Security Assurance: A Definitive Guide
According to Accenture’s “State of Cybersecurity Resilience 2021” report, security attacks increased 31% from 2020 to 2021. The number of attacks per company increased from 206 to 270 year over year and there is no expectation that this will slow down in 2022. Merely implementing IT security policies and procedures isn’t sufficient to fend off today’s cyberthreats. Unless a strategy to manage and test them appropriately is in place, you cannot be confident of your business’ security. You need a process to ensure your security measures are as robust as possible. The steps you take in this process translate into your security assurance strategy.
What is meant by security assurance?
One of the many definitions published by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce, states security assurance is “the measure of confidence that the security features, practices, procedures and architecture of an information system accurately mediates and enforces the security policy.” Basically, security assurance is an umbrella term for processes implemented to ensure individual system components can adequately protect themselves from attacks.
What is the purpose of security assurance?
Security assurance is used to determine whether a system meets its security requirements and is resilient against security vulnerabilities. The purpose of security assurance is not to guarantee that an IT system is risk-free but to provide confidence that the system is secured to the desired degree.
As NIST puts it, security assurance denotes that the four security goals — integrity, availability, confidentiality and accountability — are adequately met by a specific implementation (a security policy).
Why is security assurance important?
Security assurance helps businesses protect themselves against cyberattacks and demonstrate compliance with necessary regulations. Without security assurance, a business cannot be confident it will not suffer a security breach. Similarly, the organization would not be able to prove to a compliance auditor it had security controls in place to prevent a breach.
Unplanned downtime, loss of revenue, damage to reputation, hefty fines imposed due to non-compliance and expensive lawsuits are just some of the potential results of a failed compliance audit.
Decision-makers often assume security and compliance are one and the same. However, that couldn’t be further from the truth. Let’s take a look at the differences between the two.
Security assurance vs. compliance
Security refers to a set of technical systems, tools and processes implemented to protect the IT assets of a business. Compliance is an assessment of a business’ security measures at a given point in time, with respect to a specific set of regulatory requirements. Compliance requires a business to demonstrate, through documented evidence, that it meets at least the minimum security-related requirements.
Many organizations perpetuate the myth that suggests businesses only within regulated industries must worry about cybersecurity, believing data protection is a requirement only for regulatory compliance. On the contrary, any business that receives, stores or handles sensitive consumer or business data needs to protect that information. Hackers never stop looking for the weakest link in a network while employees pose other threats through negligence or bad intention. Every organization needs data protection.
Regularly perform audits (or technical reviews) of your own IT security and privacy programs, systems and software to ensure they are actually providing the protection you think they are. Even if you are doing all the right things, and doing them right, there’s no guaranteed protection against a data breach. That’s why it’s essential to maintain ongoing documentation of compliance efforts to protect yourself by showing “due care” and avoiding accusations of negligence.
To that end, security and compliance should be addressed as two integrated pieces of a business’ IT security and privacy assurance program.
Now, let’s take a look at the requirements of security assurance.
What are security assurance requirements?
Security is a three-legged stool that cannot stand with any single leg missing. The three legs that hold it up are:
- Written IT policies
- Written procedures
- Written evidence of compliance
All these “legs” must be present for a business’ IT security and compliance program to be valid and for it to work.
Written IT policies
Policies are official statements that organizations establish to direct desired behavior or actions. They provide the parameters for decision-making. Policies focus on communicating an organization’s values, culture and philosophy with respect to IT, instead of focusing on the implementation details. A good policy explains the rules and presents them in a logical framework.
Written procedures
Procedures are a specific set of processes that must be carried out to achieve compliance with the policy. They outline the step-by-step implementation of various tasks. From start to end, procedures show you what actions to take under specific circumstances. Procedures help you achieve the desired outcome.
Written evidence of compliance
Evidence of compliance proves that a business has followed procedures and observed the policies as directed. This evidence must be documented regularly in the form of compliance reports.
Consider this example: Your business has established a policy to protect your devices against malware. The procedure might list the brand of the antivirus software and firewall that will be used and state that these applications will be installed on all devices and updated monthly. You may also declare that you will regularly back up your data and note where those backups will be stored. These efforts will not matter if you don’t have documentation to prove your policies and procedures are implemented and followed. It’s not enough to simply say you are doing all the right things to secure your business. You need documented proof. This is where many businesses fail.
What does the security assurance process look like?
IT regulations, frameworks and best practices often dictate specific requirements that must be met to attain a desired level of security without specifying how those requirements need to be carried out. There is usually more than one way to accomplish a specific IT requirement. For example, there are many ways to define what a strong password is, and there are several choices of encryption method, antivirus and antimalware product, firewall and so on.
While all businesses with computers are at risk of a data breach — both from internal and external bad actors — some organizations have much more at stake than others. Similarly, some businesses may be more risk-averse. While evaluating all the IT requirements (external and internal policies), and after advising key stakeholders of the associated risks, it’s up to the IT professionals serving the business to specify exactly what measures or controls are going to be employed to respond to each requirement.
After establishing these controls, the first step is to produce an up-to-date policies and procedures manual that includes all the IT requirements and controls. Follow it by conducting a baseline technical assessment to confirm all IT controls are in place and working. You’ll want to compile confirming documentation for each working control and store it in an easily accessible place so it can be used as evidence of compliance.
A risk analysis should be performed to understand the impact of any controls discovered to be missing or not working. A risk management plan, or plan of action and milestones, should be built next to prioritize and schedule the remediation of all compliance gaps. Once the risk remediation has been completed, run a fresh technical assessment — ideally, using automation to validate the information — and potentially bring in other stakeholders to assist with the process.
Following this process regularly and consistently will dramatically reduce the risk of a data breach while significantly reducing the cost and impact of a breach (should it occur).
Regular, audit-ready reporting provides consistent proof of action. The moment you are faced with an audit or data breach is not the time to start putting things together. A business should be able to deliver compiled evidence immediately, which is achievable only through regular reporting.
What are the challenges with security assurance?
It probably sounds incredibly daunting, time-consuming, and costly to practice solid information security assurance. Many IT technicians are so busy with their day-to-day work that it’s hard enough for them to just keep up with their existing tasks.
Fortunately, this is a problem that purpose-built solutions address. Software tools available today enable you to select from several popular compliance standards and frameworks and allow you to combine them to identify any overlaps with respective IT requirements. You can even include personalized IT requirements stemming from your own cyber risk policy, business contracts or corporate policies.
All your requirements — and associated controls — are fully cross-referenced to provide a superset of requirements that are easier to manage. As you address each requirement, the system can tick the box for every standard you meet, allowing you to juggle multiple standards just by following a single IT process.
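The assessment cycle described above (controls, dated evidence, gap analysis, plan of action and milestones) and the cross-referencing of several standards into one superset of controls can be modelled in a few lines. The following is an added example, not code from the article or from any GRC product; the standards, control IDs, evidence dates and freshness windows are constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data: two hypothetical standards whose requirements map onto a
# shared set of IT controls, plus dated evidence-of-compliance records.
STANDARDS = {
    "Standard-A": {"A.1": "AV-01", "A.2": "BK-01", "A.3": "FW-01"},
    "Standard-B": {"B.4": "AV-01", "B.7": "BK-01"},
}
CONTROLS = {  # max_age_days: how recent the evidence must be for the control to count as met
    "AV-01": {"desc": "Antivirus installed and updated monthly", "max_age_days": 30},
    "BK-01": {"desc": "Backups taken and storage location recorded", "max_age_days": 7},
    "FW-01": {"desc": "Firewall enabled on every device", "max_age_days": 30},
}
EVIDENCE = [  # (control_id, evidence_date, artifact) - constructed compliance records
    ("AV-01", date(2024, 3, 20), "av-update-report-2024-03.pdf"),
    ("BK-01", date(2024, 2, 1), "backup-log-2024-02-01.txt"),
]

def control_superset(standards):
    """Cross-reference every standard's requirements into one de-duplicated control list."""
    return sorted({cid for reqs in standards.values() for cid in reqs.values()})

def control_status(control_id, controls, evidence, today):
    """'met' if fresh evidence exists, 'stale' if only expired evidence exists, else 'missing'."""
    dates = [d for cid, d, _ in evidence if cid == control_id]
    if not dates:
        return "missing"
    max_age = timedelta(days=controls[control_id]["max_age_days"])
    return "met" if today - max(dates) <= max_age else "stale"

def compliance_report(standards, controls, evidence, today):
    """Per-standard requirement status plus a prioritized plan of action for the gaps."""
    status = {cid: control_status(cid, controls, evidence, today) for cid in control_superset(standards)}
    # One piece of evidence ticks the box in every standard that relies on that control.
    per_standard = {name: {req: status[cid] for req, cid in reqs.items()} for name, reqs in standards.items()}
    # Gap priority: a missing or stale control that several standards rely on is remediated first.
    weight = Counter(cid for reqs in standards.values() for cid in reqs.values())
    gaps = [cid for cid, s in status.items() if s != "met"]
    poam = sorted(gaps, key=lambda cid: (-weight[cid], cid))
    return per_standard, poam

def sample_report():
    """Run the assessment against the constructed data as of a fixed assessment date."""
    return compliance_report(STANDARDS, CONTROLS, EVIDENCE, date(2024, 4, 1))

if __name__ == "__main__":
    report, poam = sample_report()
    for std, reqs in report.items():
        print(std, reqs)
    print("Plan of action (highest priority first):", poam)
```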
How does GRC software support security assurance?
Governance, risk and compliance (GRC) software is designed to help you manage the three most challenging aspects of maintaining data protection and information security assurance for the network environment(s) you manage:
- Governance: It pertains to the enforcement of your business’ policies. You must be able to document all your policies. If you are in IT, your responsibility may go beyond simply documenting all IT privacy and security policies. You may also be asked to provide a mechanism (usually a secure online portal) where your business can post all its human resources (HR) policies, and where your business’ employees can log in, review the policies and attest to their agreement with the given policies.
The best GRC platforms will have built-in, web-based portals your employees can log in to, view any number of uploaded policies, and then, record their agreement or attestation to each policy. The platform should also be able to generate a management dashboard to keep track of employee acceptance.
Governance can extend beyond your business to your vendors too. A great example of this is the HIPAA regulations that require business associates to meet the same IT privacy and security requirements as the covered entities with whom they work. Several other standards carry similar, trickle-down compliance requirements. In many cases, you must also document that qualifying vendors are compliant with a standard. The best GRC platforms include a vendor risk management portal to take care of the trickle-down factor.
- Risk: This is why we all do what we do, and the goal of any IT privacy and security program is to reduce the risk of data getting into the wrong hands. Managing and reducing risk is at the heart of any GRC software. To reduce risk, you must identify the risks inherent in the network(s) that you manage.
The best GRC platforms incorporate one or more mechanisms and methods for performing a risk assessment. You will ideally want to perform a baseline technical risk assessment to help gauge the initial gap between your IT requirements and what you actually have in place. Your GRC platform should also help perform a comprehensive technical risk assessment to confirm your baseline assessment.
- Compliance: Simply put, it’s the act of doing what you are required (or supposed) to do. In this context, compliance extends to not only doing it, but proving you did it with appropriate documentation. GRC platforms are designed to generate evidence of compliance. The best ones will automatically generate some of the evidence through data gathering software.
For documentation that cannot be automatically generated, you should be able to easily upload any type of files — including logs, reports and attestations — as you verify the given control or requirement is being met. Regardless of how the evidence is gathered, your GRC platform should be able to generate key reports at any time during the compliance management process, making it easy for you to update your systems and generate reports that reflect those changes.
Achieve security assurance with Compliance Manager GRC
Compliance Manager GRC empowers MSPs to help clients reduce IT risk by achieving and maintaining compliance with government or industry standards, with custom IT requirements included in any business contract or insurance policy, or with their own IT security policies and procedures. It automates data gathering, issue management and all the documentation required to prove due care to any internal or external auditor.
This is all made possible through a simplified and streamlined workflow that makes it easy for IT professionals to manage compliance with all their other IT requirements at the same time, through a web-based portal that’s accessible from anywhere, at any time, from any computer.
Compliance Manager GRC has a growing library of built-in government and industry-standard management templates. It allows you to easily clone them and/or build a template for any standard with which your client wishes to comply.
It is the first and only purpose-built, role-based compliance management platform for MSPs that features:
- Automated data collection
- A huge database of common IT controls and requirements
- A built-in end-user portal
- A dynamic report generator that automatically prepares brandable risk assessments
- Policies and procedures manuals
- Plans of action and milestones
- A variety of useful supporting documentation
Compliance Manager GRC reduces risk by simplifying the complexity of compliance with any desired IT security and privacy requirements. Most importantly, it’s priced to be affordable.
Schedule a demo now to see how your MSP can provide improved IT security and robust compliance to all your clients profitably and with minimal effort.