Don't Get Spooked by Compliance Requirements
If your company deals with customers’ personal information or sensitive data from the government, the need for sufficient cybersecurity measures isn’t just good housekeeping; it’s the law. Below, we’ll explore some of the important rules your organization should know about and one simple step you can take toward staying compliant.
It should come as no surprise that there are a number of PCI DSS requirements. The Payment Card Industry Data Security Standard is meant to provide conditions necessary for keeping cardholders safe from the countless individuals out there who would love to have that information.
Obviously, it’s not always up to cardholders to keep their data safe either. The moment they use a card, that onus falls on the company doing the processing, which makes these companies huge targets for money-hungry hackers. PCI DSS contains a number of requirements; here, let’s just take a look at the ones regarding passwords.
First, you and your employees cannot use the default passwords provided by vendors for your systems or other security parameters. Second, you must create and maintain a policy regarding information security for your staff. Among other things, this will need to address the requirements for an acceptable password.
PCI DSS was designed with the understanding that protecting credit card information also means safeguarding the passwords of the employees who have access to those numbers. You can use as many firewalls as you want, but if just one of your employees uses a lackluster password, all of your customers can be compromised in the blink of an eye.
Another hugely important form of data is one’s healthcare records. Any individual’s medical and personal information could be used against them in a number of different ways if it was accessed by a malicious individual. From carrying out an act of fraud to committing blackmail, this type of personal information could quite easily be weaponized if it fell into the wrong hands.
This is where HIPAA (the Health Insurance Portability and Accountability Act) comes in. The act sets out legal requirements that must be followed by those who work with this kind of data. As far as password management goes, you must create a standard that reasonably and appropriately safeguards the type of info described above. To quote the actual regulation (§ 164.308(a)(5)(ii)(D)), your company must put in place “Procedures for creating, changing, and safeguarding passwords.”
Therefore, just making sure employees use passwords isn’t good enough. They must also be trained in safeguarding said passwords and given an infrastructure that makes it reasonably easy to do so.
These demands also cover protecting employees from themselves, so to speak. For example, your company will be expected to take steps toward keeping employees from sharing their passwords. The same goes for writing them down and keeping the paper somewhere that would be easy for another to find it.
CJIS stands for Criminal Justice Information Services. This division falls under the umbrella of the Federal Bureau of Investigation. Established back in 1992, CJIS has grown into the largest division of the bureau.
When it comes to cybersecurity, CJIS also has some specific standards regarding its computerized information system that stores data related to criminal justice. As it is open to criminal justice agencies across the country, from local to state to federal authorities and some third parties, naturally, CJIS is concerned with making sure password protection doesn’t fall through the cracks.
The other reason cybersecurity is such a huge concern is the information stored within CJIS. People’s criminal histories, terrorist activities and even info relevant to ongoing investigations could all be accessed by the wrong people if a password is compromised.
Therefore, the CJIS Security Policy sets out requirements for password management and usage, and it also elaborates on what each password must involve. A number of other sections touch on the subject as well, but the point is that those with access to the database must be extremely careful with their passwords or face serious penalties.
The Answer Is MFA
Between the seriousness of the responsibility that comes with using systems associated with the above rules and the severity of the consequences that go along with violations, it can be very intimidating trying to deal with this sensitive information. The more employees you have, the more worrisome it can be trying to keep faith that no one within your organization will drop the ball. After all, it just takes a single mistake. One password that’s easy enough to guess or one person who lets a coworker sign in under their credentials and you could have a huge disaster on your hands.
With multi-factor authentication (MFA), your employees’ login credentials become nearly impossible to fabricate, guess or steal.
As the name suggests, employees can only log into their desired system if they first meet at least two requirements. Obviously, the more requirements you demand of them, the more secure your system will be.
Three very common factors of identity you could use are:
- Something the user knows (a password)
- Something the user has (a key fob that generates a PIN)
- Something the user is (their fingerprint)
Compliance Made Simple
While it’s probably a huge relief knowing that MFA can help to eliminate many of the cyber threats your company faces, it also makes staying compliant with HIPAA, PCI and CJIS extremely easy. Should the worst ever happen, you’ll be in much better shape if you can prove your company took steps to ensure the utmost in cybersecurity by investing in MFA, as opposed to hoping for the best by following old-fashioned methods.