Risk-Based Approach to Cyber and Information Security


Creating a cyber and information security program can appear to be a daunting task. Maybe you need to build one from scratch, or you already have some components in place and need to update your program so that it aligns with your organization and any regulatory requirements. Following a risk-based approach is a prudent method and widely accepted roadmap to implement your cyber and information security program, and provides a measurable, repeatable and defensible process for ongoing program management. The common denominator across regulatory requirements and industry guidance is a risk-based approach which, in a nutshell, begins with performing a risk assessment and then building your cyber and information security program based on the risk assessment.


Following are some of the major regulations and agency guidance that promote a risk-based approach:

  • FFIEC (NCUA Reg 748, FDIC Reg 364, FRB, OCC, CFPB)
  • FTC Safeguards Rule (16 CFR Part 314)
  • SEC Office of Compliance Inspections and Examinations (OCIE)
  • New York DFS 23 NYCRR 500
  • NAIC Insurance Data Security Model Law and state adopted variants
  • HIPAA Security Rule

This Risk-Based Approach process can be broken down into five distinct steps:

  1. Perform a Risk Assessment
    The goal of a risk assessment is to identify the risks to your data and systems, define the controls to manage those risks based on the size and complexity of your organization and define regulatory requirements which you must meet. While the above regulatory sources are not prescriptive in how to perform a risk assessment, there are a few established frameworks that provide a solid foundation. NIST SP 800-30, Guide for Performing Risk Assessments, is very useful and can be applied to virtually any industry. It provides a method to calculate risk for each threat: Likelihood × Impact Rating = Resulting Risk Rating. Assigning a risk rating to each threat allows you to prioritize your remediation and cybersecurity program efforts. Healthcare covered entities and business associates will benefit from also referencing NIST 800-66 An Introductory Guide to Implementing the HIPAA Security Rule.
  2. Document Controls
    The results of the risk assessment should flow into your policies, procedures and employee use guidelines to reflect the controls needed for your cyber and information security program. Revise or re-write your documentation to include the technical, administrative and physical safeguards identified and how they are used. Your policies are broader statements suitable for an executive committee or Board. Procedures are more granular details of how a policy is executed. Employee use guidelines detail how employees access and use information and information systems.
  3. Implement Controls
    Now it’s time to actually deploy the controls identified in your risk assessment that are commensurate with your organization’s size and complexity. Some examples, courtesy of the Center for Internet Security Critical Security Controls, include an inventory of hardware and software assets, email and web browser protections, secure device configuration, access control, and penetration testing among others. In addition to the CIS CSC mentioned above, other control frameworks available include NIST 800-53, NIST CSF, ISO 27001/27002, PCI DSS, COBIT, and HITRUST CSF. Each is a useful tool as a control catalog that should be included in your risk management planning process beginning with step 1.
  4. Assess and Report
    Now that controls have been implemented, it is time to test and evaluate your cybersecurity and information protection program. The types of tests and frequency should be defined in your risk assessment to identify, reduce and manage threats and vulnerabilities, and in doing so, these tests become controls. Testing may include vulnerability assessments, application assessments, penetration testing, incident response plan testing, control reviews/tests, and gap analyses against your chosen cybersecurity frameworks or regulatory requirements. Compliance does not equal security, so if you build a robust security program first, compliance usually follows more easily behind. Report your findings and progress to key stakeholders, executive committees, the Board and regulatory bodies as required.
  5. Remediate
    Throughout your testing process, you will find threats and vulnerabilities that need to be addressed. For example, a single annual external and internal vulnerability scan is not enough to keep pace with new vulnerabilities. Reference your risk assessment risk ratings to prioritize your remediation efforts and work through the process of eliminating, reducing and managing threats and vulnerabilities.
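The Likelihood × Impact calculation from step 1 and the rating-driven remediation ordering from step 5 are easiest to see on a small risk register. The following Python is an added example, not code from the original article or from NIST: the 1-to-5 numeric scales, the qualitative band thresholds, the tolerance score and the five sample threats are all constructed assumptions, chosen only to illustrate how ratings turn into a prioritized remediation list and a summary suitable for a Board report.

```python
"""Risk-register scoring and remediation ordering in the style of NIST SP 800-30.

Added example, not code from the article. The 1-5 scales, the qualitative
bands, the tolerance score and the sample threats are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed numeric mapping for the qualitative levels (SP 800-30 itself uses
# qualitative scales; the 1-5 numbers here are our own convention).
LIKELIHOOD = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
IMPACT = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT
    control: str      # existing or planned safeguard from step 2/3

    def risk_score(self) -> int:
        """Likelihood x Impact, the formula the article cites from SP 800-30."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Bucket a 1-25 score into reporting bands (assumed thresholds)."""
    if score >= 20:
        return "very high"
    if score >= 12:
        return "high"
    if score >= 6:
        return "moderate"
    if score >= 3:
        return "low"
    return "very low"


def prioritize(register: list[Threat]) -> list[Threat]:
    """Order threats for remediation: highest score first, ties broken by impact, then name."""
    return sorted(register, key=lambda t: (-t.risk_score(), -IMPACT[t.impact], t.name))


def exceeds_tolerance(register: list[Threat], tolerance: int = 9) -> list[str]:
    """Names of threats above the organization's risk tolerance (assumed score of 9)."""
    return [t.name for t in prioritize(register) if t.risk_score() > tolerance]


def summarize(register: list[Threat]) -> dict[str, int]:
    """Count of threats per qualitative band, the shape a Board-level report wants."""
    return dict(Counter(risk_level(t.risk_score()) for t in register))


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Threat("Phishing leading to credential theft", "email / staff workstations",
           "high", "high", "MFA, mail filtering, awareness training"),
    Threat("Unpatched internet-facing web server", "customer portal",
           "moderate", "very high", "monthly external scan, patch SLA"),
    Threat("Lost unencrypted laptop", "mobile endpoints",
           "moderate", "high", "full-disk encryption, remote wipe"),
    Threat("Data center power loss", "on-premises servers",
           "low", "moderate", "UPS, quarterly generator test"),
    Threat("Printer firmware tampering", "office printers",
           "very low", "low", "firmware updates, network segmentation"),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_REGISTER):
        s = t.risk_score()
        print(f"{s:>2} {risk_level(s):<9} {t.name:<40} -> {t.control}")
    print("Above tolerance:", exceeds_tolerance(SAMPLE_REGISTER))
    print("Summary:", summarize(SAMPLE_REGISTER))
```

Re-running the script after each scan or test cycle, with updated likelihood and impact values, is the "rinse and repeat" loop: the ordering changes as controls reduce likelihood or impact, and the summary shows whether the program is moving findings out of the high bands.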

Rinse and repeat! How often, you ask? The consensus regulatory standard and industry best practice is an annual risk assessment. By going through this process on an annual basis, you help ensure that your cyber and information security program addresses new threats, removes or replaces ineffective controls, accounts for new controls and maintains alignment with changes to your organization and environment.

Contact SCA Today at 727-571-1141 to Learn More About Risk-Based Approach to Cyber and Information Security.