Needling Worldwide

Don’t find fault; find a remedy

Does your organization have an effective continuous monitoring program?

Regulatory compliance monitoring is a key component of any cybersecurity program: it is how you confirm that the program's requirements are actually being met, not just written down. Continuous monitoring is usually driven by industry-specific regulations and general data protection laws, together with an examination of the data being protected and of how it is being protected.

With the new presidential cybersecurity executive order*, federal agencies are directly affected, and much of the private sector will be affected through federal contracts and the software supply chain requirements the order introduces. Some of its mandates include, but aren't limited to:

  • Adoption of a zero-trust architecture as the security framework for federal government agencies (private-sector organizations that sell to or support those agencies will be expected to align with it)

  • Multi-factor authentication for access to agency systems and data, so that an employee's identity is verified with more than a password before any sensitive information is reached

  • Encryption of data at rest and in transit; organizations that cannot demonstrate this will carry non-compliance findings in their audits and, depending on the regulations that apply to them, may face financial penalties**

  • Incident reporting and threat-information sharing obligations between IT service providers (vendors) and the government entities they serve, removing contractual barriers that previously kept breaches from being disclosed

Many organizations lack the expertise to know even where to begin in meeting the mandates for a zero-trust environment. Although the requirement is sound in theory, such organizations may need to, and should, engage an independent security audit firm so that a proper gap analysis can be performed. The purpose of that analysis is to assess the organization's overall risk level against the controls it is now expected to have.

For the private sector and for some government agencies, a proper risk assessment and gap analysis will greatly reduce the organization's compliance risk and improve the compliance management process. It does this by:

  • Reducing long-term cost (gaps found early are cheaper to close than findings discovered during an audit or after an incident)

  • Providing a real gap analysis that shows where the organization accurately stands today

  • Preparing the organization for future assessments

  • Improving organizational knowledge of its own systems, data and controls

  • Avoiding application downtime and data loss

Companies that are ill-equipped and, frankly, lack the proper expertise would do well to hire an independent auditor. The auditing firm can help by creating a compliance monitoring plan, so that the organization stays in compliance continuously and remediates any gaps detected in its controls as they are found, rather than once a year.

Additionally, an independent auditing firm can use its expertise to help an organization document the changes needed and the results of ongoing evaluations, so that the continuous monitoring plan stays usable and future audits confirm a proper security posture. Several government agencies are already revamping their processes to meet the requirements of this executive order, and many companies that do business with them will soon be required to meet its stipulations. Such companies will have to confront the question: are you prepared? And if not, what actions will you take to ensure the necessary compliance?

*Executive Order on Improving the Nation’s Cybersecurity (Executive Order 14028), dated May 12, 2021, published on the White House website: https://www.whitehouse.gov

**The executive order itself sets no fine schedule; it directs federal agencies and applies to private companies through their federal contracts. Penalties come from the regulations an organization is already subject to, and it is expected that fines for non-compliance under those regimes can range from $5,000 to $25,000 per month. Publicly traded companies must also comply with SOX (Sarbanes-Oxley), which covers both the financial and the IT controls behind financial reporting. With the executive order in force, it will be essential for organizations to perform a cybersecurity audit that evaluates the current security governance structure, identifies compliance issues and risky business activities, and establishes what is currently being spent on security and whether that spending is directed at the right controls.
