Cyber Security and Its Regulations
By Kim Mobley, CPA, CISA Partner, & Collin Varner, Manager
In the information technology world, there are few buzzwords as popular as “cyber security,” which Google defines as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.” While Chief Information Security Officers (CISOs) and VPs evaluate the current state of their network environment, assign oversight responsibility, and identify who is to report on such matters to the Board, one question remains: which regulations do you need to comply with?
Multiple entities have released their version of the baseline for a cyber security program, including:
- AICPA Cyber Security SOC
- NAIC Insurance Data Security Model Law draft
- New York Department of Financial Services Cyber Security regulation (23 NYCRR 500)
- NIST Cyber Security Framework
What’s an organization to do? The first step is to evaluate the common themes across the applicable cyber security frameworks and identify potential security gaps. Organizations must then develop a cyber security program that uses a risk-based approach to effectively leverage their people, processes and technology to protect against cyber security threats.
Security begins with the tone at the top. Cyber security program leadership must be knowledgeable, and at an appropriate level within the organization, to design, implement, oversee, and enforce program requirements. The program leader is generally the CISO or equivalent and must objectively assess and report on the program effectiveness, materiality of risks, and controls in place. The CISO is forward thinking and consistently adapts to security trends. The IT department should consist of qualified personnel who are also trained to ensure they can detect and respond to cyber security events and restore normal operations. End users, including employees and third parties, should receive appropriate and timely training to ensure they understand the implications of a potential threat, recognize security risks, and know the prevention and reporting protocols.
Risk assessments serve as the basis for cyber security policies and procedures, and should be performed by personnel with appropriate competence and experience. To ensure security activities are operating as intended, an organization should have defined, repeatable processes that are documented and communicated to employees and third-party service providers with access to sensitive data. The policies and procedures should be monitored and regularly challenged to ensure they remain responsive to ever-changing security risks. Penetration testing and vulnerability scans are commonly performed by skilled professionals to identify potential threats. Security awareness education and scenario testing should be conducted at least annually for the benefit of end users and, arguably more importantly, those responding to such incidents.
Application of technology to secure the organization’s assets and implement the security policies is based on risk thresholds, technical architecture and compliance requirements. Tools must be implemented to identify, protect, detect, respond and recover from cyber security threats. The selection of these tools is based on the scale and complexity of your organization. Technology must be appropriately configured, regularly assessed, and monitored to identify and detect threats. Further, these tools must be maintained and updated to adapt to security threats and environmental changes.
Cyber events will happen. The question is not whether you can prevent an attack, but how you will respond when one occurs. Negligence is not an option. Ensure you have knowledgeable leadership in place, with tested processes and supporting tools, to limit the impact of a cyber security incident.