My previous blog posts in the series have led us to this next step: Designing and building your cybersecurity program to achieve both your cyber risk management and compliance goals.
Let’s review the design now.
Program Design Requirements
To make your cybersecurity program most effective and efficient, you need a design that will:
- Allow you to manage your cyber risks though prioritization
- Make cybersecurity a business strength largely through cyber resilience (click here or here for previous posts)
- Allow your organization to practice reasonable cybersecurity largely though great cyber hygiene.
- Meet your customer’s cybersecurity expectations
- While also demonstrating compliance
- And, perhaps most importantly, your program should be easy for your workforce to follow every time, all the time because they are the people who will make the greatest difference in your efforts to manage your cyber risks
A Brief Word About Compliance
Because of the increasing pressure at the executive level to be compliant with information security laws and regulations, the importance of being compliant sometimes overshadows the rest of your program goals.
It’s not a good idea to optimize your cybersecurity toward compliance!
So, you need to figure out how to cost-effectively comply with multiple mandates without compromising on the rest of your program needs.
How NOT to Do It
Don’t tackle each mandate on a stand-alone basis.
That’s too much duplication of effort, which leads to extra expenses, and it’s overwhelming for your staff.
For example, there is a requirement to change default security settings for technology products in several compliance mandates published by many different regulators, including:
- Payment Card Industry Data Security Standard (PCI-DSS)
- Federal Financial Institutions Examination Council (FFIEC)
- National Institute of Standards and Technology (NIST)
- Internal Revenue Service (IRS)
Without a comprehensive approach, your team might need to re-configure certain pieces of IT equipment several times!
And each time could undo some or all of the previous work.
The Smart Way to Proceed
I recommend you adopt a single internal program for your staff to follow where your policies, standards, processes, and procedures are influenced by, and mapped back to, all your mandates.
Let’s look at this idea visually:
Here are the various components of this approach:
- Your corporate Information Security policies are the ultimate authority for your internal program
- Compliance mandates (e.g., HIPAA), as well as your other program goals (e.g., ISO 27001, cyber resilience, customer requirements), are the most important inputs into your security policies
- Once written and approved, your Information Security policies are operationalized by the standards, processes, and procedures that you publish and train your staff to follow
Let’s look at the first bullet above more closely.
By their nature, policies should be written at a high level and approved by your board of directors, so they don’t need to be changed more than once per year.
Also, it’s important to know that:
- Standards contain a level of detail below that of policies and may be changed by management as needed.
- Procedures are a policy and standards-driven series of steps taken by individuals at the “desk-level.”
- To ensure procedures are followed correctly and consistently, you’ll want to go top-down through your management structure to get the direct support of all first level supervisors.
- Finally, processes are procedures that cross two or more interdependent departments, such as the way a customer’s order is fulfilled from start (order entry with Sales) to finish (order fulfillment by Operations).
To manage this risk, I suggest you review your entire program design annually and make updates.
Next week we’ll look at some specific examples, so come back.
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.