A company trying to navigate the minefield of info-security compliance may find it a daunting task. On one side are PCI DSS and Data Protection, while on the other loom ISO 27001 and 27005. In the distance is the new GDPR and, for some, the UK Gambling Commission Security Audit must also be considered. Rather than seeing these standards as the minefield, however, think again. The minefield is actually the vast info-security landscape, populated with potential pitfalls and dangers, some of which will cost your business both money and reputation. The standards and audits are your way of navigating it successfully. They are the safe ground.
To plot your path to the safe ground you need a clear roadmap. The key is to think long term, so think big. The first step is to maintain an Asset Register so that you know what data you have, where it is and how long you are going to keep it. Alongside it, devise a strategy to ensure that all sensitive data is processed in a standardised way, that the register is accurately detailed and that it does not contain any ‘fluffy’ wording that might lead to inconsistent interpretation.
Keeping with the minefield analogy, you need to know what you are trying to avoid. Know your threat profile and concentrate your effort in those areas. Consider these questions:
- Where do you store / process / transmit sensitive data?
- How valuable is that data to you / to a hacker?
- Is this data still required for business purposes?
- Who has access to the data?
One way of doing this is to imagine how you would re-create a security breach yourself. Look at the audit log data: can you tell who had access to what, and when? Ensure penetration testing has adequate coverage and check the scope of vulnerability assessments. A risk assessment will help make sure that everything is documented and help you devise an effective strategy. Within that strategy, identify which tasks need to be performed on a regular basis and set up a ‘Security Diary’ to schedule them. Remember, a security audit is only a snapshot of an environment at a given time. To keep it effective, ensure that tasks are assigned and performed as required throughout the year.
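The audit-log question above (who had access to what, and when) is easier to answer when the log is turned into an access matrix and compared with the list of people who are supposed to have access. The following Python is an added example written for this page, not code from the original article: the log format, the sample records and the entitlement list are all assumptions made here. It answers three of the questions in the list: who actually reached each data store, who reached it without an entitlement, and which entitlements were never used and are therefore candidates for removal.

```python
"""Added example (not from the original article): reconstruct "who had access to
what, and when" from a small constructed audit log, then compare that against an
assumed entitlement list. The log format, the sample records and the entitlements
are all assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit records (not real data). Assumed format: ISO-8601
# timestamp followed by key=value pairs. One non-matching line is included to
# show that unparseable input is skipped rather than aborting the review.
SAMPLE_LOG = """\
2024-03-04T09:12:44Z user=alice action=read resource=/cardholder/export.csv result=success
2024-03-04T09:15:02Z user=bob action=read resource=/hr/payroll.xlsx result=success
2024-03-04T23:41:10Z user=carol action=read resource=/cardholder/export.csv result=success
2024-03-05T08:01:33Z user=alice action=write resource=/cardholder/export.csv result=success
2024-03-05T08:03:19Z user=dave action=read resource=/cardholder/export.csv result=denied
this line is not an audit record
"""

# Assumed entitlements: who is *supposed* to be able to reach each data store.
ENTITLEMENTS = {
    "/cardholder/export.csv": {"alice"},
    "/hr/payroll.xlsx": {"bob", "erin"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


def parse_line(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def access_matrix(log_text):
    """Map resource -> user -> sorted timestamps of *successful* accesses.
    Denied attempts are left out here; they belong in a separate alerting view."""
    matrix = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("result") == "success":
            matrix[rec["resource"]][rec["user"]].append(rec["ts"])
    return {res: {u: sorted(ts) for u, ts in users.items()} for res, users in matrix.items()}


def unexpected_access(log_text, entitlements):
    """Successful accesses by users who are not entitled to the resource.
    Returns sorted (user, resource, first_seen_iso) tuples."""
    findings = []
    for resource, users in access_matrix(log_text).items():
        allowed = entitlements.get(resource, set())
        for user, stamps in users.items():
            if user not in allowed:
                findings.append((user, resource, stamps[0].isoformat()))
    return sorted(findings)


def unused_entitlements(log_text, entitlements):
    """Entitled users with no successful access in the log: candidates for
    removal under least privilege (the 'is this still required?' question)."""
    seen = access_matrix(log_text)
    return sorted(
        (user, resource)
        for resource, allowed in entitlements.items()
        for user in allowed
        if user not in seen.get(resource, {})
    )


if __name__ == "__main__":
    for finding in unexpected_access(SAMPLE_LOG, ENTITLEMENTS):
        print("UNEXPECTED", *finding)
    for user, resource in unused_entitlements(SAMPLE_LOG, ENTITLEMENTS):
        print("UNUSED    ", user, resource)
```

Run against the constructed log it reports carol's out-of-hours read of the cardholder export as unexpected and erin's unused payroll entitlement as a removal candidate; dave's denied attempt is deliberately excluded from the matrix so that the access review and the failed-access alerting stay separate. Both outputs are the kind of item that belongs in the Security Diary as a recurring check rather than a once-a-year audit exercise.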
In certain circumstances, System Hardening profiles can be automated so that new servers or devices can be deployed quickly and securely. Regular maintenance and patching provide a more stable environment with less risk of failure and greater security. Without this regular upkeep you may be only one ill-conceived change control request away from non-compliance.
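A hardening profile is only useful if it is also checked against what is actually running, otherwise the ill-conceived change goes unnoticed until the audit. The following Python is an added example written for this page, not code from the original article: it compares an sshd_config against an assumed baseline, reports each directive that has drifted or is missing, and produces the corrected file. The baseline values and the sample config are assumptions made here.

```python
"""Added example (not from the original article): compare a server's sshd_config
against a hardening baseline so that drift introduced by a later change is caught
before an audit does, and produce the corrected file. The baseline values and the
sample config are assumptions made for this example."""

# Assumed baseline profile: directive -> required value. Keywords in sshd_config
# are case-insensitive, so comparisons below are done in lower case.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample: a config after an ill-conceived change commented out the
# hardened line and re-enabled password logins (not taken from a real server).
SAMPLE_SSHD_CONFIG = """\
# Managed by configuration management - do not edit by hand
Port 22
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries 6
"""


def _split_directive(line):
    """Split 'Key value' or 'Key=value' into (key_lower, value), or None."""
    parts = line.replace("=", " ", 1).split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def parse_sshd_config(text):
    """Return {keyword_lower: value}. sshd uses the first value it reads for a
    keyword, so a later duplicate must not override an earlier one here either."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kv = _split_directive(line)
        if kv and kv[0] not in effective:
            effective[kv[0]] = kv[1]
    return effective


def check_baseline(text, baseline):
    """List (keyword, expected, actual) for each baseline directive that is
    missing or set differently. A missing directive is a finding too: the
    profile wants values stated explicitly rather than relying on compiled-in
    defaults."""
    effective = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        actual = effective.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return sorted(findings)


def enforce_baseline(text, baseline):
    """Return the config with every baseline directive set exactly once: the
    first occurrence is rewritten in place, shadowed duplicates are dropped,
    and directives absent from the file are appended at the end."""
    canonical = {k.lower(): k for k in baseline}
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        kv = None if not line or line.startswith("#") else _split_directive(line)
        if kv and kv[0] in canonical:
            if kv[0] in seen:
                continue  # drop a duplicate that sshd would ignore anyway
            seen.add(kv[0])
            name = canonical[kv[0]]
            out.append(f"{name} {baseline[name]}")
            continue
        out.append(raw)
    for key in canonical.values():
        if key.lower() not in seen:
            out.append(f"{key} {baseline[key]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, expected, actual in check_baseline(SAMPLE_SSHD_CONFIG, SSHD_BASELINE):
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
    print(enforce_baseline(SAMPLE_SSHD_CONFIG, SSHD_BASELINE))
```

The same check run on a schedule, against every host, is what turns a hardening profile from a build-time step into a year-round control: the re-enabled password login is reported the day it drifts, not at the next audit, and the corrected file can be pushed back through change control.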
How will all this help? Effective info-security improves working practices and adds value to a business. Staff with a better understanding of data security are more likely to identify problems effectively, and before they become service-affecting. Diarising what some term ‘audit tasks’ throughout the year ensures stability and surfaces issues in a more timely manner, rather than only at audit time.
Navigating the minefield is made easier by taking it in measured steps rather than running at it once a year. The key is to know your battlespace; after all, only by having an awareness of where the threats are coming from can you hope to avoid them.