First Time Compliance

The short version:

  1. Start with a compliance assessment. It will save you time and money.
  2. Pick the smallest relevant compliance or framework to start.
  3. The most affordable way to solve compliance is automation.
  • Automation provides you with the quickest way to stay on top of costs.
  • This immediately lowers your project costs.
  • It lowers your operational costs in the future.
  • Unfixed costs with large surprise expenditures will be a thing of the past.
  • The future would be easily budgeted as fixed costs with small expenditures.
  • Tracks changes, auto-send alerts for review.
  • Professional services costs would be minimal compared to traditional means.
  • This provides plenty of extra leftover budget, saves a ton of money.

The longer version:

Choosing which compliance to take on is always a thoughtful process, and you may have questions about it.  Even when you think it is obvious, there might be some new information to consider.

For those of you who might want to know more about the field. We won’t get too much into the details, but this might help you visualize what is being asked of you in relation to the world’s standards as we start 2021.

To do this, we will go over some of the more common standards that we work with here at Variable Path. This is a nice graphic, it helps explain a little, credit going to ComplianceForge.  As you can see, some frameworks have simpler coverage, some are more diligent.  There is even variability within a framework or standard.  For example, we help some of our retail customers with PCI, which has 4 tiers.  The newer DoD CMMC has 5 stacking tiers.  You don’t need to look up those acronyms, we will explain them below.

I would have liked to have seen a tier structure broken apart in a chart, but I’m not sure how to visualize it.  Security professionals need to figure out a better way to show these different charts and standards in relation to each other. Failing a perfect chart for me to show you, here’s my analogy for compliance standards.


Pass / Not pass is a good one to start with.  So what if I was to tell you :


“This water doesn’t meet the EPA’s standards for clean drinking water.
Here, have as much as you want to drink”

You might not know (or need to know) the specifics, but you would understandably be wary.

If I was to tell you that:

“This does not meet the FDA’s standards for food. Have a taste”

Again, different government department, different area, both immediately raise alarms with you.

1) Pass / Not-Pass:   This is because of their thumbs up and thumbs down status.  Both the EPA and FDA have broad enough impact that we never would question crossing that line.  We know we should never see a Not-Pass and be happy about consuming that product.

2) PERCENT:     Now lets add in a little more variability.  Things get a little more interesting with a grading system that broadens out from more than 2 points (pass/not pass) to 100.  Most of us are familiar working with the sequence 1 to 100.  We often, but not always, call  this a PERCENTAGE based score.

3) LETTER:     A letter score can further expand Percentage based data to be a SUPERSET for an even more defined SUBSET.  In this case, a subset for PERCENTAGE is the LETTER based grading system.  We often think of this as the scores A, B, C, D, or F.

4) LETTER+/-:     An additional SUBSET of the A B C D F grading system would be the (+/-) SUBSET.  This is wherein we add (+/-) to each score to further delliniate scores.  Is it a mid-range A or an A+?  A C- does not carry the same meaning as a C+ for us, even though they are both C scores.

This can easily be seen in places where scores are important.  Schools immediately jump to mind, but of more relatable importance, the food industry works with health standards.  This in turn means sanitation standards, with grades for eating establishments.  Most of us have seen letter-based posted health scores. 

There is always a percentage grade associated with that letter grade.  This provides a better sense of your level of risk.  It allows you to seek out and reward the sanitary restaurants for providing a safer dining experience.  This page’s publication provides pre-covid examples that may not currently exist, they are for reference.  We all hope the riskiest endeavor for 2021 is a restaurant with a low rating.

A “C” is a passing grade.  Restaurants are allowed to serve food when it has a “C” rating or better.  But they will benefit from cleaning things up and getting a better score. 
Hopefully you caught on to the idea of SUBSET and SUPERSET from the above example. That will be helpful to understand how some of the frameworks work. Below is a brief summary of some of the more common frameworks, certifications, and standards we run across. More summaries to help you out to come shortly.

Just because the restaurant is able to pass it’s certification, doesn’t mean they won’t make you sick.  It also means they have a lot of room for improvement in those areas.  The health department just shuts you down if you have anything below a “C”, which is where you see the “U” score.

Hopefully you also caught on to the idea of SUBSET and SUPERSET. That will be helpful to understand how some of the frameworks work. Below is a brief summary of some of the more common frameworks, certifications, and standards we run across. More summaries to help you out to come shortly.

The take-away from this analogy is that there are many ways to pass an audit.  You can pass a simpler audit with ease.  Or pass a more complete audit just barely squeaking by.  Also, just because a company passed a certification, audit, or score does not mean the same today.  Does a food sanitation score from 2 years ago hold the same pluck today?  No.  You must maintain the proper due diligence and keep the controls today that were legitimately certified yesterday. 

Quick summaries to help people starting out:

(National Institute of Standards and Technology Cyber Security Framework)
A good starting point for anyone.

Five simple points provide a concise framework that is useful to organizations both small and large.

NIST compliance as a service is available from Varpath.

Pro: An ideal start for most organizations due to it’s concise format, ease of implementation, and speed. Quick turn-arounds mean the CSF results provide an easy to follow cybersecurity roadmap that includes the entire organization. The simpler format of the CSF translates to also being more affordable.

Con: Not as recognizable as PCI or HIPAA. This standard is on an island all it’s own, so it is not applicable as either a superset or subset of a more comprehensive standard such as ISO27001 or NIST 800-53.

Take-Away: The NIST CSF is ideal for small or large organizations that don’t have an explicit standard to follow. This makes it an ideal place to start for general business and legal organizations. Additionally, any organization that does not want to look negligent in the case of an insurance payout would be well advised to start here if with nothing else.

(Health Insurance Portability & Accountability Act)
The must-have for patient data.

Although every organization has personal data in it’s HR systems, this standard is focused on healthcare data.  If you have access to see patient data under any condition, this applies to you.

Pro: This standard is well published, well understood and well known.  Varpath also has a HIPAA solution package for you or anyone in the healthcare industry. Since HIPAA is based on the NIST 800-53 superset, many parts can be recycled if needed.

Con: This standard is mandatory for the healthcare industry. For most organizations, the impact is focused on the safety of patient data and information.

Take-Away: If HIPAA is not required, you do not want to consider it unless there is a strategic reason. That said, it is a subset of NIST 800-53, so adopting HIPAA today would still be applicable if you later plan on getting NIST 800-53 certification.

(Payment Card Industry Data Security Standard)
You run credit cards. Lots of them.

Most of the time, credit card payments can be offloaded to a financial services business. But for restaurants and retail, (or anyone that has the opportunity to see a customer’s credit card) you have to be compliant.

Pro: This standard is well published, well understood, and well known. It is the gold standard for credit card data, and is tiered, making it easy to get started with. It’s tiers are based on gross value processed.

Con: This standard is mandatory for any credit card handlers, and gets onerous quickly. More importantly, it is primarily focused on the safety of credit cards, which might not be the primary goal of your organization.

Take-Away: If the PCI-DSS standard is not being required of you, you will not even want to consider it.

More Pros, Cons, & Take-Aways coming soon!

(Cybersecurity Model Maturity Certification)
NIST 800-171 subset.

Largely replaces the NIST 800-171 certification for smaller suppliers, which is Varpath’s focus.

(General Data Protection Regulation)
Covering European citizen data protection.

If your organization works with data from citizens of the European Union, this regulates all aspects of your business which touch EU citizen data. 

GDPR compliance as a service is available from Varpath

SOC2 Type2
(Systems & Controls 2, Type 2)
An attestation of the fitness of the company from the management team.

The SOC2 is an attestation of the fitness of the company’s systems.  It also is accompanied by a description of a service organization’s design and operating effectiveness of in place controls.

NIST 800-171
(Government Supplier)
Securing & managing the US supply chain.

Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations

NIST 800-53
(Government Supplier)
Controls for  data privacy and protection.

Assessing Security and Privacy Controls in Federal Information Systems and Organizations

ISO 27001/27002
(International Standards Organization)
International Managment Standard.

Internationally known management standard with 114 controls in 14 groups and 35 control categories.

It used to be that only the larger companies needed compliance, but compliance is definitely trickling down supply chains. Companies want to do business with secure partners. If your primary customer base is B2B, you should adopt a standard immediately.

We’ve seen this everywhere. Not just banking, finance, medical, the usual ones you think about. Now we are seeing more requests and business from customers in real estate, legal, communications, marketing, and (before Covid hit), even event venues. This broad play of customers clearly shows that data security is on the rise for all of us after decades of neglect.