Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Applying the Three Lines to Cyber-Security

Jose Tabuena | April 28, 2015

New and innovative practices of exchanging data at ever-increasing speeds are resulting in the collection of personal information that may expose companies to novel types of risk. Information from customers and employees that businesses took for granted just a few years ago is collectively becoming the foundation for consumer privacy complaints, data breaches, and penalties from government agencies.

In other words, more data means more privacy concerns and the potential for a major data breach.

The challenge is for organizations to overcome the different sources for security breaches and to install the right defenses to address areas of vulnerability. One positive byproduct from recent high-profile security breaches is the increased awareness of the threat, and the need to do something about it. Still, a resignation seems to hang in the air that it is only a matter of when, not if, you will experience a breach—if one hasn’t already happened.

While it may help to assume that the enemy is already inside when developing safeguards, companies don’t need to wave the white flag before putting up a good fight. It is more productive to have a positive perspective and to take the initiative to examine the nature of cyber-threats, and then find strong strategies to thwart them. Compliance and internal audit have complementary approaches that can collaborate with IT security expertise to come up with effective preventive and detective plans. 

Of course internal audit should periodically test the effectiveness of the company’s information security and privacy program. And compliance needs to understand and monitor privacy risks to help ensure controls are in place appropriate to managing those risks. Leveraging the distinct activities of the privacy office, with the work and findings from internal audit, can lead to an active defense. But companies still struggle to break away from a check-the-box approach to cyber-security concerns. How can they achieve that?

Lines of Defense

As put forward in previous columns, the Three Lines of Defense model can provide a helpful framework for determining who oversees various aspects of information security risks and how those are to be governed within the organization. Clearly business operations and others on the front line who directly access, use, and disclose sensitive data, must be made aware of the risks, since they serve as the first line of defense.

Implementing comprehensive data security protocols is genuinely hard, demands distinct domain expertise, and, with the ceaseless advancement of technology, is a job that is never done.

For business units to have effective processes they can follow there in the first line, privacy compliance needs to do its job in the second line by defining and establishing what those processes are. This can include the core features found in “compliance programs” such as privacy and security policies that are communicated and trained to the workforce. Various privacy laws require the establishment of written policies to address protection of sensitive data, including notification procedures if a breach should occur. IT security (along with the IT function itself) also has a role in the second line, especially with respect to technical controls that should be implemented.

The Privacy Impact Assessment

The privacy office (often, but not always, part of the compliance department) is responsible for ensuring that the organization uses personal data ethically and in a manner consistent with the company’s privacy policy. A “privacy impact assessment (PIA)” is the vehicle for evaluating an organization’s awareness of how it handles consumer and employee information.

In Britain, the Information Commissioner’s Office published “Conducting privacy impact assessments: code of practice,” which describes the benefits of conducting PIAs:

Privacy impact assessments is a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. PIAs are an integral part of taking a privacy-by-design approach.

An essential component of the PIA is identifying what personal data the company collects, why it has been collected, and how it will be used, shared, accessed, stored, and retained. Necessarily this involves developing a perpetual inventory to understand what data is collected and where it is stored; mapping how the data flows through business processes and relevant systems; and allow for updating key policy documents (for example, internal privacy policies and guidelines and external privacy notices).

Likewise, a critical task for internal audit before testing of security controls can take place is identifying and inventorying the company’s most important data—that is, exactly what the privacy office undertakes during a privacy impact assessment. Neither internal audit nor privacy compliance know about all the key documents nor where all data resides. Clearly this requires a multidisciplinary approach involving key areas across the organization. Knowing where essential information resides shouldn’t be a foreign exercise though for public companies, as it’s already an inherent task for Sarbanes-Oxley compliance purposes.

It’s the Process, Stupid

Internal audit’s role is seemingly straightforward serving in the third line, testing the security procedures and controls (as in other significant risk areas), as the last line of defense.

Security experts have increasingly recognized that technology solutions, while essential to solving the problem, are not enough. Process should be king with IT security professionals seeking multilayered solutions to minimize vulnerability gaps that don’t require different point solutions for specific threats.

Adoption of a process-oriented approach involves an increased level of security awareness by adhering to data governance policies and other steps focused on identifying and reducing human risks. Some of the cleverest breaches occurred as a result of social engineering where psychological tactics were used to gain users’ confidence to persuade them to divulge usernames and password. Technology is unlikely to prevent such tactics—but awareness and process controls can.

Although cyber-security does have technical nuances, with terms like firewalls, domains, vulnerability testing, and segmented networks, internal auditors and privacy specialists can be crucial in assessing a company’s vulnerability to a cyber-breach and the readiness to address one when it occurs. Internal audit departments possess many of the skills and tools to perform the assessment and evaluation, especially if they have already implemented the new COSO framework for internal control over financial reporting.

Companies using the recent National Institute of Standards and Technology cyber-security framework will find cyber-risk assessments to be a top-down exercise, which internal audit knows intimately. The first goal is to understand the business, the strategy, and objectives; what type of information the company produces; and what the company wants to protect. Those are core concepts that don’t require a deep technical skill set.

Companies that focus on the process of how information is governed, rather than the tools used to protect it, can make big strides toward security protection. Technical tools are still vital as part of a comprehensive cyber-security defense. Still, the basic threat exploits human and process weaknesses, and the next technological breakthrough won’t resolve those.

Eat Your Own Dog Food

As technology continues to advance so must cyber-security measures. A company must learn constant vigilance in this information age.

In my view this requires a paradigm shift in “active practices” beyond the awareness that hackers and other attackers are continually becoming smarter and more agile. Recent breaches, including at Sony with intrusion by a foreign government, did not involve a highly sophisticated method of attack. More could have been done from both process and technology perspectives.

Cyber-security is an area where an individual’s calculus about tradeoffs of convenience and security diverges from decisions that are defensible at the enterprise level. On a personal level, many of us are inclined to trade security for convenience. This is a byproduct of new technology. Dropbox and similar services, for example, are popular because they make certain tasks easier. Taking away “easier” is not easy.

For corporations, however, that calculus is far more difficult. Every sizeable organization faces the problematic tradeoffs, competing considerations, and unintended consequences of trying to contain the flow of sensitive information. Implementing comprehensive data security protocols is genuinely hard, demands distinct domain expertise, and, with the ceaseless advancement of technology, is a job that is never done.