For businesses that serve government entities and departments, the National Institute of Standards and Technology (NIST) implemented sweeping changes to standards on data security compliance at the end of 2017. But very few companies are in compliance, and when the government enforces these standards it may be too late to catch up.
Data security is a critical priority for any business that deals with sensitive client or financial data (which is pretty much any business). Government contractors and the financial services industry may be hit first with stringent compliance standards, but it’s only a matter of time before all companies experience this necessary response to increasing cyber crime and data breaches.
One way to begin improvements in data security controls is through either an internal, annual audit or through vulnerability analysis by an objective and experienced third party. By testing for vulnerability in data sharing and security, you can begin to take steps toward cost-effective management of sensitive data — protecting your clients and your business opportunities through documented and practiced compliance measures.
Here are some of the first steps to take when evaluating the risk in your current cybersecurity policies and procedures:
- Review all organizational cybersecurity policies, procedures, guides and standards;
- Conduct interviews with key stakeholders to confirm activities that are actually taking place to satisfy cybersecurity controls;
- Determine if personnel roles and responsibilities for cybersecurity are defined and properly assigned to those who have the skills and authority to maintain these controls;
- Use the organization’s cybersecurity objectives and documented security policies and procedures to establish cybersecurity control audit testing procedures;
- Review all controls that have a manual component (e.g. user email account management, regular application updates) as well as system controls (e.g. firewalls, antivirus, data encryption); and
- Based on vulnerability analysis and established testing, create a plan to regularly test and update the cybersecurity controls so they can evolve with business needs as well as required industry compliance standards.
There are, of course, other items to consider when evaluating your company’s internal controls and operational risks. Take time for some spring cleaning. Discuss how your financial and tech team can collaborate more on data security risk controls, then contact Anglin Reichmann Armstrong for additional guidance on IT Advisory, Audit and Assurance services or Government Contractor compliance.
Read more about Anglin’s IT Solutions and NIST Advisory