Keeping a watchful eye on your organization’s most serious security risks is a challenge in the best of circumstances. It’s especially difficult when executives are laser-focused on the bottom line and information security staff are stretched thin. And yet vigilant security is required by best business practices and, in most industries, by specific regulatory requirements.
Virtually every major industry must adhere to regulations governing the security and privacy of customer information.
In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and their business associates to safeguard the confidentiality, integrity, and availability of protected health information. The HIPAA Security Rule specifically calls for an accurate and thorough risk analysis and an ongoing risk management process that reduces identified risks to a reasonable and appropriate level, which in practice means assessing risks regularly and remediating them in a timely manner.
In the financial services industry, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customers' non-public personal information against reasonably foreseeable internal and external threats to its security, confidentiality, and integrity. The GLBA applies to businesses of every size that provide financial products or services to consumers; non-bank institutions fall under the FTC's Safeguards Rule, while banks and credit unions answer to equivalent rules from their own regulators.
In retail and payments, the Payment Card Industry Data Security Standard (PCI DSS) requires every organization that stores, processes, or transmits payment card data, merchants and service providers alike, to protect cardholder data (the primary account number, cardholder name, expiration date, and service code) and never to retain sensitive authentication data such as PINs and card verification codes after authorization. Unlike HIPAA and the GLBA, PCI DSS is not a law but an industry standard, enforced contractually through the card brands and acquiring banks.
In addition, widely adopted frameworks such as the NIST Cybersecurity Framework and NIST SP 800-53, ISO/IEC 27001, and SOC 2 examinations under the AICPA's SSAE 18 standard set out comparable expectations for the protection of customer data. These frameworks are voluntary in themselves, but customers and contracts frequently hold organizations to them even where no regulation applies.
The fundamental first step toward meeting the security regulations that apply to your organization is completing a thorough security risk assessment.
From this foundation come three essential subsequent steps that entail:
Risk mitigation is the penultimate goal, with a robust cybersecurity posture being the ultimate objective. In practice, however, most security risk assessments surface so many risks of varying severity that not all of them can be resolved promptly. IT teams must handle countless other tasks alongside risk mitigation, and priorities are often murky or change too frequently.
Fortunately, one particular tactical approach has proven to be highly effective in prompt mitigation of the most serious risks. This is the formal monthly reporting of the status of the organization’s top ten security risks.
Security risk status reporting is a vital element of effective business management, information security, and regulatory compliance. It is a formal process that provides at least seven benefits for your organization.
Security risk status reports should be shared each month according to a predetermined distribution list approved and maintained within your organization. This ensures that all designated parties are informed and able to engage as required. The list should be kept current, with designated recipients added and removed as roles change.
Security risk management, cybersecurity threats, privacy gaps, information system safeguards, and similar concerns are likely well-known to your organization’s board of directors and executive team. Charged with overseeing the business at a high level, they are responsible for understanding how effectively the organization is meeting its security obligations and protecting its stakeholders.
While the monthly security risk status report may be distributed electronically, a high-ranking information security manager, such as a chief information security officer, should present the report to the board and executive team.
Why take this extra step? A face-to-face presentation of the risk status report engages key individuals and fosters understanding. It encourages discussion and decisions about risk mitigation, and it is the most reliable way to ensure the report is taken seriously and followed by appropriate action.
When planning your presentation, be prepared to address several additional aspects of your organization’s security risk posture. This will enhance the board and executive team’s understanding of the risk status report in a larger business context.
Security risk assessments are required by numerous industry regulations and standards, including those governing healthcare, financial services, and payment card data. They are also a best practice supported by widely adopted security frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001. Once an assessment is complete and security risks have been identified, each risk is rated by its likelihood and potential impact, and the resulting severity ranking guides mitigation efforts.
Organizations are often overwhelmed by the number and gravity of their security risks. As an aid in resolving the most serious ones, security risk status reporting monitors and drives progress on the top ten risks. This formal monthly process delivers measurable benefits and demonstrates that your organization is actively managing its most significant security risks.
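The following is an added example, not code from the original article or from 24By7Security, showing one way to turn a risk register into the monthly top-ten status report described above. It assumes a 1-to-5 likelihood and impact scale, severity bands derived from their product, and remediation targets per band; all three are illustrative conventions chosen for this example, not requirements of any regulation, and the risk register entries are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Risk:
    """One entry in the security risk register."""
    id: str
    title: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale
    owner: str
    opened: date     # date the risk was first recorded
    status: str      # "open", "in progress", or "mitigated"

    @property
    def score(self) -> int:
        # Classic likelihood x impact product, range 1..25.
        return self.likelihood * self.impact


def severity(score: int) -> str:
    """Map a 1..25 score onto a severity band (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


# Assumed remediation targets in days per severity band (illustrative only).
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}


def top_risks(register, as_of, n=10):
    """Return the n highest-scoring unmitigated risks with status details.

    Ties on score are broken by age (older first), so a long-open risk
    surfaces ahead of a newer one of equal severity.
    """
    open_risks = [r for r in register if r.status != "mitigated"]
    ranked = sorted(open_risks, key=lambda r: (-r.score, r.opened))
    report = []
    for r in ranked[:n]:
        days_open = (as_of - r.opened).days
        band = severity(r.score)
        report.append({
            "id": r.id,
            "title": r.title,
            "score": r.score,
            "severity": band,
            "owner": r.owner,
            "status": r.status,
            "days_open": days_open,
            "overdue": days_open > SLA_DAYS[band],
        })
    return report


def render(report, as_of):
    """Format the report as plain text suitable for a monthly distribution."""
    lines = [f"Top {len(report)} security risks as of {as_of.isoformat()}"]
    for i, r in enumerate(report, 1):
        flag = " OVERDUE" if r["overdue"] else ""
        lines.append(
            f"{i:2}. [{r['severity'].upper()} {r['score']:2}] {r['id']} "
            f"{r['title']} (owner: {r['owner']}, {r['status']}, "
            f"{r['days_open']}d open){flag}"
        )
    return "\n".join(lines)


# Constructed sample register; none of these entries describe a real finding.
SAMPLE_REGISTER = [
    Risk("R-01", "Unpatched internet-facing VPN appliance", 4, 5, "Infra", date(2024, 4, 1), "in progress"),
    Risk("R-02", "No MFA on privileged admin accounts", 3, 5, "IAM", date(2024, 5, 15), "open"),
    Risk("R-03", "Backups never tested for restore", 2, 5, "Infra", date(2024, 6, 10), "open"),
    Risk("R-04", "Shared local admin password on workstations", 4, 3, "Endpoint", date(2024, 3, 1), "mitigated"),
    Risk("R-05", "Legacy file share readable by all staff", 3, 3, "Data", date(2024, 2, 1), "open"),
    Risk("R-06", "Stale contractor accounts not disabled", 3, 5, "IAM", date(2024, 1, 20), "open"),
]

if __name__ == "__main__":
    print(render(top_risks(SAMPLE_REGISTER, date(2024, 6, 30)), date(2024, 6, 30)))
```

Mitigated risks drop off the list automatically, so month-over-month the report shows both which risks were closed and which have overrun their remediation target; the "overdue" flag is what makes the report a driver of action rather than a static inventory.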
Security risk status reporting is also available as a service from the 24By7Security VCISO team.