CHAPTER 6: CYBER COMPLIANCE

Compliance – noun

“the act or process of complying to a desire, demand, proposal, or regimen […]”

Merriam-Webster Dictionary

Overview and introduction

In the context of cyber, we are seeking to comply with our organisation’s policies, procedures and processes, as well as with legislation. Compliance should not be an annual tick-box exercise, but an opportunity to ensure that controls continue to operate effectively and that the risks of financial penalties and loss of reputation are minimised. It provides assurance that the organisation is taking cyber threats seriously and has controls in place that are designed, implemented and operating effectively. Cyber GRC is not a one-off project to be completed and then forgotten about. It needs to be embedded in the organisation’s usual operations – and a good compliance framework can provide this assurance and identify areas for continuing improvement, even where there have been changes to requirements, controls or the systems they cover. A good compliance framework should have the processes, people and tools that enable a consistent approach over time, even as other things change.

Compliance also provides assurance to the board, insurers and regulators that proper governance is in place and that cyber controls are working effectively. Having decided what needs to be complied with, a methodology is required to ensure that evidence of compliance can be obtained and provided as required. Since the same people are often responsible or accountable for compliance regardless of the requirement, an approach is needed that reduces duplication and ensures there are no compliance gaps. There is nothing more frustrating, or more distracting from the normal day job, than a series of reviewers/testers asking the same questions. Compliance therefore needs to be a co-ordinated approach to:

1. Identify any major changes;

2. Ensure that controls are still implemented;

3. Ensure that controls are operating as designed and effectively; and

4. Provide evidence.

In this chapter, we will consider the compliance requirements for cyber and provide a framework for achieving cyber compliance.

Cyber compliance requirements

There is no single requirement for cyber compliance. However, there are several existing regulations that do have relevance as shown in Table 3.

Table 3: Cyber Compliance Requirements

| Do you …                                                          | Applicability (Yes/No) | Requirement                                           |
|-------------------------------------------------------------------|------------------------|-------------------------------------------------------|
| Have an IT security policy?                                       |                        | Comply with own policy                                |
| Have ISO 27001 certification (or wish to align with the Standard)? |                        | ISO 27001                                             |
| Hold and process EU residents’ personal data?                     |                        | GDPR                                                  |
| Provide public essential services/infrastructure?                 |                        | Network and Information Systems (NIS) Regulations     |
| Process card information?                                         |                        | PCI DSS                                               |
| Have a listing on the US Stock Exchange?                          |                        | SOX                                                   |
| Obtain IT-related services from third parties?                    |                        | Third-party compliance – vendor                       |
| Provide IT-related services to other organisations?               |                        | Third-party compliance – supplier                     |
| Have a cyber insurance policy?                                    |                        | Cyber insurance policy clauses                        |
| Have a cyber certification (e.g. Cyber Essentials)?               |                        | Compliance with the scheme’s requirements             |

These are intended for guidance only, as each organisation needs to assess its own cyber compliance requirements. Also be aware that this is a very dynamic area, so both the requirements and the locations in which they apply change over time. Even where there is no obligation to comply, the principles of these requirements may be applied to give organisations greater assurance that they have sound cyber security defences. Next is a brief summary of each requirement, its applicability and key features.

IT (or information) security policy

All organisations should have an IT security policy to identify their requirements to users, vendors and other interested stakeholders, and to set the agreed parameters for cyber security. Often these will be aligned with international standards such as ISO 27001. Such alignment can assist when comparing policies for different organisations (e.g. following the acquisition of a company, reviewing the alignment of the policies for the two entities); referencing ISO 27001 clause numbers can greatly assist with this process. The policy should be reviewed, updated and communicated on a regular basis. It may also be supported by other standards, such as an acceptable use of IT policy.

The policy should clearly identify those requirements that are mandatory (‘must’) and those that are preferred (‘should’). It may indicate where special attention needs to be applied, e.g. for systems processing ‘Most Confidential’ (i.e. restricted access – for example, relating to potential mergers and acquisitions), or personal data.

Policy content may vary but generally will include cyber security requirements for:

Compliance requirements;

System development and change;

Access and authorisation;

Network security;

Third parties;

Anti-malware;

IT and security operations;

Business continuity; and

Wireless security.

It is also useful to map each of the policy statements under the preceding headings to the other compliance requirements identified in the introduction. This eases the compliance process and helps confirm the policy’s completeness and breadth of coverage.

Some policies also include suggested controls. Compliance checking should be against the actual policy statement; any controls described in the policy should be treated as illustrative only, not as specific compliance requirements. If the requirement is fully met, and the approach taken is clearly defined, this should be sufficient.

ISO 27001

ISO (International Organization for Standardization) provides globally recognised and adopted standards. These are written, reviewed and approved under tight controls. The ISO/IEC 27000 group of standards focuses on the security of information assets. The main standard in this group for cyber security is ISO 27001, which provides “requirements for establishing, implementing, maintaining and continually improving an information security management system [ISMS].”8

An ISMS is a system of people, processes and IT systems, with a risk assessment at its core, and is applicable regardless of organisation size. Each organisation should apply the Standard based on its needs and objectives, security requirements, the organisational processes used, and its size and structure. The Standard is built around the confidentiality, integrity and availability (CIA) principles introduced earlier in this book. Adopting the Standard provides assurance that a risk management process has been applied and that IT security risks (including cyber) are managed effectively. It can also be used as a basis for reviewing compliance with the organisation’s own requirements (e.g. as stated in the IT security policy).

There are several services available to implement ISO 27001 or to provide an independent audit of compliance.

General Data Protection Regulation (GDPR)

The protection of personal data and how it is used has been regulated since 1982. The latest legislation is the GDPR, which includes several rights for EU residents (data subjects) to ensure that their data is used safely and as intended. These rights could be considered responsibilities for organisations processing personal data and hence areas where they need to ensure that they comply with GDPR. Data subjects must:

Be informed if their personal data is being used; and

Be able to:

    – Obtain copies of their data;

    – Enquire as to the use or storage of their personal data;

    – Have data errors corrected;

    – Challenge data accuracy;

    – Request deletion of data;

    – Limit the way an organisation uses their personal data;

    – Get their personal data from an organisation in a way that is accessible; and

    – Object to the use of their data under some circumstances.

Data subjects also have rights relating to decisions made based on automated processing.

These rights are far reaching, and personal data breaches can lead to substantial fines for the organisation. For cyber compliance, organisations need to:

Map and locate personal data they hold;

Ensure data is held securely (even if it is in the Cloud or with third parties);

Conduct a data protection impact assessment (DPIA) for any planned major changes or developments;

Have processes in place to respond effectively to data subject requests and enquiries;

Ensure they comply with the above principles; and

Have processes in place to notify the ICO (within 72 hours) if a breach occurs.

Network and Information Systems (NIS) requirements

The EU’s Directive on security of network and information systems (NIS Directive), adopted in 2016, and enacted in UK law as The Network and Information Systems Regulations (NIS Regulations) in May 2018,9 seeks to ensure that security, including cyber security, for infrastructure of national importance and criticality is resilient to any attacks. There are three parts:

1. National capabilities – EU member states must have national cyber security capabilities (in the UK, the National Centre for Cyber Security (NCSC)).

2. Cross-border collaboration – encourages cross-border collaboration and information sharing to reduce the risk of attack and improve responsiveness.

3. National supervision of critical sectors – covers areas such as energy, transport, water, health and the finance sector.

There are no specific compliance requirements, but the sharing of information can provide a useful source of checks to be included in compliance. Within the UK, the NCSC has set specific objectives and principles with mandatory security outcomes for those organisations providing critical services:

a) Managing security risk – governance, risk management, asset management and supply chain.

b) Protecting against cyber attack – policies and processes, identity and access control, data security, system security, resilience of networks and systems, staff awareness and training.

c) Detecting cyber security events – security monitoring, anomaly detection.

d) Minimising the impact of cyber security incidents – response and recovery planning, lessons learned.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for the secure processing of card details, and applies to any organisation that accepts, processes, transmits or stores card details. Compliance levels are determined by the individual payment brands or acquiring banks. Compliance is based on specified controls and on a three-step process:

1. Assessing – knowing what cardholder data is held, listing payment card processing IT assets and business processes, and assessing for vulnerabilities. Assessments are performed by Qualified Security Assessors – individuals who work for companies qualified by the PCI Security Standards Council to perform these assessments.

2. Remediating – fixing these vulnerabilities and ensuring cardholder data is only stored if absolutely necessary.

3. Reporting – submitting required reports to the appropriate acquiring bank/card brand.

Sarbanes-Oxley Act

The US Sarbanes-Oxley Act was introduced in 2002 in response to a loss of faith in financial reporting for US registered companies (e.g. Enron).10 For cyber compliance there are two elements:

1. Cyber security reporting of risk management and incidents throughout the year.

2. General IT controls that include cyber elements – e.g. access controls, incident management.

Controls are designed, implemented and operated by the organisation wherever the risk would impact the accuracy of financial reporting. Organisations listed in the US must ensure compliance, and the controls are subject to annual audit by external auditors. Failure to comply or to be audited can result in civil and criminal actions, including against directors.

Third-party compliance

The responsibility for operating cyber controls can be partly delegated to a service provider, but still needs to be controlled. Accountability, including the need for legal compliance, cannot be delegated. A customer organisation therefore still needs to ensure compliance. The compliance requirements should be detailed in the initial contract – otherwise additional costs or risks may be incurred. Compliance should include:

1. Ensuring key performance and management indicators for security services and processes are received and reviewed on a regular basis;

2. Updating the provider on any changes impacting the service;

3. Notifying the customer promptly of any changes to controls at the provider, or any known breaches or incidents; and

4. Ensuring independent auditors’ reports are received and reviewed for relevance, and that the right to audit is exercised if required.

Where the organisation is a service provider, the converse of the above will apply.

Cyber insurance policy clauses

Organisations should review their level of cover and their need for cyber insurance. These policies can reduce the impact and cost of an attack, including third-party claims, and allow for the use of technical and other support. However, like all insurance policies, they may include exclusion clauses. It is therefore important for organisations to ensure compliance with the policy’s requirements in order not to lose cover. In addition to the normal information required for any type of policy, organisations may be required to provide details of data types and volumes; employment of IT, information and cyber security specialists; existing security arrangements; and the history of any cyber incidents.

The policies can be highly tailored, and exclusions and conditions can vary significantly between providers. To ensure compliance, the insured organisation needs to:

1. Ensure that the information provided on the application is up to date and still accurate;

2. Ensure correct claim processes, including timing of notification and by whom, are adhered to; and

3. Obtain prior consent from the insurer before incurring costs as a result of the incident, and ensure that the professionals selected meet the criteria of the insurer.

Summary

To be cyber compliant, organisations need effective and up-to-date IT security policies and related procedures. These should be implemented and communicated so that compliance can be monitored and reviewed to identify areas of potential weakness and attack. In addition, there may be specific compliance requirements, based on the sector of operations and range of activities.

8 www.iso.org/isoiec-27001-information-security.html.

9 www.itgovernancepublishing.co.uk/product/network-and-information-systems-nis-regulations-a-pocket-guide-for-operators-of-essential-services.

10 https://corporatefinanceinstitute.com/resources/knowledge/other/enron-scandal/.
