear plan for adapting to those changes, so you never have to worry about whether or not you’re compliant.
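The de-provisioning question above is one you can verify rather than take on trust. The following is an added example (not code from the original article or from any cloud provider) of the reconciliation an auditor would expect: it compares an HR roster of current employees against an export of cloud accounts and flags enabled accounts that belong to nobody on the roster, plus enabled accounts that have not signed in within a retention window. The roster, the account export, its field names (`user`, `enabled`, `last_login`), and the service-account allowlist are all constructed for the example; a real export would come from your identity provider or the cloud platform’s user listing.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not a real export). The field names below are an
# assumption for this example, not any provider's actual API schema.
HR_ROSTER = {"alice@example.com", "bob@example.com", "dana@example.com"}

CLOUD_ACCOUNTS = [
    {"user": "alice@example.com", "enabled": True, "last_login": "2024-05-01T09:12:00Z"},
    {"user": "bob@example.com", "enabled": True, "last_login": "2023-11-20T14:03:00Z"},
    # carol left the company but her account was never disabled
    {"user": "carol@example.com", "enabled": True, "last_login": "2024-04-28T08:00:00Z"},
    # dana is a current employee whose account is correctly disabled (on leave)
    {"user": "dana@example.com", "enabled": False, "last_login": "2024-01-10T10:00:00Z"},
    # a non-human service account: not in HR, never logs in interactively
    {"user": "svc-backup@example.com", "enabled": True, "last_login": None},
]

# Service accounts are expected to be absent from HR; track them explicitly
# so they are reviewed on their own schedule instead of silently ignored.
SERVICE_ACCOUNT_ALLOWLIST = frozenset({"svc-backup@example.com"})


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_orphaned_accounts(roster, accounts, allowlist=frozenset()):
    """Enabled accounts with no matching current employee and no allowlist entry.

    These are the leaver accounts that de-provisioning should have disabled.
    """
    return sorted(
        a["user"]
        for a in accounts
        if a["enabled"] and a["user"] not in roster and a["user"] not in allowlist
    )


def find_stale_accounts(accounts, now: datetime, max_idle_days: int = 90):
    """Enabled accounts that have never signed in or not within max_idle_days.

    Stale-but-enabled accounts are a common sign that offboarding was missed,
    and an unused credential is pure attack surface either way.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are already de-provisioned
        last = a["last_login"]
        if last is None or parse_ts(last) < cutoff:
            stale.append(a["user"])
    return sorted(stale)


def deprovisioning_report(roster, accounts, now, allowlist=frozenset(), max_idle_days=90):
    """Combine both checks into the findings an access review would record."""
    return {
        "orphaned": find_orphaned_accounts(roster, accounts, allowlist),
        "stale": find_stale_accounts(accounts, now, max_idle_days),
    }


if __name__ == "__main__":
    review_date = parse_ts("2024-05-02T00:00:00Z")
    report = deprovisioning_report(
        HR_ROSTER, CLOUD_ACCOUNTS, review_date, SERVICE_ACCOUNT_ALLOWLIST
    )
    for finding, users in report.items():
        print(f"{finding}: {', '.join(users) if users else 'none'}")
```

Run against the constructed data, the report flags carol@example.com as orphaned (enabled, no longer on the roster) and bob@example.com and svc-backup@example.com as stale; the service account is stale by design, which is exactly why it belongs on a separate review schedule rather than in the HR comparison. The same two queries, run on a schedule against the provider’s real account export and your HR system of record, give you evidence for the SOX and HIPAA access-control questions instead of a vendor’s assurance.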
How Azure Meets Regulatory Compliance Needs
If you’re in the market for a cloud computing solution that will help you meet compliance obligations, Microsoft Azure might be the platform for you. With an extensive catalog of compliance offerings, an impressive compliance portfolio that spans multiple industries and geographic regions, and a state-of-the-art regulatory compliance dashboard, Azure has everything you need to store data responsibly and meet all of your cloud regulatory compliance requirements.
Want to learn more about Azure, or start your Azure cloud migration today? Contact Hitachi Solutions to get started.