Are My Best Practices Working? Time for Self-Assessment before an Audit
Perform your own security self-assessment against the best-practice recommendations listed above. Find the holes in your information security environment so that you can document them and begin a workflow and plan to harden your network. Network security is a process, not a product, so doing it right means re-assessing frequently against the best guidelines you can find.
Boards of directors, CEOs, CFOs and CIOs are under extreme compliance pressures today.
Not only are they charged with increasing employee productivity and protecting their networks
against data theft, but they are also being asked to document every aspect of IT compliance.
Whether or not an outside firm performs your IT compliance audits, I recommend that you begin performing measurable compliance self-assessments. You will need to review the regulations that affect your organization. In the United States these range from GLBA for banks, to HIPAA for healthcare and insurance providers, to PCI DSS for retail and e-commerce, to 21 CFR Part 11 (FDA) for pharma, to SOX Section 404 for public companies.
Some states have their own regulations. California's Security Breach Information Act (SB-1386), for example, requires a company to notify California residents when their unencrypted personal information held in computerized data files is, or is reasonably believed to have been, acquired by an unauthorized person, whether through a successful hacker attack or any other unauthorized access. Notice normally goes to the affected individuals directly; conspicuous posting on the company's Web site is only one component of the substitute notice the law allows when individual notice is impractical.
Under SB-1386, personal information means a person's name in combination with their Social Security number, driver's license or California ID card number, or an account, credit or debit card number together with any required security code, access code or password that would permit access to the person's financial account.
If you are a federal government agency, you also need to comply with Executive Order 13231 (Critical Infrastructure Protection in the Information Age), which directs the protection of information systems for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems, alongside FISMA's security requirements for federal information systems. Being a non-profit does not exempt you from the reporting requirements of the regulations in your industry (banking, healthcare, etc.). Seek legal counsel if you are not sure which regulations you need to address.
The easiest way to show you are in compliance is to document the steps you take to protect data. You should be able to prove that you have the right policies and practices in place, as well as the right tools and INFOSEC countermeasures, to maintain the confidentiality, integrity and availability of corporate data. By assessing your compliance posture frequently, you will be ready to prove you "didn't leave the keys to the corporate assets in the open." If your network is ever breached and data is stolen, you will have done your best to prevent it, and the event will be less of a catastrophe for your organization.
14 Cyber Warnings E-Magazine – April 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide