The Compliance Crossover: Identity Security Requirements Within Compliance Frameworks and Privacy Regulations

Compliance is crucial to build trust with prospective customers and partners, especially in highly regulated industries. Your organization likely already allocates significant resources ensuring that you adhere to compliance frameworks. And while we strongly believe that identity security is a necessity in its own right — we have some good news: Strong identity security practices will help you adhere to many compliance frameworks and privacy regulations as well. Two birds, one stone, as they say.

Investing in a robust identity security program helps protect important data and assets within your organization and simultaneously strengthens your compliance program. Plus, identity security is a specific requirement within many frameworks. 

Below, we review the most common frameworks and regulations that include identity security requirements. These require organizations to implement robust identity security measures, including authentication, authorization, access controls, and monitoring, to protect sensitive information and comply with legal requirements.

General Data Protection Regulation (GDPR)

GDPR is a comprehensive data protection law with its roots in the European Union that requires organizations who process EU citizens’ data to implement appropriate technical and organizational measures to protect personal data. This includes ensuring data security through access controls, encryption, and identity management.

Specific identity security requirements within GDPR include:

• Article 32: Security of Processing, which states organizations must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including ensuring confidentiality, integrity, availability, and resilience of processing systems. Applying the principle of least privilege is a recognized method to achieve these security objectives, as it limits access to personal data to only those individuals or systems that need it to perform specific tasks, thereby minimizing the risk of unauthorized access or data breaches.
• Article 25: Data Protection by Design and by Default, which states that organizations must implement measures to ensure that, by default, organizations only process personal data that is necessary for a specific purpose. This requirement implies that data access should also be restricted to what is required to carry out a function, further reinforcing the concept of least privilege.

For more information: GDPR.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. law that mandates the protection of sensitive or identifiable healthcare patient information. It includes security rules that require covered entities to implement administrative, physical, and technical safeguards, including identity management and access controls, to safeguard electronic protected health information (ePHI).

Specific rules relevant to identity security include:

• Administrative Safeguards, which require organizations to assign security responsibility, conduct risk analysis, manage information access, and establish workforce security policies.
• Technical Safeguards, which include the following specific guidance:some text
  • Access Control: Implement technical policies and procedures to ensure only authorized individuals can access electronic protected health information (ePHI).
  • Audit Controls: Implement mechanisms to record and examine activity in information systems.
  • Integrity: Implement policies to protect ePHI from improper alteration or destruction.
  • Authentication: Verify that persons or entities seeking access to ePHI are who they claim to be.

For more information: HIPAA.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It includes requirements for access control, user identification, and authentication, including:

• Requirement 7 mandates organizations restrict access to cardholder data to those with a “need to know” basis.
• Requirement 8 mandates organizations identify and authenticate access to system components via the following:some text
  • Assign a unique ID to each person with computer access.
  • Implement two-factor authentication for remote access.
  • Ensure proper user identification and authentication.
  • Use MFA as a best practice.
• Requirement 10 mandates organizations track and monitor all access to network resources and cardholder data.

For more information: PCI-DSS v4.0.1

National Institute of Standards and Technology (NIST) Special Publication 800-53

This publication provides a catalog of security and privacy controls for U.S. federal information systems and organizations. It includes identity and access management controls, such as authentication, authorization, and account management. Specific controls include:

• Access Control (AC) requires organizations to control the flow of information and access to information systems and implement least privilege, separation of duties, and account management.
• Identification and Authentication (IA) requires organizations to identify and authenticate users, processes, and devices uniquely and use multifactor authentication for privileged accounts.

For more information: NIST.gov.

Sarbanes-Oxley Act (SOX)

SOX is a U.S. law that protects people against accounting mistakes and fraudulent financial practices. While not explicitly focused on identity security, it includes requirements for internal controls and data protection, which can encompass identity management practices.

For example, the “Internal Controls and Data Security” mandate states that organizations must implement controls over financial reporting, which can include access controls and identity verification to prevent unauthorized access and ensure data integrity.

For more information: Sarbanes-Oxley Act.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

The CPRA was passed in 2020 to amend the original CCPA and further extend its protections. These California regulations provide residents with rights regarding their personal information. For example, they require businesses to implement reasonable security measures, including identity and access management controls, to protect personal data.

Specifically, the Reasonable Security Measures section calls for appropriate security measures to protect personal information. Though not explicitly defined, these may include:

• Authentication controls to verify identities before granting access.
• Access controls to ensure only authorized personnel can access sensitive data.

For more information: The CPRA.

Federal Information Security Management Act (FISMA)

FISMA requires U.S. federal agencies to develop, document, and implement information security programs. It includes requirements for access control and identification and authentication:

The Security Controls (Based on NIST SP 800-53) section includes two subsections related to identity management. Access Control (AC) requires organizations to implement access controls based on least privilege and need to know. Identification and Authentication (IA) requires that organizations ensure users are uniquely identified and authenticated.

The Continuous Monitoring requirement of FISMA requires organizations to regularly assess and monitor the effectiveness of security controls, including those related to identity management.

For more information: FISMA.

ISO/IEC 27001

This international standard for information security management systems (ISMS) includes requirements for access control, information security policies, and risk management, encompassing identity security measures.

Specific requirements include: 

• A.9: Access Control states that organizations should establish an access control policy, user registration and de-registration, and privilege management. It also advises organizations to require secure log-on procedures and multifactor authentication where appropriate.
• A.13: Communications Security requirement states that organizations must protect information in networks and their supporting information processing facilities.

For more information: ISO.org

Gramm-Leach-Bliley Act (GLBA)

GLBA is a U.S. law that requires financial institutions to protect consumer information. It mandates implementing security measures, including identity management, to protect sensitive data.

Specifically, the Safeguard Rule states that organizations must develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards to:

• Control access to customer information.
• Authenticate individuals accessing customer information systems.
• Protect against unauthorized access to or use of such information.

For more information: GLBA.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian law that governs how private sector organizations collect, use, and disclose personal information. It includes provisions for protecting personal data through security safeguards, access controls and identity verification.

Specifically, PIPEDA includes a Safeguards Principle (Principle 7) requiring organizations to:

• Protect personal information with security safeguards appropriate to its sensitivity, including physical, organizational, and technological measures.
• Ensure that only authorized personnel have access to personal information.

For more information: PIPEDA.

Identity Security as a Compliance Advantage

Clearly, comprehensive identity security measures will help satisfy requirements for many compliance frameworks and privacy laws. This is a good thing, because identity security plays a critical role in protecting sensitive data. As the regulatory landscape continues to evolve, organizations must prioritize identity security to safeguard information and uphold the trust and confidence of customers, partners, and stakeholders. 

Moreover, investing in robust identity security is not merely a compliance obligation — it's a crucial step toward building a secure digital environment. Opal helps organizations simplify adherence to these compliance requirements by automating time-consuming manual work associated with identity management, including user access reviews and implementing least privilege. 

While in most cases, meeting compliance requirements does not equal being fully secure, identity security is one area where implementing and upholding strong controls will help you achieve both security and compliance objectives — win-win for your organization’s risk profile and the protection of your data and systems.

‍

‍Learn more about how Opal helps organizations achieve continuous compliance.