It’s no secret that the financial and banking industries are potentially the number one target for cyber attacks. Forbes estimates that a financial services organization is 300 times more likely to be attacked than other businesses. In addition, they claim that while the typical American business is attacked 4 million times per year, the typical American financial services firm is attacked a staggering 1 billion times per year.
Today’s banking and financial service regulations are complex. You may have teams currently focused on achieving compliance with regulations aimed at baselining policies to reduce risk, such as the Payment Card Industry Data Security Standard (PCI DSS), Personally Identifiable Information (PII) requirements or the SEC Cybersecurity Guidance, among others. There is a gap between your security tools and the outcomes those regulations expect. Guidance and frameworks are moving into a realm where these regulations carry fines or determine outcomes in a court of law, often with significant financial implications.
Protecting Data is Most Important
The process to achieve compliance and security often feels cumbersome. To simplify, always remember that the main objective is to protect your organization’s data. When data is protected, the results support substantial revenue and customer growth, including better financial stability, customer and investor confidence, and better data integrity.
Seven Steps to Drive Compliance and Financial Growth
Step 1: The first thing to do is identify the objective: what you are looking to accomplish in your environment. This step is as easy as getting out a piece of paper and writing it down. For example: “I want to know any time a user comes into my environment” or “I want to know if my firewall is working.”
Step 2: The next step is to draw up a key phrase map. First look at the objective statement you created in Step 1 and identify the key phrases associated with it. Then use those key phrases to identify what you need to do to secure your environment. Going back to our example, “I want to know when people are in my system,” the key phrases could be something along the lines of firewall, endpoint, east/west traffic, user privileges, etc.
Step 3: The next thing you need to do is understand the technology needed to support the data in your environment. A simple way to do that is a Google search for the specific regulation to find resources on its key phrases and technology. A great first step is FIPS 199.
Step 4: Understand what you want to see at the end: what would reporting look like, or what can you see? This happens even before identifying the security controls. Again, simply write down on a piece of paper what the reporting or visualization that shows you it is actually working looks like.
Step 5: Time to start building the controls, often categorized in the governance or risk buckets. By understanding the objective set out in Step 1, you can identify what you are trying to accomplish and make enhancements as you proceed. This will make it evident how to build those controls or enhance an existing structure.
This is a great time to leverage BAP’s free OCS (Objectives of Cybersecurity) tool. This free utility draws up the objectives and controls you need and then does the mapping for you.
Step 6: Validate the control implementation language. If, for example, you need to see whether encryption is working, take the control and write out what needs to be done to ensure encryption is working; it might be buying self-encrypting drives. This step is often easiest when you hire a consultant to review the objectives, validate them and give you the key phrases.
By validating your steps, you will find a reduction in implementation cost. You will always want to validate before spinning up controls and to identify the impacts around them. This allows a customized environment for your organization, dependent on the regulations required. It also helps identify whether additional standards or security objectives are needed. In addition, associating key phrases with actionable controls prevents the work from stopping at the good-idea phase.
Step 7: The next logical step is to continually monitor implementation. This helps you understand the impact of a compromise. If a firewall is breached, it rarely means only the firewall is affected; it may mean all security that relies on it, such as an Active Directory server, is at risk. By taking events as they occur and mapping them to controls, an event such as a firewall breach that shows up in logs can be recognized, and whoever or whatever software is monitoring should automatically be able to tell you which controls are now at risk.
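As an added illustration of the Step 7 idea (not code from BAP or its OCS tool), the script below maps constructed log lines to the control each event directly affects and then follows a hypothetical dependency graph so that a firewall breach also flags the Active Directory controls that assumed a working perimeter. The control identifiers, event patterns, dependency edges and log lines are all invented for this example.

```python
"""Map monitored events to the controls they put at risk.

Added example, not BAP's OCS tool or any real product. Control identifiers,
event patterns and the dependency graph are hypothetical, built only to
illustrate Step 7; the log lines are constructed for this example.
"""
import re

# Hypothetical controls, keyed by a made-up identifier.
CONTROLS = {
    "CTL-FW-01": "Perimeter firewall enforces the approved rule set",
    "CTL-AD-01": "Active Directory authentication can be trusted",
    "CTL-AD-02": "Privileged group membership is restricted",
    "CTL-EP-01": "Endpoints see only the east/west traffic policy permits",
    "CTL-ENC-01": "Data at rest is encrypted",
}

# Step 7's point: a breach rarely stops at one control. Each entry lists the
# controls a given control relies on (child -> parents), so that a compromised
# firewall also puts the AD and endpoint controls at risk.
DEPENDS_ON = {
    "CTL-AD-01": {"CTL-FW-01"},
    "CTL-AD-02": {"CTL-AD-01"},
    "CTL-EP-01": {"CTL-FW-01"},
}

# Key phrases (Step 2) turned into patterns, each tied to the control an
# event of that kind directly affects.
EVENT_PATTERNS = [
    (re.compile(r"firewall.*(rule change|policy modified|unauthorized)", re.I), "CTL-FW-01"),
    (re.compile(r"added to group (Domain Admins|Enterprise Admins)", re.I), "CTL-AD-02"),
    (re.compile(r"bitlocker.*(suspended|disabled)", re.I), "CTL-ENC-01"),
]


def directly_affected(line):
    """Return the control a single log line directly concerns, or None."""
    for pattern, control in EVENT_PATTERNS:
        if pattern.search(line):
            return control
    return None


def downstream(control):
    """All controls that depend, directly or transitively, on `control`."""
    result, frontier = set(), [control]
    while frontier:
        current = frontier.pop()
        for child, parents in DEPENDS_ON.items():
            if current in parents and child not in result:
                result.add(child)
                frontier.append(child)
    return result


def controls_at_risk(lines):
    """Map log lines to the controls now at risk.

    Returns {control_id: reason}: the log line for a directly hit control,
    or the control it inherits the risk from.
    """
    at_risk = {}
    for line in lines:
        hit = directly_affected(line)
        if hit is None:
            continue
        at_risk[hit] = line.strip()
        for dep in downstream(hit):
            at_risk.setdefault(dep, f"depends on {hit}")
    return at_risk


# Constructed sample events; only the first and third match a pattern.
SAMPLE_LOGS = [
    "2024-01-01T09:12:03Z fw01 firewall: unauthorized rule change from 10.0.0.5",
    "2024-01-01T09:15:40Z dc01 kerberos: TGT issued for svc-backup",
    "2024-01-01T09:20:11Z ws42 BitLocker: protection suspended on volume C:",
]

if __name__ == "__main__":
    for control, reason in sorted(controls_at_risk(SAMPLE_LOGS).items()):
        print(f"{control}: {CONTROLS[control]}  <-  {reason}")
```

Running it over the sample lines reports all five controls: the firewall control from its own log line, the two AD controls and the endpoint control because they depend on the firewall, and the encryption control from the BitLocker event. The dependency walk is the part that turns a log event into the answer Step 7 asks for: which controls, not just which device, are now at risk.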
By following these seven steps you will be able to generate positive security outcomes, achieving compliance with regulations while protecting your critical data and keeping cybercriminals at bay.
Contact us to check out BAP OCS.