Last year, tens of billions of records were breached and tens of thousands of businesses suffered ransomware attacks. Every company operating in this dangerous environment should have a cybersecurity plan for keeping company and customer data safe—especially data within the scope of information security regulations and standards.  

A cybersecurity plan outlines the policies and procedures a business considers essential to maintaining security and regulatory compliance. It is a written document that results from a comprehensive survey of the company’s risks and the actions it intends to take to mitigate them. 

For example, a business that relies on third-party software tools and libraries may be at risk from code vulnerabilities if it allows that software to become outdated. One component of a cybersecurity and security compliance plan would outline how the business intends to mitigate that risk with patch management or update procedures.

In this article, we’ll detail the 5 most important questions you should ask when developing a cybersecurity and compliance plan so you can make sure your business is prepared to face today’s threats confidently.

1. Which Data and Infrastructure Assets Does the Plan Cover?

A cybersecurity plan can only be effective if it accounts for all the business’s security risks. But a business can’t understand those risks unless it knows which data it stores, how sensitive it is, how it is stored and processed, and potential breach scenarios. 

Information gathering is often one of the most challenging steps of preparing a cybersecurity plan. Many businesses do not have complete insight into their data storage and processing, especially if data has previously been managed on an unplanned, ad-hoc basis. IT professionals often find it helpful to follow a templated discovery procedure like the Data Protection Impact Assessment defined by the GDPR.

2. Do We Need a Professional Security Risk Assessment?

One of the first questions you should ask before creating a cybersecurity plan is: Do we have adequate internal security and compliance expertise? If the answer is no, you may want to consider hiring an expert third party to carry out a comprehensive information security risk assessment.

A professional risk assessor examines your IT environment and practices to identify potential risks. A risk assessment is typically conducted under the guidance of a recognized framework like NIST Special Publication 800-30. It results in a report with the information you need to create an effective cybersecurity plan. To receive guidance on the effectiveness of your business’s risk assessment, upload your risk assessment here to receive a free analysis by a KirkpatrickPrice risk expert.

3. What Are the Relevant Information Security Laws, Regulations, and Standards?

Many businesses that handle sensitive data are required to comply with regulatory frameworks and may choose to comply with information security standards. These regulations and standards should shape their cybersecurity plans. 

Regulatory frameworks may include:

  • PCI DSS for businesses handling credit card data
  • HIPAA for businesses handling sensitive healthcare data
  • GDPR for businesses that operate in the EU
  • FERPA for educational information and records
  • FISMA for businesses interacting with government information and assets

Information security standards may include:

  • SOC 1 and SOC 2
  • ISO 27001
  • Cloud security standards

Businesses should also consider a compliance audit to ensure they comply with relevant frameworks and standards. 

4. Who Is Responsible for Implementation, Monitoring and Incident Response?

Assigning security responsibilities is a crucial aspect of developing a cybersecurity plan. Security policies must be implemented as procedures and processes that are the responsibility of managers and employees. If no one is responsible, then a cybersecurity plan is a worthless piece of paper. 

For a plan to be implemented, it must have executive support from the company’s leadership. In larger companies, that often takes the form of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). They ensure that plans and policies are turned into procedures and controls overseen by competent managers and employees throughout the business. 

5. Do Employees Have the Knowledge They Need to Comply?

A cybersecurity plan is a great starting point, but information security is more than policies and procedures. People play a critical role—over 85% of security incidents involve a human element. To successfully implement a security plan, you must ensure employees have the information and the security awareness training they need to do the right thing. 

Check out our recent article on building a positive security culture for your business to learn more about how you can set your employees up for cybersecurity success. 

KirkpatrickPrice Helps Businesses to Create and Audit Their Cybersecurity Plan

KirkpatrickPrice’s team of cybersecurity and risk experts can help your business to achieve its security and compliance goals. We offer a comprehensive range of security services that include:

Contact an information security specialist today to learn more about how we can help you. 

Security compliance is a primary concern for data-driven, technology-empowered businesses. On the one hand, they face internal and external security threats ranging from ransomware and phishing attacks to malicious insiders and human error. On the other hand, regulatory frameworks such as HIPAA and the GDPR impose stringent security and privacy standards with legal and financial penalties for non-compliance. 

A security compliance program helps a business to own its compliance risks. However, there are numerous challenges along the path to a security compliance program that supports long-term compliance goals. This article explores security compliance programs and suggests strategies to help businesses manage security compliance risks.

What Is a Security Compliance Management Program?

A security compliance program is the policies, procedures, and processes an organization creates to maintain security standards, typically based on regulatory frameworks such as HIPAA or recognized industry standards such as SOC 2. 

Security compliance programs also encompass the mechanisms by which the organization reviews and assesses information management practices. Without ongoing monitoring and auditing, it’s impossible to verify the organization is complying with its own policies.

Perhaps most important, security compliance programs are people-focused; they aim to create a management framework with resources and incentives that encourage employees to follow security best practices. 

An organization without a security compliance program may follow security best practices in an ad-hoc manner, but then again, they may not. Information security and privacy concerns are often deprioritized relative to other business goals. A security management program supported by an organization’s leadership helps align business practices with security compliance objectives. 

A security compliance management program enables organizations to:

  • Comply with regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), among many others.
  • Protect data assets and reduce the legal, financial, and reputational risk of regulatory compliance failures.
  • Design policies and implement processes that allow executives to exercise control over the organization’s security posture.
  • Monitor and verify security compliance.

Those interested in building a security compliance program may find it instructive to read the U.S. Department of Justice Criminal Division’s Evaluation of Corporate Compliance Programs. Although broader in scope than information security, it explains the factors that prosecutors look for when evaluating compliance.  These include the presence of risk assessments and risk management processes, well-designed and comprehensive policies, risk-based training, properly scoped investigations by qualified personnel, internal and external audits, and more. 

The Components of Effective Security Compliance Management 

A security compliance management plan is tailored to the business’s needs and the environment in which it operates, but effective security compliance programs are built on the following components. 

Security Compliance Policies

Policies are the key documents in a security compliance management program. Security compliance policies describe the minimum security standards with which the organization intends to comply. Policies should be informed by a variety of factors, including:

  • The organization’s business objectives,
  • The regulatory environment in which the business operates, and
  • The specific risks the organization faces. 

Policies are long-lasting, high-level documents, but they are not permanent. A company must be prepared to evolve policies in response to changes in the organization, its operating environment, and the technology on which it relies. 

Structures to Implement Security Compliance Policies

Policies are only useful insofar as they are implemented, but this is often the biggest challenge. Security compliance impacts almost all aspects of modern business: data is a key asset, and information technology is ubiquitous. 

There are two possible approaches. The first is to “bolt” security compliance onto existing business processes. However, as Gartner’s research makes clear, this is unsustainable and unscalable. It makes security a potential hindrance to normal operations, creating the risk that compliance processes are bypassed as managers and employees prioritize efficiency. 

The second approach is to make security compliance an integral part of business processes. As workflows are designed, compliance is “baked in,” informing organizational structures, processes, relationships with business partners, and technology choices. 

Learn more about building compliant business processes in Auditor Insights: Compliance from the Start.

Whichever approach is chosen, security compliance management requires leadership and clear communication with stakeholders throughout the organization. A typical security compliance management structure includes:

  • A leader with authority to sponsor security compliance projects. This may be an executive or a security compliance steering team with executive support. 
  • Participation from relevant stakeholders within the organization. This might include stakeholders from IT, information security, sales, finance, and other business units. The IT department plays a critical role in security compliance. Still, other stakeholders should also be involved to reduce the risk of security compliance procedures failing to align with broader business objectives. 
  • A compliance manager or managers with information security expertise. The compliance manager is responsible for overseeing compliance projects that integrate security compliance throughout the business. For example, the compliance manager may work with IT to implement encryption policies for sensitive data. The compliance manager also gathers evidence to assess compliance efforts’ effectiveness and inform future policy and process changes. 

Additionally, it is usually necessary to offer information security training. Any employee who has access to potentially sensitive data should receive security awareness training that prepares them to comply with information security policies. 

Security Compliance Evaluation and Auditing

Compliance monitoring and internal audits are essential. Security compliance is a continuous process of implementation and evaluation. Policies evolve as regulatory standards change, and procedures and outcomes must be re-evaluated to ensure they meet security compliance objectives. Internal monitoring and evaluation should be augmented by external audits conducted by experienced auditors with information security expertise.

Implementing a Security Compliance Management Program for Your Business

There is no universally applicable template for building a compliance management program. Every company is different, and so are its compliance requirements. However, most businesses benefit from a plan that follows these steps.

  • Conduct a risk assessment to establish which risks the company faces, including compliance risks. 
  • Develop policies and standards to mitigate those risks. 
  • Appoint a compliance leader to oversee implementation and communication with stakeholders. 
  • Implement processes, procedures, and tools that support compliance policies. 
  • Train and educate employees to understand your compliance objectives and the role they play in achieving them. 
  • Monitor compliance and conduct internal and external audits to measure how effective your compliance efforts are. 
  • Act to correct risks and compliance failings identified by monitoring and audits. 

As we mentioned earlier, security compliance management is an ongoing process. The steps outlined above should be thought of as a cycle rather than a linear process that will be complete at a point in the future. 

To learn more about how audits can help your business achieve its security compliance objectives, visit KirkpatrickPrice’s Compliance Audit Services or contact a security and compliance expert today.