Cybersecurity is arguably the biggest challenge facing most companies today. We are undergoing a change in IT Security where it seems like every company is subjected to endless cyber-attacks. With the increase in Advanced Persistent Threats to traditionally consumer-oriented organizations, the adoption of cyber regulations within private companies is more prevalent than ever. Although compliance does not in itself guarantee security, it’s a good starting point, especially when combined with best practices and guidelines that regulate the industry.
Seeking to avoid having government regulations imposed on them to force IT security, a number of companies are moving towards adopting and complying with a general IT security regulation like the Federal Information Security Management Act of 2002 (FISMA). Their hope is that self-regulation will prevent government mandates.
According to David Lawson, Director, Risk Management and Compliance at Acumen Solutions, "More and more companies are getting requests for FISMA control assessments." FISMA, a regulation built for federal agencies, holds executives at those agencies responsible for the security of their data and accountable for implementing security controls that meet minimum security requirements.
A discussion of the virtues of FISMA couldn’t be more timely. It’s clear that businesses need to do more to fight cyber attacks and to better protect their operations and customers, preventing huge losses in the process. A recent survey by the Ponemon Institute showed that the average cost of cyber crime for U.S. retail, for example, more than doubled from 2013 to an annual average of $8.6 million in 2014.
The Top Three Things to Learn from FISMA
By following general FISMA guidelines, organizations can help bolster the security of their enterprise within the following areas:
Policies and Procedures:
FISMA can help organizations establish policies and procedures designed to reduce information security risks in a cost-effective manner. This often includes building routines for assessing cybersecurity, which bolsters an organization’s information security health throughout the year. Proper regulatory planning also includes periodic risk assessments that evaluate the potential damage and disruption caused by unauthorized access, along with procedures for detecting, reporting and responding to security incidents.
Training and Awareness:
Security awareness training for employees is a crucial element of proper enterprise security planning. The topics covered should include the security risks associated with day-to-day activities, and should start with the basics, such as the definition of security roles and responsibilities and users’ responsibility for complying with policies and procedures.
Testing and Evaluation:
FISMA does a good job of singling out the need for an organization to perform effective analysis of its information security policies, procedures, practices and controls. The frequency of these tests depends on the risk level of the organization, but they are most commonly conducted annually.
Another best practice is to use technology for process automation and threat monitoring. Automation and centralized reporting and tracking tools can increase the efficiency and quality of an organization's cybersecurity platform, not to mention its compliance efforts. Automation eliminates several manual reporting steps and reduces redundancy.
Regulations are rapidly becoming an important part of cyber planning for organizations not traditionally subject to compliance requirements, but which are very interested in becoming more secure. When used and understood properly, cyber regulations can help an organization new to cybersecurity build the foundation of a sound IT security platform that avoids headaches now and in the future.