27 Dec
Control and Accountability: The New Watchwords for Regulatory Compliance
Welcome to the Allari blog! As owners of Allari, Ravi & I look forward to using this medium to share current information about IT Operations, Cybersecurity, Software products & IT Management with our readers to help remove some of the complexity. We’ll report, analyze, and provide perspective & recommendations from some of the industry’s leading minds as well as from our direct experiences. We will strive to provide blogs that impart important information. These are the types of blogs that our team members prefer to read, and that’s exactly what we plan to provide.
John Mathieu, Founder
* Allari provides IT Operations & Cybersecurity services to organizations using IBM, Microsoft, Oracle & SAP products. We provide a true IT as a Service delivery model with offices in the US, Ecuador, Brazil & India, and customers located in 56 countries.
The regulatory environment is evolving rapidly as national and international regulatory bodies attempt to keep pace with changing business models, technology infrastructure and continuously escalating cyberthreats.
The past 18 months have seen a slew of new legislation and guidance come into effect across the globe as regulators aim to protect individuals, organizations and economies from the effects of disruption, data loss and theft.
There’s no doubt that new ways of doing business, managing financial and corporate systems and recording individuals’ personal information require new governance principles, but the volume and complexity of regulations is creating significant challenges for the businesses that must comply.
The issue is further complicated by the fact that new regulations have been designed with today’s interconnected digital ecosystems in mind; businesses are not just responsible for their own security and risk management, but that of their partners and suppliers as well.
And the clock is ticking. As the first penalties for infringements of the General Data Protection Regulation (GDPR) are proposed by the Information Commissioner’s Office (ICO) - at levels showing the regulator’s willingness to exercise its full powers - businesses can have no illusions that compliance risk management has to be top of the board agenda.
Common Drivers and Themes for Regulation – Accountability and Control
The latest raft of regulations and guidelines is, understandably, driven by some of the mass breaches and disruptions that have taken place over recent years.
Incidents such as the SingHealth breach in the Asia Pacific region, which saw hackers steal the personal data of 1.5 million patients, and the Landmark White case in Australia, where the third-party property valuation service used by several major banks was compromised, have directly resulted in regulators issuing recommendations to try to prevent a recurrence.
At the same time the financial sector, in particular, has identified the risks introduced when financial market institutions outsource critical infrastructure to third parties, such as cloud service providers. The European Banking Authority (EBA) outsourcing guidelines apply from September 30th 2019 and will require that financial institutions achieve robust assurance that third parties are compliant with security objectives. Their aim is to allow financial institutions to benefit from the advantages of outsourcing, while maintaining control of risk.
This brings us to the two common themes of the vast majority of regulations that have recently been enacted which, taken together, allow companies around the world, and in whatever industry, to get a workable perspective on the landscape.
First, businesses are instructed to establish senior level accountability for the strategic management of security and cyber risk.
This means Boards must show they are conversant and comfortable with the issues impacting cyber risk in the organisation.
They need to establish reporting lines that give them the information to make informed decisions about their corporate risk strategy. Ignorance of the relevant issues is a compliance failure in itself. This shift in perspective around cyber risk in particular was underlined by one of seven priority recommendations that resulted from the SingHealth breach, that “cybersecurity must be seen as a risk management issue and not a technical issue.”
Second, organizations need to demonstrate that they have effective and appropriate risk management frameworks in place to monitor and control not only their own security and compliance performance, but that of their suppliers and third party partners.
This presents a particular compliance challenge due to the dynamic nature of security threats and this reinforces a principle that regulators have been trying to drive home for years: compliance cannot be a point-in-time, tick-box exercise.
If Boards are going to be accountable for the security and compliance performance of their company, they need to know that the company’s posture hasn’t altered in the weeks since the last board meeting. A supplier that is assessed only at the point of engagement could become a security risk if something in its own extended ecosystem changes.
A more sophisticated approach is needed so organizations can achieve the watchwords of senior accountability and risk management control that new regulations require. This means better communication between organizations and their suppliers and a partnership approach to risk management.
Further, automated tools and technology that continuously monitor the security postures of suppliers in real time are needed to close the gap created by point-in-time-only evaluations.
Meeting the compliance requirements of new regulations is a complex – and costly – activity that requires organizations to change the way they think about security reporting, accountability, and the ongoing management of cyber security risk at the highest levels.
BitSight examines the current global regulatory landscape and how organizations can develop a risk management approach that is fit for the future in its latest white paper: Understanding cyber security and compliance risk in a complex regulatory world. Download it here.
Source: Jake Olcott
All delivered as IT-as-a-Service (ITaaS) via the Go.Allari Platform for daily support and projects related to ERP, Database, Helpdesk, Security, and Vulnerability Management. Its platform coverage is extensive, covering all major platforms including JD Edwards EnterpriseOne, Oracle Database, MS SQL, Microsoft BI, Qualys IT Security and many more.
Allari supports its customers from locations around the globe 24/7. To learn more visit: https://www.go.allari.com/