Mastering IT Risk Assessment

The foundation of your organization's defense against data theft is a mastery of IT risk assessment. It is an essential part of any information security program and is required, or expected by auditors, under attestation and regulatory frameworks such as SSAE 16, SOC 2, PCI DSS, ISO 27001, HIPAA and FISMA.

Compliance with those frameworks means that your organization not only has to complete an IT risk assessment but must also treat the risks it identifies by selecting and implementing security controls, and keep evidence that it did so.

In the event of a breach, an effective IT risk management plan (one that details exactly what your IT department will do and how) together with the critical security controls it calls for can save your organization millions of dollars in direct response costs, legal fees, regulatory fines, and the cost of rebuilding a damaged corporate reputation.

Evaluating the potential compliance, operational and reputational risks to your organization and then ranking them by impact and likelihood is not easy. Even more challenging is developing and then implementing the IT risk management plan. If your IT department is undergoing an IT risk assessment now or strengthening its cybersecurity strategy, look to qualified industry professionals and proven technologies to help you master the process and stay compliant.

Here are six tips to keep in mind:

1. Get professional help. Hire an independent third-party auditor and/or attorney. Your IT hosting provider may even provide compliance and auditing services. These consultants can provide a comprehensive risk analysis, audit assistance and privacy and security guidance, including identifying potential risks, exposures and liabilities.

2. Use private cloud technology to protect sensitive data. Moving all or part of your infrastructure to a professionally managed, compliant private cloud offers benefits that drive business value. Your organization's data and apps are hosted by experts in an environment that is independently audited for the specific regulatory compliance that you need, which is a big help in passing your own audit. Keep in mind, though, that the provider's audit report covers the provider's controls; the configuration of your own applications, user accounts and data remains your responsibility and stays in scope for your audit. Your IT department is freed up to focus on strategic projects without bearing the burden of solving compliant hosting complexities, hassling with maintenance and support, managing staff allocations, and providing expensive training.

3. Invest in annual IT risk assessments. Be sure to work with an unbiased, fully independent auditing team, which typically includes certified engineers and compliance experts. Comprehensive risk assessments pinpoint the many risks faced by your organization and address network security vulnerabilities. They are designed to give you the education, expertise, support and protection that you need to plan your security strategy, pass your audits and maintain a continuously compliant IT environment.

4. Schedule frequent penetration testing and vulnerability scans. These uncover critical IT vulnerabilities and show how well you are protecting your network and data. The two are not interchangeable: vulnerability scans are automated and cheap enough to run monthly or after every significant change, while a penetration test is a manual, adversarial exercise that shows whether the weaknesses a scan reports can actually be chained into a compromise. Ask your auditors, compliance experts or compliant hosting provider to perform monthly or quarterly tests, help you establish critical controls (such as encryption of data at rest and in transit, and hardened authentication), and develop a clear understanding of how to avoid IT compliance disasters. Get a full report on external, internal and web application testing as well as strategies for remediation.

5. Ensure application security. A good auditor or compliance team can help secure the design, development and deployment of your web-facing applications by thoroughly assessing vulnerabilities and addressing design flaws or security gaps that affect compliance. Managing and remediating risks now saves time and money later.

6. Educate employees about security. Frequent security awareness training sessions and daily reminders throughout the workplace will help reduce violations. Your auditor or compliance team should customize a workplace awareness program for your business. Ensure that the training is situational and fully engaging.

Data Protection in the Cloud: Planning for Data Loss and Downtime

As we brace for another season of tornadoes, hurricanes, forest fires, earthquakes and floods, all businesses should be asking, “Is our data protected should disaster strike?” Or more simply, “What happens if we lose our data?”

Sadly, despite the fact that significant portions of the country are at risk for severe weather and other natural disasters, not all businesses are thinking pragmatically about catastrophic data loss and downtime, which can lead to staggering financial losses and impact productivity, reputation, regulatory compliance, and ultimately the bottom line.

According to a global data protection study released in December, enterprises are losing as much as $1.7 trillion annually through data loss and unplanned downtime. Data loss is up 400% since 2012, and two-thirds of the 3,300 organizations surveyed had experienced data loss in the last 12 months. Researchers found that although a high percentage of organizations had disaster recovery plans in place, surprisingly few had implemented data protection practices and fewer than half employed remote, cloud-based data protection. Seventy-one percent of organizations were not fully confident in their ability to recover after a disruption.

If your business is unprepared for a disaster, act now to improve your resilience and mitigate risk. Plan for natural catastrophes and man-made disasters alike (such as theft, hardware failure, human error, system failure, malware such as ransomware, power failure and accidental deletion).

Disaster preparedness begins with a business continuity plan. This serves as your playbook for staying in business following a disaster, and it enables you to restore operations and communications systematically while helping minimize risk. Ask your IT department to incorporate the steps needed to safeguard your IT infrastructure from disaster, including backup and recovery measures. In today's highly regulated environment, a secure backup and recovery solution that meets the stringent requirements defined by Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, FISMA, PCI DSS, ISO 27001 and other regulatory standards is expected.

During this process, develop a clear understanding of where the cloud fits in and how it can help save time, money and resources.

Businesses are increasingly backing up their data and apps to a secure, off-site cloud environment (not in the physical office), because cloud backup is typically faster to set up and cheaper than maintaining a second site, and recovery requires no travel and no spare hardware. Should disaster occur, a cloud solution allows continuously backed-up systems to be restored as virtual machines. Two caveats apply. Restore time is bounded by the bandwidth between the cloud and the site being recovered, so measure it with a real restore rather than assuming it. And the backup repository must be reachable only with credentials and permissions separate from those of production, so that an attacker or ransomware that compromises production cannot also delete or encrypt the backups. With those in place, highly regulated businesses protecting sensitive data are finding that virtualization makes it simpler to comply with stringent security and compliance regulations governing electronic storage of and access to data.

Here are seven steps to help businesses plan for data loss and downtime:

  1. Identify the risks. List and categorize all natural and man-made threats and their impact on the various systems they could affect. Ask: what would it take to knock out our entire network, and how much unplanned downtime can our business sustain?
  2. Inventory IT assets. Which are most critical to maintaining business continuity? What is our tolerance for loss of each of those assets? The cost of the response should be balanced against your tolerance for downtime of that asset.
  3. Define goals. In a worst-case scenario, how long can our business be shut down? Does it need to recover off-site? Define goals per asset in terms of RPO (Recovery Point Objective, "How much data can we afford to lose?", i.e. the maximum acceptable age of the last usable backup) and RTO (Recovery Time Objective, "How long can we be down?", i.e. the maximum acceptable time from failure to restored service).
  4. Develop a plan. Include the IT asset inventory, data protection procedures and contingency plans, notification/activation schedules, a list of roles and responsibilities, a list of resource requirements, and details about training provisions. Good plans include maintenance and backup/recovery testing schedules.
  5. Understand the cloud's benefits. Because a virtual machine is a set of files, it can be replicated off-site and started on different hardware, which makes backup and disaster recovery faster, cheaper and easier than rebuilding physical servers. The combination of the cloud and the right backup and disaster recovery solution allows for continuous data protection (changes are captured as they happen rather than by a nightly job) as well as consistent compliance and security.
  6. Implement the plan. Executives who clearly understand the consequences of system disruptions will support and fund the contingency policies.
  7. Test the plan. Regular testing and plan updating help ensure business survival. Test by actually restoring systems and data from the backups and timing the result against the RTO and RPO; a backup job that reported success is not evidence that the data can be restored.
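The following is an added example, not code from the original article: a small Python check that ties steps 2, 3 and 7 together. It takes an asset inventory with per-asset RPO/RTO targets and the backup history a backup system might export, and reports where the goals are not met. The asset names, timestamps and targets are constructed for illustration. Two of its checks are the ones most often skipped in practice: the RPO is tested against the worst gap in the backup history rather than only the newest backup, and an asset whose restore has never been timed is reported as having an unverified RTO.

```python
"""Check a backup inventory against per-asset RPO/RTO targets (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Asset:
    """One entry from the IT asset inventory (step 2) with its goals (step 3)."""
    name: str
    rpo: timedelta                       # Recovery Point Objective: tolerable data loss
    rto: timedelta                       # Recovery Time Objective: tolerable downtime
    backups: List[datetime]              # completion times of successful backups (UTC)
    offsite_copy: bool                   # at least one copy held outside the primary site
    last_restore_test: Optional[timedelta] = None  # measured full-restore time; None = never tested


def current_exposure(asset: Asset, now: datetime) -> Optional[timedelta]:
    """Data that would be lost if the asset failed right now: age of the newest backup.
    Returns None when there is no backup at all (everything is exposed)."""
    if not asset.backups:
        return None
    return now - max(asset.backups)


def worst_gap(asset: Asset) -> Optional[timedelta]:
    """Largest interval between consecutive backups in the history.

    A recent backup alone proves little; the RPO is only met if every gap in
    the schedule stayed within it. Returns None with fewer than two backups."""
    if len(asset.backups) < 2:
        return None
    times = sorted(asset.backups)
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def fmt(td: timedelta) -> str:
    """Render a timedelta as hours and minutes, e.g. '72h00m'."""
    mins = int(td.total_seconds() // 60)
    return f"{mins // 60}h{mins % 60:02d}m"


def evaluate(asset: Asset, now: datetime) -> List[str]:
    """Return findings for one asset; an empty list means its goals are met."""
    findings = []
    exposure = current_exposure(asset, now)
    if exposure is None:
        findings.append("no successful backup on record")
    elif exposure > asset.rpo:
        findings.append(f"RPO exceeded now: newest backup is {fmt(exposure)} old, target {fmt(asset.rpo)}")
    gap = worst_gap(asset)
    if gap is not None and gap > asset.rpo:
        findings.append(f"RPO exceeded historically: {fmt(gap)} gap between backups, target {fmt(asset.rpo)}")
    if asset.last_restore_test is None:
        findings.append("RTO unverified: no timed restore test on record")
    elif asset.last_restore_test > asset.rto:
        findings.append(f"RTO exceeded: last test restore took {fmt(asset.last_restore_test)}, target {fmt(asset.rto)}")
    if not asset.offsite_copy:
        findings.append("no off-site copy: a site-level disaster would destroy the backups with the primary")
    return findings


def report(assets: List[Asset], now: datetime) -> Dict[str, List[str]]:
    """Map each asset name to its findings; assets that meet their goals are omitted."""
    return {a.name: f for a in assets if (f := evaluate(a, now))}


# Constructed sample inventory (not real data). NOW is fixed so results are reproducible.
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

SAMPLE_ASSETS = [
    # Nightly backups, every gap exactly 24h, tested restore 3h: meets a 24h RPO and 4h RTO.
    Asset("order-db", rpo=24 * H, rto=4 * H,
          backups=[NOW - 2 * H - d * 24 * H for d in range(7)],
          offsite_copy=True, last_restore_test=3 * H),
    # Newest backup is fresh, but a 72h weekend gap broke the 24h RPO; restore never tested.
    Asset("file-share", rpo=24 * H, rto=8 * H,
          backups=[NOW - 1 * H, NOW - 25 * H, NOW - 97 * H, NOW - 121 * H],
          offsite_copy=True, last_restore_test=None),
    # Backups exist but only on the primary site, and the test restore overran the RTO.
    Asset("intranet-wiki", rpo=48 * H, rto=2 * H,
          backups=[NOW - 30 * H, NOW - 54 * H],
          offsite_copy=False, last_restore_test=5 * H),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_ASSETS, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample inventory, only `file-share` and `intranet-wiki` appear in the report; `order-db` meets all of its goals. In practice the inventory would be fed from the backup system's job history and the restore-test durations from step 7, and the check would run on a schedule so that a missed backup window or an untested restore surfaces before a disaster does.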