Navigating the Regulatory Landscape: An Overview of Key Cybersecurity Regulations

​

Data breaches and cyberattacks are no longer a matter of "if" but "when." For organizations of all sizes, navigating the complex web of cybersecurity regulations is crucial for protecting sensitive data, mitigating risks, and maintaining customer trust. This overview provides some of the key cybersecurity regulations that Small and Medium Sized Businesses (SMBs) must consider:
 

1. CAN/DGSI 104:2021 Rev 1 2024 (Canada) [formerly CAN/CIOSC 104]
 

Focus:
This standard provides guidelines for the protection of critical infrastructure in Canada. It emphasizes the importance of risk management, incident response, and business continuity planning.
 

Key Requirements:

• Risk Assessment: Conduct regular risk assessments to identify and prioritize threats.

• Incident Response Planning: Develop and test incident response plans to minimize the impact of cyberattacks.

• Business Continuity Planning: Ensure business operations can continue in the event of a disruption.

• Information Security Management System (ISMS): Implement and maintain an ISMS to manage and protect information assets.

 

2. GDPR (General Data Protection Regulation - Europe)
 

Focus:

The GDPR is a comprehensive data protection law that applies to any organization processing the personal data of individuals residing in the European Union (EU), regardless of the organization's location.
 

Key Requirements:

• Data Subject Rights: Grant individuals rights such as access, rectification, erasure, and data portability.

• Data Protection by Design and Default: Integrate data protection principles into all stages of data processing.

• Accountability: Demonstrate compliance with the GDPR through appropriate documentation and internal policies.

• Data Breach Notification: Report data breaches to the relevant authorities within 72 hours.

 

3. CCPA (California Consumer Privacy Act - USA)
 

Focus:

The CCPA grants California residents specific rights regarding their personal information, including the right to know, access, delete, and opt-out of the sale of their data.
 

Key Requirements:

• Transparency: Provide clear and conspicuous privacy notices to consumers.

• Data Access and Deletion: Allow consumers to access and delete their personal information.

• Do Not Sell: Provide consumers with the right to opt-out of the sale of their personal information.

• Data Breach Notification: Notify consumers of any data breaches that may have exposed their personal information.

 

4. HIPAA (Health Insurance Portability and Accountability Act - USA)

Focus:

HIPAA protects the privacy and security of protected health information (PHI) held by covered entities, such as healthcare providers, health plans, and healthcare clearinghouses.  
 

Key Requirements:

• Data Security Rule: Implement safeguards to protect the confidentiality, integrity, and availability of PHI.

• Privacy Rule: Establish procedures for the use and disclosure of PHI.

• Breach Notification Rule: Report breaches of unsecured PHI to the Department of Health and Human Services (HHS).

 

5. PCI DSS (Payment Card Industry Data Security Standard)

Focus:

The PCI DSS is a set of security standards designed to protect cardholder data. It applies to any entity that stores, processes, or transmits cardholder data.
 

Key Requirements:

• Build and Maintain a Secure Network: Protect cardholder data by implementing firewalls, intrusion detection systems, and other security measures.

• Protect Cardholder Data: Encrypt cardholder data both in transit and at rest.

• Maintain an Information Security Policy: Develop and enforce a written information security policy.

• Regularly Monitor and Test Networks: Conduct regular vulnerability scans and penetration tests to identify and address security weaknesses.

​

6. NIST CSF (National Institute of Standards and Technology Cybersecurity Framework - USA)

Focus:

The NIST CSF provides a voluntary framework for managing cybersecurity risk. It is a flexible and adaptable framework that can be tailored to meet the specific needs of any organization.

Key Functions:

• Identify: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.  

• Protect: Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.  

• Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.  

• Respond: Take action regarding a detected cybersecurity event.

• Recover: Take action to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.  

7. ISO 27001: An International Standard for Information Security

Focus:

ISO 27001 is an internationally recognized standard that provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System  (ISMS). It helps organizations of all sizes and industries manage and protect their sensitive information.  

Key Requirements:

 

• Establish the Context of the Organization: Understand the internal and external issues that can affect the organization's information security.

• Identify Interested Parties: Determine the needs and expectations of stakeholders, such as customers, employees, and regulators.

• Plan:

  • Define the scope of the ISMS.

  • Conduct risk assessments to identify and prioritize information security risks.

  • Determine the necessary controls to address identified risks.

• Support:

  • Provide the necessary resources, including personnel, technology, and infrastructure.

  • Promote information security awareness and training within the organization.

• Operate:

  • Implement and operate the controls defined in the risk assessment.

  • Monitor and review the effectiveness of the controls.

• Continual Improvement:

  • Regularly review and improve the ISMS based on internal and external audits, incident reviews, and management reviews.

Key Considerations for Compliance:

 

• Risk Assessment: Conduct thorough risk assessments to identify and prioritize the most significant cybersecurity risks.

• Policy Development: Develop and implement comprehensive cybersecurity policies and procedures.

• Employee Training: Train employees on cybersecurity best practices, including phishing awareness, social engineering, and data handling.

• Technology Implementation: Invest in cybersecurity technologies such as firewalls, intrusion detection systems, and antivirus software.

• Regular Monitoring and Testing: Regularly monitor and test your cybersecurity controls to ensure their effectiveness.

• Incident Response Planning: Develop and test incident response plans to minimize the impact of cyberattacks.

• Third-Party Risk Management: Manage the cybersecurity risks associated with third-party vendors and suppliers.

 

Navigating the complex landscape of cybersecurity regulations can be challenging. However, 123 Cyber’s Audit Prep service ensures that clients are cyber secure and meet the CAN/DGSI 104:2021 Rev 1 2024 requirements.

 

Disclaimer: This Learning Module is for informational purposes only and does not constitute legal or professional advice. 

​

--- 

​

This training series is based on the CAN/DGSI 104 NATIONAL STANDARD OF CANADA Baseline cyber security controls for small and medium sized organizations (typically less than 500 employees), the Canadian Centre for Cyber Security controls and the National Institute of Standards and Technology (NIST). 

​

This tutorial is a guideline for best practices, but you are encouraged to review your company's policies to ensure you are following your organization's procedures. 

​

---

​

If you are interested in becoming CAN/DGSI 104 compliant, or would like to join our affiliate program:

​

​