
5 ways to unite security and compliance


As data compliance laws proliferate across the globe, security professionals have become too focused on checking boxes against their requirements when they should be focused on reducing risk. Can the two work together harmoniously?

The answer depends on how effectively IT security leaders can work with their auditors and speak to their boards, say experts. These are their top five recommendations:

1. Focus on data protection

It’s well-known that compliance is about protecting regulated data, while cybersecurity is focused on keeping bad guys out. From a data protection perspective, the key security measure is therefore to avoid processing or storing regulated data that isn’t needed. If regulated data must be stored, make sure you’re using stronger-than-recommended encryption, says James Morrison, national cybersecurity specialist for Intelisys, the infrastructure support division of payment systems company ScanSource.

“In my career, I’ve seen small healthcare providers sending patient data in cleartext. So, to create compliant policies, ask how regulated data is handled from cradle to grave,” explains Morrison, formerly a computer scientist with the FBI. “You should be mindful of where your data exists, where it’s stored, how it’s stored, and for how long. That’s the right way to start the conversation around compliance and security.”

2. Make security auditors your friends

As important as learning the perspective of auditors is helping them understand the basics of cybersecurity. As CISO at a previous company, Morrison held weekly meetings with his auditor to maintain a “two-way” conversation inclusive of compliance and security. By the time the company conducted its ISO 27001 infosec management update, the audit team was able to articulate clearly what they needed from the security team. Then Morrison himself gathered the information the auditors requested. “Auditors are more appreciative if you take a team approach like this. And so are the CEOs and boards of directors,” he adds.

However, teaching cybersecurity basics to auditors is difficult, adds Ian Poynter, a virtual CISO based on the U.S. east coast. This is especially problematic among auditors who come from the big consulting firms, whom he likens to “people with clipboards who ask questions but don’t understand the security and risk context.” Poynter describes case after case in which his clients passed their “clipboard” audits while fundamentally failing at security.

Copyright © 2022 IDG Communications, Inc.
