The new year is a perfect time to get organized with your data security and compliance management planning for the year ahead. As a busy CISO, it can feel overwhelming to balance the number of activities that need to be completed against the pressure to get the most done on a tight security budget. However, with some thoughtful planning, you can manage and monitor your compliance program efficiently, reducing stress in the year ahead and beyond.
Without proper planning, you may find yourself unprepared due to outdated training, old policies, and missing assets. This can lead to data breaches, which in 2022 cost an average of $4.35m each. Organizations need to take the time to establish an annual data security and compliance plan to protect their sensitive data and their company reputation.
“Start this new year off by focusing on the basics…identify and classify your data!
I know data/asset management is an age-old issue but it’s something we all need to do. You simply cannot adequately protect what you don’t “see” or know what it is.
It’s tempting for businesses to want to handle everything the same but that’s not a great strategy for most.
Start with your HR data, then your financials or other sensitive internal data. From there, any IP or protected data…
Akin to new year’s resolutions, you just need to start!”
So, how do you get started on your compliance management planning?
Follow these 6 expert tips from the Ostendio Professional Services team.
1. Identify the assets you want to protect
Maintaining a list of assets, their business criticality, and who/where they are is the first step to establishing control over your environment. To do this, start with these steps:
- Identify the systems, data, and people assets that you need to protect.
- Identify the threats to those assets, and prioritize them.
- Identify what you want to do to protect your priority assets from their most significant threats.
2. Identify the activities you need to complete
It is important to establish a list of security activities and the cadence on which they will need to happen in order to meet your compliance requirements. Some activities only need to be done once a year, while others might need to be done quarterly or even monthly. For example, you may only need to do an annual penetration test, but how often do you need to perform internal vulnerability scans? Establishing the list of compliance management activities you need to complete, and when they need to be completed, will be a great starting point for your 2023 compliance program.
Ostendio provides you with a full list of Information Security activities required to achieve a successful data security program. This list includes activities such as:
- Review policies and procedures (including Acceptable Use Policy)
- Complete a risk assessment - this should be done annually
- Review security training - to ensure new employees, as well as current employees, are up to date on all their training
- Test and update your Business Continuity Plan - this should be done on an annual basis to account for any new situations that may occur
- Review regulatory and legal compliance requirements - especially important for organizations that need to consider regulations such as GDPR, CPRA, etc.
- Conduct an inventory of your data assets - data assets change over the year so it is important this document is updated regularly
3. Assign the right people and resources
It is important to ensure you have the right team members in place. This means not only people qualified to be a part of the team but also team members from all departments. You will also need to select the compliance management tools that you will use to support your planning. Selecting a tool that includes risk management as well as data security will help protect your company as you grow.
4. Schedule all your meetings and tasks for the year
It might seem a little early to schedule a meeting in July but by planning ahead of time all your key team members will have the time blocked on their calendars and available for your meetings. It will also allow you to run different assessments at different times of the year to avoid inconvenient times for other departments, such as the accounting department.
5. Document, document, document!
If it is not documented then it didn’t happen. Make sure you have policies and procedures in place to document all your business actions. If you are not sure how to write appropriate policies and procedures, seek expert advice.
6. Plan ahead to future-proof your security program (you’ll thank yourself later)
Identify the frameworks you may want to tackle down the road and use a platform that crosswalks controls between frameworks to get it done. This will save you time in the future when you wish to consider multiple frameworks for your organization. If you are unsure where to start, speak to a security expert for advice on the frameworks that best suit your industry and your needs.
Kevin Brown is the Information Security Officer at Ostendio, and he offers this advice to clients building their compliance management programs: “Security is about more than complying with a framework. Organizations need to work on their data security and risk management planning, and with that discipline, they will develop the policies and procedures necessary to pass complex data security audits. Passing a framework should be a by-product of a successful data security program.”
To learn more about compliance management you should seek expert advice from serious security professionals like the Ostendio Professional Services team.
Ostendio works with companies of all sizes and industries to help them prepare for, and pass complex data security audits. The Professional Services team are security experts who work directly with you to ensure your organization’s security and risk management program protects you in increasingly complex environments where a single breach could spell disaster. Schedule a time to speak to an Ostendio expert and get organized for the year ahead.