A recent article by Boston Consulting Group outlined how organisations should assess cybersecurity risks in order to target spending on the risks most likely to have a significant financial impact. It noted that cybersecurity attacks and cybersecurity spending are on the rise, with the latter being driven by real and perceived risk, as well as high-profile cases. Concurrently, the 2019 Verizon Data Breach Investigations Report found that internal IT security threats pose a greater risk (including likelihood of occurrence) than external threats; however, the short BCG piece does not distinguish between internal and external threats or offer advice on how to measure their differential impact. A comprehensive IT Security Review gives organisations the opportunity to assess both and to meet the accountability principle of data protection compliance.
The CIA Triad + Accountability: Objectives of an IT Security Review
Traditionally, IT Security has focused on what is known as the “CIA Triad” – ensuring the Confidentiality, Integrity, Availability and overall resilience of an organisation’s information systems. In addition, when data protection compliance is considered, the overarching principle of accountability is an important attribute to be able to demonstrate for your information systems – accountability for the appropriate controls that are in place for the risks that have been identified and accountability for the actions performed on the organisation’s information systems.
Components of an IT Security Review
There are a number of components that form an IT Security Review. These will involve engaging relevant subject matter experts within your organisation to contribute to the assessment of each of the security objectives.
Know your Data
Establishing a data inventory and applying a classification scheme to that data is the first step in assessing the risks that the organisation carries for the personal data that it processes. Without a concrete understanding of the information assets and the underlying data that they hold, it is not possible to put in place appropriate controls relative to the risk that is posed to those assets.
Understand Threat Sources
Threats to an organisation’s data can come from numerous sources, both external and internal – from hackers who are motivated by the technical challenge to cyber criminals seeking monetary gains. Often, an organisation may be the target of a specific threat source due to the type of function that it performs, to the extent that it may even be a target of terrorist or state actors. Threats may also come from within an organisation – either intentionally or unintentionally.
Assess Governance Mechanisms
A consideration of existing governance structures is a component of an IT Security Review that considers whether appropriate management policies and processes are in place to govern an organisation’s approach to the security of its network and information systems.
Review Your Supply Chain
A review would also consider whether an organisation uses third-party suppliers of IT systems and determine whether there is sufficient assurance that the technical and organisational measures implemented by their providers are appropriate to ensure the confidentiality, integrity, availability and accountability of the information systems that they supply to the organisation.
Identify Vulnerabilities
Identifying weaknesses or gaps that can be exploited by the identified threats is a key part of an IT Security Review. Understanding the threats and vulnerabilities that an organisation’s information systems are exposed to enables a consideration of the risk associated with those systems and the data that they process. Undertaking vulnerability scanning and penetration testing may also form a component of identifying any existing vulnerabilities of the information systems.
Understand the Risk
With threats and vulnerabilities identified, it is possible to assess the risks to the various attributes of confidentiality, integrity, availability and accountability that are present, assess their likelihood and potential impact, and, depending on an organisation’s approach to risk, determine appropriate risk mitigations.
Determine Appropriate Controls
An IT Security Review would include an assessment of any controls that are currently in place, such as anonymisation and encryption, firewalls, identity and access controls and other technical measures utilised by an organisation, including their fitness for purpose. The findings of an IT Security Review will often lead to the identification of additional risk mitigation controls.
Output: IT Security Assurance + Support for Data protection compliance
Once the information is recorded, the organisation will have a robust record of the measures that support the CIA Triad. The IT Security Review Report can also work in combination with existing policies and procedures (e.g., the Business Continuity Plan) to support compliance with data protection requirements. Specifically, the IT Security Review Report records the technical and organisational measures used by the organisation to protect personal data. As such, it enables organisations to demonstrate compliance and, thus, meet the requirements of the accountability principle. In the event of a breach or an audit, this documentation will form part of a compliance pack to present to investigators to exhibit an organisation’s commitment to regulatory compliance.
Data protection compliance requires the legal, compliance and IT departments to work together to secure digital assets and ensure sufficient measures are in place. The IT Security Review is an opportunity for these organisational entities to work together to consolidate their activities, guide their team members and meet their complementary requirements. As a result of this activity, the organisation will be better protected from internal and external cyber threats and their financial and/or regulatory impacts in the event of a breach.