Compliance officers: Make cybersecurity programs and compliance work

An important goal of the proposed Cybersecurity Enhancement Act of 2009 is to foster improved collaboration between federal agencies and the private sector. This is a critical working relationship, given that the private sector owns the vast majority of the country’s critical infrastructure.

But the proposed legislation also calls for developing a trained and certified cyberworkforce, promoting cybersecurity education and funding research for emerging security technologies. This bill clearly represents the dawning of a new era in cybersecurity programs and compliance.

While compliance officers are hardly facing extinction in this new era, they will have to rethink the role they play in managing their organizations’ cybersecurity programs. In doing so, they may discover they need to re-engineer a few core compliance initiatives in order to better support key cybersecurity programs.

One of those initiatives is technical auditing. Just about every cybersecurity program needs to be audited for its effectiveness in using technology to deter, detect and prevent cyberattacks. Compliance officers need to ensure that their audit processes incorporate skills, tools and technologies that can effectively assess an organization’s cybersecurity measures.

Another important initiative typically involves end-user training. Many compliance officers worry about backdoor attacks, but that is wasted worry if the front door is wide open. We may fear cyberattacks more, but data breaches or data destruction caused by insiders are just as harmful. Compliance officers should ensure that their security awareness programs continue to operate.

A third initiative has to do with continuous monitoring. This is where compliance officers need to take firm control. With new technical tools emerging for infrastructure monitoring from developers such as ArcSight Inc., Foglight and Guardium Inc., compliance officers need to understand the events and alerts these tools generate, along with their relationship to their internal controls.

Many of these technology vendors provide reporting capabilities that map these alerts to a control catalog such as NIST SP 800-53, enabling compliance officers to broaden their continuous monitoring horizons.

Lastly, an important initiative compliance officers need to think about involves system security plans (SSPs). In the public sector, SSPs are viewed more as compliance tools rather than cybersecurity tools because these documents can be tedious to manage and rarely reflect the reality of what security measures are implemented.

But it is unfortunate to think that an organization could launch a cybersecurity plan without appropriately documenting and reviewing it first. So why not make these SSPs real, usable and in sync with cybersecurity strategies and technologies?

There are many other areas of compliance that could be improved to better support an organization’s cybersecurity initiatives. The two need to live in harmony because at the end of the day, when the cybersecurity bill is passed, compliance officers will be responsible for complying with it.

Meenu Gupta, CISA, CISM, CISSP, CIPP is president of Mittal Technologies Inc. and specializes in IT solutions engineering and IT security architecture development. Gupta consults with the U.S. government and teaches at the University of Maryland University College.

This was first published in September 2010