How Auditors Can Make Compliance Programs More Effective
When conducting an audit of your cybersecurity plans, it’s important to reassess risk and evaluate whether established policies and procedures are both effective and actionable. To aid in cyber compliance, CSO Online noted that the updated compliance guidance issued by the Department of Justice “has particular relevance to the cybersecurity practices of organizations when it comes to, for example, data breach and other security-related lawsuits.” Essentially, the document outlines how to assess “whether a particular compliance program works in practice.” Toward that end, the guidelines pose three questions that every compliance auditor should be asking as part of their compliance process.
Is the Compliance Program Well Designed?
Having clearly defined plans, policies and procedures that inform the organization on how to detect and protect against internal and external vulnerabilities is the first step in a well-designed compliance program.
But, to use a coronavirus analogy, taking a person’s temperature to determine whether they have the coronavirus is tantamount to doing only a document-based review of your cybersecurity plans. Having plans is critical, but what are those plans actually evaluating?
If these reviews are ongoing, they should, theoretically, inform whether the program is well designed and inclusive of the best methods of identifying risk. A comprehensive compliance program must do more, though. For example, without additional penetration testing and reassessment of risk, a compliance audit won’t reveal new threats.
Each time a potential new threat is introduced, whether through human error, a vulnerability within your own organization, or through a third party, an organization can slip out of compliance. Taking a person’s temperature, or performing a document-based review, doesn’t reveal these blind spots. To truly assess risk, organizations must do more than periodic reviews that only assess a moment in time.
Is the Program Being Applied in Good Faith?
Organizations that are required to perform compliance audits must do so to protect critical systems, sensitive data or even national security, which is why the DOJ asserts that, “A well-designed compliance program should apply risk-based due diligence to its third party relationship.”
Thermal imaging goes beyond measuring a temperature and will give more insight into the asymptomatic, pre-symptomatic or those who suffer only mild symptoms, especially when that data is compiled together with other contact tracing intelligence. Applying a compliance program in good faith means having the ability to do thermal imaging across all of your suppliers and partners, but it also requires additional intelligence.
If organizations can’t identify their patient zero, there will inevitably be more contagion, because malware is stealthy and not easily identified. Often, adversaries are looking to get into an organization and become authorized so that they appear legitimate. When they succeed at this, technology can rarely detect that the activity is malicious unless defenders have insight into internal and external communications.
Does the Company’s Compliance Program Work?
Evidence of a compromise does not mean that a compliance program is flawed. In fact, it’s quite the opposite. A well-designed compliance program that works and is applied in good faith requires that organizations have visibility into every node of data across their networks and those of their suppliers and vendors. It should detect threats so that they can be mitigated.
Ultimately, every compliance audit should go beyond filling out documents and performing vulnerability assessments. Organizations need visibility into their own environments as well as those of their partners and suppliers. Knowing which vendor has potentially been compromised allows you to proceed with caution.
But an organization’s internal compliance auditors aren’t the only ones who should have that level of visibility. Evidence of compromise data is equally valuable to external compliance auditors who are vetting third parties and assessing whether those companies are cyber compliant.