Client: Bruce Hettema
This article was originally published on two IDG sites simultaneously, Network World and CSO.
By Ryan Francis, CSO
Knowing the Regs
Whether you work for an organization controlled by compliance standards or you are an independent IT firm looking to build your enterprise business, understanding industry regulations is crucial as it pertains to cybersecurity. Michael Hall, CISO, DriveSavers, provides a few best practices for businesses operating in or with regulated industries.
Conduct a Risk Analysis
Also known as “gap analysis” or “security risk assessment,” risk analysis is the first step towards developing a data security policy. Security risk assessments should be conducted annually, biannually or any time something changes, such as the purchase of new equipment or expansion of company services.
Review Access and Authorization
As part of conducting a risk analysis, there are a number of areas and methods to review for proper security, including physical areas. Physical access should be restricted so that no one who is not authorized can reach protected systems or data.
Create a Data Security Policy
Every employee needs to understand their obligation to protect company data. In order to do so, it’s important to create a data security policy that is easily accessible and understood by employees, and is also enforceable. This document should outline practices that help safeguard any data touched by the company, including third-party business data and sensitive information.
Use the Right Tools
As part of a risk analysis, companies sometimes identify tools that can be used to minimize risks, such as security cameras, firewalls or security software. These tools should be documented as part of your company’s security policy, and then actually used and maintained as part of its implementation.
Verify Staff and Third-party Providers
Conduct background checks of all employees. Third-party providers should also be vetted to make sure they follow documented security protocols identical to or more robust than those in place within your company.
The best way to prove that your company is compliant with industry regulations is to have a third-party cybersecurity company validate your company’s security protocols, procedures and the implementation. It can be pricey, time-consuming and intrusive, but if you’re concerned about cybersecurity or looking to build your enterprise business, it’s worth exploring.
Educate and Enforce
Hold mandatory security training and awareness programs, making sure to require signatures on mandatory reading materials. Enforce security policies and procedures through use of penalties. Education should always be part of both implementation and enforcement. This is absolutely the most important part of your company security and must be offered continuously.