Regulatory monitoring services are now a requirement for GRC teams. More and more jurisdictions are strengthening regulations related to cyber security, data retention and privacy. To stay ahead of the curve and avoid ugly surprises, a compliance management solution is a must. Very often, compliance teams will say they have alerts in place for changing regulations, but too often this boils down to newsletter subscriptions and word of mouth. For the very large and well publicized regulatory changes such as SOX or GDPR, this approach can work. However, the real risk for missing critical updates is found in the myriad of smaller regulations from states, provinces and other jurisdictions. Implementing a robust regulatory and standards monitoring and compliance management system is absolutely critical.
There are no shortage of examples of regulatory bodies and specific requirements being imposed on organizations. Some examples of regulations that impact cyber security in the USA include SOX, Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), Department of Homeland Security (DHS), and many state level regulations such as Wisconsin DBR and Ohio State DDPA. In Canada there is the Personal Information Protection and Electronic Documents Act and the upcoming CCSPA-Bill C-26 (Canada). There are also provincial items such as the Personal Information Protection Act (PIPA) in Alberta and the Information Privacy & Security (FOIPPA) in British Columbia.
In addition to regulations that apply to all companies, there are also Industry specific regulations. Three examples of industry specific cyber regs include those from the North American Electricity Corporation (NERC) CIP for energy producers and transmitters, Maritime Transportation regulated facilities MTSA (USA) and the Payment Card Industry DDS regulations which govern anyone storing credit card data.
Internationally there are more and more regulations, with countries like China having some of the most stringent requirements as outlined in their Cyber Security Law. If your organization operates in critical industries and has operations internationally, it can be a real challenge to monitor all the various agencies for upcoming, changed and new regulations.
In addition to the regulatory requirements imposed on an organization by governments and industry bodies, many companies agree to requirements through the contracts they sign. These obligations are often left in contracts or shuffled over the legal teams who are already overwhelmed. Sometimes, these obligations will be stored in a Contract Management Software, but those tools are mostly designed for the financial elements of contracts and not the operational or cyber and data retention requirements. To effectively manage operational requirements, it is critical to establish a single source of truth.
A proper compliance management program should be based on ISO 37301:2021, but it should also incorporate the necessary elements from the programs for which you wish to manage compliance. Cyber security programs have their own standards such as: IEC 61511, IEC 61508, ISA S84, and the recommendations from these standards can be incorporated into your broader compliance program. In all likelihood, other parts of your organization want to monitor for regulatory change too and it makes sense to pull together all the teams that are responsible for regulatory compliance and attempt to select a single tool such as Nimonik’s regulatory and standards compliance management software.
Like all best practices, compliance monitoring needs to be matched with resources with the organization and continuously monitored for their effectiveness. There is no magic solution, but with ever increasing regulatory burden, a robust compliance solution with integrated regulations and standards is a critical tool for any medium or large organization.
If you need help implementing a Comprehensive Compliance program for your Cyber Security Team or for your organization and your stakeholders, please contact us at email@example.com of at +1-888-608-7511