
How to Build a Proactive Compliance Program with Identity Security
Insights on Nearly 20 Regulations’ and Frameworks’ Security Requirements and How to Address Them
Table of Contents
Introduction 03
Chapter 1: Security Regulations Applicable To Any Industry 04
NIST SP 800-207 Zero Trust Architecture 04
ISO/IEC 27001 05
Payment Card Industry Data Security 05
Sarbanes-Oxley Act Financial Fraud Controls 06
Cybersecurity Maturity Model Certification 07
EU General Data Protection Regulation 07
Meeting Compliance Requirements in Cloud Environments 08
Chapter 2: Financial Sector Regulations 09
SWIFT Customer Security Controls Framework 09
Digital Operational Resiliency Act 09
MAS Technology Risk Management Guidelines 10
Gramm-Leach-Bliley Act 10
SEC Deadlines and the Role of Automation 10
Chapter 3: Healthcare Industry Security Regulations 11
Health Insurance Portability and Accountability Act 11
Health Information Technology for Economic and Clinical Health Act 12
German Federal Data Protection Act 12
Chapter 4: Critical Infrastructure Security Regulations 13
EU Network and Information Systems (NIS2) Directive 13
German Critical Infrastructure Regulation 14
French Military Programming Law 14
Australian Critical Infrastructure Security Act 15
Singapore Cybersecurity Act 15
Strengthen Your Compliance Initiatives with CyberArk 16

2
13 How to Build a Proactive Compliance Program with Identity Security
Introduction

Complying with data privacy and security regulations is a challenge for most organizations. As the requirements
evolve, teams like yours must apply time and resources toward:
• Ensuring IT systems and practices conform with applicable government and industry standards.
• Tracking requirements, instituting the right controls and reporting mechanisms and handling security audits.

You can streamline compliance initiatives, simplify audits and mitigate risk by implementing a comprehensive
identity security strategy to closely monitor and control access to IT systems and applications.

This eBook reviews nearly 20 global regulations and frameworks such as DORA, NIS2 and GDPR, with details on their
security-focused requirements. In each section, you’ll find insights on controls and strategic approaches that can
help you meet global audit and compliance standards. We’ll begin with examples applicable to any industry and
continue with sector-specific regulations and frameworks, including those focusing on critical infrastructure.

The stakes of compliance are high, as regulatory violations can result in stiff penalties. For example:
• Regulatory non-compliance increased the average cost of a data breach by $218,915 to a total of $4.67 million in 2023.¹
• Enterprises with high levels of non-compliance saw the average cost rise 12.6% to $5.05 million.²
• The EU’s NIS2 introduces stricter penalties for non-compliance than the original NIS directive, including fines of
up to 10% of an entity’s annual turnover.
• The U.S. Health Information Technology for Economic and Clinical Health regulation imposes penalties of up to
$1.5 million for compliance violations in multiple categories per year.
• Executives can be fined up to $5 million and sentenced to up to 20 years in prison for breaking Sarbanes-Oxley rules.

¹ ² IBM, “Cost of a Data Breach Report,” 2023

Chapter 1: Security Regulations Applicable To Any Industry
NIST SP 800-207 Zero Trust Architecture
Across the U.S. federal government and regulated industries, many security teams are required to comply with
National Institute of Standards and Technology (NIST) guidelines.

NIST Special Publication (SP) 800-207 defines a modern enterprise cybersecurity architecture based on Zero Trust
principles, and it is emerging as the de facto standard for Zero Trust architecture globally.

As an example, U.S. federal government agencies are required by executive order to adopt NIST SP 800-207. And
many private-sector organizations across the world are following suit. Two things to keep in mind about Zero Trust
architecture and approaches:
• They’re specifically intended to protect contemporary IT environments in which organizations run workloads in
the cloud as well as in enterprise data centers, and users access applications from anywhere.
• Organizations should assume all users and devices are implicitly untrusted and must be authenticated,
authorized and continuously validated regardless of their location or network.

Comprehensive identity security controls are central to the NIST SP 800-207 framework. For example, the NIST spec
mandates locking down privileged accounts (e.g. IT admins) and using multi-factor authentication (MFA) and other
security controls to prevent unauthorized access to critical systems and data. Since not all authentication types are
equally secure, NIST offers guidance for selecting the most effective MFA methods. In its SP 800-63 guidelines, NIST
provides best practices for authenticating users such as employees and third-party contractors – who don’t fall into
the textbook definition of privilege, but often have high-risk access to sensitive resources.

NIST Guidance for Securing Identities Interwoven in Software Development
NIST also provides guidance on securing the ecosystem of human and non-human identities inherent to software
development. In its updated Secure Software Development Framework (SSDF) 1.1, NIST offers best practices for
securing software from unauthorized access and tampering. This includes the critical need to manage secrets used
by applications, scripts and other non-human identities across DevOps environments and CI/CD pipelines.

ISO/IEC 27001
ISO/IEC 27001 is an internationally recognized standard for building and managing an information security
management system (ISMS) comprising policies and controls for protecting sensitive data – with a focus on
confidentiality, integrity and availability.

The standard applies to organizations of various industries, regions and sizes, with best practices on vetting people,
processes and technology through rigorous assessment. ISO 27001 advocates ensuring that only the right people
can access information held by an organization, aligning with the principle of least privilege.

Developed by the International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC), the standard can apply to any identity with access to sensitive resources. For example,
organizations should apply controls not only for external threats, but for everyday staff members who have the
ability to accidentally, or purposely, damage customer data.
Recognizing that data security applies to any environment, ISO calls out the need to secure information in all forms,
including data that is cloud-based or entrusted to third parties.
Payment Card Industry Data Security Standard (PCI DSS)
Payment card data was compromised in 37% of breaches in 2022 – higher in sectors such as hospitality (41%).¹
What’s more, threat actors keep innovating: 18% of attacks on e-commerce businesses entailed malicious code
embedded in card processing webpages.² Recognizing these evolving threats, a new version (4.0) of the Payment
Card Industry Data Security Standard (PCI DSS) will build on existing requirements for protecting credit and debit
cardholders’ privacy.

If your business accepts major credit cards and stores, processes or transmits cardholder data electronically, you
must follow the PCI DSS v4.0 guidelines, which are a global standard. PCI DSS specifies organizations must follow
strong access control measures to prevent threat actors from breaching IT systems and stealing confidential
cardholder data.

Why Identity Security Begins with Privileged Access Management (PAM)
Privileged accounts represent one of the greatest security vulnerabilities any organization faces today. Why? Because
they’re fundamental for managing IT infrastructure (on-premises and in cloud environments) and for administering
applications. Threat actors often exploit these accounts and the privileges they enable. Not surprisingly, many
regulations require organizations to adopt robust PAM controls to protect against breaches and data theft. And
given that any identity can become privileged based on what it can access, it’s up to you to interpret mandates for
a broader scope of human and non-human identities, including developers and the applications they create.

¹ ² Verizon, “2023 Data Breach Investigations Report,” 2023

PCI DSS - Continued
Key PCI DSS requirements include:
• Assigning access to system and cardholder data on a need-to-know basis and defining access
requirements by role.
• Employing controls for logging, tracking and monitoring all access to system data and components.
• Ensuring vendor-supplied default passwords and configurations are removed and/or replaced.
• Closely monitoring and controlling access to all administrative accounts on point-of-sales terminals and any
systems processing or storing cardholder data.

Sarbanes-Oxley Act Financial Fraud Controls
The Sarbanes-Oxley Act (SOX) is a U.S. federal law intended for U.S. public companies to establish and maintain an
adequate internal control structure, including controls over financial reporting, and to fight financial fraud. Section
404 of the Act describes internal controls businesses must put in place to detect and prevent the types of failures
and fraud that have resulted in substantial financial losses. SOX directs corporations to institute appropriate
security measures to prevent unauthorized access to IT systems and safeguard confidential data.

This includes accountability for which identities – including those of highly privileged IT users – access your
systems, as well as the specific actions they take.

However, when taking a holistic identity security view of SOX, it becomes clear that high-risk access also entails
everyday staff members who interact with customers’ financial accounts and process transactions (think: bank
employees, financial advisors, customer service representatives and more).

On a related note, the Securities and Exchange Commission (SEC) adopted rules in July 2023 requiring companies
to make timely disclosure of material cybersecurity incidents, as well as annual disclosure of information regarding
cybersecurity risk management, strategy and governance.

The Connection Between Strong Controls and Strong Compliance
An integrated identity security approach, centered on protecting any identity – human or non-human – with access
to sensitive resources, can help you:
1. Comply with frameworks and regulations by restricting access to any identities that malicious insiders and
external threat actors can exploit – be it to steal data, commit fraud or disrupt operations.
2. Streamline audits by helping you demonstrate security controls efficiently, while ensuring accountability for
your identities’ access and actions.
3. Rapidly retrieve detailed log records or session recordings of users ranging from IT admins to rank-and-file
employees, to demonstrate compliance.
There’s a direct link between strong controls and strong compliance. Having the right capabilities for discovering,
securing and reporting high-risk access can help you meet regulatory demands.

Cybersecurity Maturity Model Certification (CMMC)
Organizations that wish to participate in the Department of Defense (DoD) supply chain must meet a cumulative
set of processes and practices to certify they meet the appropriate standard level within the CMMC framework.
Key CMMC requirements include Access Control stipulations such as:
• Managing and enforcing access rights.
• Authorizing and restricting access to information.
• Ensuring secure account creation and assignment.
• Determining when and how privileged and non-privileged credentials should be used.

Related CMMC Audit and Accountability requirements involve determining audit events and ensuring those events
are adequately recorded and analyzed, and that the audit records are reliable and protected. Additional CMMC
requirements for Asset Management, Configuration Management, Identification and Authorization and Incident
Response also stress the need for PAM controls and an identity security mindset. Bear in mind that, when it comes
to data security, CMMC focuses on confidentiality. In today’s regulatory landscape, it’s important for organizations
to also focus on data integrity and availability.

EU General Data Protection Regulation
The General Data Protection Regulation (GDPR) is European Union legislation that aims to strengthen and unify data
protection for individuals within the EU. However, GDPR is not limited to EU-based companies; any organization
offering consumer goods or services in the EU must comply with GDPR.

GDPR Article 25 is rooted in the principle of least privilege, which requires that all identities have the minimum
permissions necessary to perform their duties. The article stipulates businesses must proactively implement
“technical and organizational measures for ensuring that, by default, only personal data which are necessary for
each specific purpose… are processed.”

In other words, organizations must proactively restrict unnecessary access to personal data. This applies of course to
privileged IT users and accounts within on-premises use cases. However, GDPR-regulated organizations must also
address the risks of excessive, unused and misconfigured permissions in the cloud, which attackers often exploit.

“An integrated identity security approach can help you comply with regulations such as GDPR by applying intelligent
privilege controls to any identity with high-risk access to sensitive data.”



Meeting Compliance Requirements in Cloud Environments
The proliferation of identities in organizations’ cloud environments adds another dimension to complying with
frameworks and regulations. Every human and non-human identity in a cloud environment can be configured with
thousands of different permissions to access workloads containing sensitive data.

Excessive, unused and misconfigured cloud permissions expose organizations to the risk of data breaches – and
regulatory fines. The average cost of a data breach is $4.45 million. That cost increases when a breach involves
data stored in the public cloud ($4.57 million) or across multiple environments ($4.75 million).⁵

An attacker controlling an identity with excessive cloud permissions can establish an easy path toward stealing data,
installing ransomware and more. One way to mitigate these risks: apply Zero Standing Privileges (ZSP), which entails:
• Enforcing real-time least privilege in the cloud by granting only the relevant permissions a user needs – and
only when needed – to accomplish a given task.
• In turn, reducing the impact of an attack: if a threat actor takes over an account, their options would be
extremely limited without admin-level access.

Some regulations like ISO/IEC 27018 (the international standard for protecting personal information, or PII, in cloud
storage) make it clear that securing access to sensitive resources in the cloud is imperative. Other regulations may
not explicitly discuss cloud use cases. Regardless, high-risk access – in all environments – requires fierce
protection.

The Case for Cloud Compliance
Your organization may have a solid program for reporting on privileged access among a defined group of IT admins.
And you might be meeting requirements for on-prem environments. But now it’s time to apply compliance best
practices to the cloud.
• 80% – That’s the percentage of IT leaders now adopting the hybrid cloud.³ It’s also the percentage of breaches
involving data stored in public, private and/or multi-cloud environments.⁴
• 99% – Security decision-makers who say they’ll face an identity-related compromise in the year ahead.⁶
• No. 1 reason – Transformational initiatives such as cloud migrations.⁷
• 40,000 – Different access controls entailed in the 1,400 native services offered via the 3 top cloud service
providers.⁸
• $4.57 million – Average cost of a data breach involving data stored in public cloud.⁹
• 45-to-1 – Ratio of non-human to human identities – at a time when all identities require protection.¹⁰

³ The Identity Defined Security Alliance, “2022 Trends in Securing Digital Identities,” 2022
⁴ ⁵ ⁹ IBM, “2023 Cost of a Data Breach Report,” 2023
⁶ ⁷ CyberArk, “2023 Identity Security Threat Landscape Report,” 2023
⁸ CyberArk, “PAM and Cloud Security: The Case for Zero Standing Privileges,” 2023
¹⁰ CyberArk, “2022 Identity Security Threat Landscape Report,” 2022

Chapter 2: Financial Sector Regulations

SWIFT Customer Security Controls Framework
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Controls Framework
(CSCF) is intended to secure global finance and banking systems infrastructure and data.

The framework, updated in 2023, is designed to safeguard IT environments, control access to systems, and detect
and respond to anomalous activity. Any financial services institution that is a member of the SWIFT interbank
messaging network must demonstrate CSCF compliance annually.

Strong PAM controls are a fundamental CSCF requirement. In fact, SWIFT CSCF Control 1.2 explicitly states:
“Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is
controlled, monitored, and only permitted for relevant activities such as software installation and configuration,
maintenance, and emergency activities. At all other times, an account with least privilege access is used.”

SWIFT members are also required to securely store authentication credentials, implement MFA for remote access,
and – focusing on the cloud – secure virtual infrastructure and VMs hosting SWIFT-related components.

Digital Operational Resiliency Act (DORA)
DORA is designed to enhance the digital operational resilience of EU member states’ financial sector. Given the
financial sector’s role as a key EU critical infrastructure operator, DORA’s requirements are meant to help
organizations withstand and recover from cyberattacks.

The act aims to harmonize and tighten requirements for EU financial firms, as the current landscape entails myriad
regulations and standards. With DORA, the EU financial sector will have a binding, comprehensive risk management
framework for information and communication technology (ICT).

Of note, DORA also applies to third parties that provide EU financial firms with ICT systems and services, including
cloud service providers. The act calls for financial institutions to develop ICT third-party risk strategies and conduct
due diligence to vet providers’ suitability.

Overall, DORA’s requirements include:
• Conduct recurring security and resilience tests, and “fully address” identified vulnerabilities.
• Employ solutions and controls for areas such as identity and access management and threat detection and response.
• Establish approaches for monitoring, managing and reporting ICT incidents.
• Overall, ensure resilience to the point you have a plan for rebuilding after a serious attack, which begins with
identity – especially in cloud use cases.

Accountability and Security for All Identities – SWIFT Reflects the Evolving Nature of Privilege
Also essential for SWIFT compliance: applying least privilege to any workforce user who can access and take high-risk
actions with sensitive resources. Consider a bank employee’s power to view, change or disseminate customers’ data – or
process high-value financial transactions. That’s privilege, delegated across the business. Foundational PAM controls
such as session monitoring can help organizations mitigate risk for any identity. The evolving nature of privilege
requires organizations to secure SWIFT infrastructure users (those who build, maintain and secure SWIFT systems) and
end users (those who log into SWIFT for processing transactions). As part of an identity security approach, you can use
PAM solutions to implement mandatory CSCF controls, simplify attestation and demonstrate compliance.

MAS Technology Risk Management Guidelines
The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines are a collection of best
practice standards intended to help financial institutions strengthen cybersecurity and mitigate risk. TRM
guidelines apply to all financial services companies licensed to do business in Singapore and their service
providers, including banks, insurance companies, brokers and dealers, credit card companies and investment firms.
Some financial services firms that don’t do business in Singapore are also adopting the TRM recommendations.

The TRM framework includes guidelines for authenticating and authorizing users, controlling access to IT
infrastructure and assets, and managing privileges. TRM guidelines recommend financial institutions conduct
periodic, independent audits to verify compliance.

PAM controls, as part of an integrated identity security approach, can help you simplify audits and satisfy the TRM
privileged access management guidelines by locking down privileged accounts, monitoring privileged account
activity and identifying anomalous privileged activity symptomatic of a cyberattack.

Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law requiring companies that offer consumers financial
services (e.g. loans, investment advice or insurance) to explain their information-sharing practices and safeguard
sensitive data. Companies covered by GLBA must follow the relevant U.S. Federal Trade Commission (FTC)
guidelines for protecting non-public personal information (NPI). Informally known as the Safeguards Rule, these
guidelines specify a variety of authentication and access requirements to prevent unauthorized NPI disclosure or
modification. PAM controls can help you comply with GLBA in general, and the FTC Safeguards Rule in particular, by
controlling access to the privileged accounts threat actors often use to steal or modify NPI.

SEC Deadlines and the Role of Automation
As new regulations emerge, how can IT security teams meet requirements and deadlines, despite a lack of bandwidth,
staffing and time? For example, research shows that the mean time for organizations to identify a data breach is
204 days.⁵ And yet, the SEC now requires public companies to report attacks within four days of determining an
incident is “material.”

Here’s one way to regain time. Enterprises can apply automated capabilities to replace resource-intensive, manual
tasks that often bog down IT security teams. This includes automating governance processes to ensure checks and
balances are in place to maintain compliance. For example:
• Continuously enforcing least privilege with access reviews and certifications scheduled for recurring dates.
• Integrating access certification processes with your PAM program and generating detailed logs and reports for audits.
• Continuously discovering which identities have access to specific privileged accounts and sensitive resources.

The SEC rule also requires public companies to describe the processes for assessing and identifying risk from cyber
threats. A strategy centered on identity security can help organizations demonstrate just that.

⁵ IBM, “Cost of a Data Breach Report,” 2023

Chapter 3: Healthcare Industry Security Regulations

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. regulation including privacy and
security rules to safeguard protected health information (PHI) in electronic health records (EHRs),
computerized physician order entry (CPOE) platforms and other healthcare IT systems.

Any U.S. healthcare provider, plan administrator or clearinghouse that stores or transmits PHI electronically
must comply with the HIPAA Security Rule. More specifically, healthcare organizations must ensure the
confidentiality, integrity and availability of PHI, and protect against unauthorized disclosure and improper use
of PHI.

The Privacy Rule also specifies the need to restrict all access to PHI to the “minimum necessary” standard,
very much akin to least privilege access. The Privacy Rule specifies covered entities “must develop and
implement policies and procedures that restrict access and uses of protected health information based on
the specific roles of the members of their workforce.”

PAM solutions accelerate compliance with these rules by implementing tight approval workflows that control
the use of all privileged accounts used to read or modify PHI. These are the precise identities bad actors
often target.

As healthcare organizations move to the cloud, it’s essential to apply visibility and controls for least privilege
access in cloud environments. This applies to identities – human and machine – involved in developing
healthcare applications that interact with cloud-hosted PHI.

Some healthcare organizations may also be required to comply with critical infrastructure cybersecurity
guidelines described in Chapter 4.

How PAM Helps Improve Compliance Programs
Privileged access management (PAM) can help you strengthen security and reduce risk by improving visibility and
control over privileged account credentials, isolating and monitoring privileged sessions, and auditing privileged
account activity.

PAM controls and capabilities can help you address various aspects of the data privacy and security regulations
described in this eBook by:
• Maintaining strict governance over privileged accounts to defend against cyberattacks and protect against data
theft and abuse.
• Providing detailed reporting on privileged account information and usage, simplifying compliance audits and
risk assessment exercises.
• Automatically detecting anomalous privileged activity to identify in-progress attacks in real time, accelerate
incident response and simplify incident reporting.
• Mitigating the fact that many users can see and/or take actions with sensitive data – but shouldn’t be able to.
These identities are prime targets for attackers.

HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act is a U.S. law enacted to promote
and expand the adoption of health information technology in general, and electronic healthcare records in
particular. Sometimes informally referred to as HIPAA 2.0, the law strengthens the enforcement of HIPAA privacy
and security rules by significantly increasing penalties for compliance violations.

In addition, the HITECH Act mandates the Department of Health and Human Services (HHS) periodically audit
covered organizations’ compliance with HIPAA privacy and security rules. PAM solutions can help your organization
adhere to the HIPAA Security Rule, streamline HITECH audits and protect against unauthorized PHI disclosure and
costly penalties.

German Federal Data Protection Act
The Federal Data Protection Act or Patientendaten-Schutz-Gesetz (PDSG) is a German law intended to safeguard
electronic patient records and e-prescription workflows. Any healthcare institution, insurance provider or
pharmacy that is part of German healthcare and processes patient information or prescribes medications must
adhere to PDSG.

More specifically, organizations must take precautions to safeguard the availability, integrity and confidentiality of
patient data and protect against both internal and external data exfiltration. PAM solutions can help you comply
with PDSG by controlling access to the administrative accounts malicious insiders and external threat actors often
exploit to steal or manipulate electronic patient records and prescription data.

Chapter 4: Critical Infrastructure Security Regulations
EU NIS2 Directive
The EU adopted a new version of the Directive on Security of Network and Information Systems (NIS) in January 2023.
Building upon NIS’ original guidelines for securing IT infrastructure and reporting incidents, NIS2:
• Includes a broader range of sectors – for example aerospace firms, cloud service providers and social media
companies join the existing list, which includes critical infrastructure operators (e.g. energy, healthcare, water).
• Places critical importance on securing supply chains – enterprises must assess risk and secure their IT supply
chains and third-party supplier relationships.

Similar to ISO/IEC 27001, NIS2 requires building an information security management system (ISMS) that assesses
people, policies and technology, to protect sensitive resources and ensure operational resiliency.

As a general rule, all operators of essential services are advised to implement strong identity and access
management controls, including robust PAM controls to defend against cyberattacks. For example, PAM solutions
help satisfy NIS2 requirements by improving visibility and control over privileged account credentials, isolating
privileged sessions and auditing privileged activities.

In light of NIS2’s focus on supply chains, organizations should extend key PAM principles and controls toward
securing access for vendors and suppliers, as well.

Regional Versions of NIS2 in Play
EU member states must transpose NIS2 into their own national legislation. Germany, Switzerland and the Netherlands
are examples of countries creating their own laws, interpreted for organizations in their regions.

German Critical Infrastructure Regulation
The Critical Infrastructure Regulation is intended to improve the resiliency of essential infrastructure in the
Federal Republic of Germany. The current version (KritisV) builds upon the EU NIS Directive. The forthcoming NIS2
enhancement – expected to be in force in Germany by the end of 2023 – will apply not only to essential service
providers such as utilities, healthcare and financial firms, but also to:
• The supply chains of companies falling under NIS2.
• The government itself.
• Many more industries and sizes of business.
It is expected that almost all enterprise-size companies need to comply with this directive given the broad approach.

An identity security approach can help you comply with the Kritis/NIS2 regulation by controlling access to the
privileged accounts attackers often use to target critical infrastructure IT systems. For example, Kritis advises
operators of critical infrastructure to implement robust PAM controls and monitoring solutions to defend against
cyberattacks, ransomware and other malicious acts.

French Military Programming Law
The French Military Programming Law (MPL) includes provisions for strengthening cybersecurity and protecting
critical infrastructure. The MPL builds upon the EU NIS Directive, requiring operators of essential services
(utilities, food services, financial services organizations, healthcare providers, etc.) to comply with French
National Cybersecurity Agency (ANSSI) recommendations for securing the administration of IT systems.

The ANSSI recommendations include guidelines for identifying and authenticating privileged users and securing
administrative flows. A key example: PAM solutions can help you adhere to these guidelines by isolating privileged
sessions, tightly controlling and monitoring privileged account access, and securing and rotating privileged
account credentials.

As organizations increase cloud adoption, it’s essential to secure non-human identities that rely on secrets to access sensitive resources.
Here are some best practices for compliance relevant to DevOps:

• Centralize and consistently manage, rotate and audit secrets across cloud and hybrid environments.

• Monitor, assess and develop comprehensive audit trails for non-human identities.

• Discover, certify, and report on non-human identities’ access to data, e.g. customer, employee and patient data.
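The three DevOps practices above (centralized rotation, an audit trail for non-human identities, and reporting on their access to classified data) can be made concrete with a small model. The following is an added illustration and is not CyberArk code or the ebook's own material; the store, the identity and secret names, the 90/30-day rotation policies and the data classifications are constructed assumptions.

```python
"""Added example (not from the CyberArk ebook): an in-memory model of a
centralized secrets store for non-human identities that rotates secrets past
their maximum age, records every access or rotation in an audit trail, and
reports which identity can reach which class of data. All names, policies and
sample data below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Fixed "current time" so the demo is reproducible (constructed).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


@dataclass
class Secret:
    name: str
    value: str
    created: datetime
    max_age: timedelta          # rotation policy for this secret
    data_classes: frozenset     # e.g. {"customer", "patient"}
    version: int = 1


@dataclass
class AuditEvent:
    when: datetime
    identity: str
    action: str                 # "read", "denied" or "rotate"
    secret: str
    version: int


class SecretStore:
    def __init__(self):
        self._secrets = {}
        self._grants = {}       # identity -> set of secret names it may read
        self.audit = []         # append-only audit trail

    def add_secret(self, name, value, created, max_age, data_classes):
        self._secrets[name] = Secret(name, value, created, max_age, frozenset(data_classes))

    def grant(self, identity, secret_name):
        self._grants.setdefault(identity, set()).add(secret_name)

    def read(self, identity, secret_name, now):
        """Every read, successful or denied, leaves an audit record."""
        s = self._secrets[secret_name]
        if secret_name not in self._grants.get(identity, set()):
            self.audit.append(AuditEvent(now, identity, "denied", secret_name, s.version))
            raise PermissionError(f"{identity} is not entitled to {secret_name}")
        self.audit.append(AuditEvent(now, identity, "read", secret_name, s.version))
        return s.value

    def due_for_rotation(self, now):
        """Secrets whose age meets or exceeds their policy."""
        return sorted(n for n, s in self._secrets.items() if now - s.created >= s.max_age)

    def rotate(self, secret_name, now, actor="rotation-job"):
        s = self._secrets[secret_name]
        s.value = secrets.token_urlsafe(32)   # new random value, old one discarded
        s.created = now
        s.version += 1
        self.audit.append(AuditEvent(now, actor, "rotate", secret_name, s.version))
        return s.version

    def access_report(self):
        """Certification view: which identity reaches which data classes via which secrets."""
        report = {}
        for identity, names in self._grants.items():
            classes = set()
            for n in names:
                classes |= self._secrets[n].data_classes
            report[identity] = {"secrets": sorted(names), "data_classes": sorted(classes)}
        return report


def demo():
    """Populate the store with constructed data and run one rotation cycle."""
    store = SecretStore()
    store.add_secret("db-prod", "p@ss-old", NOW - timedelta(days=120),
                     timedelta(days=90), {"customer", "employee"})
    store.add_secret("api-billing", "tok-1", NOW - timedelta(days=10),
                     timedelta(days=30), {"customer"})
    store.grant("ci-runner", "db-prod")
    store.grant("billing-svc", "api-billing")
    store.read("ci-runner", "db-prod", NOW)
    try:
        store.read("billing-svc", "db-prod", NOW)    # not entitled: audited and refused
    except PermissionError:
        pass
    due = store.due_for_rotation(NOW)                # ["db-prod"] (120 days > 90-day policy)
    for name in due:
        store.rotate(name, NOW)
    return store, due


if __name__ == "__main__":
    store, due = demo()
    print("rotated:", due)
    for e in store.audit:
        print(e.when.isoformat(), e.identity, e.action, e.secret, "v%d" % e.version)
    print(store.access_report())
```

The point of the model is that rotation, entitlement checks and reporting all read from one place, so the audit trail and the access report stay consistent with what the secrets actually are; a denied read is recorded just like a successful one, which is what an auditor will ask to see.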

Australian Critical Infrastructure Security Act
The Security of Critical Infrastructure Act is intended to protect essential infrastructure against cyber threats. The Act applies to 11 sectors including entities involved in communications, data storage or processing, defense, energy, financial services, food and grocery, healthcare, higher education and research, space technology, transportation, water and sewage.

The Act requires entities responsible for critical infrastructure assets to report critical cybersecurity incidents to the government within 12 hours of detection. A strategic approach centered on securing identities with high-risk access can help you comply with the Act by monitoring privileged account activity and detecting unusual behavior symptomatic of a cyberattack.

Singapore Cybersecurity Act
The Singapore Cybersecurity Act aims to protect Critical Information Infrastructure (CII) against cyberattacks. The Act is applicable to organizations in the energy, water, banking and finance, healthcare, transportation, media, security and emergency services, and government sectors. It requires operators of CII to adhere to best practices and standards directives issued by the government, to report cybersecurity incidents to the government, and to conduct regular cybersecurity audits and risk assessments.

PAM solutions can help you comply with the Act by monitoring privileged accounts, detecting anomalous privileged activity, and supporting government privileged access management best practices and standards directives as they emerge. PAM solutions also provide centralized usage and entitlement reports for each privileged account to help streamline audits.
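Both Acts above rest on the same operational capability: reviewing privileged account activity against a baseline, flagging what falls outside it, and tracking the clock on incident reporting. The following is an added illustration, not CyberArk code or the ebook's own material. The log format, the per-account baselines (expected jump hosts and business hours), the account and host names and the "high-risk action" list are constructed assumptions, and the event timestamp is treated as the detection time for the 12-hour window.

```python
"""Added example (not from the CyberArk ebook): a small detector that reviews
constructed privileged-session audit records against a per-account baseline
and attaches the 12-hour reporting deadline that the Australian Security of
Critical Infrastructure Act sets for critical incidents. Log format, baselines
and names are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed sample records: "<ISO time> <account> <source-host> <target> <action>"
SAMPLE_LOG = """\
2024-01-15T09:12:00Z svc-backup bastion-01 scada-hist-01 session.start
2024-01-15T09:40:00Z svc-backup bastion-01 scada-hist-01 session.end
2024-01-15T14:05:00Z admin.jlee bastion-02 plc-gw-03 session.start
2024-01-16T02:47:00Z admin.jlee laptop-unknown plc-gw-03 session.start
2024-01-16T02:49:00Z admin.jlee laptop-unknown plc-gw-03 credential.export
"""

# Constructed per-account baseline: permitted jump hosts and business hours (UTC, [start, end)).
BASELINE = {
    "svc-backup": {"hosts": {"bastion-01"}, "hours": (0, 24)},   # scheduled job, any hour
    "admin.jlee": {"hosts": {"bastion-01", "bastion-02"}, "hours": (7, 19)},
}
HIGH_RISK_ACTIONS = {"credential.export", "policy.change"}
REPORTING_WINDOW = timedelta(hours=12)   # statutory window from detection (assumption: detection == event time)


def parse(log: str):
    """Turn the whitespace-separated records into dicts with timezone-aware timestamps."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, host, target, action = line.split()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "account": account, "host": host, "target": target, "action": action,
        })
    return events


def findings_for(event):
    """Reasons this event departs from the account's baseline (empty list if none)."""
    base = BASELINE.get(event["account"])
    reasons = []
    if base is None:
        reasons.append("unknown privileged account")
    else:
        if event["host"] not in base["hosts"]:
            reasons.append(f"unexpected source host {event['host']}")
        start, end = base["hours"]
        if not (start <= event["time"].hour < end):
            reasons.append("outside business hours")
    if event["action"] in HIGH_RISK_ACTIONS:
        reasons.append(f"high-risk action {event['action']}")
    return reasons


def detect(log: str):
    """Flagged events, each with its reasons and the latest time a report is due."""
    flagged = []
    for ev in parse(log):
        reasons = findings_for(ev)
        if reasons:
            flagged.append({**ev, "reasons": reasons, "report_by": ev["time"] + REPORTING_WINDOW})
    return flagged


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["time"].isoformat(), f["account"], f["action"],
              "|", "; ".join(f["reasons"]), "| report by", f["report_by"].isoformat())
```

Running it on the constructed log leaves the scheduled backup sessions and the daytime administrator session alone, and flags the two early-morning events from an unrecognised host, the second of which is additionally a high-risk action. A real deployment would derive the baseline from observed session history rather than a hand-written table, but the review logic and the deadline arithmetic are the same.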

PAM controls, when deployed in conjunction with other security solutions and best practices, can help your team:

• Satisfy audit and compliance requirements for government and industry regulations.

• Improve your bottom line and help you avoid costly financial penalties.

Streamline Compliance Initiatives with CyberArk
CyberArk Privileged Access Management (PAM) solutions provide foundational controls for safeguarding and auditing privileged access across on-premises, cloud and hybrid environments. Our solutions can help you satisfy stringent compliance and audit requirements by efficiently managing privileged credentials, and closely tracking and controlling their usage. CyberArk PAM solutions proactively monitor privileged access activity, helping you quickly detect and respond to actions symptomatic of an attack.

In addition, CyberArk PAM solutions:

• Are an essential part of the CyberArk Identity Security Platform. Centered on intelligent privilege controls, the platform seamlessly secures human and machine identities accessing workloads from hybrid to multi-cloud, and flexibly automates the identity lifecycle, all with continuous threat detection and prevention – protecting organizations’ identities and most critical assets by enabling Zero Trust and enforcing least privilege.
• Support adaptive multi-factor authentication (MFA) for an added layer of security. Adaptive MFA provides positive confirmation of a privileged user’s identity and mitigates credential theft by requiring two or more distinct forms of identification, such as a password and a fingerprint. Security standards like PCI DSS, SWIFT CSCF and NIST frameworks mandate MFA for remote privileged access.
• Are available as a SaaS solution (known as CyberArk Privilege Cloud) or a self-hosted software deployment. CyberArk Security Services teams are available to implement PAM solutions quickly with expertise garnered from over 8,000 customer deployments. CyberArk can help resource-constrained teams close compliance gaps quickly and achieve rapid time-to-value.

Watch our webinar, “How to Achieve Continuous Audit and Compliance with PAM.”

Contact us to schedule a meeting to discuss your organization’s needs.

Three Areas Where an Identity Security Approach Can Help Organizations Meet Compliance Requirements

1. Seamless and Secure Access for All Identities
• Discover, certify and gain visibility into users’ access rights and activity across the entire enterprise.
• Apply SSO and MFA controls to maintain compliance with key regulations.
• Audit and monitor high-risk web sessions.
• Ensure identity information is up to date with seamless HRIS system integrations.
• Collect, analyze and visualize behavioral insights in real time with user behavior analytics.

2. Intelligent Privilege Controls
• Leverage a unified platform to meet compliance requirements for credentials and secrets management.
• Report on adoption of PAM controls with PAM telemetry.
• Gain visibility with comprehensive audit trails of privileged sessions and day-to-day privileged user actions.
• Streamline audit reviews with risk scoring of privileged sessions.
• Meet cyber insurance requirements for internal and third-party privileged access and endpoint privilege security.
• Adhere to industry-standard risk frameworks across human and machine identities.
• Integrate PAM with additional audit, compliance and response tools.
• Consistently audit and monitor both standing and just-in-time access and privileged actions across hybrid cloud environments.

3. Flexible Identity Automation and Orchestration
• Integrate with human resources information systems (HRIS) to ensure consistent and up-to-date entitlements based on employee lifecycles.
• Federate access to applications and services.
• Automate identity management through no-code app integrations and workflows for identity data and events.
• Discover, certify and report on access to apps and resources secured through the identity security platform to meet compliance requirements.

CyberArk is the global leader in identity security. Centered on intelligent privilege controls, CyberArk provides the most comprehensive security offering for any identity — human or
machine — across business applications, distributed workforces, hybrid cloud workloads and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help
secure their most critical assets. To learn more about CyberArk, visit www.cyberark.com, read the CyberArk blogs or follow us on Twitter via @CyberArk, LinkedIn or Facebook.

©Copyright 2024 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of
CyberArk Software. CyberArk®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and
other jurisdictions. Any other trade and service names are the property of their respective owners.

CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is
subject to change without notice.

THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED, INCLUDING WARRANTY
OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE. IN NO EVENT SHALL CYBERARK BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND
IN PARTICULAR CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR
LOSS OF USE, COST OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA ARISING FROM USE OF OR IN RELIANCE ON THIS PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. | U.S., 01.24 Doc: TSK-5443
