Business case objectives for data security compliance have never been more compelling. Data security breaches reached historically high levels in 2011, when security breach incidents were estimated to cost the UK economy a staggering £5 to £10 billion annually [1]. A recent US report [2] noted 535 breaches during 2011, involving 30.4 million sensitive records, bringing the total reported records breached in the US since 2005 to an alarming 543 million.
Driving these concerns are compliance regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Information Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), which place a continuous responsibility on organisations to properly protect data that is deemed to be sensitive and to increase employees' awareness of, and responsibility for, security. The volume and high-profile nature of data breaches heightens the concern of governments and regulatory bodies, prompting them to further tighten and enforce data protection legislation.
Because of the heightened risks associated with non-compliance, senior executives are under increased scrutiny, not only from regulators but also from customers, clients, stockholders and business partners, to ensure that security controls exist to address compliance through good governance and regulation. All companies are exposed to data breach at some level and need to consider threats from both internal sources (malicious leaks and accidental data loss) and external sources (cybercrime, hacking and malware intrusion). An integrated approach to implementing a proper regulatory compliance framework must involve developing and auditing policies and procedures, and developing a strong compliance culture.
Breaches result from failings in a combination of people, process and technology, which highlights the importance of investing in and focusing on all three components. It is now widely accepted that compliance is not achieved solely by spending money on technology; it can only be reached through good process, robust policies and effective end-user security awareness.
Though many factors affect compliance outcomes, organisations need to adopt a broader-based philosophy of security practice by developing a compliance culture that helps employees understand the right practices and motivates and supports them to perform those tasks correctly. This needs to be coupled with an ongoing process of auditing to ensure that critical data assets and procedures are continuously evaluated and protected.
One of the findings of the Verizon 2010 PCI Compliance Report [3] is that "Organizations are better at planning and doing than checking. If the check phase is broken, they cannot act to maintain the state of security over time". Most companies have documented data security policies and procedures but lack automated processes for ensuring that those policies are effective. In adopting a culture of continuous risk management, the mix needs to incorporate a best-practice approach to both people and procedures through:
- Auditing people to ensure that an effective compliance culture is being adopted
- Auditing data security to measure the effectiveness of policies and procedures
A recent joint project demonstrated how two different but pragmatic strands of security practice can be combined into a more collaborative approach to achieving compliance: an understanding of organisational behaviour and culture, and clear insight into the nature, location and value of critical data assets gained through auditing procedures:
Compliance and Governance Culture
Understanding what motivates and incentivises compliant behaviour by learning what employees do and how they practise security:
● Assess the level of behavioural risk within an organisation's culture
● Measure critical employee descriptions of the workplace
● Provide a range of reporting and follow-up solutions
● Roadmap compliance culture improvement across an organisation
● Provide best-practice solutions for future compliance and other change programmes, e.g. data protection initiatives
Understanding the Location and Value of Data
Auditing unstructured data to ensure that security policies and procedures are effective and that critical data is not stored unsecured on the network:
● Enterprise visibility to understand and identify the data entities that contribute to risk, threats and vulnerabilities
● Manage risk, improve security processes and maintain compliance standards
● Continuous risk-based approach to regulatory compliance through ongoing monitoring
Regular auditing and monitoring are essential to detect possible regulatory compliance violations and to ensure that internal controls exist and operate effectively. They also confirm that procedures and policies are effective and are being managed reliably, and they provide reasonable assurance that compliance and security measures exist, persist over time and are being monitored.
This approach leads to a range of benefits, including improved certification success, increased employee awareness of regulatory compliance requirements, and minimised corporate reputational and financial risk. A strong culture of data security will help to reduce instances of non-compliance as well as reduce the impact on an organisation should an incident occur. Many regulatory agencies consider a business's overall approach to compliance when assessing monetary fines and penalties, and may assess a lower fine where a strong corporate compliance programme is in evidence.
Developing a more positive compliance culture complements the enforcement of automated risk assessment procedures, demonstrating meaningful coordination of compliance controls through ongoing improvement and evaluation. By helping organisations understand their compliance culture and by identifying unsecured data at risk, it raises the corporate discussion of how best to tackle compliance, initiating a more proactive and inclusive approach to security and enabling a better protected environment.
Compliance is a complex area for business: it is hard to know what to do, and whether what you are doing is comprehensive enough. The task of securing critical and sensitive assets while balancing compliance obligations can be intricate. However, by improving cultural performance and identifying unsecured data through ongoing review measures, security risks can be minimised and valuable information protected and managed compliantly. Combining different strands of compliance practice identifies gaps and irregularities and helps organisations to embark upon a more meaningful strategy for achieving and maintaining compliance.
About PixAlert
PixAlert provides enterprise data audit solutions which help organisations to discover, classify and protect unsecured, critical data across networks, enabling businesses to manage risk, improve security processes and maintain compliance standards. www.pixalert.com
About Blue Provident
Blue Provident provides a series of tools for capturing insights from employees, empowering organisations to improve the workplace and achieve better results through people. Their products and services are based around proven and practical survey-based feedback methods, making it simple for organisations to ask employees their point of view and then act constructively on the results. www.blueprovident.com
[1] PwC, UK Information Security Breaches Survey Results 2012.
[2] US Privacy Rights Clearinghouse (PRC), Data Breaches: A Year in Review.
[3] Verizon, 2010 PCI Compliance Report.