Independent reviews are intended to provide an unbiased assessment of your organization’s cybersecurity program. They highlight control effectiveness, identify control gaps, and present opportunities for program improvement. These reviews look at your program through a different lens, without the assumptions that internal personnel frequently make. When those internal assumptions about which controls exist, or how effectively they are operating, turn out to be incorrect, the result is cybersecurity or compliance gaps that expose your organization to unnecessary risk.
Your organization can maximize the value of control assessments by ensuring that they are performed by independent assessors. Assessor independence provides a degree of impartiality to the control monitoring process. Your organization’s approach to managing its cybersecurity program should be independently reviewed at planned intervals that comply with applicable requirements (e.g., at least annually). It is also recommended to perform an independent review after any significant change to your program or to the technology environment that supports operations. This helps to ensure that changes to your adopted controls or technology environment are reflected in a current assessment report.
Independent reviews should include an assessment of how well requirements for all defined control families are being addressed. Reviews should determine whether the validation methods used internally to verify control compliance can validate the effectiveness of cybersecurity controls to an external entity, such as an auditor, examiner, or assessor.
Use a web-based compliance assessment portal that supports real-time updates to control statuses. This helps to ensure your organization is always prepared for a review. It also makes it possible to support reviews and assessments over the course of a year instead of compressing them into a two- to three-week period.
Independent reviews should be performed by individuals who have an appropriate knowledge of the cybersecurity controls that have been adopted by your organization. You need to ensure that the person or people performing independent reviews have the skill set needed to properly assess your internal controls. If reviews are performed by internal personnel, they should be executed by personnel who do not participate in any of the operations or functions of the area being reviewed. A preferred option may be to have the reviews completed by an external service provider to ensure independence is maintained.
Reviews, including cybersecurity control testing, should be scheduled and performed carefully to minimize the potential impact on normal business operations. Factors such as risk to the confidentiality, integrity, and availability of information systems should be accounted for to limit operational impact. Reasonable steps should be taken to help ensure any scheduled or ongoing assessments do not impact daily business operations for your organization.
The results of independent reviews of your cybersecurity program should be documented and communicated to the appropriate stakeholders within your organization. Assessment results should be retained for a defined period (e.g., at least three years) or for the period set by your organization’s record retention schedule. Retaining them allows the results of current reviews to be compared with the results of previous reviews.
Establishing a cybersecurity program and implementing control requirements is not a “once and done” exercise. Continuous monitoring is necessary to avoid the risk of having an effective program in place today but ignoring ongoing requirements until the next assessment, audit, or exam occurs. That approach is neither an effective way to reduce risk for your organization nor a way to achieve and maintain continuous compliance with required controls. Continuous monitoring processes should be implemented to change the perception of the cybersecurity program from a box-checking exercise to an ongoing commitment to implement policies, procedures, controls, and accountability that improve the organization’s overall cybersecurity posture.
Continuous monitoring facilitates ongoing awareness of your organization’s cybersecurity and privacy posture to support risk management decisions. The objective of continuous monitoring is to determine whether the complete set of planned, required, and deployed cybersecurity controls continues to be effective over time, given the inevitable changes that occur. Continuous monitoring allows your organization to maintain the authorizations of systems and controls in dynamic operating environments with changing mission and business needs, threats, vulnerabilities, and technologies. It can also be used to verify that appropriate evidence is being maintained for each control. This evidence may include audit logs, vulnerability scan reports, firewall rule reviews, and similar artifacts that your organization can draw on in the next assessment, exam, or audit.
Schedule individual internal assessments for small groups of controls each month throughout the year rather than reviewing all controls at once. This gives control owners a plan for when each control will be reviewed and when updated artifacts or evidence need to be ready.
Many organizations have found great success in dividing the continuous monitoring of controls into manageable segments. For example, if your cybersecurity program contains 150 controls, addressing 12 to 13 controls each month is much easier to manage than addressing all 150 controls in a single two- to four-week period. Adding controls to your program will increase the number of monthly tasks, but the workload remains manageable and precludes the need for heroic efforts to complete continuous monitoring activities.
Organization-defined metrics should be identified and developed to support continuous monitoring. These metrics should be used to facilitate strategic decision-making and identify potential funding requirements for areas in need. Metrics can also be used to ensure personnel are held accountable for the controls that have been assigned to them.
Continuous monitoring programs facilitate ongoing awareness of cyber threats and vulnerabilities to support organizational risk management decisions. Different types of controls may require different monitoring frequencies. Assessments and analysis of cybersecurity controls and cyber-related risks should be performed at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs should be leveraged to generate appropriate risk response actions by your organization. Providing access to cybersecurity information continuously through reports or dashboards gives leadership the ability to make effective and timely risk management decisions.
Stale or outdated documentation must be avoided to ensure the continued success of your cybersecurity program. This includes ensuring that all policies, plans, and procedures are reviewed, and updated where appropriate, at a defined frequency (e.g., at least annually). Assessors, whether internal or external, need to see evidence that your organization is attentive to maintaining the documentation that supports an effective cybersecurity program.
All cybersecurity program documentation and supporting artifacts or evidentiary files required by the controls adopted by your organization should be appropriately managed. Controls should be in place to ensure that documentation is available for use, when and where it is needed. Your organization should control the distribution, access, retrieval, use, storage, modification, and preservation of documentation. At a minimum, documentation should be protected from loss of confidentiality, loss of availability, improper use, and loss of integrity.
Consider using a web-based portal solution to keep all documentation and supporting evidentiary files protected. This will help ensure that documentation is secure and always available to appropriate personnel whenever it is needed.
Documentation that was developed externally but has been deemed necessary for your cybersecurity program should also be appropriately controlled. Examples of external documentation include regulatory guidance, standards, special publications, bulletins, alerts, and other outside information that drives or otherwise supports your cybersecurity program.
Vistrada helps clients create a sound cybersecurity program framework. Reach out if you need help creating a cybersecurity program or improving an existing one; our vCISO and cybersecurity experts can help.