The controls discussed below apply to almost every conceivable compliance regime, for example HIPAA, GDPR and PCI DSS. They are cybersecurity 101 controls, and when fully and rigorously implemented they improve compliance across the organization. They are also nowhere near as burdensome or expensive as they were even a few short years ago. For example, two-factor authentication, as discussed below, is a “no-brainer” because almost everyone carries a smartphone that can serve as the second factor.
This Control encompasses the entirety of an entity’s Risk Management Program (“Program”), including Risk Assessments and implementing additional Security Controls (“Controls”) that reduce risk to levels that are “reasonable and appropriate.” Risk Management is a meta-control. It theoretically could swallow all other Controls, but it is broken out separately to highlight the importance of having a Risk Management Program.
There can be no effective Risk Management Program if security incidents are not tracked. Most incidents do not rise to the level of a Breach, but most organizations are incapable of knowing which ones do and which ones don’t unless all Incidents are tracked. A centralized group must be responsible for tracking incidents (i.e. reporting, processing, documenting and escalating).
The Controls listed here encompass a broad array of people and process issues, namely accountability, laws & regulations, training & awareness, documentation, process results, and workforce clearance & termination. Certain controls are organized into meta-controls because that facilitates how stakeholders think about, and implement, their respective Programs. Clarity of thought matters more than a laundry list of implementation details.
Authentication is a meta-control. Smartphones have led to widespread use of two-factor authentication by most large organizations. However, Authentication is a much broader topic than simply identifying humans. Systems that access your systems must also be authenticated, so that each system is verified to be who and what it purports to be.
The meta-control therefore covers user and system identities together with their roles and responsibilities, approval of access, termination of access, two-factor authentication, and the integrity of the data those identities touch; all of these must be ensured.
Breach notification drives enforcement of HIPAA/GDPR. Large Breaches attract attention. A significant Breach will get you audited. If the rest of your Program is not in order, then you are going to be hit with the largest fines. Further, stakeholders need to be prepared to take advantage of whatever safe harbors may be available under a specific regime (e.g. pursuant to encryption or de-identification).
Disaster Recovery is yet another meta-control that must be implemented. It encompasses much more than data backups. The disaster may have nothing to do with your data and everything to do with your environment, and how to get that environment operational again is the essential question. One of the principal pieces of documentation required is a current inventory of your most critical applications and how to get them restored quickly after an emergency. That inventory includes a data backup plan, emergency access procedures, an emergency mode operations plan and an application criticality list.
You can’t manage what you don’t measure; an effective audit program is the only way to measure how well your Risk Management Program is functioning. Measuring against a baseline of a compliance regime’s requirements is the only level of granularity that matters during an audit. You have to compare requirement-by-requirement and score your organization against each requirement in order to perform an effective self-assessment.
This is another meta-control. Why does encryption top the list? Because if you encrypt using widely accepted, NIST-approved algorithms and modes you can often take advantage of regime safe-harbors (note that those safe-harbors generally apply only when the decryption key was not compromised along with the data, so key management is part of the control). Even if regime safe-harbors are not available, encryption is the best technical method currently available to prevent Breaches, and Breaches are the one thing that poses the most liability to any organization, with humans a close second. The technical meta-controls include Encryption, Malicious Software, Network, Email, Browser, Applications, Databases and Patch Management.
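As an added illustration of what “widely accepted” means in practice (this is example code written for this page, not something the original text or any particular product provides), the block below encrypts a record with AES-256-GCM, the NIST SP 800-38D authenticated-encryption mode, using only Go’s standard library. The record contents and the record identifier used as associated data are constructed sample values; the key is assumed to come from a separate key store and is never written next to the data. The point the paragraph does not show is that authenticated encryption also rejects tampered ciphertext or ciphertext moved to a different record, so a stolen database yields neither readable data nor forgeable data as long as the key stays out of the attacker’s hands.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey returns a fresh random 256-bit key. In production the key comes from
// a KMS/HSM and is stored apart from the data it protects (assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and binds aad (for example the
// table name and row id) to the ciphertext. Output layout:
// 12-byte random nonce || ciphertext || 16-byte authentication tag.
// Random 96-bit nonces are acceptable for a bounded number of messages
// per key; rotate keys well before the NIST limit of 2^32 messages.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails if the ciphertext, tag, or aad was altered.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RoundTrip reports whether plaintext survives Seal followed by Open.
func RoundTrip(key, plaintext, aad []byte) bool {
	sealed, err := Seal(key, plaintext, aad)
	if err != nil {
		return false
	}
	got, err := Open(key, sealed, aad)
	return err == nil && bytes.Equal(got, plaintext)
}

// TamperDetected flips one bit of the sealed record and reports whether
// Open rejects it, which is what distinguishes AEAD from bare encryption.
func TamperDetected(key, plaintext, aad []byte) bool {
	sealed, err := Seal(key, plaintext, aad)
	if err != nil {
		return false
	}
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(key, sealed, aad)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte("MRN 0001: constructed sample patient record") // constructed sample
	aad := []byte("patients/0001")                                 // record identifier
	fmt.Println("round trip ok:", RoundTrip(key, record, aad))
	fmt.Println("tamper detected:", TamperDetected(key, record, aad))
	sealed, _ := Seal(key, record, aad)
	_, err = Open(key, sealed, []byte("patients/0002")) // moved to another row
	fmt.Println("wrong record id rejected:", err != nil)
}
```

The associated-data argument is the practical detail to keep: binding each ciphertext to its own record identifier stops an attacker with write access from swapping one patient’s encrypted column into another patient’s row, a substitution that plain AES-CBC without a MAC would not catch.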
Locks, cameras, surveillance equipment, etc. are so ubiquitous and inexpensive that we do not pay sufficient attention to these safeguards. Changing the locks on the server room when a disgruntled key employee leaves the organization should be a “no-brainer”, yet too few organizations actually do it. Your facility’s perimeter, like your network’s perimeter, is far too easy to penetrate to leave the inner defenses (e.g. locks and access cards) unattended. The nuts-and-bolts work of cybersecurity is not always glamorous, but it is always important.
These are meta-controls that you apply across your organization in order to transform the organization’s compliance DNA from viewing Risk Management as a necessary evil into something that enhances your value proposition to your customers. For example, implementing an Agile Compliance methodology would be an organization-wide control. Analogously, using the Compliance Stack metaphor to think holistically about compliance across regimes would be another.
Controls are applied to Security Objects (e.g. devices, applications, processes, workforce). It is imperative that you have a current list of your Security Objects in order to manage an effective program. However, in the grand scheme of things, it is far more important to start applying Controls to high-risk Security Objects sooner rather than later. Both objectives are important; it is a question of priorities.
Leveraging these controls across compliance regimes increases efficiency and reduces the cost of compliance over time. The key is changing how your organization approaches compliance, transforming today’s isolated, regime-by-regime approach into thinking that is more holistic.