AI is revolutionizing audit, risk, and compliance by streamlining processes through automation. Tasks like data collection, control testing, and risk assessments, which were once time-consuming, are now being done faster and with more precision. This allows teams to focus on more critical strategic decisions.
In auditing, AI identifies anomalies and uncovers patterns in real time, enhancing both the depth and accuracy of audits. AI’s ability to process large datasets also helps maintain compliance with evolving regulations such as the EU’s AI Act, while reducing human error.
Beyond audits, AI supports risk management by providing dynamic insights that adapt to changing threat landscapes. This enables continuous risk monitoring rather than periodic reviews, making organizations more responsive to emerging risks, including cybersecurity threats.
AI also plays a crucial role in bridging the gap between cybersecurity, compliance, and ESG (Environmental, Social, Governance) goals. It integrates these areas into a single strategy, allowing businesses to track and manage risks while aligning with sustainability initiatives and regulatory requirements.
1. Identify your assets (Asset inventory)
Maintaining a list of assets, their business criticality, their owners and their locations is the first step to establishing control over your environment. To do this, start with these steps:
Identify the systems, data, and people assets that you need to protect.
Identify the threats to those assets, and prioritize them.
Identify what you want to do to protect your priority assets from their most significant threats.
2. Identify the activities you need to complete
It is important to establish a list of security activities and the cadence on which they need to happen in order to meet your compliance requirements. Some activities only need to be done once a year, while others might need to be done quarterly or even monthly. For example, you may only need an annual penetration test, but how often do you need to run internal vulnerability scans? Establishing the list of compliance management activities you need to complete, and when they need to be completed, is a great starting point for your 2024 compliance program.
DISC llc provides you with a full list of Information Security activities (GRC) required to achieve a successful data security program. This list includes activities such as:
Review policies and procedures (including Acceptable Use Policy)
Complete a risk assessment – this should be done annually
Review security training – to ensure new employees, as well as current employees, are up to date on all their training
Test and update your Business Continuity Plan – this should be done on an annual basis to account for any new situations that may occur
Review regulatory and legal compliance requirements – especially important for organizations that need to consider regulations such as GDPR and CPRA, and standards such as ISO 27001:2022 and SOC 2.
Conduct an inventory of your data assets – data assets change over the year so it is important this document is updated regularly.
3. Assign the right people and resources (RACI Matrix)
It is important to ensure you have the right team members in place. This means not only people qualified to be a part of the team but also team members from all departments. You will also need to select the compliance management tools that you will use to support your planning. Selecting a tool that includes risk management as well as data security will help protect your company as you grow.
4. Schedule all your meetings and tasks for the year (Audit/Assessment planning)
It might seem a little early to schedule a meeting in July but by planning ahead of time all your key team members will have the time blocked on their calendars and available for your meetings. It will also allow you to run different assessments at different times of the year to avoid inconvenient times for other departments, such as the accounting department.
5. Document your policies and procedures
If it is not documented, then it didn’t happen. Make sure you have policies and procedures in place to document all your business actions. If you are not sure how to write appropriate policies and procedures, seek expert advice. Make sure all the required policies are approved and reviewed on a regular basis.
6. Plan ahead to future-proof your security program
Identify the frameworks you may want to tackle down the road and use a platform that crosswalks controls between frameworks. This will save you time in the future when you wish to consider multiple frameworks for your organization. If you are unsure where to start, speak to a security expert for advice on the frameworks that best suit your industry and your needs. DISC llc performs Security Risk Assessments based on diverse standards and regulations, aligning them with the standard of your preference.
To learn more about compliance management, seek expert advice from experienced security professionals such as the DISC Professional Services team.
Does anyone think the chances of surviving a plane crash increase if our tray tables are locked and our carry-on bags are completely stowed under our seats? That we’ll be OK if the plane hits a mountain if we have our seat belts buckled securely across our waists? Not even the flight attendants, who will be responsible for throwing us off the plane if we don’t comply, really believe those rituals make us safer. And yet, we check the box every flight because a government agency said we can’t fly unless we do so...
I’m starting to wonder if the obsession with checking boxes in cybersecurity might be akin to securing our tray tables before take-off. We do as we’re told, check all the boxes, pat ourselves on the back, and in the process, distract ourselves from our ultimate goal: stopping the bad actors and protecting our data.
I started to think about this somewhat disconcerting cybersecurity community reality when scanning the titles of some of the attendees at a recent regional cybersecurity conference. I was surprised by the frequency of titles that combined security with compliance. To wit: Manager Information Security and Compliance, Manager, Security and Compliance Advisory, Senior Manager Internal Controls and Compliance, Sr. Manager – IT Security & Compliance (among others). To add to this: countless “auditor” titles – roles designed specifically to assure fealty to various standards requirements.
Nearly all enterprise breaches originate in one of three ways, and all cybersecurity professionals know this:
An unpatched vulnerability
Credential theft
Installation of malicious software (typically via phishing)
So, let’s try an experiment. Ask a CISO or experienced cybersecurity expert how they would defend their organization against these three breach types if:
1. They could completely ignore standards and compliance, and they’d be given no credit for any level of compliance (and there would be no ramifications for non-compliance)
2. They could re-deploy every dollar of budget allotted to standards compliance and auditing any way they liked
3. Their single objective was to win the game (stop the bad actors, and minimize their organization’s risk of a compromise)
How many would determine that the best use of their resources would be to attain or retain compliance with a cybersecurity standard? And how many would deploy those compliance and auditing resources to patch more vulnerabilities, invest in additional cybersecurity expertise, tools to identify and reduce their external threat footprint, and myriad other effective measures to genuinely reduce their organization’s cyber risk?
It’s not as if dedication to compliance is any more of a guarantee against a breach than any other technology, strategy or prayer. Here are a few examples of compliant companies that have suffered high profile breaches (thanks to ChatGPT for saving me the hours of research otherwise required to build this list):
Equifax (PCI and NIST CSF)
Target (PCI)
Marriott (PCI)
Anthem (HIPAA)
Premera Blue Cross (HIPAA)
CareFirst BCBS (HIPAA)
SolarWinds (NIST CSF)
This is, of course, not an exhaustive list. Show me a large enterprise that was breached and I’ll show you a large enterprise adhering to multiple compliance standards.
So, why do we continue to be obsessed with cybersecurity compliance, standards, frameworks, etc.? The obvious reason is that organizations can be fined for non-compliance.
And yet, there’s been little effort among cybersecurity experts to challenge regulatory agencies. Indeed, many enthusiastically embrace compliance and congratulate themselves and their teams for achieving it. And, of course, no one loves compliance standards more than vendors, just like every barber in the world would celebrate a new law requiring everyone to get a haircut weekly.
The less obvious reason for our community’s love for compliance is that it covers behinds. “Yes, we were breached, but we did everything we were supposed to do, so don’t blame us.” Coaches in every sport will identify that as a loser’s attitude. Champions know there’s no checkbox formula for winning, and there’s no excuse for losing, especially “we did everything we were supposed to and still lost.” It’s cliché, but the best teams and athletes “just know how to win.”
Am I suggesting we abandon frameworks and compliance? Not immediately, and not without serious debate and analysis. But there is a case to be made that the compliance-centric philosophy governing cybersecurity decision-making today simply isn’t working, and we in cybersecurity are the living embodiment of (not) Einstein’s definition of insanity: doing the same thing over and over and expecting a different result.
Cybersecurity spending continues to increase and yet breach incidents are increasing as well. It shouldn’t be sacrilegious to propose that we consider changing our foundational philosophy from checking boxes on a compliance audit form to doing whatever makes sense to defend our organizations, and win.
How are companies’ legal departments changing to meet the needs of their organization and the needs arising from worldwide changes?
Organizations face much more regulatory compliance and privacy scrutiny than ever before, and everyone is under a constant threat of cyber breach or attack. Legal plays a critical role in ensuring that all compliance obligations are met, and overall risk to the organization is mitigated.
I firmly believe a new strategy is required to deal with these new converging market forces, one that is rooted in data management. What we’ve observed over the past couple of years is that how you treat data is key to addressing so many of the concerns facing your organization. How an organization collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and provides value. All of these greater trends have combined to create new business challenges that no longer can be addressed by a single organizational department.
Let me give you an example:
Let’s say your company receives a California Consumer Privacy Act data access request.
First, you must securely validate the requestor’s identity. Then, you must route the request appropriately and act on it promptly. The person or group responsible for the data must locate it, collect it, review it, possibly redact information and then securely deliver this information to the requestor.
You can see how this request quickly crosses conventional divisions and responsibilities—it’s not just someone in your Privacy department’s responsibility – she will need to work with someone with expertise in e-discovery. And, if that user submits a request for data deletion, things get even more complex, because before deleting anything, you must first confirm that the information can legally be deleted (as it can be subject to retention requirements imposed by regulatory compliance obligations or a legal hold).
In this demanding environment, traditional approaches to enterprise data inventory and management are inadequate.
To help put this process into perspective, we like to ask six simple questions:
1. Do you know where your data is?
2. Do you know who owns your data?
3. Do you know what regulations govern your data?
4. Do you know what third parties have access to your data?
5. Can you forensically prove data integrity throughout all the processes that use your data?
6. Can you easily and quickly respond to requests for your data?
This tool enables you to identify your organization’s CPRA (California Privacy Rights Act) compliance gaps, and helps you plan the steps necessary to achieve ongoing compliance.
The CyberSecurity Framework Ver 1.1 presentation (NIST CSF 1.1 preso, PDF): https://blog.deurainfosec.com/wp-content/uploads/2019/09/NIST-CSF-1.1-preso.pdf
As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.
The key elements of data mapping
To effectively map your data, you need to understand the information flow, describe it and identify its key elements.
1. Understand the information flow
An information flow is a transfer of information from one location to another, for example:
From inside to outside the European Union; or
From suppliers and sub-suppliers through to customers.
2. Describe the information flow
Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
Make sure the people who will be using the information are consulted on the practical implications.
Consider the potential future uses of the information collected, even if it is not immediately necessary.
3. Identify its key elements
Data items
What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?
Formats
In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?
Transfer method
How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?
Location
What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?
Accountability
Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.
Access
Who has access to the data in question?
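The following is an added example, not code from DISC, Vigilant Software or IT Governance. It models the data-mapping elements just listed (data items, formats, transfer method, location, accountability, access) as a small inventory, answers the first four of the six inventory questions from the legal section earlier on this page, flags transfers that leave the EEA and items holding special-category data, and applies the deletion check from the CPRA request walkthrough (a retention obligation or legal hold blocks deletion). All country codes, category labels, group names and sample records are constructed for illustration; the EEA list is deliberately partial.

```python
"""Personal-data inventory and flow map (added example, not the page's own code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumption: short labels standing in for the GDPR Article 9 special categories.
SPECIAL_CATEGORIES = {"health", "genetic", "biometric", "criminal", "political",
                      "religious", "union", "sexual", "ethnic"}
# Partial EEA list, enough for the sample data; extend before real use.
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "NO", "PL",
       "PT", "SE"}


@dataclass
class DataItem:
    name: str
    category: str                 # e.g. "contact", "health", "financial"
    fmt: str                      # "database", "hardcopy", "mobile", ...
    location: str                 # ISO country code of the storage location
    owner: str                    # accountable person or team
    regulations: set = field(default_factory=set)
    third_parties: set = field(default_factory=set)   # contracted processors
    access: set = field(default_factory=set)          # groups with access
    retention_until: Optional[date] = None            # end of retention period
    legal_hold: bool = False


@dataclass
class Flow:
    item: str          # DataItem.name
    source: str        # country code the data leaves from
    dest: str          # country code it arrives in
    method: str        # "api", "sftp", "post", "email", ...
    recipient: str     # team or third party receiving the data
    external: bool     # True when the recipient is outside the organisation


class DataMap:
    def __init__(self):
        self.items = {}    # name -> DataItem
        self.flows = []    # list of Flow

    def add_item(self, item):
        self.items[item.name] = item

    def add_flow(self, flow):
        # A flow that names an uninventoried item is itself a finding.
        if flow.item not in self.items:
            raise KeyError("flow references unknown data item %r" % flow.item)
        self.flows.append(flow)

    # Questions 1-4: where, who owns, which regulations, which third parties.
    def where_is(self, name):
        return self.items[name].location

    def owner_of(self, name):
        return self.items[name].owner

    def regulations_for(self, name):
        return set(self.items[name].regulations)

    def third_parties_for(self, name):
        parties = set(self.items[name].third_parties)
        parties |= {f.recipient for f in self.flows if f.item == name and f.external}
        return parties

    def transfers_outside_eea(self):
        """Flows leaving the EEA; each one needs a lawful transfer mechanism."""
        return [f for f in self.flows if f.source in EEA and f.dest not in EEA]

    def dpia_candidates(self):
        """Items holding special-category data, a DPIA trigger under the GDPR."""
        return sorted(n for n, i in self.items.items()
                      if i.category in SPECIAL_CATEGORIES)

    def can_delete(self, name, today=None):
        """Deletion-request check: a legal hold or open retention period blocks it."""
        item = self.items[name]
        today = today or date.today()
        if item.legal_hold:
            return False, "legal hold"
        if item.retention_until is not None and item.retention_until > today:
            return False, "retention until " + item.retention_until.isoformat()
        return True, "ok"


def build_sample_map():
    """Constructed sample inventory; none of these systems or parties are real."""
    m = DataMap()
    m.add_item(DataItem("customer_contact", "contact", "database", "IE", "CRM team",
                        {"GDPR", "CPRA"}, {"mailer-saas"}, {"crm-users"}))
    m.add_item(DataItem("employee_health", "health", "hardcopy", "DE", "HR",
                        {"GDPR"}, set(), {"hr-admin"}, retention_until=date(2030, 1, 1)))
    m.add_item(DataItem("card_payments", "financial", "database", "NL", "Finance",
                        {"GDPR", "PCI DSS"}, set(), {"finance-ops"}, legal_hold=True))
    m.add_flow(Flow("customer_contact", "IE", "US", "api", "mailer-saas", True))
    m.add_flow(Flow("card_payments", "NL", "NL", "api", "payment-processor", True))
    m.add_flow(Flow("employee_health", "DE", "DE", "post", "HR", False))
    return m


if __name__ == "__main__":
    m = build_sample_map()
    print("leaves EEA:", [f.item for f in m.transfers_outside_eea()])
    print("DPIA candidates:", m.dpia_candidates())
    for name in m.items:
        print(name, m.can_delete(name))
```

Third parties are derived from both the item record and the external flows, because in practice a processor often first appears in a transfer rather than in the inventory; the unknown-item check in add_flow() catches the reverse case, data moving that nobody has inventoried.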
The key challenges of data mapping
Identifying personal data
Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
Identifying appropriate technical and organisational safeguards
The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
Understanding legal and regulatory obligations
Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001. Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.
Data flow mapping
To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.
Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:
A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.
Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.
Direction and guidance from expert GDPR practitioners.
Includes two licenses for the GDPR Staff Awareness E-learning Course.
The General Data Protection Regulation (GDPR) is a new law that will harmonize data protection in the European Union (EU) and will be enforced from May 25, 2018. It aims to protect EU residents from data and privacy breaches, and has been introduced to keep up with the modern digital landscape.
Who needs to comply with the GDPR?
The GDPR will apply to organizations established in the EU and, crucially for US companies, to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
Non-compliance can result in hefty fines of up to 4% of annual global turnover or €20 million (about $23.5 million at the time of writing), whichever is greater.
Organizations that are compliant with the new Regulation will also find that their processes and contractual relationships are more robust and reliable.
What do US organizations need to do to comply with the GDPR?
The transition period for compliance with the GDPR ends in May 2018. This means that organizations now have less than ten months to make sure they are compliant.
For US organizations, the most significant change concerns the territorial reach of the GDPR.
The GDPR will supersede the current EU Data Protection Directive. Under the current Directive, organizations without a physical presence or employees in the EU have one main compliance issue to deal with: how to legally transfer data out of the EU. The EU–US Privacy Shield provides such a mechanism for compliance (the Privacy Shield was later invalidated by the Court of Justice of the EU in July 2020, so it can no longer be relied on).
Almost all US organizations that collect or process EU residents’ data will need to comply fully with the requirements of the GDPR. US organizations without a physical EU presence must also appoint a GDPR representative based in a Member State, unless one of the Article 27 exemptions (such as occasional, low-risk processing) applies.
Save 10% on your essential guide to the GDPR and the EU–US Privacy Shield
August’s book of the month is the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR and the EU–US Privacy Shield.
Following the release late last month of the Base Process Library, the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched
/EIN Presswire/ — Following the release late last month of the Base Process Library (http://www.itgovernance.co.uk/products/3460), the Kick Start Guide – the essential guide for all organisations pursuing TickITplus certification – has been launched. The guide can be purchased here www.itgovernance.co.uk/products/3469 in a PDF format or hard copy.
The guide will provide organisations that need to achieve compliance with the TickITplus scheme with information about identifying and selecting the scope of certification and developing in-house resources. It contains guidance on identifying processes, mapping them to TickITplus processes and establishing the assessment strategy. The TickITplus Kick Start Guide also offers advice on preparing for, participating in and following up an assessment.
TickITplus (www.tickitplus.org) is the successor of TickIT and provides improved process modelling to facilitate more efficient business and quality systems planning and improvement. TickITplus gives entry-level access to capability grading for small IT organisations and offers significant cost savings for those already pursuing both ISO 9001 and capability maturity measurement.
As an introductory guide, the TickITplus Kick Start Guide concentrates specifically on achieving the Foundation level of the scheme, either through initial entry or transition from the existing TickIT scheme.
In today’s economy, protecting information assets is essential to the survival of an organization. After a major incident or security breach, it is unrealistic to assume the bottom line will be unaffected. Most organizations have to comply with various standards and regulations, and a breach while in a state of non-compliance will limit the business: the organization may be liable for contractual penalties and lose business from current and prospective customers.
An Information Security Management System (ISMS) is the framework for protecting information from these threats and risks on a daily basis. Mitigating information security risk is therefore becoming a core corporate discipline alongside other business functions such as HR, IT and accounting.
Mitigating business risks not only improves business efficiency but also maximizes return on investment and business opportunities.
It is a mistake to assume that information security is solely a technical problem to be left for IT to solve. The titles below are a non-technical discussion of information security management. They offer a framework that will help business leaders better understand and mitigate risks, prioritize resources and spending, and realize the benefits of security information management.
Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies (Manager’s Guide Series)
A Wall Street Journal/Harris poll revealed that two thirds of investors express doubts in the ability of corporate boards of directors to provide effective oversight. In the shadow of recent global scandals involving businesses such as Parmalat and WorldCom, Manager’s Guide to Compliance: Best Practices and Case Studies is essential reading for you, whether your organization is a major corporation or a small business.
This timely handbook places U.S. and global regulatory information, as well as critical compliance guidance, in an easy-to-access format and helps you make sense of all the complex issues connected with fraud and compliance.
‘Wide perspectives and best practices combined deliver a punch that will knock your “SOX” off! The author has blended together a critical mix necessary for effectively handling the requirements of SOX.’ Rob Nance, Publisher, AccountingWEB, Inc.
‘Robust compliance and corporate governance is an absolute necessity in today’s business environment. This new book by Anthony Tarantino is an authoritative guide to understanding and implementing compliance and regulatory requirements in the United States and around the world. From SOX to COSO to ERM, this book covers them all.’ Martin T. Biegelman, Certified Fraud Examiner, Fellow and Regent Emeritus of the Association of Certified Fraud Examiners, and coauthor of Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance
‘If compliance wasn’t difficult enough, now companies are faced with a barrage of technology vendors claiming to automate compliance as if it were a project. In his new book, Dr. Tarantino paints the reality of the situation: companies need to embrace the broader tenets of governance and use technology to embed governance policies and controls into their daily business processes. Only then can they gain business value from their compliance investments.’ Chris Capdevila, CEO and cofounder, LogicalApps
ArcSight offers a $49 entry-level logging solution – a notable change for SIEM vendors, whose products have typically been priced at $200K and up.
Data security and compliance specialist ArcSight has taken the wraps off a slew of product updates – Enterprise Security Manager 5.0, Identityview 2.0 and Logger 5.0 – with the offer of a $49.00 version of Logger, its universal log management software.
In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.
45 US states followed California after it introduced SB 1386, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.
From 1 January 2010, all businesses that collect or transmit payment card information will be legally obliged, under Nevada law, to comply with PCI DSS.
Every organization that collects, owns or licenses personal information about a resident of the Commonwealth must be in full compliance with 201 CMR 17.00 (the Massachusetts Data Protection Law) on or before 1 March 2010.
As with SB 1386, California, Massachusetts and Texas are already looking at making PCI DSS compliance a legal requirement, and history tells us that when California moves, everyone else follows!
To help you comply with these impending laws, ITG has developed a range of solutions that aim to make the process as cost-effective and simple as possible:
This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).
will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to the current 201 CMR 17.00 / ISO 27001 standards.
This version of the ISMS Documentation Toolkit is ideal for those who own or license personal information about a resident of the Commonwealth.
An audit is a tool for checking that controls comply with standards such as ISO 27002 or NIST SP 800-53. Other exercises used to assess controls, which are not always as rigorous as an audit, are gap analysis, benchmarking and control review.
Scoping sets the boundaries of the audit: dependencies are marked and exclusions are agreed.
A consultant or team lead with a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriate reporting of the findings to management.
The team lead should have a clear understanding of the audit scope before the initial briefing to the client: what exactly the client wants, and who the target audiences for the final report and presentation are. A clear understanding of the scope includes confirming whether the whole organization is included in the audit or only part of it. Before starting an audit, the auditor should have a complete list of the assets in scope. Sort the asset list into infrastructure groups that can be handed to the technical consultants for validation of the controls. At this point the team lead should tell the technical consultants the minimum number of assets in each group that must be validated to satisfy the sampling requirement.
The scope of the final report and presentation should also be clear: which non-compliances, prioritized recommendations and action plans need to be included. When presenting the findings, relate them to business risk and avoid security acronyms to keep C-level attendees engaged.
Scoping must take into account the time available for fieldwork, analysis and reporting, and the size and competence of the team. Especially when fieldwork time is limited, the competence of the team determines whether it can cover the various infrastructure groups and validate and document the controls effectively.