Governance and Regulation
Policies and frameworks vital for regulating cyber in an organisation.
Terminology
Governance: managing and directing an organisation or system to achieve its objectives and ensure compliance within laws, regulations and standards.
Regulation: a rule or law enforced by a governing body to ensure compliance and protect against harm.
Compliance: the state of adhering to laws, regulations and standards that apply to an organisation or system.
Information Security Governance
This is an organisation's established structure, policies, methods and guidelines designed to ensure the privacy, reliability and accessibility of information assets. It falls under the purview of top-tier management and includes the following processes:
Strategy: development and implementation of a comprehensive security strategy that aligns with the business's objectives.
Policies and Procedures: preparing the policies and procedures which govern the use and protection of information assets.
Risk Management: conducting risk assessments to identify potential threats to the organisation's information assets and implementing risk mitigation measures.
Performance Measurement: establishing metrics and KPIs (Key Performance Indicators) to measure the effectiveness of governance.
Compliance: ensuring compliance with relevant regulations and industry best practices.
Information Security Regulation
Regulation refers to the legal and regulatory frameworks which govern the use and protection of information assets. Compliance with regulations is typically mandatory and enforced by the government or other regulatory bodies. Examples of information security regulations are GDPR, PCI DSS, the Personal Information Protection and Electronic Documents Act (PIPEDA) and more. The benefits of implementing proper governance and regulation are as follows:
More Robust Security Posture: help reduce the risk of security breaches and protect sensitive information from unauthorised access, theft and misuse.
Increased Stakeholder Confidence: enhance stakeholder trust by demonstrating that an organisation takes cyber security seriously.
Regulatory Compliance: can help avoid legal and financial penalties and reputational damage resulting from non-compliance.
Alignment with Business Objectives: ensure security measures are cost effective and contribute to the organisation's success.
Competitive Advantage: can provide an advantage by demonstrating trust and commitment to protecting sensitive data.
Relevant Laws and Regulations
Regulation | Sector | Description
General Data Protection Regulation (GDPR) | Data Privacy & Protection | Promulgated by the EU; sets strict requirements for how organisations handle, protect and secure the personal data of EU residents.
Health Insurance Portability and Accountability Act (HIPAA) | Healthcare | US federal law to maintain the security of health information.
Payment Card Industry Data Security Standard (PCI DSS) | Financial | Technical and operational requirements to ensure the secure handling, storage, processing and transmission of cardholder data.
Gramm-Leach-Bliley Act (GLBA) | Financial | Protects customers' non-public personal information (NPI) by requiring privacy notices and disclosure of information-sharing practices.
Information Security Frameworks
A security framework provides a comprehensive set of documents which outline the organisation's approach to information security. This includes:
Policies: a formal statement outlining an organisation's goals, principles and guidelines for achieving specific objectives.
Standards: a document establishing specific requirements or specifications for a particular process, product or service.
Guidelines: document providing recommendations and best practices for achieving goals or objectives.
Procedures: set of steps for undertaking a particular task or process.
Baselines: minimum security standards or requirements that an organisation or system must meet.
Some general steps used to develop policies, standards, guidelines etc. are:
Identify Scope & Purpose: determine what the document will cover and why it is needed.
Research & Review: research relevant laws, industry standards, regulations and best practices to ensure your document is comprehensive.
Draft Document: develop an outline and draft the document, following best practices. Ensure the document is specific, actionable and aligned with the organisation's goals and values.
Review & Approval: have the document reviewed by stakeholders such as subject matter experts, legal & compliance teams, and senior management. Take their feedback and ensure the document aligns with organisational goals and values.
Implementation & Communication: communicate the document to relevant employees and stakeholders, and develop training and awareness programs to ensure the document is understood.
Review & Update: periodically review and update the document to ensure it is relevant and practical.
Governance Risk and Compliance (GRC)
A GRC framework focuses on steering the organisation's overall governance, enterprise risk management, and compliance in an integrated manner. A GRC framework has the following components:
Governance Component: involves guiding an organisation by setting security strategy, policy, standards, baselines, frameworks etc. as well as establishing appropriate monitoring methods.
Risk Management Component: identifying, assessing and prioritising risks to the organisation, and implementing controls and mitigations to manage those risks. Includes monitoring and reporting on risks and continuous evaluation.
Compliance Component: ensuring the organisation meets its legal, regulatory and industry obligations. This includes developing and implementing compliance programs, conducting regular audits and reporting compliance issues to stakeholders.
Some generic guidelines for developing a GRC program are:
Define Scope & Objectives: determine the scope of the GRC program and define its goals. For example, an objective might be to reduce cyber risk by 50% in the next 12 months and maintain customer trust.
Conduct a Risk Assessment: identify and assess cyber risks; prioritise them and develop a strategy to address them.
Develop Policies & Procedures: for example, logging, monitoring and password policies.
Establish Governance Processes: ensure the GRC program is effectively managed and controlled, potentially by establishing a steering committee to review it.
Implement Controls: technical and non-technical controls are implemented to mitigate risks. For example, implementation of firewalls, IPS, IDS and SIEM (Security Information and Event Management).
Monitor and Measure Performance: the organisation should track metrics and compliance with security policies. This can be used to identify areas for improvement.
Continuously Improve: the GRC program is constantly reviewed and improved based on performance metrics, changing risk profiles and stakeholder feedback.
General Data Protection Regulation (GDPR)
The GDPR is a data protection law implemented by the EU in 2018 with the aim of protecting personal data. Personal data is defined as "any data associated with an individual that can be utilised to identify them either directly or indirectly".
Key points in GDPR are:
Prior approval must be obtained before collecting any personal data.
Personal data should only be collected when necessary.
Adequate measures should be adopted to protect stored personal data.
This law applies to all businesses which operate in the EU and collect, store or process the personal data of EU residents. GDPR also includes penalties for non-compliance:
Tier 1: severe violations, such as unintended data collection or non-consensual data sharing, incur a penalty of 4% of the organisation's revenue or 20 million euros (whichever is higher).
Tier 2: less severe violations, such as those relating to data breach notification or cyber security policies, incur a penalty of 2% of the organisation's revenue or 10 million euros (whichever is higher).
Payment Card Industry Data Security Standard (PCI DSS)
Focuses on maintaining secure card transactions and preventing theft and fraud. Established by the major credit card brands, it requires strict access control to cardholder information.
NIST 800-53
Titled "Security and Privacy Controls for Information Systems and Organisations", this provides a catalogue of controls to protect the CIA triad of information systems. It serves as a framework for organisations to assess and enhance their security and to help comply with laws, regulations and policies. The controls are grouped into the following families:
Audit and Accountability (AU)
Access Control (AC)
Personnel Security (PS)
Planning (PL)
Awareness and Training (AT)
Identification and Authentication (IA)
Physical and Environmental Protection (PE)
Configuration Management (CM)
System and Communications Protection (SC)
Media Protection (MP)
Contingency Planning (CP)
System and Information Integrity (SI)
Incident Response (IR)
System and Services Acquisition (SA)
Program Management (PM)
System and Services Development (SD)
Risk Assessment (RA)
Security Assessment and Authorisation (CA)
Compliance Best Practices
A discovery process must first be conducted to catalogue data assets, information systems and associated threats. This includes data flows, system dependencies, and potential vulnerabilities. The control families must then be mapped against the identified threats and hazards.
A governance structure should be created to allocate duties and outline precise controls, implementations and maintenance procedures. Measures should be regularly monitored to ensure compliance.
NIST 800-63B
Guidelines to help organisations establish effective digital identity practices. Focuses on authenticating and verifying individuals who access digital services, systems and networks.
ISO/IEC 27001
Internationally recognised standard setting out the requirements to plan, develop, run and update an organisation's Information Security Management System (ISMS). The core components of ISO/IEC 27001 are:
Scope: covers the ISMS's boundaries, including covered assets and processes.
Information Security Policy: high-level document defining the organisation's information security approach.
Risk Assessment: involves identifying the risks to the CIA triad.
Risk Treatment: involves selecting and implementing controls to reduce identified risks to an acceptable level.
Statement of Applicability (SoA): a document specifying which controls are applicable.
Internal Audit: periodic audits of the ISMS to ensure it operates effectively.
Management Review: regular reviews of ISMS performance.
An ISMS built around the ISO 27001 standard requires careful design and execution. It requires an extensive evaluation of an organisation's security procedures, detecting gaps and conducting a thorough risk assessment. Access control, incident response etc. are a few examples of areas where clear rules must be aligned with ISO 27001 requirements. Regular monitoring, measurement and continual improvement are crucial.
Service Organisation Control 2 (SOC 2)
Developed by the American Institute of Certified Public Accountants (AICPA) as a compliance and auditing framework. It assesses security based on the CIA triad and helps reassure customers, stakeholders and business partners that effective controls are in place to safeguard an organisation's systems and data. Important information about SOC 2:
Evaluates the effectiveness of an organisation's controls related to the CIA triad and privacy.
Conducted by independent auditors.
Provides valuable information to customers, stakeholders and regulators about an organisation's practices.
The SOC 2 report assesses the controls in place and can be shared with customers and stakeholders.
Steps to be taken when planning and undergoing a SOC 2 audit:
Determine the Scope: include specific systems, processes or locations relevant to security and privacy.
Choose a Suitable Auditor: select a qualified auditor with experience conducting SOC 2 audits for financial companies.
Plan the Audit: work with the auditor to plan the audit, including the timeline, scope and criteria.
Conduct the Audit: the auditor will review controls and test their effectiveness; this may include interviews, documentation review and control tests.
Receive the Audit Report: the auditor will provide a report detailing the results, including recommendations for improvement.