Each new year should begin with a review of your organization’s current and desired security posture. If the current processes and systems are not robust enough to withstand the demands of the organization, it is a mistake to simply add horsepower to the flawed structure. A necessary starting point is assessing the people, processes and technologies within your organization and determining where changes need to be made to ensure an effective future security strategy.
The most important steps companies can take to improve and build their cybersecurity practices include an analysis of three critical elements:
Roles And Responsibilities For Security Within The Organization
While all three elements are a critical part of the analysis, the first step should always be analyzing roles and responsibilities within the organization. The problems that will quickly derail security and regulatory initiatives typically stem from unclear definitions of who is responsible for what security technology, process and action. Two areas in particular — the overlap of duties and separation of duties — help bring additional clarity to an organization’s current practices when analyzed closely.
• Overlap of duties: Using the RACI (responsible, accountable, consulted, informed) model, each critical security action must have only one accountable entity assigned to it. This means one person or entity is ultimately responsible for the correct and thorough completion of the task. For example, moving an application to production must have only one accountable entity. Having multiple groups with the ability to move an application to production could result in downtime or worse — it could open security vulnerabilities to the internet. The overlap of duties can also result in confusion in priorities, misunderstanding of whether or not a task is complete and complications surrounding who should approve a particular change.
• Segregation of duties: This is not a new concept. Looking back to the days of paper checks, the person who wrote the checks was not the same person who signed the checks. In today’s world, there are two objectives of segregation of duties. The first objective is prevention. Prevention is when an organization removes the opportunity for intentional or unintentional damage to its reputation or assets. The second objective is detection. It is not always possible to implement preventative controls. In those cases, another set of controls is required to detect any type of circumvention, which may result in a breach or information theft. When reviewing your company’s current duties and responsibilities, you should be able to answer one simple question: Do the current definitions of roles and duties give one single person all the access necessary to breach your company’s security and steal or export sensitive information? If the answer is “yes,” then the role in question must be redefined.
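The two checks above (exactly one accountable entity per critical action, and no single role holding every duty needed to circumvent a control) can be run mechanically against a RACI matrix and a role-to-access map. The script below is an added illustration, not code from the article; the roles, actions, permissions and "toxic" duty pairs are constructed sample data.

```python
# Added example (not from the article): checks a RACI matrix for actions with
# zero or more than one accountable entity, and checks role definitions for
# segregation-of-duties conflicts. All names below are constructed sample data.

RACI = {
    # action -> {role: letter}; 'A' = accountable, 'R' = responsible,
    #                           'C' = consulted,   'I' = informed
    "move app to production": {"release mgmt": "A", "dev lead": "R", "ops": "R"},
    "approve firewall change": {"netsec": "A", "ops": "A", "ciso": "I"},  # two A's
    "rotate encryption keys":  {"ops": "R", "security": "C"},             # no A
}

ROLE_ACCESS = {
    # role -> set of permissions the role currently grants (constructed)
    "dev lead":     {"commit code", "approve change", "deploy prod"},
    "release mgmt": {"deploy prod"},
    "finance":      {"write check"},
    "controller":   {"sign check"},
}

# Duty sets that must never be held by one role: the article's paper-check
# example and a change-approval/deployment pair (constructed sample policy).
TOXIC_COMBINATIONS = [
    {"write check", "sign check"},
    {"approve change", "deploy prod"},
]


def raci_accountability_issues(raci):
    """Return {action: number_of_A} for every action with != 1 accountable entity."""
    issues = {}
    for action, assignments in raci.items():
        n_accountable = sum(1 for letter in assignments.values() if letter == "A")
        if n_accountable != 1:
            issues[action] = n_accountable
    return issues


def segregation_violations(role_access, toxic_combinations):
    """Return [(role, duties)] where one role holds every duty of a toxic set."""
    violations = []
    for role, perms in role_access.items():
        for combo in toxic_combinations:
            if combo <= perms:  # role holds the whole conflicting set
                violations.append((role, tuple(sorted(combo))))
    return violations


if __name__ == "__main__":
    for action, n in raci_accountability_issues(RACI).items():
        print(f"RACI: '{action}' has {n} accountable entities (needs exactly 1)")
    for role, combo in segregation_violations(ROLE_ACCESS, TOXIC_COMBINATIONS):
        print(f"SoD: role '{role}' holds conflicting duties {combo}; redefine it")
```

Any role reported by the second check is one for which the article's "yes" answer applies and which must be redefined.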
Technology Controls To Detect Issues
Today, technology controls can support these critical security efforts. While it is only a third of the people-process-technology triad, many of the high-volume processes used by businesses today require a technology focus. For instance, in the areas of unauthorized disclosure of information, data leakage prevention (DLP) systems can inspect outbound mail to ensure the messages or the attachments don’t contain sensitive information. Other systems that monitor and report attempts to access information to which a user is not authorized are valuable to identify potential trouble areas or associates. These systems are particularly valuable in regulated businesses such as financial services and health care.
Current And Developing Standards And Regulations
Two of the most common standards and regulations today are HIPAA and PCI. HIPAA (the Health Insurance Portability and Accountability Act) is a law that provides access and security provisions for safeguarding healthcare information. Passed in 1996, it is under constant review and revision to ensure the requirements keep up with advancements in health care.
The payment card industry (PCI) standards were instituted in 2006 by American Express, Discover, JCB International, MasterCard and Visa. The PCI standards require merchants and financial institutions to implement standards for policies, technologies and processes to protect cardholder data from breach or theft. The breach or theft of financial or health care information affects us all. If the public loses personal information and, subsequently, trust in health care providers or financial institutions, there can be tremendous fallout. When service providers and financial institutions suffer a breach, they can be subject to numerous fines, lawsuits and other financial liabilities.
Keeping these three elements in mind should help lay the groundwork for your company’s cybersecurity strategy. Always remember to look at and fix the process itself first, as technology alone is never the answer. Do not fall into the trap of simply adding headcount or technology to your organization without first analyzing the people and process issues within the current structure, as they are the foundational elements of your security strategy. Simply adding more people or technology to a flawed process already making bad products will only allow you to make bad products faster. This is a concept that will continue to ring true even in today’s technology-centric world.