So, your CEO has taken you aside and whispered seductively in your ear three little words that set your heart racing: “Cyber security compliance.”
We know that you’re not surprised. Suppose your business wants to be up there playing with the big contracts, or even allowed in the playground. In that case, you need to demonstrate compliance with regulations and assurance frameworks like HIPAA, SOC 2, or the SEC’s cybersecurity rules.
Getting your business cyber security compliant might just be your life for the next six months, but it’ll be a whole lot easier if you have a cyber security compliance checklist.
Oh, look, here’s one:
Your 3-Point Cyber Security Compliance Checklist
Your checklist aims to ensure that you’ve got compliance covered, which means creating and implementing the controls that protect the integrity, availability, and confidentiality of the IT assets you’re responsible for.
Gobbledegook side note: By IT assets, we mean the information assets that directly impact data security, such as the data itself, as well as the systems, networks, and devices that surround it.
1. Assess and Identify Cybersecurity Threats
This is the first step for a reason. You don’t know how to fix it if you don’t know how (or if) it’s broken. And if you’re aiming to get good’n’compliant with a regulatory framework, you’ll need to map its requirements against your systems and see where you fall short.
It’s always good to establish a process for your cyber security compliance assessment, and it might look something like this:
Identify IT Assets and Their Owners
Here’s where you take almost literal stock of your information assets: your information systems, networks and data. You’re mapping out your digital ecosystem. This will include things like:
- Devices and other endpoints used for business purposes—even if they’re personally-owned
- Servers, storage devices and hard drives
- Your networks and the network equipment that runs them
- Licenced software and SaaS apps you use
- Digital files
- Cloud services and data that you access
The asset owner is the person who’s responsible for each asset. You’ll have created a mighty fine asset register by the end of this stage. Well done you!
Assess Threats and Vulnerabilities
Now that you’ve identified your IT assets, it’s time to assess what threats and vulnerabilities they might be open to, and the risk of it happening.
A threat is something that could harm your IT assets: hacking, a malware infestation, or a disgruntled ex-employee seeking evil revenge.
A vulnerability is a weakness or flaw in (or around) an asset that a threat could exploit. These can be technical, physical, procedural or cultural. For example, a system bug, a poor offboarding policy, don’t-need-to-know access to personal data, unpatched software, a vital network lacking a backup power generator, or no-one ever, ever, ever locking the server room door behind them. What’s up with them?
At the end of this stage, you’ll have a list of potential threats and vulnerabilities to your assets. You’ll have worked out the chances of badness occurring, and the potential impact of the consequences.
Wrap It All up in a Gap Analysis
In short, welcome to the gap analysis. You know what controls your framework says you should have. You know what you’ve actually got. The difference between the two, ranked by the likelihood and impact you worked out above, is your list of gaps, and it tells you what your priorities for action should be.
Buckle up now, because it’s time to protect those assets!
2. Reduce Vulnerabilities
In high-falutin’ terms, you’re remediating your gaps. In low-falutin’ terms, you’re making stuff right. The protections you install/create/force your team to adopt will depend on which gaps you found.
Protect Your IT Assets
Protections can be technical, procedural, people-based, or an unholy mess of all three. Here are some of the tastier morsels:
- Improving the confidentiality of data by restricting who can access it, for instance with role-based access control.
- Cutting down on password sprawl by using cloud single sign-on (SSO).
- Installing and keeping up to date security software such as antivirus and endpoint protection.
- Enforcing device passcodes and multifactor authentication.
- Automating until it hurts: e.g. by using zero-touch onboarding; DNS filtering; properly configured firewalls; blocking unauthorized apps, networks and websites; and disabling the automatic running of ‘safe’ scripts and macros.
- Training employees to be able to identify and deal with phishing attacks.
- All the policies: e.g. “Here’s how we onboard and offboard people. We use the principle of least privilege. We always lock the server room door.”
Monitor. Monitor. Monitor.
Don’t grab that muffin yet because it’s not coffee break. You’ve closed some of your gaps, but now you’ve got to keep them closed, which means monitoring, testing and prodding. If you’re going for any compliance certification, you’ll need to be audit-ready anyway, and monitoring is key.
If you have a fleet of devices to worry about, Mobile Device Management (MDM) is your way forward. It’s packed with a ton of security fun such as access control and app blocking, but it’s monitoring on steroids, helping you keep on top of problems before they happen. For instance, if Devi in Product Development runs a prehistoric OS on her laptop, your MDM dashboard will flag it up and give you the power to force an upgrade.
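The kind of check the MDM dashboard is doing in the Devi example, written out as an added example (this is illustrative code, not any MDM product’s API or code from this page). The inventory, the minimum OS versions and the check-in age limit are all made up for the example; a real MDM would export something similar and you would set the thresholds from your own policy.

```python
"""Added example: flag devices that breach a minimum-OS / check-in policy.

Illustrative only; not any MDM vendor's API. The policy values and the
inventory are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Hypothetical policy: minimum OS version per platform, and how many days a
# device may go without checking in before we treat it as unmonitored.
MINIMUM_OS: Dict[str, Tuple[int, ...]] = {
    "macOS": (13, 0, 0),
    "Windows": (10, 0, 19045),
    "iOS": (16, 0, 0),
}
MAX_CHECKIN_AGE_DAYS = 14


@dataclass(frozen=True)
class Device:
    name: str
    owner: str
    platform: str
    os_version: str
    last_checkin: date


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically.

    Comparing the raw strings would be wrong: '10.0' sorts before '9.0'.
    Short versions are padded so '13' compares equal to '13.0.0'.
    """
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def findings_for(device: Device, today: date) -> List[str]:
    """Return the policy gaps for one device; an empty list means compliant."""
    gaps: List[str] = []
    minimum = MINIMUM_OS.get(device.platform)
    if minimum is None:
        # A platform the policy does not cover is itself a gap: nobody has
        # decided what 'good' looks like for it.
        gaps.append(f"platform {device.platform!r} is not covered by the OS policy")
    elif parse_version(device.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        gaps.append(f"OS {device.os_version} is below the minimum {wanted}")
    age = (today - device.last_checkin).days
    if age > MAX_CHECKIN_AGE_DAYS:
        gaps.append(f"no check-in for {age} days (limit {MAX_CHECKIN_AGE_DAYS})")
    return gaps


def compliance_report(inventory: List[Device], today: date) -> Dict[str, List[str]]:
    """Map device name -> list of gaps, for every device with at least one gap."""
    report: Dict[str, List[str]] = {}
    for device in inventory:
        gaps = findings_for(device, today)
        if gaps:
            report[device.name] = gaps
    return report


# Constructed sample inventory (not real devices or people).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("devi-laptop", "Devi", "macOS", "10.15.7", date(2024, 5, 30)),
    Device("win-sales-01", "Ade", "Windows", "10.0.19045", date(2024, 5, 31)),
    Device("win-sales-02", "Jo", "Windows", "10.0.19044", date(2024, 4, 1)),
    Device("ios-cfo", "Sam", "iOS", "17.5", date(2024, 5, 29)),
    Device("legacy-tablet", "Kit", "Android", "12", date(2024, 5, 20)),
]

if __name__ == "__main__":
    for name, gaps in compliance_report(INVENTORY, TODAY).items():
        for gap in gaps:
            print(f"{name}: {gap}")
```

Running it lists Devi’s laptop (old macOS), `win-sales-02` (old build and silent for two months) and the Android tablet (no policy at all); the two compliant devices produce nothing. The point of the version parser is the one that bites people in real dashboards: OS versions are not strings, and a device on “10.0.19045” must not look newer than one on “13.0.0” just because it sorts that way.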
3. Increase and Improve Your Preparedness
You don’t need to build a bunker (yet) but you need to plan how to respond to bad things happening, such as lost data or operational downtime. How will you mitigate the damage, contain a breach or recover lost data (and your reputation)?
Disaster planning is a vital element of IT governance and audit support, and many compliance frameworks require it. Of course, all of this becomes easier if you partner with the right solution.
Our cyber security compliance checklist isn’t a magic wand, but it is the best way of structuring your activities. Although all three steps are important, what’s vital is that once you’ve got compliant, you need to stay compliant.
Want to get your custom cyber security compliance checklist started on the right foot? Give us a call!