Cyber Security Compliance: More Payback Less Pain

Prevention is better than cure

If prevention is better than cure, then good compliance is better than cleaning up after a breach, at any time. The first step is to collect, analyse and store data about how your organisation operates. Undertaking a threat risk assessment (TRA) will establish the data to collect and monitor in order to protect your organisation and information assets. The questions to ask to define these data are:

What information assets go to the core value of your organisation?
What is potentially at risk of cyber attack (from outside or within)?
What are the likely impacts if such an attack is successful?

When collecting and retaining records of electronic activities, keep in mind that the onus of proof will be on you in the event of an adversarial claim. Should you not have complete, evidentiary records, your ability to respond effectively will be limited. Good recordkeeping may sound like just good housekeeping, but in the event of an incident, it's irreplaceable.

Equally important is the risk of data breaches by employees. Reports suggest that employees, especially disgruntled ones seeking to get even, are responsible for close to 70% of all data leakage, theft or misuse (McAfee, ECrime Congress, London, March 2009). Those with high-level access or familiarity with your IT security systems pose a serious risk; they have already passed access control and know how to use your IT systems with impunity.

The operational and financial impact of a compliance breach can be profound, which makes preventative efforts crucial. Once the key organisational risks are identified, a few simple steps can be taken to effect compliance management and safeguard your assets:

Develop scalable monitoring and control processes and systems;
Use compliance frameworks to establish and enforce policies for systems usage;
Deploy competent technology to simplify the process and maximise control;
Ensure that all IT activities are logged and retained in full;
Audit IT and security systems for measurable information; and
Report and remediate any noncompliant information access or use.

Automated technology will lighten the burden of collecting and analysing huge amounts of information, but don't be fooled: compliance is not set and forget. Compliance testing should be ongoing in your organisation, with regular internal audits. If Zurich UK had done that, the exposure may have been obvious long before the breach occurred. More recently, the Sony PlayStation hack exposed 77 million customer details, which weren't even encrypted. It was only after the event that Sony decided to appoint a CISO (Sony must learn from PlayStation Network attacks: Sophos, Norton; Computerworld, 27 May 2011).

Verizon's annual survey found that 96% of breaches were avoidable through simple or intermediate controls, so clearly compliance isn't hard to do. The same survey found an astonishing 89% of organizations suffering payment card breaches had not been compliant with PCI DSS at the time of the breach (Verizon 2011 Data Breach Investigations Report).

The takeaway here is that having enterprise security systems, processes and policies in place isn't enough, and collecting event logs of your electronic transactions isn't either: you need to monitor the effectiveness of your security systems, examine your event logs on a regular basis, and validate your compliance with your industry's regulations frequently. Put another way, you can't stay fit by standing still.



About the Author:
Astal Mark writes for Tier-3, which has been raising enterprise security to the highest level with Huntsman, providing intelligent data protection, threat management and compliance payback rather than pain for government, finance and critical infrastructure since 1999.



Article Originally Published On: http://www.articlesnatch.com
