An important goal of the proposed Cybersecurity Enhancement Act of 2009 is to foster improved collaboration between federal agencies and the private sector. This is a critical working relationship, given the private sector owns the vast majority of the country’s critical infrastructure.
But the proposed legislation also calls for developing a trained and certified cyberworkforce, promoting cybersecurity education and funding research for emerging security technologies. This bill clearly represents the dawning of a new era in cybersecurity programs and compliance.
While compliance officers are hardly facing extinction in this new era, they will have to rethink the role they play in managing their organizations’ cybersecurity programs. In doing so, they may discover they need to re-engineer a few core compliance initiatives in order to better support key cybersecurity programs.
One of those initiatives is technical auditing. Just about every cybersecurity program needs to be audited for its effectiveness in using technology to deter, detect and prevent cyberattacks. Compliance officers need to ensure that their audit processes incorporate skills, tools and technologies that can effectively assess an organization’s cybersecurity measures.
Another important initiative typically involves end-user training. Many compliance officers worry about backdoor attacks, but that is wasted worry if the front door is wide open. We may fear cyberattacks more, but data breaches or data destruction caused by insiders are just as harmful. Compliance officers should ensure that their security awareness programs continue to operate.
A third initiative has to do with continuous monitoring. This is where compliance officers need to take firm control. With new technical tools emerging for infrastructure monitoring from developers such as ArcSight Inc., Foglight and Guardium Inc., compliance officers need to understand the events and alerts these tools generate, along with their relationship to their internal controls.
Many of these technology vendors provide reporting capabilities that map these alerts to a control catalog such as NIST SP 800-53, enabling compliance officers to broaden their continuous monitoring horizons.
Lastly, an important initiative compliance officers need to think about involves system security plans (SSPs). In the public sector, SSPs are viewed more as compliance tools rather than cybersecurity tools because these documents can be tedious to manage and rarely reflect the reality of what security measures are implemented.
But it is unfortunate to think that an organization could launch a cybersecurity plan without appropriately documenting and reviewing it first. So why not make these SSPs real, usable and in sync with cybersecurity strategies and technologies?
There are many other areas of compliance that could be improved to better support an organization’s cybersecurity initiatives. The two need to live in harmony because at the end of the day, when the cybersecurity bill is passed, compliance officers will be responsible for complying with it.
Meenu Gupta, CISA, CISM, CISSP, CIPP is president of Mittal Technologies Inc. and specializes in IT solutions engineering and IT security architecture development. Gupta consults with the U.S. government and teaches at the University of Maryland University College.