April 15

What Is a Cyber Security Compliance Assessment?

What is a cyber security compliance assessment? You’d be right to think that getting a cyber security compliance assessment is like being back in grade school. You’ll have to reach some standards/pass some tests/keep hold of your lunch money, in that order.

Why Is Compliance a Good Thing?

Compliance is a good thing. If you’ve been breached, you’ll know why. Maybe Jules, in accounting, opened that sketchy email, and now everyone’s locked out of their accounts by ransomware. Maybe a denial-of-service attack knocked out your online sales for a week. And maybe (yikes!) an SQL injection attack exposed your customer accounts database.

Compliance is also cool if you’ve never been breached, since compliance is credibility: independent evidence, rather than your own say-so, that you handle data and systems with due care.

That’s why compliance strengthens your value proposition. Working towards compliance is a robust business strategy, and achieving compliance is a business asset. Truth.

What Is a Cybersecurity Compliance Assessment and Why Do I Need One?

Promising to be good is not good enough. An assessment is the first step on your way to proving it. 

Let’s say you’re going for SOC 2. Or SEC. Or FINRA. Or HIPAA. One is an attestation framework, two are regulators with their own rules, and one is a law, but each of them sets particular and detailed cybersecurity requirements that your organization has to meet to be deemed compliant and to earn that handstamp of approval.

What Do Cyber Security Compliance Assessments Look Like?

The scope and nature of a cyber security compliance assessment will depend on your business's scale, structure, and activities. Its overall purpose is to identify, estimate and prioritize cybersecurity risks to your people, business systems, and IT assets. The first step is to inventory what data and infrastructure you have (your IT assets), and then to establish the value of the assets you’re trying to protect; you can’t prioritize protection for something you haven’t written down. Then you’ll focus on four things:

1. Threats

Your assessment will identify threats to your business operations or assets. Some threats are obvious: hackers and other malicious actors, or a server failure. Some are less obvious, but are threats nonetheless, for instance natural disasters. If your offices are located in a wildfire or tornado zone, that’s a big threat right there.

2. Vulnerabilities 

Vulnerabilities are weak points in your business operations. Not rocket science here. An assessment will hunt down internal and external vulnerabilities in your data and people systems. Vulnerabilities can range from the very simple, such as a lockless network cupboard door, poor password management, zero encryption, outdated software, or an unmanaged fleet of mobile devices, to the more complex, such as a wide-open attack surface created by network misconfigurations.

3. Likelihood

Now that you’ve assessed the threats and vulnerabilities, what’s the chance of the bad thing happening? If you’re not in a tornado zone, the likelihood of your servers being blown to Zanzibar is pretty slim. But if your CEO is prone to firing people by text for no reason, and nobody revokes their access the same day, you could be vulnerable to cyber revenge from a disgruntled ex-employee.

4. Impact 

If one of those threats actually materialized, what would be the damage? This could be expressed in terms of lost sales, lost productivity through business downtime, the cost of recovery and breach notification, reputational harm, or legal consequences such as fines. Likelihood and impact together are what let you rank the risks and decide which gaps to close first.

Putting Your Cybersecurity Assessment in Context

Sometimes there’s nothing better than an overused metaphor, so welcome to your compliance roadmap. You’ll need a roadmap because you’re going on the Great Compliance Journey, which starts at A (are you compliant? You don’t know yet) and finishes up at B (you’re compliant).

If the compliance process were a person, it would say, “Look, here are the standards, because you need something to measure yourself against. This is what you’re aiming for. Do you do these things currently? If not, why not? What needs to happen for you to comply with these requirements?”

For context, your cyber security compliance assessment is the first of five rest stops on that journey. The remaining four look like this:

Gap Analysis

Let’s say you’re going for SOC 2. Here’s where your compliance assessor (you got one, right?) performs a gap analysis. They’ll hold up the SOC 2 criteria and check your existing controls against them. Wherever a required control is missing, or exists on paper but isn’t actually operating, they’ll identify that as a gap. Your assessor will then hand you a to-do list of what you need to achieve compliance, which serves as your starting point for the next stage, gap remediation.

Gap Remediation

Now that you know what’s wrong, it’s time to put it right. Here’s where you implement those pesky missing controls. No lock on the server basement door? Put a lock on it. Gina in HR keeps opening those phishing emails? Get Gina trained up. Does your remote team keep losing their passwords? Get cloud SSO with multi-factor authentication for your remote workforce and their mobile devices. Whatever you fix, keep the evidence (tickets, screenshots, policies, logs), because the auditor will ask for it.

Audit

Here’s the big grade-school test. Your systems are now stuffed with All The Right Controls. During the audit stage of the compliance roadmap, an external auditor will examine your systems and practices to assess their effectiveness, and determine if they satisfy the framework’s or regulator’s standards. If they do, well done. You’ve passed. (One caveat: for SOC 2 the output is an attestation report containing the auditor’s opinion and any noted exceptions, not a pass/fail certificate, so a "pass" really means a clean opinion.)

Don’t get too relaxed, though, because it doesn’t end here.

Governance and Audit Support

Now that you’ve gained compliance, you’ve got to stay compliant. Maintaining compliance is all about continuous monitoring, internal audits, collecting evidence on an ongoing basis, and reporting for the external audits that will come around again.

Compliance: A Note About Who Does What

Never hire a single consultant or compliance services company to take charge of your whole compliance roadmap, because of a little thing called conflict of interest. The person providing the gap analysis should never be the person providing the gap remediation because, if they were evil, they could recommend a whole lot of stuff you don’t need but that you’ll pay them for anyway. And always keep your auditor separate, too: an auditor who designed or implemented your controls can’t independently assess them, and for attestation engagements such as SOC 2 that independence is a professional requirement, not just good manners.

Here’s our cybersecurity role recommendation for best practice, in the form of 1990s grunge bands:

1. Cybersecurity Assessment: Nirvana
2. Gap Analysis: Nirvana
3. Gap Remediation: Alice in Chains
4. Audit: The Gits
5. Governance and audit support: Alice in Chains

If you’re almost too excited about starting your compliance journey, we’re the Alice in Chains of the compliance roadmap. This means we’d be almost too excited to chat with you about how we could make the whole damn thing as painless as possible. 

Want to learn more about what a cyber security compliance assessment is? Give us a call, because we’re happy to help.
