By John South, Senior Director of Global Threat Intelligence Development at NTT, Ltd.
When an individual responsible for security, compliance and risk management in a corporation addresses these topics, the first hard step is understanding where to begin. This is indeed a massive task. That individual has a finite group of people, software and hardware to deploy, all to detect malicious actors who probe the company’s networks for weaknesses 24 hours a day. This same individual must also assist in meeting all compliance and regulatory obligations of the company. Lastly, they must serve in the role of internal advisor to departments deploying applications and information technology infrastructure. The company may take advantage of third-party partners or managed security service providers who can contribute to a portion of these tasks, but at the end of the day, that individual and the security operations he or she manages are responsible for the success of protecting the company’s people, assets and most importantly—data.
Where do we begin?
The first step is to understand what it is we are protecting. This may include sensitive data, such as credit card accounts, health records, banking information, or personal identity data. We may need to protect intellectual property, such as the formulary for a new medicine. Or, we may need to provide physical protection for our employees and assets. In many cases, what we are protecting includes all of the above. Combined, these protected assets establish our baseline of risk. What are the factors that may put this data and people at risk? How do we detect malicious activity? And how do we stop it? Most important of all, how do we prevent future activity by malicious actors?
There are many ways to model the security and compliance risks that companies face on a daily basis. A simple approach is to use a formulaic model measuring the probability of a risk occurring, along with an estimate of the probable loss should an asset be compromised. But, let’s face it—it’s quite difficult to accurately estimate either one of these factors. There are applications and third-parties that can assist in building more complex risk models, but what we are looking for are direct factors that present an imminent risk to our operations, our people and our data.
While you could look for the next best security apparatus or rely heavily on your compliance obligations to reduce your risk, for many organizations, the answer is much simpler: implementing good security hygiene will go a long way towards reducing the risk presented to the company. Good security practices include:
- Vulnerability assessment;
- Penetration testing;
- Two-factor authentication;
- Reducing authorization to a minimum number of people;
- Addressing application security;
- Deploying anti-virus software and end-point agents;
- Reviewing logs;
- Ongoing security awareness training; and
- Encryption of sensitive information.
Meeting compliance obligations complements securing the corporation. Many compliance frameworks were designed to provide minimum practices to protect the security and privacy of the data being held by the company. As with security, however, it can be difficult to know how to address multiple compliance obligations effectively. Some companies may need to meet HIPAA requirements, and others, PCI requirements; some need to meet ISO 27001/2; some may need to meet Gramm-Leach-Bliley (GLBA) requirements, and others may need to meet all of the above, and more.
One could gather all the compliance framework requirements into a spreadsheet and begin working through each requirement. But that strategy typically leads to redundancy in inquiries and becomes an inefficient use of people’s time. It’s possible to group similar requirements together, but this is a huge manual effort and could lead to redundancy concerns when new versions of compliance frameworks are released.
A better approach would be to subscribe to a product that references multiple compliance frameworks and regulations. Authority documents for the various compliance obligations are mapped into the Unified Compliance Framework (UCF) and the data is viewed and extracted through the Common Controls Hub (CCH). It simplifies a view of all these compliance requirements in one dashboard, rather than looking at the same controls multiple times to address each individual industry standard or regulation.
The overall best approach to meeting risk and compliance obligations is to engage a Governance, Risk, and Compliance (GRC) tool. These tools integrate risk and compliance into a package that establishes a unified view of the state of identified risk and compliance requirements. These tools follow risk protocols that create your risk register, assign and track mitigation efforts and follow the impact of these on your risk posture. From the compliance side, most of these tools use the UCF, permitting you to view any number of compliance obligations in one dashboard.
The cost of GRC software can range from moderate to very pricey, but there should be an affordable option for just about any business. As such, the business may want to consider hiring a third-party firm that specializes in building and maintaining a GRC environment. In some cases, companies purchase the software, they have the third-party work with them to run the platform and educate the employees who will take over running the tool.
One of the factors that complicate matters when implementing an effective and efficient risk and compliance environment has always been staffing. Specifically, this is a qualified individual who can truly establish and maintain the risk and compliance campaign. Few companies have all the security personnel they really need. Though there may be financial considerations contributing to this problem, often it’s the inability of the security team to develop a business case that prioritizes a quality security, risk and compliance operation. With a fully populated GRC tool, the security team can more effectively leverage their available resources and showcase the need for additional resources. Given the economic impact of a potential compromise, as well as the impact on the company brand, firms should elevate the priority of positioning the right security resources, people and software.
At the end of the day, all our efforts to mitigate risk while meeting our compliance obligations are focused on the No. 1 priority. Protecting valuable data and—more importantly by proxy—the actual people and families who represent this data we’re entrusted to protect.
About the Author
John South is the Senior Director of Global Threat Intelligence Development for NTT, Ltd. South works with NTT’s Threat Intelligence and Incident Response teams to develop policy and strategy to assess and mitigate threats to company assets and employees. He can be reached at firstname.lastname@example.org.