If prevention is better than cure, then good compliance is always better than cleaning up after a breach. The first step is to collect, analyze and store data about how your organization operates. Undertaking a threat risk assessment (TRA) will establish which data to collect and monitor in order to protect your organization and its information assets. The questions to ask in defining those data are:
• What information assets go to the core value of your organization?
• What is potentially at risk of cyber attack (from outside or from within)?
• What are the likely impacts if such an attack is successful?
When collecting and retaining records of electronic activities, keep in mind that in the event of an adversarial claim the onus of proof will be on you. If your records are not complete and of evidentiary quality, your ability to respond effectively will be limited. Good record‐keeping may sound like mere good housekeeping, but in the event of an incident it is irreplaceable.
Equally important is the risk of data breaches by employees. Reports suggest that employees, especially disgruntled ones seeking to ‘get even’, are responsible for close to 70% of all data leakage, theft or misuse (McAfee, E‐Crime Congress, London, March 2009). Those with high‐level access or detailed familiarity with your IT and cyber security systems pose a serious risk: they have already passed your access controls, hold legitimate credentials, and know how to use your IT systems without triggering suspicion.
The operational and financial impact of a compliance breach can be profound, which makes preventative effort crucial. Once the key organizational risks are identified, a few simple steps can be taken to put compliance management into effect and safeguard your assets:
• Develop scalable monitoring and control processes and systems;
• Use compliance frameworks to establish and enforce policies for systems usage;
• Deploy competent technology to simplify the process and maximize control;
• Ensure that all IT activities are logged and that the logs are retained in full;
• Audit IT and security systems for measurable evidence that controls are working; and
• Report and remediate any non‐compliant information access or use.
Automated technology will lighten the burden of collecting and analyzing huge amounts of information, but don’t be fooled: compliance is not ‘set and forget’. Compliance testing should be ongoing in your organization, with regular internal audits. If Zurich UK had done that, the exposure may have been obvious long before the breach occurred. More recently, the Sony PlayStation hack exposed 77 million customer records, which weren’t even encrypted. It was only after the event that Sony decided to appoint a CISO (Sony must learn from PlayStation Network attacks: Sophos, Norton, Computerworld, 27 May 2011).
Verizon’s annual survey found that 96% of breaches were avoidable through simple or intermediate controls, so the controls that matter most are rarely the hard ones. The same survey found an astonishing ‘89% of organizations suffering payment card breaches had not been compliant with PCI DSS at the time of the breach’ (Verizon 2011 Data Breach Investigations Report).
The take‐away here is that having security systems, processes and policies in place isn’t enough, and neither is merely collecting event logs of your electronic transactions: you need to monitor the effectiveness of your security systems, examine your event logs on a regular basis, and validate your compliance with your industry’s regulations frequently. Put another way, you can’t stay fit by standing still.