Keeping a watchful eye on your organization’s most serious security risks is a challenge in the best of circumstances. It’s especially difficult when executives are laser-focused on the bottom line and information security staff are stretched thin. And yet vigilant security is required by best business practices and, in most industries, by specific regulatory requirements.
Regulatory Requirements for Addressing Security Risks
Virtually every major industry must adhere to regulations governing the security and privacy of customer information.
In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to safeguard the security and privacy of protected health information and the personally identifiable information of patients. Various provisions of the regulation require security risks to be assessed regularly and resolved in a timely manner to prevent security incidents.
In the financial services industry, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers’ personally identifiable information and other non-public information from foreseeable threats to security and data integrity. The GLBA applies to all businesses, regardless of size, that provide financial products or services to consumers.
In retail merchandising, the Payment Card Industry (PCI) Data Security Standard (DSS) requires merchants who process customer payment card transactions to protect the security and privacy of that information, including customer name, account number, PIN, billing address, contact information, and other personally identifiable data.
In addition, NIST, ISO-IEC, SOC-SSAE, and other well-established security frameworks impose similar security requirements for the protection of customer data.
Foundation: Your Security Risk Assessment
The fundamental step toward meeting security regulations that apply to your organization is the completion of a thorough security risk assessment.
From this foundation come three essential subsequent steps that entail:
- creating and documenting security policies and procedures,
- prioritizing the identified risks by severity or scope of potential impact, and
- mitigating those risks to reduce an organization’s vulnerability to security breaches and other security incidents.
Risk mitigation is the penultimate goal, with a robust cybersecurity posture being the ultimate objective. As is often the case, however, so many security risks of various severities are found during most security risk assessments that not all can be resolved promptly. IT teams are required to address countless other tasks in addition to risk mitigation, and priorities are often murky or overly fluid.
Fortunately, one particular tactical approach has proven to be highly effective in prompt mitigation of the most serious risks. This is the formal monthly reporting of the status of the organization’s top ten security risks.
Focusing on the Top Ten Security Risks
Security risk status reporting is a vital element of effective business management, information security, and regulatory compliance. It is a formal process that provides at least seven benefits for your organization.
- Monthly risk status reporting helps management, the board of directors, information technology and security teams, and other stakeholders to focus on the ten most significant risks or vulnerabilities. It reduces all other risks to background noise for a period of time.
- Risk status reporting provides a roadmap or plan for mitigating a manageable number of security risks. The risks are prioritized by severity, and the ten most severe are monitored at one time.
- When one risk is fully resolved, it is removed from the status report, and another is added so that the report always presents the status of the top ten risks.
- When a risk remains on the security risk status report beyond an agreed period of time, it is flagged in the report for management’s specific attention. Depending on the reason for the delay in mitigation, informed decisions can be made to bring full resources to bear on resolving the risk.
- Monthly risk status reports are useful in providing documentation to support budget allocations to remediate critical security risks.
- Monitored over time, the reports are useful in strategic planning for security programs, staffing, and other resourcing.
- The process and documentation of risk status reporting demonstrate that your organization is actively managing its most significant security risks. This can be an important advantage when dealing with investors, shareholders, regulators, and similar entities.
A complete security risk status report will include actionable notes to help steer mitigation efforts, as well as notes tracking mitigation progress for each risk. It is essential that progress on each risk be carefully monitored.
Security risk status reports should be shared each month according to a predetermined distribution list approved and maintained within your organization. This ensures that all designated parties are informed and able to engage as required. The list should be kept current, with designated recipients added and removed as roles change.
Ensuring Engagement and Action on the Report
Security risk management, cybersecurity threats, privacy gaps, information system safeguards, and similar concerns are likely well-known to your organization’s board of directors and executive team. Charged with overseeing the business at a high level, they are responsible for understanding how effectively the organization is meeting its security obligations and protecting its stakeholders.
While the monthly security risk status report may be distributed electronically, a high-ranking information security manager, such as a chief information security officer, should present the report to the board and executive team.
Why take this extra step? Because a face-to-face presentation of the risk status report helps to engage key individuals and foster understanding. It encourages conversation and decision-making regarding risk mitigation. It is a more effective way to make sure the report is taken seriously, with appropriate follow-up actions.
Presenting the Risk Status Report
When planning your presentation, be prepared to address several additional aspects of your organization’s security risk posture. This will enhance the board and executive team’s understanding of the risk status report in a larger business context.
- Risk Trending. Is the level and degree of cybersecurity risk in your organization, as tracked by the monthly risk status reports, increasing, decreasing, or holding steady month to month? Are there identifiable reasons for the trend?
- Risk Investment. Is your cybersecurity budget adequate to mitigate the top ten risks? Does it extend to additional risk levels? Is this acceptable to the organization?
- Risk Acceptability. What level of risk does your organization consider to be acceptable, and how much risk can your organization accept before becoming overly exposed?
- New Business Risk. Does your organization know the degree of risk posed by each new business prospect, vendor, or other new stakeholder? What process is in place to manage these additional risks?
Security risk assessments are required by numerous industry regulations, including those governing the healthcare, financial services, and payment card industries. They are also a best practice supported by widely adopted security frameworks such as NIST and ISO-IEC. Once an assessment is complete and security risks have been identified, they are prioritized by severity and potential impact to help guide mitigation efforts.
Often, organizations can be overwhelmed by the number and gravity of their security risks. As an aid in resolving the most serious, security risk status reporting is useful in monitoring and driving progress on the top ten risks. This is a formal monthly process that delivers excellent benefits and demonstrates your organization is actively managing its most significant security risks.
Security risk status reporting is also available as a service from the 24By7Security VCISO team.