For anyone who works in IT or compliance, you will be more than aware that the year 2018, has been seen more than its fair share of new regulations and updates to industry standards. This year alone we have seen the introduction or update of:
- - GDPR (General Data Protection Regulation).
- - NIS (Network and Information Security) directive.
- - Cyber Essentials.
- - The Minimum Cybersecurity Standard.
- - SWIFT.
- - PCI-DSS (Payment Card Industry Data Security Standard).
...to mention just a few.
For those who are unfortunate enough to be in industries or organisations who need to comply with more than one of the above, the effort to satisfy the needs of one without compromising another can be a trickier challenge.
Where this is the case, ISACA (Information Systems Audit and Control Association) recommends that organisations get smart and look for common elements which can be achieved through implementation of a single control.
The term "killing two birds with one stone" comes to mind.
But where to start?
In this blog post, we have compared the GDPR, NIS directive, Cyber Essentials and the Minimum Cybersecurity Standard and found 4 common areas which you can use to begin your integrated compliance journey.
1. Strong Authentication
Each of the four vary on specifics but do agree on one thing; where there is an authentication point, the use of a username and password will not suffice and represents an unjustifiable risk.
We are all used to the idea of multi-factor authentication through the use of the technology in our everyday lives and the commercial banking industry is a great example of this.
To take this one step further, NIST (National Institute of Standards and Technology) recommends that multi-factor authentication should be the norm and not just in the pursuit of compliance or a certification.
2. Boundary Security
Whether your boundary is a network or a specified device, such as a laptop or mobile device, preventing unauthorised access and connections to that device is a cornerstone of cybersecurity, most often optimised by the firewall.
Network boundaries, virtual networks and devices should all have physical/software firewalls, and antivirus software to prevent known attack vectors; this will provide at least a minimum security level required our four comparative regulations/standards.
3. Incident Response
In a sign of a maturing cybersecurity world, our four regulations/standards all include provisions for incident response planning and execution.
An acknowledgement to the IT security mantra is that nothing is guaranteed and a breach is always possible.
In the event of a breach, organisations are now expected to have a rehearsed plan to react in a way which warns the affected, minimises the impact and returns the organisation to an operational state as soon as possible.
4. Continuity Planning
Where things go dramatically wrong, continuity planning should help to return things back to normal with minimal impact.
Why do the regulations and standards care about an organisation's ability to bounce back?
Well, because the IT elements of organisations have become highly relied upon. Particularly in the case of the NIS directive which affects operators of essential services such as utility providers; and digital service providers such as online marketplaces and search engines.
Our reliance on such services have created a position of vulnerability which can be seen when there is an electricity outage for a lengthy period of time.
Continuity planning should include high levels of availability through redundancy, backups and secondary operational sites.