The CyberSecurity Framework can be leveraged to better understand how to start the cybersecurity component of compliance. This article will focus on two more compliance standards, SOX and NERC, and relate them to parts 1 and 2 of this book. The point of this article is that the underlying security issues for different kinds of data and IT resources are largely the same although the data and assets of concern are different.
Sarbanes-Oxley Section 404 - SOX
You can get a copy of the law here:
http://www.sec.gov/about/laws/soa2002.pdf
You can get more guidance from the SEC about SOX Section 404 for small businesses here: http://www.sec.gov/info/smallbus/404guide/sources.shtml
SOX Section 404 requires adequacy of internal controls over financial reporting.
Auditors may check whether the data entered into the accounting system is true by performing an audit. If the company is depreciating assets, the auditor should check that the assets actually exist. If records show that 5,000 widgets were sold and delivered to Widgets R Us, then the auditor can check that 5,000 widgets were actually delivered to Widgets R Us. Auditors can check that the numbers being entered are real.
While auditors can ensure the entry of truthful data, the cybersecurity team can ensure the integrity of financial data by ensuring that the right people are entering the data and no data is being altered without the knowledge of the organization’s rightful authorities. So the cybersecurity measures boil down to safeguarding the integrity of financial data. You must also be able to present evidence that the security measures are working.
North American Electric Reliability Corporation - Critical Infrastructure Protection
You can get a copy of the Critical Infrastructure Protection [CIP] standard here:
http://www.nerc.com/page.php?cid=2%7C20
This standard concerns itself with safeguarding the availability of the assets that support the “Bulk Electric System.” The assets to consider are listed in Standard CIP-002-10 Cyber Security – Critical Cyber Asset Identification R1, http://www.nerc.com/files/CIP-002-1.pdf.
CIP includes the following sections:
- Sabotage Reporting
- Critical Cyber Asset Identification
- Security Management Controls
- Personnel and Training
- Electronic Security Perimeter(s)
- Physical Security of Critical Cyber Assets
- Systems Security Management
- Incident Reporting and Response Planning
- Recovery Plans for Critical Cyber Assets
The approach presented in part 2 of this book to safeguard the availability of assets can help you get a more concrete vision of the security measures you will implement.
Conclusion
You are probably now discovering that the underlying security issues for compliance standards, even ones not mentioned in this book, are similar. They boil down to safeguarding the availability, integrity, or confidentiality of your data or IT assets. Security measures that address the underlying issues can be similar although the specific data and IT assets of concern are different.
You must take measures to address security issues surrounding external and internal users. You must address security issues in both the physical and logical spaces. You should have methods of continuously monitoring for potential security breaches and some kind of reaction plan ready. Giving the right people the right level of access to critical or sensitive data and assets is always an issue.
Parts 1 and 2 of this book cover these common security issues and provide examples of security measures that address them. When the specifics of a compliance requirement are unclear, understanding the requirement in the context of the CyberSecurity Framework will help you better judge what security measures are appropriate, build an effective security program, and avoid treating each compliance requirement as just another box to check off a laundry list.