Complying with the law

Depending on your organization’s industry and what countries you operate in, there are likely one or more compliance regulations you’re required to follow. These regulations frequently mandate how you can treat personally identifiable information (PII), protected health information (PHI), payment card data, and other regulated data.

By enforcing data loss prevention policies and access policies and encrypting cloud data, McAfee MVISION Cloud can help your organization meet these compliance requirements. The first step is understanding what regulations apply to your organization and how those regulations impact your cloud usage. We’ve summarized some of the most common regulatory requirements below.

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS is not a law but a standard that all organizations that handle or process payment card information are required to follow. It’s administered by an independent body that represents the major payment card brands, including Visa, MasterCard, and American Express. PCI DSS has 12 requirements, each with detailed sub-requirements. Failure to comply with these rules can result in fines levied by the acquiring bank, increased transaction fees, or termination of card processing.

HIPAA and HITECH (Health Insurance Portability and Accountability Act & Health Information Technology for Economic and Clinical Health Act)

These US laws apply to health insurance companies, healthcare clearinghouses, and healthcare providers such as doctors and hospitals. Together, HIPAA and HITECH require these organizations to safeguard protected health information. In the event of a breach, mandatory disclosure rules require you to report the data loss, which can result in fines, loss of business, and litigation. Encrypting data helps here: if the data that is leaked is encrypted, these breach notification requirements do not apply.


GLBA (Gramm-Leach-Bliley Act)

This US law applies to financial institutions and mandates that they protect the security and confidentiality of their customers’ personal information. Institutions must disclose to customers where their information is stored and what steps have been taken to protect it, and must give customers a way to opt out of having their data shared with third parties. Some cloud providers claim the right to share data uploaded to their service with third parties, which complicates compliance with the law.

SOX (Sarbanes-Oxley Act)

Sarbanes-Oxley is a US law that applies to public companies. Under the law, companies are responsible for accounting and financial wrongdoing even when it results from the actions of a third party such as a cloud provider. As a result, companies covered by the law should look for cloud providers that have been audited under the SAS 70 or SSAE 16 standards.

GDPR (General Data Protection Regulation)

This regulation applies to any organization, wherever it is based, that handles data on European Union citizens and residents. It sets rules for informing users of their rights, mandates breach notifications, and allows fines of up to 4% of global turnover.


FIPS 140-2 (Federal Information Processing Standard Publication 140-2)

FIPS 140-2 is a US government security standard issued by the National Institute of Standards and Technology (NIST). It defines the security requirements against which cryptographic modules are validated. US federal agencies are required to use FIPS-validated encryption modules wherever encryption is mandated, but NIST does not specify which security levels are appropriate for particular applications. For the private sector, FIPS 140-2 validation signals that an encryption solution meets the highest security standards.

FISMA (Federal Information Security Management Act)

FISMA is a law that applies to the US federal government. It requires agencies to develop, document, and implement a security program that covers technology managed by the agency as well as by third parties, such as cloud providers. To achieve FISMA compliance, a cloud provider must meet FISMA standards, be hosted in a FISMA-compliant data center, and hold an Authority to Operate (ATO). FISMA also requires the government to use FIPS 140-2 compliant encryption.

ITAR (International Traffic in Arms Regulations)

ITAR is a US law that applies to US citizens and organizations. It restricts the export or sharing of certain types of defense-related technology outside the United States in order to protect US national security. Encrypting sensitive data is not enough on its own; the US Department of State recommends tokenizing data before it is uploaded to the cloud.

FITARA (Federal Information Technology Acquisition Reform Act)

Enacted in December 2014, the Federal Information Technology Acquisition Reform Act (FITARA) is intended to improve the acquisition and management of federal IT assets. Its benefits include reducing waste and duplicative IT systems and improving communication and visibility within agency IT teams.