Regulatory Compliance of MidPoint

Last modified 20 Nov 2024 12:41 +01:00

MidPoint is a practical identity governance and administration platform, designed to address real-world challenges. MidPoint deployments are subject to numerous regulations, industry standards and similar specifications. This page provides a summary of regulatory compliance frameworks that are likely to affect midPoint deployments.

International

International Organization for Standardization (ISO) is a prime international standards body, publishing several specifications that affect midPoint deployments.

  • ISO/IEC 27000 Series of standards deal with information security management systems (ISMS), an essential building block of cybersecurity. The standard series describes best practice in the field, providing recommendations and guidance.

    • ISO/IEC 27000 specification provides an introduction and a vocabulary.

      ISO 27000 vocabulary was mapped to midPoint vocabulary to improve understanding. Moreover, some terms of midPoint vocabulary were adapted to standard ISO27000 vocabulary.

    • ISO/IEC 27001 specification is the normative core of 27000 series. It specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Annex A of the specification provides list of concrete information security controls.

    • ISO/IEC 27002 specification provides additional information on best practice and further guidance for implementation and maintenance of information security management system (ISMS). Controls listed in ISO 27001 Annex A are further explained in ISO 27002 document.

  • PCI DSS (PCI DSS 4.0) helps protect the people, processes, and technologies across the payment ecosystem to help secure payments worldwide. It is mandatory to all organizations that participate in the storage, processing, or transmission of cardholder data.

ISO specifications are not regulation or legislation, therefore they are not binding per se. However, several legislative documents and regulations are referencing ISO specification either directly or indirectly (as "industry best practice"). Therefore, ISO specifications form a practical baseline for cybersecurity requirements. Compliance with ISO specifications is required or expected in many legislative and regulatory environments.

ISO specifications are not freely accessible, therefore we cannot link to the documents directly.

European Union

European Union is a global leader in information technology and cybersecurity legislation. There are numerous regulations and directives, many of which have applicability far beyond the boundaries of European community. This page lists the most important legislative acts, focusing mostly on the near future. Many of the acts are at the very beginning of their applicability, or even just being shaped for future use.

  • NIS 2 Directive (2022/2555) specifies requirements for cybersecurity of networks and information systems.

  • Digital Operational Resilience Act (DORA) (2022/2554) is a sector-specific regulation applying to financial sector. It sets rules for financial institutions to follow sound cybersecurity practices, including strict requirements for use of third-party services.

  • Critical Entities Resilience (CER) Directive (2022/2557) deals with resilience of critical entities, such as providers of essential services. CER directive applies broad approach to security and resilience, including both cybersecurity and physical security practices.

  • Cyber Resilience Act (CRA) (2024/2847) is a regulation placing responsibility for security of digital product on manufacturers, integrators and importers rather than users.

  • Product Liability Directive (PLD) (COM/2022/495 final) is a proposed directive that changes the rules of liability for defective products. The directive places liability for defective products on manufacturers, integrators and importers, including liability for software products and cloud services.

  • Artificial Intelligence Act (AIA) (2024/1689) is a proposed regulation on artificial intelligence, specifying limits of acceptable use of AI technologies.

  • Cybersecurity Act (CSA) (2019/881) establishes European cybersecurity certification framework for digital products, services and processes, granting permanent mandate to ENISA.

  • EU Common Criteria (EUCC) (C(2024) 560 final) is a proposal of product cybersecurity certification scheme based on Common Criteria. It is based on framework set up by the Cybersecurity Act (CSA), following principles of ISO/IEC 15408.

  • eIDAS 2.0 (COM/2021/281 final) is a proposed update to European digital identity (eID) framework. It aims at providing secure and trustworthy electronic identification and authentication, including European digital identity wallet.

  • General Data Protection Regulation (GDPR) (2016/679) is a broad regulation dealing with protection of personal data.

Most of the listed regulatory acts are based on EU Cybersecurity Strategy for the Digital Decade, a cybersecurity strategy document published in 2020.

EU legislation primarily applies to the European Union member states. However, as many regulations apply to any entities that participate on European markets, the legislation has much broader applicability. It is perhaps not an overstatement that EU legislation has a global impact. Compliance with EU legislation is applicable to many entities with a global reach.

In addition to legislation and regulation, there are recommendations and best practices:

United States

US National Institute of Standards and Technology (NIST) publishes cybersecurity standards relevant for US environment.

  • NIST Cybersecurity Framework (CSF) (1.1, 2.0) is set of guidelines for mitigating cybersecurity risk. It provides taxonomy of high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize, and communicate its cybersecurity efforts.

  • NIST SP 800-53 (NIST SP 800-53 Rev. 5) - Security and Privacy Controls for Information Systems and Organizations. It is mandatory for all U.S. federal agencies (federal information systems) except those related to national security. It is also applied to government contractors who operate on or manage federal IT networks.

  • NIST SP 800-171 (NIST SP 800-171 Rev. 2) - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Compliance is required for non-federal information systems and organizations that process, store or transmit Controlled Unclassified Information (e.g., contractors for the Department of Defense, General Services Administration, NASA or other federal or state agencies’ supply chain).

  • Gramm-Leach-Bliley Act (GLBA) - requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

  • Health Insurance Portability and Accountability Act (HIPAA) - healthcare organizations (Covered entities) and their employees that have access to PHI (protected health information) and organizations that provide services to covered entities that involve access to PHI.

  • Sarbanes-Oxley Act (SOX) - is required of all companies that are traded publicly in the United States, as well as subsidiaries that are wholly owned. The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption.

US regulation primarily applies to US government and agencies. However, it may apply to entities that deal with US government as well, e.g. US government suppliers. Moreover, NIST publications are considered to describe general best practice, accepted by many organizations and governments globally. Compliance with NIST CSF may be required even outside US environment.

Disclaimer

We provide the information on legislation, regulation and compliance in good faith. However, we are not lawyers, and the globalized international environment can get very complex. It is not easy to determine which regulation or specification applies to specific entities, under which circumstances, and what are the implementation details for a specific environment. Please, take the information provided here with caution. Always seek professional legal advice when in doubt.

Please also note that most compliance requirements apply to organizations, not products. However hard we might try, midPoint cannot guarantee you compliance with any regulation out-of-the-box. This is not how it works. MidPoint, being an identity governance platform, is an essential tool for compliance with almost any cybersecurity regulation. However, midPoint is just one of the tools that you will need to comply with regulations. There will be other tools, as well as policies, processes and practices specific for your organization. We are doing our best to make sure midPoint can help you reach cybersecurity compliance. However, all we can do is help, the task of being compliant is ultimately up to you.

Was this page helpful?
YES NO
Thanks for your feedback