Security Compliance Program – 7 Actionable Tips To Kick It Off
When it comes to security compliance programs, you’ve probably heard all kinds of “shortcuts” or “checklists”.
Or maybe you haven’t heard anything and need to know how to start.
If you’re looking for some practical tips to start your insurance data security compliance program (or any security compliance program), then you’ll love this infographic.
It’s a simple checklist that will improve your security and reduce your odds of a data breach:
Here’s my take on the security compliance tips from the infographic:
1. Perform a risk assessment
It’s step 1. You HAVE to do it.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has repeatedly penalized organizations for failing to perform proper and thorough risk assessments.
While those enforcement actions concern the HIPAA Security Rule, they show that a risk assessment is a vital component of any comprehensive security compliance plan.
So I recommend performing a comprehensive security risk assessment at least annually.
You should also perform a risk assessment any time that a significant change is made to the way that data is created, stored, maintained, or transmitted in your organization.
If an organization decides to begin using cloud-based file sharing, for example, it should evaluate and document the risks this introduces, along with its mitigation plan.
Makes sense, right?
A risk assessment is the process by which an organization identifies the threats to its assets and business processes, estimates how likely and how damaging each one is, and decides which to address first.
It goes like this:
Identify and prioritize the assets in your organization according to their criticality to the organization’s survival.
This includes hardware, software, data, data locations, etc.
Identify the threats that each of your business processes and assets faces. Things like:
Determine the likelihood of each threat.
Typically three categories are used: high, medium, and low.
Assess the impact each threat would have on your business processes and security.
Would a flood in your server closet have a high or a medium impact? That probably depends on whether all your systems are on site, whether your servers sit low to the ground, and so on.
You get the point right?
Prioritize the security risks that would have the most impact and recommend controls.
Example: if you are in a flood-prone area, the high likelihood of your server closet flooding, combined with the high impact on your critical servers, makes this a top-priority risk.
What controls are recommended to mitigate it?
Maybe a taller server rack? A cloud failover? You get the point.
So, that is how it is done; that’s a super high level overview of a risk assessment.
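As an added example (not part of the original article or its infographic), here is the procedure above carried through in Python as a small risk register: assets with a criticality rating, threats scored on a likelihood x impact matrix, ranking by score with asset criticality as the tie-breaker, and a check that flags every risk above tolerance that still has no control documented. The assets, threats, ratings and the "medium" tolerance are constructed for illustration, not taken from any real organization.

```python
"""Minimal risk register: assets, threats, likelihood x impact scoring,
prioritization and a 'controls still missing' check.

Added example for this article, not code from the original page. All
sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str           # hardware, software, data, data location, ...
    criticality: Level  # how vital the asset is to the organization's survival


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: Level
    impact: Level
    controls: list = field(default_factory=list)  # recommended or in-place mitigations

    @property
    def score(self) -> int:
        # Classic likelihood x impact matrix: values range from 1 to 9.
        return int(self.likelihood) * int(self.impact)

    @property
    def rating(self) -> Level:
        return rate(self.score)


def rate(score: int) -> Level:
    """Map a 1..9 matrix score back onto the same high/medium/low scale."""
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def prioritize(register, tolerance: Level = Level.MEDIUM):
    """Risks at or above the tolerance, most urgent first.

    Ties on score are broken by asset criticality, so the same threat
    against a more critical asset is listed first.
    """
    above = [r for r in register if r.rating >= tolerance]
    return sorted(above, key=lambda r: (-r.score, -int(r.asset.criticality), r.threat))


def missing_controls(register, tolerance: Level = Level.MEDIUM):
    """Risks above tolerance with no control documented. The assessment is
    not finished until each has a mitigation (or a signed-off acceptance)."""
    return [r for r in prioritize(register, tolerance) if not r.controls]


def build_sample_register():
    """Constructed sample data for the worked example (assumed, not real)."""
    file_server = Asset("primary file server", "hardware", Level.HIGH)
    pii_db = Asset("client PII database", "data", Level.HIGH)
    cloud_share = Asset("cloud file sharing tenant", "data location", Level.MEDIUM)
    website = Asset("marketing website", "software", Level.LOW)
    return [
        # The flood-prone server closet from the article, fully worked.
        Risk(file_server, "flood in server closet", Level.HIGH, Level.HIGH,
             ["mount servers in a taller rack", "cloud failover for critical services"]),
        Risk(pii_db, "ransomware delivered by phishing", Level.MEDIUM, Level.HIGH,
             ["user awareness training", "offline backups"]),
        # Newly adopted cloud file sharing: assessed, but no mitigation recorded yet.
        Risk(cloud_share, "share misconfigured as public", Level.MEDIUM, Level.HIGH),
        Risk(website, "defacement", Level.MEDIUM, Level.LOW, ["web application firewall"]),
    ]


def report(register, tolerance: Level = Level.MEDIUM) -> str:
    """Human-readable ranking, the table you would paste into the assessment."""
    lines = [f"{'score':>5}  {'rating':<6}  asset / threat  ->  controls"]
    for r in prioritize(register, tolerance):
        ctl = "; ".join(r.controls) or "NONE DOCUMENTED"
        lines.append(f"{r.score:>5}  {r.rating.name:<6}  {r.asset.name} / {r.threat}  ->  {ctl}")
    return "\n".join(lines)


if __name__ == "__main__":
    reg = build_sample_register()
    print(report(reg))
    for r in missing_controls(reg):
        print(f"TODO: document a control for '{r.threat}' on {r.asset.name}")
```

The `missing_controls` check is the part worth keeping in a real register: a risk that has been scored but has neither a mitigation nor an explicit acceptance recorded is exactly what an auditor will ask about.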
2. Set up a security monitoring solution
Timely breach detection is a key component of any security compliance program: notification deadlines start running once a breach is discovered, and the longer an intrusion goes unnoticed, the more damage it does.
Adding a security information and event management (SIEM) solution that collects and correlates your logs can drastically reduce the time it takes your team to discover a breach.
So what does this mean?
As part of your security compliance program, you have to stay on top of what’s going on in your network.
If you are a small organization, or on a budget, there are free security tools that you can use.
The bottom line:
Someone is watching your network. Is it you?
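To make "stay on top of what's going on in your network" concrete, here is an added example (not from the original post) of the kind of rule a SIEM, or a homegrown monitoring script, runs over authentication logs: it parses OpenSSH-style log lines, flags a source address that fails too many logins within a short window, and escalates if that same source then logs in successfully. The log lines are constructed, and the threshold and window are assumptions you would tune for your own environment.

```python
"""Brute-force login detection over sshd-style auth log lines.

Added example for this article, not code from the original page or from
any product. SAMPLE_LOG is constructed; the IPs are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog style (not from a real host).
SAMPLE_LOG = """\
Mar 10 02:14:01 fileserver sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:03 fileserver sshd[4013]: Failed password for invalid user test from 203.0.113.45 port 51030 ssh2
Mar 10 02:14:04 fileserver sshd[4014]: Failed password for root from 203.0.113.45 port 51034 ssh2
Mar 10 02:14:06 fileserver sshd[4015]: Failed password for root from 203.0.113.45 port 51040 ssh2
Mar 10 02:14:08 fileserver sshd[4016]: Failed password for root from 203.0.113.45 port 51051 ssh2
Mar 10 02:14:09 fileserver sshd[4017]: Accepted password for root from 203.0.113.45 port 51060 ssh2
Mar 10 02:20:00 fileserver sshd[4101]: Failed password for jsmith from 192.0.2.10 port 40211 ssh2
Mar 10 02:31:00 fileserver sshd[4102]: Accepted password for jsmith from 192.0.2.10 port 40212 ssh2
Mar 10 03:00:00 fileserver sshd[4200]: Failed password for jsmith from 198.51.100.7 port 60000 ssh2
Mar 10 03:10:00 fileserver sshd[4201]: Failed password for jsmith from 198.51.100.7 port 60001 ssh2
Mar 10 03:20:00 fileserver sshd[4202]: Failed password for jsmith from 198.51.100.7 port 60002 ssh2
Mar 10 03:30:00 fileserver sshd[4203]: Failed password for jsmith from 198.51.100.7 port 60003 ssh2
Mar 10 03:40:00 fileserver sshd[4204]: Failed password for jsmith from 198.51.100.7 port 60004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line, year=2024):
    """Return the fields we care about, or None for lines that are not logins.
    Syslog timestamps carry no year, so one is assumed for the sample."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_seconds=60):
    """Sliding-window rule: `threshold` failures from one source inside
    `window_seconds` raises a medium alert; a later success from a flagged
    source raises a high alert. Returns a list of (severity, ip, message)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    bursting = set()               # sources already flagged in the current burst
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failures[ip]
        if ev["result"] == "Failed":
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("medium", ip, f"{len(q)} failed logins within {window_seconds}s"))
        else:
            if ip in bursting:
                alerts.append(("high", ip, f"successful login as {ev['user']} after brute-force burst"))
            # A success closes the burst; a new one can be flagged later.
            bursting.discard(ip)
            q.clear()
    return alerts


if __name__ == "__main__":
    for severity, ip, message in detect(SAMPLE_LOG.splitlines()):
        print(f"[{severity.upper()}] {ip}: {message}")
```

With the default 60-second window only the fast burst from 203.0.113.45 is flagged; the slow attacker at 198.51.100.7, one guess every ten minutes, slips through. Widen the window to an hour and it is caught too. That tuning decision is exactly what the team operating the monitoring has to own: a tool nobody tunes or reads is not monitoring.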
3. Start a security training and awareness program
Phishing attacks and other human targeted attacks are rising and becoming more sophisticated.
User training is a critical component in stopping the success of these and other attacks.
Don’t use generic security training; to be effective, make the training relevant to your employees’ actual roles and the attacks they are likely to see.
Training the users in your organization to spot and report attacks is critical to a successful security program.
Most successful attacks involve a human somewhere along the way.
Either someone does something they should not have, or fails to do something they should have.
If you regularly train your employees and discuss security issues often, they will become more aware of the problem.
This is exactly what is wanted. If users are aware of the problem, they are less likely to fall prey to attackers.
In the cybersecurity battle, every step of progress counts!
4. Document your policies and procedures
Documentation and auditing are perhaps the most important part of your security compliance plan,
because when regulators or auditors come looking for proof that you are in compliance, your documentation is your proof.
Not only that, having a documentation and audit plan will help you stay on top of your security compliance.
Knowing you have to record that you did something motivates you to do it!
Why is documentation important?
Frankly, it’s the only way you can prove that you are taking the proper steps to ensure compliance.
Under many compliance laws, investigators who question your program will ask about items that happened years ago.
Will you be able to remember a security incident that happened 4 years ago?
We also suggest that you keep your documentation under version control (a git repository with dated commits works well for this).
It will help a lot in the long run.
If you are asked what your acceptable use policy was on November 10, 2015, you can go straight to the version that was in effect on that date.
When it comes to compliance you have to PROVE your compliance, not just acknowledge it.
In short, document everything!
5. Vet the security posture of third party vendors
Risk caused by third party vendors is rising.
In one recent survey, participating organizations reported that 56% of their data breaches were caused by third parties.
Working with third parties constantly introduces risk, and proper mitigation of that risk is vital to your security compliance program.
While this is not at all a complete list, here are a few questions that you can ask your vendors to vet their security posture:
- When did your company last conduct security awareness training?
- When did your company last perform a security risk assessment?
- Which risk analysis methodology did you use?
- Do you have insurance for cybersecurity incidents?
- What is your encryption policy?
- Have you had any security breaches in the last 3 years? If so, what remediation steps have been taken?
You have to start thinking about the security posture of your third party vendors and business partners.
Why does their security matter to me? It’s none of my business, right?
Remember the Target breach several years ago?
Do you remember how the attackers got in?
Reportedly through the HVAC vendor: the attackers compromised the vendor first, stole its credentials for the portal Target shared with it, and used that access as their foothold into Target’s network.
Better think twice about ignoring third parties.
Some cybersecurity laws mandate that you vet third parties.
By asking just a few questions, you can get a pretty good idea how they handle security.
Cyber criminals are patient, and will take one hop at a time to get to their end target.
Don’t become one of those hops.
6. Get management buy-in and enforcement backing
A security-conscious attitude starts at the top.
The “C-level” personnel have the clearest overall view of the company’s strategic position.
They should lead the security compliance program by example.
Upper management shouldn’t get exceptions to the security program.
They shouldn’t get extra access or privileges simply because of their position; least privilege applies to executives too, and executive accounts are exactly the ones attackers target.
They should be the most cautious and conscientious about security threats.
I’ve seen it many times:
When management doesn’t take security seriously, it creates the idea among everyone else that security is not really important.
What can management do to make the point?
Here are a few tips:
- Have the CEO release a statement regarding the importance of security and his/her backing of training and consequences for repeat offenders.
- Management should follow the same protocols as everyone else. When employees see this, it fosters the idea that security really is important.
- Make security a part of the business plan and strategy. Bring it up in the weekly management meetings.
7. Implement security best practices
Because many organizations’ security practices are lacking, simply implementing widely accepted best practices will help.
An attacker is then more likely to give up on your systems and move on to an easier target.
Unless you work in a high-target industry, attackers go for the easy prey.
After a few unsuccessful attempts, they move on.
There is no one-size-fits all approach to security.
Neither is there any one thing you can do to secure your systems.
Security is a multi-layered effort; no single control does the job (defense in depth).
Here are a few layers that will help drastically:
1) Use strong passwords: Depending on the access control system you are using, there may be ways to enforce strong passwords across your organization (a length minimum and screening against lists of known breached passwords do more than complexity rules). Do it! Also, educate your users as to why.
2) Change passwords regularly: Work out a rotation schedule you are comfortable with; traditionally, no longer than 90 days has been suggested. Note that NIST SP 800-63B now advises against forced periodic rotation unless there is evidence of compromise, because it pushes users toward predictable changes; if your compliance regime still mandates a rotation period, follow it, but don’t treat rotation as a substitute for breached-password screening.
3) Use encryption extensively: Encrypt laptops and desktops (full-disk encryption), mobile devices, email, and confidential files. If it holds confidential info and it can be encrypted, do it.
4) Use EXTREME caution with links: Links and attachments are probably the most common failure points that lead to bigger problems. Always check a link’s destination before clicking.
5) Have a proper backup solution: Most of the time, a $10/month cloud backup service is not what you want. Not that there’s anything wrong with it, but you likely want a more robust backup system, with restores you actually test, especially for critical items.
6) Use a commercial firewall and security device: Home-grade firewalls and routers simply don’t belong in commercial environments. While commercial equipment costs more and requires more configuration, the payback is far greater.
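Here is an added example (not from the original post) of what enforcing the strong-password rule can look like when you control the login or password-change code yourself. It follows the NIST SP 800-63B approach of a length minimum plus screening against known breached passwords rather than composition rules, and it folds away the tricks people use to slip a weak password past a checker (trailing years, letter-for-digit substitutions). The breached-password list is a small constructed stand-in for a real corpus, and the 12-character minimum is an assumption.

```python
"""Password acceptance check: length minimum plus breached/common-password
screening with normalization of common evasions.

Added example for this article, not code from the original page. BREACHED is
a constructed stand-in for a real breached-password corpus and is far too
small for production use.
"""
import re

BREACHED = {"password", "letmein", "qwerty", "welcome", "summer", "changeme", "iloveyou"}
MIN_LENGTH = 12  # assumed policy value


def normalize(pw: str) -> str:
    """Fold the trivial variations people use to satisfy complexity rules:
    case, a trailing year or symbol ("Summer2024!"), and l33t swaps ("L3tM31n")."""
    s = pw.lower()
    s = re.sub(r"[\d\W_]+$", "", s)                     # drop trailing digits/symbols
    s = s.translate(str.maketrans("@$01345", "asoieas"))  # undo common substitutions
    return s


def check_password(candidate, username="", org_words=(), breached=BREACHED, min_length=MIN_LENGTH):
    """Return the list of reasons the password is rejected; empty means acceptable.

    Every failing rule is reported, not just the first, so the user can fix
    the password in one attempt.
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalize(candidate) in breached or candidate.lower() in breached:
        reasons.append("matches a known breached/common password")
    # Reject passwords built from the account name or the organization's name.
    for word in (username, *org_words):
        if word and len(word) >= 3 and word.lower() in candidate.lower():
            reasons.append(f"contains '{word}'")
    if len(set(candidate)) <= 2:
        reasons.append("repeats one or two characters")
    return reasons


def is_acceptable(candidate, username="", org_words=()) -> bool:
    return not check_password(candidate, username, org_words)


if __name__ == "__main__":
    for pw in ("Summer2024!", "L3tM31n!2024", "jsmith-fileserver-2024", "correct horse battery staple"):
        verdict = check_password(pw, username="jsmith", org_words=("acme",))
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

In production, replace `BREACHED` with a real corpus lookup (for example a local copy of a breached-password hash list) and keep the normalization step: it is the part that catches "Welcome2025!" even when only "welcome" appears in the list.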