Compliance monitoring is a key part of any cybersecurity program. It is a continuous process used to ensure staff are following procedures and policies put in place to protect company assets. Regulatory compliance monitoring is key to spotting potential issues in any organisation’s function or operations. However, it is now becoming extremely difficult for companies around the world to meet their regulatory requirements.
Due to the increase in complex industry-specific regulations, extraterritorial laws, and data protection laws, it’s never been as important as it is now to stay on top of compliance monitoring. Lawmakers and regulators won’t hold back when imposing fines on organisations that aren’t able to align their compliance and cybersecurity programs. Therefore, a compliance monitoring plan capable of continuously monitoring and assessing your company’s compliance activities is key to staying on top.
What regulations apply to your business?
A successful compliance monitoring program should be built around the laws and regulations applicable to your organisation and its industry. This step will allow you to build a gap analysis of what your current business processes and compliance controls are, and what additional security controls are needed. This process will outline risk areas and help define your information security policy.
Although the majority of regulations are only relevant to specific industries, some are far wider-reaching. For example, US President Joe Biden’s Cybersecurity Executive Order is one regulation that spans multiple sectors and industries. The Executive Order calls for the reformation of security programs throughout government entities and the private sector in the United States. It includes:
- Data breach transparency between vendors and government entities
- Multi-factor authentication
- A Zero Trust security framework
- Encryption for all data
- Better supply chain security standards
Let’s take a closer look at some of the other rules and regulations put in place which demonstrate why compliance monitoring should be an integral part of your cybersecurity program:
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS is an information security standard for organisations that handle credit cards in the United States. The standard aims to protect cardholder data to reduce credit card fraud. To comply with PCI DSS, organisations must meet twelve requirements:
- Installing and maintaining a firewall configuration to protect data
- Changing vendor-supplied defaults for system passwords and other security parameters
- Protecting stored cardholder data
- Encrypting transmission of cardholder data over open, public networks
- Protecting all systems against malware and performing regular updates of anti-virus software
- Developing and maintaining secure systems and applications
- Restricting access to cardholder data to only authorised personnel
- Identifying and authenticating access to system components
- Restricting physical access to cardholder data
- Tracking and monitoring all access to cardholder data and network resources
- Testing security systems and processes regularly
- Maintaining an information security policy for all personnel
The above-mentioned compliance monitoring requirements are then organised into six control objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Sarbanes-Oxley (SOX)
SOX was passed by US Congress in 2002 to protect the general public and shareholders from fraudulent practices and accounting errors, and to improve corporate disclosures. It is also used in Australia.
General Data Protection Regulation (GDPR)
GDPR was passed by the European Union to protect the personally identifiable information (PII) of EU citizens. GDPR is compulsory for any organisation that processes the PII of EU citizens, regardless of where the business is located in the world. Any third-party vendors must also comply.
California Consumer Privacy Act (CCPA)
The CCPA or AB 375 became effective on January 1, 2020, and was designed to enhance consumer privacy rights and protection for residents in California by imposing rules on how companies handle personal information.
Lei Geral de Proteção de Dados Pessoais (LGPD)
The LGPD creates a legal framework for the use of the personal data of Brazilians, regardless of where the data processor is located. It is modelled after the European Union’s GDPR framework.
The SHIELD Act
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) or Senate Bill 5575 was put into force to improve New York’s data breach notification law. The bill requires organisations to run a vendor risk management process and to conduct due diligence on the data security measures of service providers and third-party vendors.
The Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act is a United States federal law which requires financial institutions to explain how they share and protect their customers’ non-public personal information (NPI).
The Florida Information Protection Act (FIPA)
FIPA is an extraterritorial law, which stipulates that any company that acquires, stores, uses or maintains the PII of residents in Florida must comply. Organisations that fail to provide the required notices under FIPA violate the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) and will be subject to civil penalties.
The Federal Information Security Management Act of 2002 (FISMA)
FISMA defines a comprehensive framework to protect government operations, information, and assets against manmade and natural threats. FISMA was enacted as part of the E-Government Act of 2002.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is the federal privacy legislation for private-sector organisations in Canada.
It aims to promote trust and data privacy in the eCommerce space, and its scope has since expanded to include industries such as broadcasting, banking, and the health sector.
Prudential Standard CPS 234 Information Security (CPS 234)
CPS 234 aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents and cyberattacks by maintaining an information security capability commensurate with its information security threats and vulnerabilities.
A cybersecurity audit is key
Once you’ve pinpointed exactly what rules and regulations your organisation must follow, the next step is to conduct a cybersecurity audit to assess the company’s overall level of compliance. The audit reviews your current governance structure, risky business activities or business units, and any existing compliance issues, and helps your security team understand the state of your current monitoring efforts.
Risk assessment
A cybersecurity risk assessment analyses your business’ IT systems and helps you discover the weak points. When you know the weak points in your system, you can work to patch them up. Patching allows you to prevent a data breach and the financial consequences that come with it.
You should carry out a cybersecurity risk assessment regularly, at least once or twice a year. When reviewing your previous cybersecurity assessment, take a look at the hard data. Did your measures lower the number of cyberattacks that you experienced? Did you suffer a data breach during the previous year? Review any new exploits that have come to light and ensure that you are protected against them, as part of the compliance monitoring program.
Configuration management
Configuration management (CM) is a systems engineering process for identifying and documenting hardware components, software, and their associated settings. CM makes and documents changes to new technology components, and it also reviews testing documentation and control changes. The overall function of configuration management is to ensure systems are working correctly and that they are not at risk.
Cybersecurity risk ratings as a part of compliance monitoring
RiskXchange’s cybersecurity risk ratings work in a similar way to credit ratings. Just as credit ratings provide insight into the financial stability of an entity, cybersecurity ratings provide insight into an organisation’s cybersecurity health and the practices it uses to prevent data and security breaches.
Cybersecurity ratings grade your security performance by how well information is protected within your network. Using cybersecurity ratings to protect your data and prevent security breaches is extremely important – ratings are now as important as your organisation’s finances or reputation.
Creating a compliance monitoring plan
Once an audit has been completed, a compliance monitoring plan can be created. Whereas an audit might happen once or twice a year, continuous monitoring is key to this process. Not only will it ensure that your organisation is always in compliance, but it can also help remediate any gaps you find in controls as you go along. Any changes should always be documented and continuously monitored.
A compliance monitoring plan aims to address the risks identified and prioritise them in order of importance. Make sure the tasks are assigned to a qualified member of staff or outsourced to an external cybersecurity expert or firm. It is also advisable to combine the process with any risk monitoring activities. The output of any compliance monitoring plan depends on the level and frequency of monitoring required by your regulatory obligations. It is also important to inform regulators of any issues identified and to invest in closing those gaps.
Get in touch with RiskXchange to find out more about compliance monitoring as a part of your cybersecurity program. Also check out our free guide – Best Practices for Compliance Monitoring in Vendor Security.