Anyone who keeps up with current events couldn’t miss the almost constant stream of articles about organizations, of all types and sizes, that have experienced security breaches resulting in the exposure of customer information. Regulatory bodies and government agencies have taken notice as well, and have increased their efforts to enforce existing security guidelines, improve guidance while raising expectations, and develop new requirements and objectives. U.S. organizations in the banking, health-care, and government sectors have long faced security-related regulatory requirements through the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act (FISMA). As threats evolve and data breaches become more commonplace, regulatory oversight and enforcement are spreading to other industries. Recent enforcement activities by U.S. bodies such as the Securities and Exchange Commission and the Consumer Financial Protection Bureau (CFPB) appear to be signs of things to come.
For example, in March 2016, the CFPB assessed its first data security-related fine against an online payment platform. The CFPB stated that the organization misrepresented its controls and practices around data security, assessed a US$100,000 penalty, and required that the organization address its security practices. According to CFPB Director Richard Cordray, “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.” This was the CFPB’s first enforcement action in the data security space and put many organizations on notice.
Most organizations likely have some form of security controls and processes in place, but those might not always measure up to current industry-accepted best practices. There are certain processes and controls that organizations in any industry should consider in anticipation of increased regulatory scrutiny.
Establish a Security Risk Assessment Process

The risk assessment is the basis for building and implementing sound information security processes and controls. The traditional approach to information security has been compliance- or rule-based. Taking a risk-based approach is more effective for anticipating where regulatory controls are heading. If organizations do not adequately assess their risks, how can they ensure security controls are implemented to protect their most critical assets?
There are many different approaches to performing a security risk assessment. Usually, organizations will develop an inventory of their assets, catalog where sensitive data resides, and identify potential threats. Each asset is assigned an inherent risk score based on the criticality of the data that is accessible from it. Next, organizations identify the potential avenues for an individual or organization with malicious intent to gain access to the highest risk assets. The organization then identifies what controls or processes are in place to mitigate the identified threats. Where gaps in controls exist, the organization evaluates the cost/benefit of either implementing new mitigating controls or processes or changing existing practices to remedy the issue.
With the ever-changing landscape of security technology, regulatory requirements, threats, and vulnerabilities, the security risk assessment should be performed regularly, and as necessary whenever the organization undergoes significant changes. Most organizations perform assessments either annually or semi-annually, depending on industry and risk tolerance. The risk assessment should be repeatable and well-documented to allow for consistent reporting of results and comparison over time. The results of the risk assessment should be documented and communicated to management and other stakeholders (e.g., legal, compliance) to aid in decision making.
Develop/Enhance the Information Security Program

For organizations that want to anticipate future regulatory requirements, adopting an industry-accepted security standard is a solid foundation upon which to build. Frameworks include ISO 27001, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, FISMA, various aspects of COBIT, and the IT Infrastructure Library, among others. One size does not fit all. For example, if an organization adopts NIST 800-53 as a framework, which is comprehensive and applicable to most government agencies, not all of its requirements may be reasonable to implement given the organization’s risk profile. Organizations should evaluate the framework of choice and map its controls to the existing environment. Where there are gaps, management should evaluate the risk exposure and determine action plans in alignment with risk tolerance and overall objectives.
Once the necessary information security controls have been identified, and potentially implemented, the organization should either document or update its security program. This document serves as the foundation of information security processes and practices throughout the organization, and would most likely be one of the first documents a regulatory body requests. The document should describe the governance structure, including policies, and the various controls and processes that help mitigate security-related risks.
An organization can spend unlimited resources on the most cutting-edge security technology, but if it can be bypassed by an employee accidentally providing credentials or compromising a workstation by clicking on a malicious email link, then it is all for naught. Implementing an employee security awareness program is paramount to the success of a security program. Employees should be educated, tested, and continuously reminded about current security threats and best practices to minimize the effectiveness of social engineering.
Validate the Control Environment

Upon implementation of the security program and its supporting processes and controls, organizations should develop a process to periodically assess and validate the control environment. Most organizations with an internet presence are scanned and probed by attackers daily, either manually or via automated scanning. Organizations should strive to stay one step ahead by performing their own assessments, which often include automated vulnerability scanning and penetration testing.
Nontechnical controls such as policy, procedure, and risk assessment processes should also be assessed periodically to determine whether they are being performed in accordance with the established security program. It is common for processes to be defined and then fall behind due to factors such as changes in leadership or competing priorities. By performing validation activities, an organization can demonstrate that it has established an effective security program and that it regularly reviews its environment to stay abreast of changes in the security landscape.
Organizations may be preparing for security requirements that have not yet been defined. By performing a security risk assessment, adopting an industry-accepted security framework, and implementing and validating the effectiveness of security controls, an organization can position itself not only to decrease the risk for itself and its customers, but also to minimize the impact of new legislation and regulatory requirements. Organizations should monitor the ever-changing security threat and regulatory landscape and attempt to anticipate any processes or controls that are not currently part of their program. Organizations should also monitor the laws in the states and countries in which they operate, or into which they intend to expand, to ensure that those guidelines are understood and implemented in the security program. When it comes to information security, from both a regulatory compliance and a technical control perspective, it is more effective to stay ahead of the curve than to work from behind it.