PCI-DSS, ISO, HIPAA; you have probably heard many acronyms like these in reference to IT security. There are so many laws and organizations these days, it can be difficult for a person to know where to begin looking. This blog post will help introduce you to the topic so you can consider what might apply to you.
There are three different categories of acronym you will typically see: legal requirements, organizations, and specific standards.
HIPAA is an example of a legal requirement. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. HIPAA is a law applying to certain kinds of healthcare companies. Rather than detailing specific requirements, HIPAA lists broad security objectives and leaves companies to decide how to implement them. This allows the law to scale for company size and with changing technology. Some other examples of legal requirements are HITECH (short for “Health Information Technology for Economic and Clinical Health,” an amendment to HIPAA), GLBA (short for “Gramm–Leach–Bliley Act,” which governs financial companies), and FISMA (short for “Federal Information Security Management Act of 2002,” which regulates federal agencies and their contractors).
ISO is an example of an organization. ISO is an abbreviation for the International Organization for Standardization. ISO is an international effort to come up with standardized terms and measurements for everything from timber sizes to laboratory glassware to fingerprint image data. One set of standards is ISO 27001, which details specific IT security requirements. TechGen is ISO 27001 certified, which means we have demonstrated that we meet those security standards. Other examples of organizations that publish their own standards are the SANS Institute (“SysAdmin, Audit, Network and Security Institute,” a private company that offers security training), ISACA (formerly the “Information Systems Audit and Control Association,” a professional association), and HITRUST (the “Health Information Trust Alliance,” a joint creation of several healthcare companies).
PCI-DSS is a specific list of standards. It was created by and is used in the Payment Card Industry to offer a Data Security Standard across businesses that accept credit cards, to keep consumers safe and meet government regulations. Lots of organizations have their own list of security standards or certifications, which adds more acronyms to the mix. The SANS Institute offers GIAC, or the “Global Information Assurance Certification.” ISACA publishes COBIT, which stands for “Control Objectives for Information and Related Technologies.” HITRUST regularly updates what they call the CSF, or “Common Security Framework.” Some organizations put their own name on their list of controls, such as CIS (the “Center for Internet Security”), which writes the “CIS Controls” and “CIS Benchmarks.”
When looking at IT certifications, it is important to look up what a company claims to have. A company that says they are “HITRUST Certified” is saying that an auditor has evaluated them and found they meet the CSF standards published by the HITRUST organization. That also means there is no such thing as “HIPAA Certified” because HIPAA is a law, not a list of standards or certification. A more accurate designation would be “HIPAA Compliant.”
If you are interested in increasing your level of IT security, you should research which organizations specialize in creating standards for your industry. Unlike some kinds of certifications, there is no “one size fits all” standard for technology, and there are multiple different ways to address a security problem. One sure-fire way to increase security is to use vendors that hold their own IT certifications; that way you can trust that a third party has evaluated their security.
Hopefully, this guide has given you a good start for where to begin your investigations into IT certifications. Thank you for reading, and have a secure day.