New and emerging technologies, such as AI, edge computing and IoT devices are all linked in some ways to cloud computing services. The rise of cloud computing has created new challenges for information assurance professionals. With third-party outsourced services, often through cloud connections, being increasingly leveraged and the expanding use of employee-owned computing devices (BYOD), this also creates potentially significant, new risks to organizations. These are all in addition to the longstanding information security threats and vulnerabilities that have existed for many years, and some for many decades.
The breach landscape is not any prettier. To date, according to breach level index, records lost or stolen since 2013 are almost at 15 billion – the equivalent of 71 lost or stolen records per second.
Even once the initial goal of establishing information security, privacy controls and processes are met, along with meeting all applicable legal requirements for security and privacy compliance, information assurance professionals cannot simply stop and pat themselves on their backs. There is a crucial next step that is often overlooked — the continuing need to maintain those levels on an ongoing basis.
Invisibility: the risk and compliance struggle
Organizations must identify all invisible risks stemming from poorly managed applications, weak network security, unpatched web components, and much more. Additionally, the invisible processes that define policies and procedures, implementations steps, enable performance measurements and management of change must be brought to light. Finally, organizations must recognize the existence of an invisible budget that keeps the governance, risk management and compliance heart ticking.
Continuous oversight is a must
Continuous oversight activities provide visibility into the real-time metrics and the current status of security and privacy levels, at any point in time, to facilitate the most effective maintenance of ongoing management. These oversight activities, applicable to all types and sizes of organizations, include: continuous in-house assurance, continuous external cloud assurance, continuous improvement and continuous supply chain management.
Where to start?
How can those tasked with enterprise information security, privacy program management and associated risk management responsibilities be most effective at staying on top of new threats? In addition, how can these agents identify new vulnerabilities, ensuring all legal requirements for data protection and privacy are addressed?
To start, companies must define, identify and categorize systems, applications, and data according to confidentiality, availability and integrity (CIA). Next, they must research and identify legal requirements for compliance; this is critical to ensure that continuous compliance encompasses all laws, regulations, contracts and required privacy and security notices - to name a few. Finally and most importantly, organizations must identify and plan for addressing risks on an ongoing basis. This can be done by performing risk assessments, assigning findings, mitigating responsibilities and implementing continuous improvement.
How to implement?
A common oversight in many organizations is failing to formally assign responsibilities for continuous oversight of information security, privacy and compliance requirements and risks. Key responsibilities need to be identified and documented to be effective. For continuous oversight, management and improvement, these responsibilities fall under four primary activities:
- Who is the person, or what is the role, that will ultimately be accountable for developing and implementing an organization-wide strategy for continuously monitoring control effectiveness?
- Who are the key stakeholders involved with continuous oversight, monitoring, assurance, supply chain management and improvement?
- Define the organization’s continuous assurance and oversight strategy.
- Key stakeholders are needed to identify and support those with responsibilities for the activities necessary for continuous oversight, monitoring, assurance, supply chain management and improvement.
Supply chain risks
A large portion of security incidents and privacy breaches are caused by contracted vendors and business partners. The frequency by which the full list of vendors, suppliers, contractors, and other third parties are reviewed is imperative in mitigating cloud risks. Organizations must begin asking themselves which third parties are critical to the business environment, and of those, which have access to any kind of personal or sensitive data.
Bridging the gaps in the cloud
Due diligence is needed to have an effective hold on the many threat vectors posed from the cloud. Information assurance professionals can more effectively mitigate the risks created by new and emerging technologies and practices through the use of continuous monitoring activities. Security controls must be embedded in all our daily procedures as security postures for on-premise, off-premise or cloud infrastructure do not change.
All organizations throughout the world, of all sizes, currently face significant new types of information security, privacy and compliance challenges. Many of these challenges come through the use of cloud services and involve new and emerging technologies and practices, whether in supply chain services or products where those associated risks must also be mitigated.
Information assurance professionals can more effectively mitigate the risks through the use of continuous monitoring activities. Put on your security professional hat and obtain visible support of executive leadership, implement the continuous monitoring and oversight capabilities, ensure that compliance with all legal requirements is the norm and, most of all, keep an eye on all your vendor and supply chain. Stay ahead of hackers and ahead of auditors as your core businesses model morphs into the unavoidable cloud.