Regulatory compliance has become a regular component of every business industry today. With the relentless barrage of attacks, phishing, and the general inundation of spam and scams, it is a wonder something wasn’t done sooner. And yet, businesses still trudge forward with solutions that resolve one immediate need (or reaction to a problem), until the next one surfaces, and the process of finding another solution begins again.
This all results in business “protection” established without a plan. It is only when the US military had enough of losing intellectual property and attacks on our critical infrastructure threatening our way of life, that this new standard in safeguards became the answer.
Today, we see meeting regulatory compliance as not only a requirement, but as a more secure approach to conducting business, to protect both systems and brand reputation.
We will be launching the Compliance Survival Guide very soon, and it will be a helpful part of your compliance process.
This article is a prequel to that Survival Guide: things you can put in place now to prepare for compliance and to get started along the path to better cybersecurity practices.
Compliance is the minimum condition to meet an outside requirement. So, it is possible to have more requirements above that minimum to improve your organization’s unique best practices.
Regardless of any regulatory compliance, I offer these 5 components that every organization should implement.
- Everyone should have an inventory of assets for their organization. This seems simple enough, but it is surprising how many organizations have only limited knowledge of the assets they have, where they are, who is using them, and what maintenance or services have been completed or are yet to be completed. Software applications, including cloud-based services, should also be kept as part of this inventory.
- Keep a current network diagram. It is hard to know what is happening in a system, or to relate that information to others, without a network diagram. With the post-COVID workforce, we not only have on-premises components, but also remote user and cloud components. Discussing these is more productive when everyone can visualize the systems and how they interact.
- Security Policies provide the organization with rules. Insider threats, outside attacks, misuse of devices, and outright theft are all reasons for creating and enforcing policies. With signed policies, we have legal recourse when violations occur. We also have an understanding with both executives and staff of what the rules are and what the expectations are, in both using the system and helping to protect the business.
- System Monitoring should be implemented and tested periodically. It should also monitor communication between devices, networks, and users. Monitoring should be able to detect user access attempts (successes and failures), session information, communication in and out of the boundaries, and unrecognized devices and traffic patterns. Monitoring is a first line of defense: it determines whether you recognize a potential incident and how quickly you can respond to it.
- Security Assessments should be conducted more often than just annually. There are several kinds of assessments, and they can be completed internally or through a qualified third party. You also need to know what each assessment will provide you. A risk assessment, for example, should tell the organization what threats are likely to impact the system and to what extent. It is not the same as a vulnerability assessment, which tells you what the weaknesses are on the hosts and services within the system. Security Control assessments can tell you if your enforcement controls are working and if they are meeting your security policies. All of these should be performed regularly to ensure an effective use of protective equipment and controls.
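The asset inventory and system monitoring items above reinforce each other: a monitoring rule can only flag an "unrecognized device" if there is an inventory to compare against. The following is an added example, not code from the original article, showing how a small review script ties the two together. It assumes a hypothetical inventory (hostname to owner) and a constructed log format of one access attempt per line; both are made up for illustration and are not a real product's log format.

```python
import re
from collections import Counter

# Constructed asset inventory: hostname -> owner (hypothetical data).
INVENTORY = {"ws-101": "alice", "ws-102": "bob", "srv-db1": "it-ops"}

# Constructed sample access log (not real log output); one attempt per line.
SAMPLE_LOG = """2024-03-01T08:00:01 host=ws-101 user=alice result=success
2024-03-01T08:00:05 host=ws-102 user=bob result=failure
2024-03-01T08:00:06 host=ws-102 user=bob result=failure
2024-03-01T08:00:07 host=ws-102 user=bob result=failure
2024-03-01T08:00:09 host=ws-102 user=bob result=success
2024-03-01T08:01:00 host=unknown-7 user=carol result=failure
2024-03-01T08:01:30 host=srv-db1 user=it-ops result=success"""

# Pattern for the constructed log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failed_login_bursts(events, threshold=3):
    """Return {user: failure_count} for users at or above the failure threshold."""
    counts = Counter(e["user"] for e in events if e["result"] == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def unrecognized_devices(events, inventory):
    """Return hosts seen in the log that are missing from the asset inventory."""
    return sorted({e["host"] for e in events if e["host"] not in inventory})


def review(text, inventory, threshold=3):
    """Run both checks over a log and return the findings for a human reviewer."""
    events = parse_log(text)
    return {
        "failed_bursts": failed_login_bursts(events, threshold),
        "unknown_hosts": unrecognized_devices(events, inventory),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG, INVENTORY).items():
        print(f"{name}: {finding}")
```

The thresholds and the log format are placeholders; the point is that each monitoring rule references a maintained source of truth (the inventory), so a stale inventory produces either noise or silence rather than a useful alert.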
If we can help you with any of these five elements, please don’t hesitate to be in touch.