Cyber security compliance assessment
There is no difference between a gap assessment and a compliance assessment. In both cases, the objective is to pinpoint gaps within your security controls. The identified gaps may not necessarily insinuate the existence of a tangible cyber security risk, however the compliance assessment will determine whether your organisation is operating in accordance with legislative requirements. There may well be a number of concurrent compliance requirements for the organisation.
Why should you conduct a cyber security compliance assessment?
The compliance assessment will identify, analyse and evaluate the cyber security controls within your enterprise. Once the process is complete, the management will know whether the existing cyber security measures comply with the standards applicable to your sphere of business activity. If the current processes and procedures are not sufficient, the compliance assessment should provide you areas of focus. Non-compliance is a quantifiable and avoidable risk. Cyber security compliance assessments are increasing becoming a legal requirement for service providers in numerous industries. The whole supply chain for an increasing number of industries is being impacted by legislation that demands companies provide proper focus towards the security of customer data.
Cyber security compliance assessment is not risk assessment
Qualitative and quantitative risk analysis must be performed independently of cyber compliance assessments. Compliance assessments are not risk assessments; compliance assessments do not rate your risks.
Applying a risk-based approach to cyber security is strongly recommended. A comprehensive risk assessment will allow you to reduce your security spend in some areas and may compel you to invest more in others. You don’t have to invest in certain security measures if the threats they are supposed to prevent are not likely to occur. Similarly, if a particular risk is unlikely to cause any significant impact were it to be realised, then it prudent to prepare to deal with the issue when it occurs, rather than investing in expensive preventive measures.
What is involved?
The compliance assessment will evaluate the objectives and strengths of your cyber security program. The compliance assessment will examine your cyber security policies. It is not uncommon that business policies may no longer be consistent with all requirements. What if an adversarial hacker were able to access your policy statements? They may identify several gaps that they can exploit, through social engineering attack or other means. Therefore, the compliance assessment risk should examine your adherence to policy and procedures. Identifying any lapse, possible conflict between policies, lack of process clarity are good outcomes for your business because you can fix these before you are exposed by a situation that will expose any inadequacies.
The compliance assessment risk will not focus on your technology directly. First, it will look into your security program. Conducting health checks on your security controls is also part of the compliance assessment. How adequate are the safeguards around your Industrial Control Systems? Do your procedures indicate appropriate contingencies plans are in place for when the systems are being targeted by an attacker? What do your systems provide in the way of automated protections and alerts? Will the operations team have a changed reporting responsibility when there is a cyber security event?
There will also be additional assessments on your cloud assets. While your cloud service provider is expected to conduct compliance assessments on their system, you should have a process to verify whether your data is secure in the cloud environment. Similarly, you should conduct a compliance assessment before a system interconnection for any business purpose. Do you have policies that will apply during an acquisition or merger? System compatibility does not equate to security compliance.
The global pandemic has heightened community awareness of how reliant we have become upon production lines that are geared to deliver goods to meet regular demand. The supply chains for items consumed by essential services have been recognized as being of elevated importance for our national security and in many cases components, goods or services are being produced overseas. For the purposes of security compliance assessment, any information exchange, any connections with or dependence upon offshore data need to be provided the same scrutiny as your own operations.
Where do we start?
After you have identified and prioritized your cyber risks, selecting a suitable framework that you can tailor for your specific requirements comes next. You need to gather detailed data about the administrative, technical and physical controls that you expect to play a role in any layer of your cyber security defences. System infrastructure, security infrastructure and employee responsibilities may all fall within scope. Typically, a cyber security compliance assessment is done by an accredited external firm. They will require the freedom to move from one department to another to gather sufficient evidence to provide them the basis for making an assessment of your current situation. Sampling documentation, observing activities, distributing questionnaires and performing interviews are standard information gathering techniques used by an assessor.
Summing up
A cyber security compliance assessment is a very useful tool to identify any apparent gaps in your policies, processes and procedures.
