New regulation (in the form of GDPR) means that your cyber security needs rethinking. You have to do whatever you can to protect people’s data — or face stiff penalties.
And to provide effective protection and privacy for your data, you need to manage your security systems continuously. To do that, you can use the NIST Cybersecurity Framework. Here are the five key stages of the framework, which you can follow to stay secure.
To maintain a secure system, you need to review and refresh your security to mirror a continuously-changing business, legal, regulatory and IT environment. Your security controls must keep pace with the everyday life of your organisation.
This means identifying developments such as: new data types, changes to your IT infrastructure, the emergence of new threats and vulnerabilities etc. Then, to ensure compliance, you have to integrate new or changed elements with your current system.
This stage of the process involves managing, controlling and measuring the efficiency of the tools and procedures you’ve implemented. The operation of security controls requires contribution from the whole of your organisation.
Internal and external IT and security professionals have to work with business departments and the Data Protection Office (legal and compliance) to ensure data, particularly personal data, is appropriately protected.
The real-time analysis and evaluation of unusual changes in typical daily behaviour can prevent or reduce the impact of security incidents. To improve your security controls, you have to investigate and evaluate every possible breach.
This means you need to continuously refresh and review your policies, update your tools, test procedures, evaluate events and improve security controls based on the results. Various technologies are available to manage this. For example, data-loss prevention tools can monitor data, and report or block inappropriate user actions.
When a security breach occurs, you need to be able to respond. And you have to prepare this response in advance — so you can execute communication, reporting and incident management procedures.
When an incident takes place, you have to perform these processes with precision and speed, with every relevant person clear about the steps they have to take and when. You must define and plan channels of internal and external communications so you can share information with all relevant parties in good time. After an event, you also have to perform a post-event assessment to identify any further need to improve your security systems, business processes and/or incident management procedures.
To mitigate the impact of a cyber-security event, and be able to get back to a normal operational level as soon as possible, you need to develop and implement suitable recovery plans.
This allows you to restore any information or resources affected during the incident. There are a number of important actions to carry out at this stage, such as the execution of proper recovery planning and the evaluation of previous events and experiences.
Avoiding data breaches and providing privacy involves more than simply providing effective cyber security. To meet GDPR requirements, you need to show you can monitor your data processes continually — protecting information every step of the way.
Following the NIST Cybersecurity Framework is a great start, but there’s more you need to know.