A guide to measuring and improving your cyber security program

Is compliance a burden for your organisation or a by-product of the way you do business? This guide (and the associated series) is intended to help you align your cyber security program with your business needs and simplify compliance.

Collecting the same or very similar data repeatedly in order to demonstrate compliance is a distraction from your core business. Yet collecting useful metrics regularly is necessary to manage an effective cyber security program. Measurement lets you know whether you are investing too much or too little in your security program. It is also better that you do the measuring (and, presumably, some of the improving) than your customers, suppliers or attackers, who may or may not let you know the result in a hurry. If you can collect the necessary data once and then translate it into the formats required by different stakeholders, you will save a lot of time and be able to focus on your core business.

Some examples of compliance requirements that may be relevant to your business include privacy legislation, such as the Privacy Act in Australia and the General Data Protection Regulation (GDPR) where the data of European citizens is handled. Industry standards such as ISO 27001 are also sometimes embedded into contracts with customers. If you handle Australian Government official information, then the Australian Government Information Security Manual (ISM) is relevant. If you handle Victorian Government public sector information, then the Victorian Protective Data Security Standards (VPDSS) may be relevant (links to each below). Obviously, if you are a government body then the relevant regulations apply directly. However, government requirements are often also passed on to commercial service providers that provide services to government bodies.

We at Arcord Cyber Security (link below) provide security consulting services to perform assessments against industry and government standards. We have also developed our TrustyGate software platform (link below) to make this process as simple as possible for small to medium sized organisations. TrustyGate can be used as a basic repository for your compliance requirements. Compliance requirements can be linked to particular systems and third parties identified as part of your Information Asset Register. Compliance requirements can also be referenced in documents (policies and standards), as explained in the previous article (link below). These references allow you to highlight the importance of particular statements and to direct statements requiring a higher degree of security only to those systems and assets that require it.

TrustyGate can also be used for performance management. You can set up a schedule of recurring tasks that can be sent to different recipients. Recipients can receive notifications within the application and via email. Recipients are then expected to record the result of the activity so that performance can be assessed and tracked over time. Results can also be managed via an issue management system that records corrective actions that need to be planned and taken. Reports can be prepared for your governance body that identify controls that are operating effectively and those that aren’t and require corrective action.

Performance management is a critical component of the TrustyGate platform, and of any cyber security program, because it closes the loop: it helps you identify when the security program is not operating as intended and gives you the opportunity to feed the results back into strategic planning, asset management, risk management, security policies and standards, and future control assessments. We truly believe that we can drastically reduce the time it would otherwise take to step through the typical plan, do, check and act cycle.

We plan to develop the compliance and performance management aspects of our TrustyGate platform much further, including the specification of more detailed compliance requirements, the recording of compliance assessments and the automatic preparation of compliance reports. If you have any questions or feedback, or would like a trial account, please do not hesitate to visit the webpage or get in touch by emailing us.

Other articles in this series:

For more information:

More articles by Andrew Robinson