Published on September 10th, 2019

How to engage continuous oversight in the cloud


New and emerging technologies such as AI, edge computing and IoT devices are all linked in some way to cloud computing services. The rise of cloud computing has created new challenges for information assurance professionals. The growing reliance on third-party outsourced services, often reached through cloud connections, and the expanding use of employee-owned computing devices (BYOD) create potentially significant new risks for organizations. These come on top of the longstanding information security threats and vulnerabilities that have existed for many years, some for many decades.

The breach landscape is not any prettier. To date, according to the Breach Level Index, records lost or stolen since 2013 are almost at 15 billion – the equivalent of 71 lost or stolen records per second.

Even once the initial goal of establishing information security and privacy controls and processes is met, and all applicable legal requirements for security and privacy compliance are satisfied, information assurance professionals cannot simply stop and pat themselves on the back. There is a crucial next step that is often overlooked — the continuing need to maintain those levels on an ongoing basis.

Invisibility: the risk and compliance struggle

Organizations must identify all invisible risks stemming from poorly managed applications, weak network security, unpatched web components, and much more. Additionally, the invisible processes that define policies and procedures, implementation steps, performance measurement and change management must be brought to light. Finally, organizations must recognize the existence of an invisible budget that keeps the governance, risk management and compliance heart ticking.

Continuous oversight is a must

Continuous oversight activities provide visibility into real-time metrics and the current status of security and privacy levels at any point in time, which is what makes effective ongoing management possible. These oversight activities, applicable to organizations of all types and sizes, include continuous in-house assurance, continuous external cloud assurance, continuous improvement and continuous supply chain management.

Where to start?

How can those tasked with enterprise information security, privacy program management and associated risk management responsibilities be most effective at staying on top of new threats? And how can they identify new vulnerabilities while ensuring that all legal requirements for data protection and privacy are addressed?

To start, companies must define, identify and categorize systems, applications and data according to confidentiality, integrity and availability (CIA). Next, they must research and identify the legal requirements for compliance; this is critical to ensure that continuous compliance encompasses all laws, regulations, contracts and required privacy and security notices – to name a few. Finally, and most importantly, organizations must identify risks and plan to address them on an ongoing basis. This is done by performing risk assessments, assigning findings and mitigation responsibilities to owners, and implementing continuous improvement.
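As an added illustration (not code from the article), a small Python model of these steps: each system takes the highest of its confidentiality, integrity and availability ratings as its overall category, that category sets an assumed re-assessment cadence, and the report lists systems whose assessment has lapsed or that still carry open findings. The cadences, system names, ratings and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

LEVELS = {"low": 1, "moderate": 2, "high": 3}
# Assumed review cadence in days per impact level (constructed; not from the article).
REVIEW_DAYS = {"low": 365, "moderate": 180, "high": 90}
TODAY = date(2019, 9, 10)  # fixed reference date so results are reproducible

@dataclass
class System:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    last_assessed: Optional[date] = None
    open_findings: List[str] = field(default_factory=list)

def categorize(system: System) -> str:
    """Overall impact is the highest of the three CIA ratings (high-water mark)."""
    ratings = (system.confidentiality, system.integrity, system.availability)
    if any(r not in LEVELS for r in ratings):
        raise ValueError(f"unknown CIA rating on {system.name}")
    return max(ratings, key=LEVELS.__getitem__)

def assessment_due(system: System, today: date = TODAY) -> bool:
    """True if never assessed, or the cadence for its impact level has lapsed."""
    if system.last_assessed is None:
        return True
    cadence = timedelta(days=REVIEW_DAYS[categorize(system)])
    return today - system.last_assessed > cadence

def oversight_report(systems: List[System], today: date = TODAY) -> Dict[str, Tuple[str, List[str]]]:
    """Map each system needing attention to (impact level, reasons)."""
    report = {}
    for s in systems:
        reasons = []
        if assessment_due(s, today):
            reasons.append("assessment due")
        if s.open_findings:
            reasons.append(f"{len(s.open_findings)} open finding(s)")
        if reasons:
            report[s.name] = (categorize(s), reasons)
    return report

SAMPLE = [  # constructed sample inventory; names, ratings and dates are made up
    System("hr-payroll", "high", "moderate", "moderate", date(2019, 5, 1), ["F-1"]),
    System("public-site", "low", "moderate", "high", date(2019, 8, 20)),
    System("dev-wiki", "low", "low", "low"),
]
```

Calling `oversight_report(SAMPLE)` flags hr-payroll (assessment lapsed, one open finding) and dev-wiki (never assessed), while public-site is within its cadence and has no findings.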

How to implement?

A common oversight in many organizations is failing to formally assign responsibilities for continuous oversight of information security, privacy and compliance requirements and risks. Key responsibilities need to be identified and documented to be effective. For continuous oversight, management and improvement, these responsibilities fall under four primary activities:

  • Identify the person or role that will ultimately be accountable for developing and implementing an organization-wide strategy for continuously monitoring control effectiveness.
  • Identify the key stakeholders involved in continuous oversight, monitoring, assurance, supply chain management and improvement.
  • Define the organization’s continuous assurance and oversight strategy.
  • Have those key stakeholders identify and support the people responsible for the activities necessary for continuous oversight, monitoring, assurance, supply chain management and improvement.

Supply chain risks

A large portion of security incidents and privacy breaches are caused by contracted vendors and business partners. How frequently the full list of vendors, suppliers, contractors and other third parties is reviewed is critical to mitigating cloud risks. Organizations must begin asking themselves which third parties are critical to the business environment and, of those, which have access to any kind of personal or sensitive data.

Bridging the gaps in the cloud

Due diligence is needed to get an effective hold on the many threat vectors posed by the cloud. Information assurance professionals can more effectively mitigate the risks created by new and emerging technologies and practices through continuous monitoring activities. Security controls must be embedded in all daily procedures, because the required security posture does not change whether the infrastructure is on-premise, off-premise or in the cloud.

All organizations throughout the world, of all sizes, currently face significant new types of information security, privacy and compliance challenges. Many of these challenges come through the use of cloud services and involve new and emerging technologies and practices, including supply chain services and products, whose associated risks must also be mitigated.

Information assurance professionals can more effectively mitigate these risks through continuous monitoring activities. Put on your security professional hat and obtain visible support from executive leadership, implement continuous monitoring and oversight capabilities, ensure that compliance with all legal requirements is the norm and, most of all, keep an eye on all your vendors and your supply chain. Stay ahead of hackers and ahead of auditors as your core business model morphs into the unavoidable cloud.
