It feels great to get to the point where you have built a cybersecurity program for your business. As a CISO you got the executive buy-in, everyone has backed the need for a data security and risk management program and you feel a sense of accomplishment. You’ve spent time involving the whole organization to build the program and now you can relax - wait, not yet! This is when the real work begins as you have to successfully run your data security program.
Building an effective data security and risk management program is just the start of your cybersecurity journey. This isn’t a build it and you’re done situation. It requires constant maintenance in order to remain effective. Just writing policies and procedures is not enough - you have to ensure they are being followed and check in with different departments on a regular basis to ensure they are following the procedures that were put in place and make sure they acknowledge that they are up-to-date. If you are going through an audit certification process you will typically be required to show 4-6 months of evidence in the form of audit logs to prove that you are indeed operating your security program.
What areas should I focus on when running a security program?
A standard security program has many controls that need to be managed on an ongoing basis. Here’s an example of 5 ongoing activities that you will need to work on during the operate phase of your security program:
- Track and manage documents. You need to consider the following questions:
What is the expiration date of each document and is it current? Who owns the document and who is the audience?
Who approved the document and did the audience acknowledge receipt and consent to abide by it?
How are you managing version control and tracking all data associated with prior versions?
- Track and manage security training. You need to consider the following questions:
Who has been trained and on what?
Was training individual or role based?
Is the training mandatory for all or required for a particular role?
Are you tracking comprehension by performing assessments?
- Track and manage assets. Your company data is stored in multiple locations including in servers, laptops, workstations and other computer-based devices. All these locations require maintenance, are sometimes swapped around and ultimately need to be replaced. If you are not tracking assets then you are not tracking your data and specifically controlling who has access to it. Use the asset management module of your data security platform to track and manage all assets.
- Track and manage vendors. Vendors perform different functions with some having access to your sensitive data. Since you do not directly manage the vendor organization it is essential you are tracking how they are managing their cybersecurity program, which clearly is a shifting environment. Use the vendor management module of your data security platform to issue vendors with security and risk management assessments. Ensure that you track their completion and set them up to send on a regular basis so you have the latest version available for audit.
- Prepare for an audit. Most security audits such as AICPA SOC 2 Type 2 or HITRUST require you to demonstrate that you are operating your security program by providing activity logs and other types of retrospective evidence. This cannot be made up on the fly and must be collected on a day to day basis over a period of months. Make sure you are running and testing your procedures and policies. Show a record of version control and acknowledgement that actions have been taken. Use your data security platform to manage and track your documentation in preparation for an audit. Ensure that it can track information according to the standards set by specific audits as this will save you time when it comes to the actual audit process.
- It is easy to sink into the false comfort of thinking that having a policy or procedure means you will automatically be safe. As discussed in our recent blog post about the Twitter breach, you need to be sure IT controls and administrative controls are in place to be sure employees are following the policies and procedures that have been published.
In the end, policy won’t prevent a data breach. Your company will need to encourage a culture of security which involves all employees and inspires them to follow standards that are set out in your policies and procedures. As we have seen in many recent data breaches, employees are often the weakest link due to the increase in sophistication of phishing attacks and other cyberattacks, so it is essential that your whole organization is onboard. A recent report shared “the financial impact of data breaches, revealing that these incidents cost companies studied $3.86 million per breach on average, and that compromised employee accounts were the most expensive root cause.”
Ostendio has over 7 years of experience helping companies to build, operate and manage their data security and risk management programs. Using the industry leading Ostendio MyVCM collaborative risk management platform can simplify the process of preparing your organization for a security audit. Our Professional Services team is a group of industry experts who are ready to help customers as they implement their security programs. If you need additional help, engaging our Professional Services team is the perfect solution to supplementing your organization’s compliance team when you are setting up your security program for the first time or preparing for an audit. Speak to an expert at Ostendio who is happy to help your organization with their cybersecurity journey.