Compliance requirements are often the first dip by an organization into the security/privacy ocean. These requirements often provide detailed control requirements to help an organization be more secure. The following template will help you determine, document, and communicate your organization's compliance risks.
This is the first in a series of articles covering risk areas (e.g., compliance, breach, availability). Although there are many great resources that can help you complete a risk analysis (such as ISO 31000 and NIST), there are few resources offering examples of how to put together your risk report. The template below provides a starting point with verbiage for you to edit for your organization's requirements.
- Determine scope - What data, and which data owners, are handled by your organization. Please note that even if you do not retain the data, you are still subject to the regulations. See the two sections labelled "Solution Scope" and "Regulatory Scope".
- Review each sub-risk to uncover your vulnerabilities. Consider the threat actors (both organization resources and business partners). See the Sub-risks section for Risk A - Risk D.
- Determine the risk ranking. See Risk Ranking Section.
- Complete the template.
Finally, remember to complete risk assessments throughout the year when there is a significant change planned for the technical, physical or administrative environment.
TEMPLATE WITH SAMPLE VERBIAGE
Here is some verbiage you may edit for your risk report.
Exposure to legal penalties, financial forfeiture, and material loss should the organization fail to act in accordance with applicable laws, regulations, and contract agreements.
Unable to take advantage of attractive revenue opportunities until compliance with applicable security requirements can be demonstrated.
- Highlight the most egregious risks found during your analysis
- Provide statistics and illustrations of challenges your organization faced throughout the year. For example, compared to last year there was a 24% increase in inquiries. The type of evidence for compliance was broad and deep.
- Add case studies from other organizations in your space that had compliance issues that caused significant impact. For example: Company Z was fined $2M and must achieve compliance in 90 days.
- Regulators consider robust risk assessments the cornerstone of compliance. For example, the Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) has levied multi-million dollar fines on organizations that perform risk assessments infrequently or poorly; even organizations where only a small amount of protected data was breached have received significant fines.
- Likelihood - Low, Medium, High. Select one.
- Compliance risks typically vary in likelihood: some, such as inconsistent use of controls, are more likely, while others, such as having no policies at all, are less likely. Provide examples of events at different likelihood levels.
- Impact - Low, Medium, High. Select one.
The impact varies because there are a variety of probable events. For example, a deficiency uncovered may be easily corrected (low impact event) or the deficiencies uncovered may be significant and need to be corrected before the organization is allowed to continue with a service (high impact event).
- The organization's employees and contractors
- Business partners who support, access or handle data from in-scope systems
The following list defines the different ways your organization may not satisfy its compliance obligations. You can then document specific examples from your analysis to highlight your organization's risk areas. The risk report does not need to be a comprehensive laundry list; the risk log should capture each individual risk. The intention is to be representative and relatable to executives, leaders and colleagues.
Risk A: Incomplete policies and standards
Check if policies and standards:
- Are organized such that it is easy for business and technical owners to understand the security requirements.
- Include an inventory of compliance requirements. Business contracts are often overlooked and may detail specific security and privacy requirements.
- Indicate the third-party requirements covered (e.g., NIST, GDPR, ISO, HIPAA, NY CYBER, CCPA, etc.)
- Set specific and measurable guidelines such that evidence that the control has been achieved may be collected and reviewed.
- Reviewed at least annually or when new guidance is provided by regulators or new risks are uncovered.
Risk B: Controls not fully deployed or maintained
- Inventory of assets that are in scope for controls. Assets include data, technology, processes, roles, facilities and organizations.
- Documents how controls are deployed and that in-scope assets from the inventory are covered.
- Maintains a cross-reference to policies, standards and procedures.
- Annual reviews are completed, or more frequent reviews if new risks are uncovered.
- Regular upgrades are made if a tool is used to satisfy the control.
Risk C: Limited written procedures
Check if procedures:
- Indicate which controls the procedure supports, and describe what is in scope and out of scope, roles and responsibilities, and activities (who performs them, when and how), with a workflow diagram.
- Are produced and maintained by the team(s) responsible for carrying out the procedure. Multiple procedures may be required for a control. For example, patching practices may differ by technology.
- Provide sufficient detail to allow a new employee to carry out the procedure.
- Are reviewed at least annually or when there is a change in the environment.
Risk D: Inconsistency in operations with limited evidence of control adherence
- Controls are used consistently. For example, patching is carried out at regular intervals as defined in the patching standard.
- Maintain consistent records. For example:
  - Training / testing completed by each individual
  - System and application changes tested, approved, and deployed
  - Access requests / approvals
The nature of a Risk Assessment Report is to focus on deficiencies. It is also helpful to include a "Bright Spots" section to provide recognition of progress. The Bright Spots section lists areas where the organization is mitigating its security risks. Note whether some of the capabilities listed require further rollouts, tweaks and continued maintenance to remain strengths.
If the bright spots are minimal per risk topic (compliance, breach, availability, etc.), then you may want to gather them together and summarize them across all risk topics.
Regulatory Scope: Third Party Regulations and Frameworks
The Health Information Technology for Economic and Clinical Health (HITECH) Act;
National Institute of Standards and Technology (NIST) 800-53 Moderate: Provides specific guidance on implementing HIPAA/HITECH. NIST 800-53 Moderate is also intended to be a general framework.
GLBA (Gramm-Leach-Bliley Act) mandates that financial institutions such as commercial banks, brokerages, financial advisors and insurers secure the private information of clients and customers.
FISMA (Federal Information Security Modernization Act of 2014) mandates that all federal agencies develop a method of protecting their information systems.
FedRAMP (Federal Risk and Authorization Management Program) provides requirements for deployment of cloud services including vendors and service providers across the Federal Government.
FERPA (The Family Educational Rights and Privacy Act of 1974); Section 3.1 of the act provides requirements for protecting the education records of post-secondary school students.
COPPA (Children’s Online Privacy Protection Rule) covers the online collection of personal data of any child under 13 years of age under U.S. jurisdiction.
NERC CIP Standards (NERC Critical Infrastructure Protection Standards) provide a set of controls to enhance the security of North America's power system.
SOC2 sponsored by AICPA (American Institute of Certified Public Accountants) is intended for service providers that process user data. This is often specified in contracts.
ISO 27000 Family / 31000 Family (International Organization for Standardization). The 27000 family of standards provides security requirements and the 31000 family focuses on risk management. This broad set of controls may be used by any business to assess and improve its security practices.
CIS Controls (Center for Internet Security Controls). A small set of controls based on high-risk attacks. Even if your organization falls under other regulations and frameworks, CIS may help you prioritize which controls to focus on first.