Your organization and its risk management leaders face disruptions on multiple levels every day: cybersecurity, privacy, and regulatory demands; targeted and widespread malicious actions and actors; technological weaknesses; organizational apathy; human error; and more. Preparation, assessment, and pragmatic execution of the needed controls are vital to address these disruptions and deliver an effective cybersecurity program.
Here is a list of key control areas that should be well understood, implemented, and assessed regularly so your organization doesn’t fall prey to known or suspected ineffective controls, regulatory sanction, or human error.
- A full and accurate risk assessment is required for any organization using protected electronic data. At least annually and at any significant event, a documented and reported risk assessment is needed and is required by several laws, regulations, and standards. Find a standard (NIST, PCI DSS, SANS, CIS…) that reasonably fits with your organization’s complexity and complete the documented assessments. This is a key report that will drive all of your controls, systems enhancements, budgeting, and many other cyber and data protection factors.
- Increase your focus on the workforce and human elements of security; your users are your best defense if you do, and your worst enemy if you don’t. Least-privilege access controls, training programs, and any other user management controls need to be specific and repeatable. Phishing testing should be a standard process, and those who repeatedly fail the tests should receive advanced training. All workforce members (staff, management, Board, volunteers, etc.) must be trained, and their access must be fully understood and documented.
- Invest in your cyber protection future. Security and risk management performance must be completely aligned with documented security governance efforts so your infrastructure can benefit from being an enabler of, not reactionary to, your organization’s strategic risk management objectives. This will take significant effort, expertise, and understanding along with specific funding that should be separated from any other IT or operational funding so it can be matched to your needed return on protection.
- Form a team now to investigate and document your specific policy and needs for the use of AI. That team needs to be cross functional and include technology, business, compliance, information security, and client facing (internal and external) team members.
- Explore where, and with whom, continuous threat exposure management programs can help you ensure that issues and events are not slipping through the cracks. Managed Detection and Response tools are becoming the norm in many areas and industries and, when implemented effectively, provide a layer of assurance, assessment, and response that is repeatable and metric-based.
- Avoid siloing data sets and assets. Make certain you have a detailed data and asset inventory. Track data and technology assets across business lines. The ability to cross-assess and manage all assets has become the expectation and is required for effective business intelligence, including the effective use of data, retention, classification, compliance, and overall management. You need to be able, on any request, to trace data ownership so you can respond and mobilize controls that reduce the data cyber exposures putting the organization at risk.
- Know who your third- and fourth-party service providers/vendors (TSPs) are and what they are doing to manage, protect, and secure your data. An effective risk management policy and program addressing those TSPs is mandatory for an effective cybersecurity program. All organizations are increasing their dependency on TSPs as a business practice, but your organization’s ownership of cyber risk is not something a business can outsource.
- Use an expert. It should go without saying, but the ability to manage and effectively implement cyber and data protections requires unique skills. A chief information security officer brings that expertise.
- Compliance efforts and audits have greatly increased in complexity, due to new, and often conflicting, requirements arising from new regulations in targeted regions. You should have a team focused on staying abreast of all the changes and what actions, sanctions, and weaknesses have been discovered by your regulators at other organizations so you can add or enhance your needed controls and reporting. Your Compliance Officer is the key member for this team, but not the only one; to be effective, the CISO and General Counsel should at least be on the team.
- Explore how you can integrate cybersecurity outcome-driven metrics as additional operational metrics to help enable cybersecurity’s stakeholders to draw reasonable conclusions for cybersecurity investment and the delivered protection levels that investment generates (ROP). These metrics are central to establishing a defensible cybersecurity investment strategy.
- Build, document, and implement an Information Security Management System (ISMS). The ISMS is a governance program, not just a policy or suite of policies. It covers your cyber footprint and organizational expectations, with the basic tenets of information security built in throughout and encompassing your assets’ confidentiality, integrity, and availability. Every element of the ISMS must be designed to implement one or more of these principles.
FoxPointe Solutions, The Bonadio Group’s Information Risk Management (IRM) division, is a nationwide cybersecurity advisory practice that helps private, public, municipal, and other organizations reduce threats, close gaps, and reduce/manage risk. We are a highly experienced team of dedicated specialists in IT/IS risk management, PCI, HITRUST, penetration testing, cybersecurity, and regulatory compliance (HIPAA to FISMA, GLBA to NYDFS, GDPR to FERPA; State, Federal, and International) within a mega-regional consulting and audit firm. We likewise hold the requisite certifications and industry affiliations within many of the leading information risk management and cybersecurity frameworks and industry associations.
We are a technology/vendor-agnostic firm and as such, the cyber compliance and consulting we provide is unbiased and not influenced by information security hardware or software companies.
Our clients cross all verticals and range in size from sole proprietors and financial institutions to Fortune 50 multinational corporations. Our services help clients strengthen their overall information security posture, taking into consideration controls surrounding people and processes across your administrative, technical, and physical environments. We would be glad to speak to you about any of your needs. Please reach out to Charlie Wood, CISA (email@example.com) or any member of the team!