Do members of corporate boards in your experience understand the IT security risks their companies face?
Based on my experience, members of corporate boards of directors are largely aware of the risks that cybersecurity presents. However, security is still regarded as a cost center, and not as one that increases revenue or has a clear return on investment.
Unfortunately, many C-level executives view security as a hindrance to commerce. According to a recent Cisco survey, 71% of C-level executives interviewed listed security as the primary cause blocking their ability to increase commerce on the internet and expand into new markets. They understand the risk primarily due to related regulatory compliance and enforcement, especially in financial services and health care. But due to misinformation, a full understanding of security risk to data and to business life cycles does not exist.
Which current regulations are impacting the majority of corporations and what new regulations do you see on the horizon?
Each industry has specific regulations that have recently been more relevant than others. In the case of financial services, the Sarbanes-Oxley Act, the Dodd-Frank Act, and the Bank Security Act and its Anti-Money Laundering rules have to be considered. For health care it is the Health Information Portability and Accountability Act as well as state regulations, Meaningful Use, and ICD-10, which stands for the 10th revision of the International Statistical Classification of Diseases and Related Health Problems. As for the energy sector, there are for instance the reliability standards set forth by NERC, which stands for North American Energy Reliability Corporation. For any industry that sells to the U.S. government, the Federal Risk and Authorization Management Program, or FedRAMP, is a factor. For retail, the Payment Card Industry Data Security Standard plays an important role.
You also asked about regulations on the horizon. There are a number of state specific regulations in the U.S., and new ones are likely in the works. Additionally, the European data privacy / Basel III regulations will become more stringent, and the encryption laws in the Asia Pacific region will become more standardized. Ongoing change is the common denominator around the globe.
How does this affect IT security and day-to-day IT operations?
Today, IT security is focused on the data lifecycle and thus on the overall business. Any time sensitive data is present, the company has a security component. Security is focused on the confidentiality, integrity, and availability of information. In order to meet the existing regulations, IT needs to:
· Inventory applications with sensitive data
· Apply access controls to applications
· Deploy secure communication protocols
· Develop encryption protocols for data in motion and at rest
· Understand how the environment will be patched
· Develop and deploy change control
· Grow strong disaster recovery processes
· Understand overall disposal
· Review physical security
· Review code for vulnerabilities
· Manage and remediate vulnerabilities
· Conduct scans
· Develop incident management and response programs
This extensive list of tasks certainly keeps IT personnel busy.
Does outsourcing the IT function generally increase or decrease a company's efforts in the area of governance, risk and compliance?
Outsourcing IT will increase the efforts in the area of governance, risk and compliance. This increase typically causes companies to do the following:
· Understand and review the SSAE 16 SOC 2 report
· Manage the controls for regulatory requirements with the outsourcing entity
· Review IT processes to meet internal policies
· Review the SLA and make sure that it meets all compliance and reporting metrics
· Manage notification in the event of breach and coordinate with government requirements
· Review and manage business continuity and coordinate with outsourcing entity
· Conduct penetration tests and manage remediation of vulnerabilities, which requires approvals and contractual reviews
· Manage and coordinate external audits
· Review and take action on logs and threats
· Document all approvals for changes taking place in the environment
· Input regulatory changes with the outsourcing entity
· Manage internal training and awareness requirements as documented in regulations with external entity
What should companies do in the area of training when it comes to governance, risk and compliance?
There are a number of trainings that should be conducted as part of regular IT operations and regulatory compliance. The following are at the top of my list:
· Information security training
· Policies framework training
· Business continuity training
· Incident response training
· Tabletop exercises for disaster recovery
· Cyber security training
· Anti-phishing training and response
· Health Information Portability and Accountability Act training
· Sarbanes-Oxley Act training
It is important to help your IT staff with continued industry certifications such as CISSP, CISA, CISM, CRISC, CEH, CCFP, and GIAC. Each of these requires annual CPEs to keep up the certification and stay sharp in terms of industry knowledge and experience. In addition, technology training for IT and security staff is crucial.