Summary

The Department of Justice (DOJ) recently released a guidance document called The Evaluation of Corporate Compliance Programs intended to provide some key industry clarifications for CIOs. Ideally, and combined with your own organizational ideas, your CIO is likely to take away a great deal of sound and practical direction from the following 10 security essentials to more smoothly perform his or her daily vital tasks.

Advances in technology and accompanying cybercrimes move at a lightning pace these days, making it a constant high-speed footrace for your Chief Information Officer (CIO) to keep up. The never-ending threat of data breaches and other data disasters does nothing to ease a CIO’s day or peace of mind.

If you are concerned that your CIO is feeling the pressure of keeping up with security, compliance, and general industry and organizational expectations, it may help to put together a list of security essentials for them.

The Department of Justice (DOJ) recently released a guidance document called The Evaluation of Corporate Compliance Programs intended to provide some key industry clarifications for CIOs. Ideally, and combined with your own organizational ideas, your CIO is likely to take away a great deal of sound and practical direction from the following 10 security essentials to more smoothly perform his or her daily vital tasks.

10 Security Essentials for your CIO

  1. Compliance Programs Must Have the Appropriate Resources
  2. The Success of Compliance Programs Relies on Building and Fostering a Risk-Aware Culture
  3. Establish and Build Relationships for Success at All Levels of the Organization
  4. Defend the Workplace at All Possible Infiltration Points
  5. Develop and Implement a Security-by-Design Approach
  6. Security Compliance Must Align with Other Functions
  7. CIOs Must Adopt a Risk-Based Approach to Security
  8. Solid Compliance Requires Metrics That Matter
  9. Third-Parties Must Conform to the Organization’s Policies and Procedures
  10. Report, Manage and Respond to Incidents Per Established Protocols

1. Compliance Programs Must Have the Appropriate Resources

The word “resource” appears in the 18-page DOJ document 21 times, meaning that they believe that providing enough resources for your compliance program is extremely important. The prime resources, of course, include adequate staffing and budget. The compliance function requires proper resources to be able to perform audits then document and analyze results before putting a plan into action.

Since the DOJ places such emphasis on resourcing that they demand explanation for any denial of resources, it is important for CIOs remember the importance of explaining the body’s position on resources to your company’s C-Suite and board of directors. They need to know that all resourcing issues will be intensely scrutinized if there were any investigation or prosecution of a data breach or other event.

2. The Success of Compliance Programs Relies on Building and Fostering a Risk-Aware Culture

Everyone in the organization has the power to become a point of infection. Everything staff does, whether it is opening an attachment in a sketchy email or failing to install a security patch, has the potential to cause a negative security event. With these risks in mind, it is crucial that your security enterprise actively includes everyone.

Define risks and goals, educating all users by spreading the word via written, aural and visual means to the point that it becomes culturally ingrained. You want a culture where attention to security concerns is second nature and where careless behaviors toward security are not acceptable. Work to find incentives to create this culture while adopting and implementing tools to track progress.

3. Establish and Build Relationships for Success at All Levels of the Organization

Not only is it a DOJ requirement that CIOs maintain a direct line of communication with the board of directors and audit committee, but it is simply a good idea. Your CIO needs to build and maintain a good rapport with everyone from C-Suite to staff members in no way directly involved with IT or decision-making processes. Positive professional relationships simply make it easier to perform the role effectively in multiple directions.

4. Defend the Workplace at All Possible Infiltration Points

Cybercriminals never stop searching for weaknesses in any given computing system. They will not overlook any connected device, whether a smartphone, laptop or smart refrigerator. Every device in your environment becomes a potential opportunity for malicious attacks. Make sure that centralized management and policy enforcement rule the use of any connected devices. By taking the reins over these devices, your CIO manages chaos while still allowing for reasonable device usage.

5. Develop and Implement a Security-by-Design Approach

Before adding and implementing services for your information systems, it is important to first explore all security considerations. Build security from inception, allowing for regular automated and human-driven tests to track conformance and compliance. This approach builds a better security program and ultimately saves money since the cost of building a security application into a program generally costs far less than trying find a good security fit after build is complete.

6. Security Compliance Must Align with Other Functions

The DOJ makes it clear that compliance must proactively work with other functions, such as procurement, internal audit and third-party vendor management. Also, compliance officers must participate in any merger or acquisition process, including the due diligence phase and the integration process of the new company.

7. CIOs Must Adopt a Risk-Based Approach to Security

Many businesses worry about adopting and implementing a risk-based approach to security because they are concerned that they will miss something and face consequences of accountability. The DOJ reassures CIOs that this is not the case and that a risk-based approach is expected, even if the risk-based program fails to prevent any type of infraction or infiltration in a low-risk area. The DOJ’s guidance report goes on to state that this type of approach helps CIOs avoid devoting a disproportionate amount of time on low-risk areas over high-risk areas.

8. Solid Compliance Requires Metrics That Matter

It is importance that CIOs adopt and implement metrics that are easily monitored, evaluated and acted on to ensure that the security program is running effectively. These metrics must apply to the following:

  • Policies and procedures
  • Investigations
  • Third-party relationships
  • Risk management and risk assessments
  • Training

Here are just a few possible metrics that your CIO might explore:

Operational Metrics.

Measuring the average time it takes to render a screen or a page can help your CIO quickly see if there is a problem with a website, making it a location best to avoid .

IT Performance Metrics.

Measuring internal metrics against your own organization’s standards, as well as against environments with similar populations, industries and demographics provides helpful insights on improving performance.

9. Third-Parties Must Conform to the Organization’s Policies and Procedures

Any company with whom your own organization does business, to the extent that they have access to your data in any capacity, must understand your policies and procedures. Service organizations in particular must align their computing system’s internal controls to your own, and you must perform regularly scheduled SOC audits to ensure compliance.

For all other employees third-parties, it is important to simply make your policies and procedures easy-to-find, whether on the company’s website or via contract terms.

10. Report, Manage and Respond to Incidents Per Established Protocols

While it is vital that everyone on staff stays aware of potential risks and behaves accordingly, letting you know if they suspect that something is amiss, it is simply not enough in the current year to stave off potential hackers and other threats.

It is crucial that your CIO develops a company-wide effort to implement intelligent and cognitive analytics, along with automated response capabilities. Such a system can detect and respond to an infiltration attempt far more quickly than humans can, even at our most alert.

Does Your CIO Need More Support in Dealing with Today’s Security Threats on Multiple Fronts?

If your CIO needs more support in adjusting to the new DOJ Guide or with simply improving daily operations, our team at I.S. Partners, LLC. is here to help. We can help your CIO streamline processes and develop ways to get your team on board quickly and completely with strategies aimed at improving network and data security.

Call us at 215-675-1400. We invite you to experience “Audits without Anxiety!”™ by filling out our online form to request a quote to learn more about the role of the crucial role of your CIO.

Author Picture

Request a Quote

Get hassle-free pricing in 3 easy steps:

  • Step 1: Send us a message
  • Step 2: Allow us to create a customized plan
  • Step 3: We’ll get you an accurate, no-obligation quote
[form_name]

Start Here

Request a Quote

Please fill out the fields below and one of our specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235

Request a Quote (Keep)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.

Sending
I.S. Partners

Your choice regarding cookies on this site

This website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.