In today’s world, a CISO or compliance officer has to comply with an increasing number of regulations and standards. The number of ransomware attacks and data breaches has also been rising considerably over the last few years. This makes it even more crucial to build your defences well and plan controls that strengthen the organization's cyber posture.
The key to building cyber resilience is good, strong governance. A very effective model that we have been practicing within our organization for the last 4-5 years is the “3C Governance Model”: achieve Continuous Improvement through Continuous Monitoring and Continuous Auditing.
Here is a brief on how to apply the model:
A. Set up the compliance program – This involves the complete design and implementation of the compliance program, including the business and strategic objectives to be met, the controls that need to be set up, the policies and processes that need to be developed, the skill sets required, and so on. The key point to keep in mind is that any control that is or will be implemented should be based on the results of the risk assessment.
A thorough cost-benefit analysis should be done before a new control is implemented, and any control that does not address or mitigate a risk should not be implemented.
B. Plan for Continuous Monitoring – Once the compliance program has been set up, controls need to be monitored continuously for their effectiveness. There are many ways to do this; some of them are function reviews, KPI/metrics reviews, compliance self-assessments (manual through Excel or automated through a GRC tool), review of logged incidents, review of weaknesses in the system, and monitoring of the organization's compliance posture. In this manner, a control is monitored continuously, and any defects found can be addressed in a timely manner rather than waiting for them to be identified as non-compliances during external audits.
C. Develop an Audit Program – Just implementing the controls and monitoring them is not enough; these controls also need to be tested for their design and the effectiveness of their implementation. The best way to achieve this is through a continuous auditing program.
This practice ensures that the controls are tested throughout the year and that there are no surprises at the time of external audits. It also helps to address weaknesses within the system on time.
D. Continuous Improvement – The results of risk assessment, continuous monitoring and continuous auditing help organizations understand their areas for improvement. This enables the CISO, compliance officer or other designated individual to plan the action points that bring about the necessary improvements within the operating environment.
Doing so helps organizations improve their overall governance program continuously, and information security is no longer just a tick in the box; rather, it becomes part of the organization's DNA.
In a nutshell, the focus should be on building a strong governance program, designing and implementing controls that result from risk assessment, continuously monitoring the organization's compliance posture, and identifying threats and vulnerabilities and improving on them before they are exploited by any external party. The idea is to build up and strengthen defenses to remain cyber resilient.