Here’s good news for security leaders: If you’ve established sound policies, enforce them rigorously, and thoroughly monitor and report security effectiveness, you’re well on your way to protecting your company from today’s growing swarm of increasingly potent threats. Now here’s the bad news: More and more auditors, regulators, partners, and customers are demanding defensible proof of that fact. The consequences for disappointing auditors and regulators can be rather harsh. Failure to comply can result in fines and penalties, outraged customers, loss of sensitive data, increased scrutiny from regulators, and costly damage to your organization’s brand and reputation.
Enable access while protecting information
Embracing a comprehensive approach to identity and access management, combined with an intense focus on sensitive data and on relevant reporting and metrics, strikes an important balance. Policies should specify granular data access privileges based on where employees are located, what network they’re on, and which device they’re using, with additional controls commensurate with risk. For example, access should be scrutinized more closely when an employee uses a personal smartphone over a public network than when they use a company-owned laptop at the office. Role-specific training and automated role-based access control will ensure employees understand your policies and follow them.
Control sensitive data
Most security mandates apply to personally identifiable information, healthcare records, payment transactions, and other classified data. To comply with mandates, you must first identify sensitive data by creating a classification model for the various kinds of information your company creates, transmits, and stores. Next, make data classification assignments and prioritizations. To ensure the right data ends up in the right categories, involve stakeholders in this process, including representatives from your business groups, legal department, and operational functions.
Now you’re ready to implement policies and enforcement mechanisms for securing data based on how sensitive it is, where it’s stored, and where it’s being accessed. For example, you might choose to control public data minimally regardless of user, network, and device, but limit access to confidential information on “bring your own” and consumer hardware. Always apply your strictest controls to your most sensitive data. Once again, security solutions can help you enforce classification-based policies automatically.
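The two passages above describe one policy: access to a piece of data depends on its classification, on who is asking, and on the device and network in use, with the strictest controls reserved for the most sensitive data. The following is an added example, not code from the original page, that encodes such a policy as a small evaluator so the rules can be read, reviewed and tested as a unit rather than scattered across application code. The classification levels, the role entitlements in `ROLE_CEILING`, the risk score and every threshold are assumptions chosen for illustration.

```python
"""Classification- and context-aware access policy evaluator (added example).

Assumptions (not from the original text): four classification levels, a
role-to-ceiling table, and a two-point context risk score derived from
device ownership and network trust.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str
    device_managed: bool    # company-owned / MDM-enrolled vs personal or consumer hardware
    network_trusted: bool   # corporate LAN or VPN vs public network
    mfa_verified: bool      # strong authentication completed for this session


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    require_step_up: bool = False  # denied now, but would pass after additional verification


def risk_score(ctx: AccessContext) -> int:
    """0 = managed device on trusted network; 2 = personal device on public network."""
    return int(not ctx.device_managed) + int(not ctx.network_trusted)


# Assumed role entitlements: the highest classification each role may read at all.
ROLE_CEILING = {
    "employee": Sensitivity.INTERNAL,
    "analyst": Sensitivity.CONFIDENTIAL,
    "finance": Sensitivity.RESTRICTED,
}


def evaluate(ctx: AccessContext, classification: Sensitivity) -> Decision:
    """Decide access; controls tighten as sensitivity and context risk rise."""
    ceiling = ROLE_CEILING.get(ctx.role)
    if ceiling is None:
        return Decision(False, "unknown role: deny by default")
    if classification > ceiling:
        return Decision(False, f"role {ctx.role} is not entitled to {classification.name} data")

    risk = risk_score(ctx)
    if classification == Sensitivity.PUBLIC:
        # Minimal control regardless of user, network and device.
        return Decision(True, "public data: minimal control")
    if classification == Sensitivity.INTERNAL:
        if risk == 2 and not ctx.mfa_verified:
            return Decision(False, "internal data from an unmanaged device on a public network requires MFA",
                            require_step_up=True)
        return Decision(True, "internal data")
    if classification == Sensitivity.CONFIDENTIAL:
        # Confidential information is never released to BYOD / consumer hardware.
        if not ctx.device_managed:
            return Decision(False, "confidential data is blocked on unmanaged devices")
        if not ctx.mfa_verified:
            return Decision(False, "confidential data requires MFA", require_step_up=True)
        return Decision(True, "confidential data on a managed device with MFA")
    # RESTRICTED: strictest controls, every condition must hold.
    if risk > 0 or not ctx.mfa_verified:
        return Decision(False, "restricted data only from a managed device on a trusted network with MFA")
    return Decision(True, "restricted data: all controls satisfied")


if __name__ == "__main__":
    byod_public = AccessContext("bob", "analyst", device_managed=False, network_trusted=False, mfa_verified=True)
    office = AccessContext("bob", "analyst", device_managed=True, network_trusted=True, mfa_verified=True)
    for ctx in (byod_public, office):
        for level in Sensitivity:
            d = evaluate(ctx, level)
            print(f"{ctx.role:8} managed={ctx.device_managed!s:5} trusted={ctx.network_trusted!s:5} "
                  f"{level.name:12} -> {'ALLOW' if d.allow else 'DENY '} ({d.reason})")
```

Keeping the decision in one function with a table of role ceilings means a reviewer or auditor can read the whole policy in a few lines, and each rule the page describes (minimal control for public data, no confidential data on consumer hardware, strictest controls for the most sensitive data) maps to one branch that can be tested directly.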
Audit, measure, and demonstrate compliance
Comprehensive security reporting is always important, but it is especially critical when it comes to compliance. Satisfying those demands takes systematic logging, reporting, and auditing processes thorough enough to track when specific users access specific apps and data, and flexible enough to address new regulations and standards as they emerge. Also create a reporting dashboard where authorized managers can see the latest compliance goals and results. Should an audit uncover gaps in your compliance measures, take a cradle-to-grave approach to resolving them by centrally tracking issues from detection to closure. Treat the people who found those issues as colleagues rather than adversaries. Internal auditors can help you eliminate risks and justify additional security investments. External auditors can provide valuable, unbiased feedback on your compliance regime.
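The paragraph above asks for three things: logs detailed enough to show which user reached which app and data, a summary that a manager can read, and a tracker that follows each gap from detection to closure. The following is an added example, not code from the original page, that does all three over a small constructed access log. The JSON field names, the five sample records and the definition of a policy exception (sensitive data reached from an unmanaged device) are assumptions chosen to illustrate the workflow.

```python
"""Access-log reporting and finding tracking for compliance evidence (added example).

Assumptions: the log is JSON lines with the fields used below; an exception is an
allowed access to confidential or restricted data from an unmanaged device.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample log, one JSON object per line. Not real data.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:02:11Z","user":"alice","app":"crm","resource":"customer_pii","classification":"confidential","device_managed":true,"network":"corp","result":"allow"}
{"ts":"2024-05-01T08:15:40Z","user":"bob","app":"wiki","resource":"handbook","classification":"public","device_managed":false,"network":"public","result":"allow"}
{"ts":"2024-05-01T09:01:03Z","user":"bob","app":"crm","resource":"customer_pii","classification":"confidential","device_managed":false,"network":"public","result":"allow"}
{"ts":"2024-05-01T09:30:55Z","user":"carol","app":"hr","resource":"health_records","classification":"restricted","device_managed":true,"network":"public","result":"deny"}
{"ts":"2024-05-01T10:12:00Z","user":"alice","app":"crm","resource":"customer_pii","classification":"confidential","device_managed":true,"network":"corp","result":"allow"}
"""

SENSITIVE = {"confidential", "restricted"}


def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines access records; a malformed line is an error, not silently dropped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed access record") from exc
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def summarize(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-user counts of allowed accesses by classification, with denials counted separately."""
    per_user = defaultdict(Counter)
    for ev in events:
        key = ev["classification"] if ev["result"] == "allow" else "denied"
        per_user[ev["user"]][key] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def find_exceptions(events: List[dict]) -> List[dict]:
    """Allowed accesses to sensitive data from an unmanaged device contradict the stated policy."""
    return [ev for ev in events
            if ev["result"] == "allow"
            and ev["classification"] in SENSITIVE
            and not ev["device_managed"]]


class FindingTracker:
    """Cradle-to-grave tracking: a finding is opened at detection and stays open until resolved."""

    def __init__(self):
        self.findings: List[dict] = []

    def open(self, ev: dict, source: str) -> int:
        fid = len(self.findings) + 1
        self.findings.append({"id": fid, "status": "open", "source": source,
                              "user": ev["user"], "resource": ev["resource"],
                              "detected": ev["ts"], "closed": None, "resolution": None})
        return fid

    def close(self, fid: int, resolution: str) -> None:
        finding = self.findings[fid - 1]
        if finding["status"] != "open":
            raise ValueError(f"finding {fid} is already {finding['status']}")
        finding.update(status="closed", resolution=resolution, closed=datetime.now(timezone.utc))

    def open_count(self) -> int:
        return sum(1 for f in self.findings if f["status"] == "open")


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-user summary:", summarize(events))
    tracker = FindingTracker()
    for ev in find_exceptions(events):
        fid = tracker.open(ev, source="internal audit")
        print(f"finding {fid}: {ev['user']} reached {ev['resource']} from an unmanaged device at {ev['ts']}")
    print("open findings:", tracker.open_count())
```

The summary is the dashboard view (who touched which class of data, how often, and how many attempts were refused), the exception list is the evidence an auditor asks for, and the tracker records each gap with its detection time and its resolution so closure can be demonstrated later rather than asserted.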
Consulting with peers is often similarly helpful. Executives in your field may be reluctant to speak freely, but security leaders in other industries are often willing to exchange useful insights if everyone commits to nondisclosure agreements in advance. Meeting today’s constantly shifting compliance requirements is an excellent way to test your defenses regularly and keep them aligned with the business need for security.