How Do Regulations, Frameworks, and Standards Impact Cybersecurity and Audit Practices?
In this chapter, our authors review strategies and techniques to assess and address the seemingly infinite number of regulations and standards that impact cybersecurity practices and the ensuing audits used to validate security controls. Each of our authors touch upon some of the more prevalent regulations we face as CISOs including regulations that impact sectors such as healthcare and financial services as well as critical infrastructure. Our authors collectively emphasize the importance of taking a collaborative approach to regulatory compliance…working with other stakeholders within our respective organizations to understand what is required of the security programs we oversee. Key actors in these processes include the organization’s legal counsel, its chief risk officer, and other C-level executives that have a fiduciary responsibility to oversee the governance of the organization.
Bill Bonney begins this chapter with the basic premise that regulations and compliance requirements mandate “minimum standards of due care.” Bill’s experience working with publicly-traded organizations that are subject to both Sarbanes-Oxley compliance and regulatory audits offers great advice on how to approach an audit as a CISO and how to work with colleagues throughout the organization to prepare for this level of oversight. Bill’s guidance also notes how important it is as the CISO to evaluate the organization’s contractual obligations. These may be especially impactful for organizations in healthcare that are subject to HIPAA-HITECH.
Matt Stamper continues with an assessment of the regulations that mandate specific security practices and suggests that we’ve entered an era where security can no longer be ignored by boards of directors and our colleagues in the C-suite. The CISO is effectively charged with advocating legally-defensible security practices. Matt also highlights the special role that the Federal Trade Commission (FTC) has had in establishing minimum security practices with its enforcement of Section 5 of the Federal Trade Commission Act (FCTA), which addresses “unfair and deceptive trade practices.”
Gary Hayslip emphasizes how critical it is for the CISO to “meet and greet” fellow executives and stakeholders. This informal discovery leads to actionable guidance related to regulatory compliance and the required controls. Gary’s analysis also suggests that the regulatory requirements should inform the type of controls and techniques deployed. Gary warns CISOs not to make controls, processes, and techniques overly complex as this will typically overwhelm the organization and have the opposite of their desired effect. Despite Gary’s background with the Navy, the Department of Defense, and municipal government, he brings a refreshing “business perspective” to dealing with regulations and compliance.
The authors would like to pose some important questions to think about as you read this chapter:
Copyright © 2016 CISO DRG JV – All Rights Reserved.