Problem: You’re on the board of a business and want to verify the business is implementing appropriate measures to adhere to security and privacy best practices. What instruments should the business be able to provide you as assurance?
The intent of this document is to provide guidance on how to verify that appropriate processes are in place within a business: processes which ensure, and demonstrate, that security and privacy controls are implemented, monitored and evolved as industry practice and the threat landscape change. Some of these processes should be standard in any business, while others are domain specific. We have also included some anecdotes from experience to illustrate common pitfalls.
In order for any business to maintain a security and privacy program and adhere to industry and legal standards, there must be personnel who are delegated such responsibilities. These personnel must be provided with adequate training and be able to demonstrate, through experience or other means, that they can service the business needs. Most commonly, these personnel will be granted the roles of Chief Information Security Officer (CISO) and Data Protection Officer (DPO).
The CISO and DPO must be independent of the implementation of controls, so that they can monitor compliance and remain objective in the performance of their duties. Their duty is to ensure the business is aware of the risk to the Confidentiality, Integrity and Availability of any sensitive data. To attain such awareness there are frameworks which may be followed, which allow these personnel to identify and measure risk and then, for each risk identified, select the controls which mitigate it.
Frameworks and regulations
Many businesses will have one or more industry bodies with regulations to which they must adhere. The following are a few examples:
- Payment Card Industry Data Security Standard (PCI DSS) - Global, 2016
Personally Identifiable Information:
- General Data Protection Regulation (GDPR) - Europe, 2018
- Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada, 2000
- Protection of Personal Information Act (POPI) - South Africa, 2014
- Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) - New York State, 2017
- Health Insurance Portability and Accountability Act (HIPAA) - US, 1996
All of the above share a number of key requirements which can be summarised as follows:
- Perform risk assessments and mitigate the risk
- Maintain an inventory of data
- Limit how much data you maintain to that which is required with business, legal and technical justification
- Limit how long you maintain the data
- Protect the data
- Manage who can access the data
- Monitor access to the data
- Manage your personnel
- Maintain a vulnerability management program
- Manage service provider relationships
- Maintain and test your Incident Response Plan (to include notification/disclosure)
Importance of Proper Risk Management:
A risk assessment must consider at least all of the above. Its output must include the specific steps the business will take to reduce and control each risk. Each step must be assigned to an appropriate owner, with appropriate budget and management backing, must be measurable, and must be revisited after a specific timeframe. A risk assessment which merely enumerates risk, without a process for managing it, does not address risk.
The following are some examples of risk process failures we encounter:
- Businesses perform risk assessments to demonstrate that a process exists without any process in place to manage or reduce the risk identified.
- Businesses maintain a security program for a limited scope of their environment or services to the detriment of other infrastructure and processes.
- Businesses transfer risk to a third party without performing appropriate due diligence on that entity.
- Businesses, through mergers and acquisitions, have inherited risk over which they have no historical visibility or means to fully identify and resolve.
To avoid the above, any risk management program must include measurable reviews and specific remediation activities.
Looking for a One-Size-Fits-All approach
The NIST CyberSecurity Framework (CSF) provides a general categorisation of security outcomes, each of which maps (through the CSF's informative references) to specific controls in the comprehensive control catalogues on which most information security standards and regulations are built (PCI DSS, ISO 27001, ISAE, NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations). This allows each outcome to be measured at a granular level. In addition, Appendix J of NIST Special Publication 800-53 Revision 4 contains a catalogue of privacy controls which reflect the requirements found in legal and regulatory documents (POPI, GDPR et al).
The NIST CyberSecurity Framework (CSF) categorises controls under five top-level Functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Each of the above is broken down into categories and subcategories. The CSF is a very digestible and actionable framework and, where additional controls should be implemented, its references to the underlying control frameworks (ISO 27001, NIST Special Publication 800-53 Revision 4) will provide the necessary detail.
Appendix J groups its privacy controls into the following eight control families, each of which contains further detailed controls:
- Authority and Purpose
- Accountability, Audit and Risk Management
- Data Quality and Integrity
- Data Minimization and Retention
- Individual Participation and Redress
- Security
- Transparency
- Use Limitation
Having reviewed the existing industry standards, guidance, regulations and legal requirements, it is Foregenix' belief that a unified approach to risk management and compliance results from: reviewing and adhering to the NIST CSF control requirements applicable to the business; supplementing them with security and privacy controls from recognised frameworks; and applying both with knowledge of the business's risk appetite and compliance responsibilities. Management should expect this process to output specific steps to be taken by the business, each assigned to a named role, to reduce identified risks within specified timelines.
Helping businesses understand and secure their risk is a big part of what we do at Foregenix. From PCI to PIN, from PIN to Blockchain & Cryptocurrency - we are here to secure our clients. If you'd like to know more about our compliance services and how we can help you, please follow the link below.