First Point: It’s Everyone’s Problem
Ultimately responsible for the operational viability of the firm. The COO must support the CIO and CTO. They must hold every employee to a high standard of protecting the firm’s interests through careful attention and vigilance in upholding the employee code of conduct as it relates to IT Controls. There should be consequences for any lapses. This is a serious matter. The COO is responsible for working with the CFO to get appropriate funding for IT Controls solutions. The COO should also work with legal firms and insurance companies with expertise in IT Security to better understand the impacts to an exposure event.
Responsible for identifying the information needs and identifying critical data required to support decision making within the firm. Also responsible for identifying PII (Personally Identifiable Information) and confidential information which could expose the firm and brand and result in public media, personnel, and regulatory compliance consequences. These consequences could be so grave as to cause the company to cease being viable. Not properly identifying this information and not taking direct and appropriate action to mitigate risks is unacceptable given the current cybercrime landscape and could even be considered criminally negligent.
Responsible for protecting the critical information identified by the CIO through IT security controls implementation and related training. Every effort should be made to automate controls, but training will also be necessary to decrease vulnerability from social engineering attacks.
Employees and Vendors (includes Consultants)
Responsible for following the Employee Code of Conduct as it relates to IT Controls and Security Training. Employee and vendor breaches must be tracked and failure to comply with controls (whether intentional or otherwise) should result in appropriate discipline including termination or legal action. One crack in the foundation is all it takes.
Start with a Plan
Assemble a team that is responsible for creating and maintaining a plan to identify business priorities (aka critical business functions), identify threats to those priorities and document the impacts of those threats, and develop controls to mitigate those threats. There is a cost to mitigation, so that’s why it is very important to understand your specific priorities and their impacts. More money should be applied to the more critical and valuable business functions. Priorities should be re-evaluated on an annual basis and when there is a disrupting event in the economy or industry.
The plan should be supported by the C-team and will be the direct responsibility of the COO, CIO, and CTO (or equivalents) of the organization. Use of an Internal Auditor (in-house or outsourced) is a great way to kick off this process. Use of outsourced full-service IT firms with specialization in cybersecurity implementation and training are also critical to a successful outcome. That said, it is not easy to find the right resources, but they are out there.
Develop a Code of Conduct (Your IT Controls Responsibilities)
Every employee and vendor should be held to a written set of responsibilities and be required to attest to their understanding and acceptance when they are first hired, annually, and for any consequential updates. Acceptable behavior and unacceptable behavior should be laid out in clear language with behavior, impact and consequences clearly related. Impact and consequences are extremely important to enable the reader to fully internalize the importance and necessity of each concept.
It should not be assumed that an employee or vendor will read and completely understand all of the concepts in the Code of Conduct, even if they agree to the terms. Verification through additional training and testing are required to re-enforce these concepts.
Not every employee and vendor will be responsible for EVERY control. Some controls are only relevant to the specific role that the employee or vendor plays in the organization, so there may be a specific section for each role. For example, someone who does not deal with Compliance for Federal Grants on a daily basis would not need to sign off on that particular section; however, IT Security Control areas like “Credentials Use,” “Internet Use,” “Email Use,” “Corporate Owned Devices Use,” etc. would be relevant to all, up to and including the CEO.
In the case of repeated unsatisfactory testing results or a breach of conduct, the event should be recorded and tracked, and the employee and vendor should be provided with remedial education to try to prevent future occurrences. Continuous lack of attention to vigilance will eventually lead to a permanent disposition for that employee or vendor. Limiting the career path or bonus may not be a viable resolution since the employee may become more hostile and become an insider risk to the organization.
Close the Holes (Your Control Break Process)
Top companies are always looking for risks to their organizations’ operations. When they find one, they track it to a satisfactory conclusion as a break in controls; and they take it VERY seriously. Managers are responsible and held accountable for closing all control breaks. All risks are triaged and assigned hard deadlines. There are consequences for managers who do not close control breaks by their deadlines. Since control breaks can indicate a vulnerability, control breaks are held in strict confidence and treated on a need-to-know basis for the resolution team only.
Controls can be technical or non-technical. Here is an example to illustrate how a Control Break Process might work for a technical requirement.
Shari Diamond, CIA