Enterprises Should Be Vigilant Over Data Security
Is it possible for an astrophysicist to be too smart? Or for a sprinter to run too fast? Like a star-gazing mathematician, companies simply can’t have data that’s too secure or impervious to intrusion. While most companies take data security with a proper dollop of both caution and care, the modern environment makes data security much like your high school geometry class -- show your work or it doesn’t count.
As usual, your friends at Embark have a few thoughts on the subject that can help you satisfy even the harshest auditor’s stare. It’s not enough for enterprises to steel themselves against the unsavory rapscallions desperate to grab hold of their customer data or proprietary assets. In such a heavily regulated environment where compliance demands seem to grow by the day, companies must also be able to demonstrate their adherence to the various data security standards imposed on them. Auditors are trained to have an extremely discerning eye so, with a few tips from Embark to lead the way, your enterprise’s data security efforts can be both effective and satisfactory to regulators.
An Audit Trail as Wide as the Interstate
So how exactly does an enterprise protect itself, its data, and assets while demonstrating the thoroughness of its efforts to an auditor and, thus, the regulators? Through a meticulous audit trail that’s wide enough for an 18-wheeler to go barrelling down its lanes, of course. Like that geometry class, your audit trail is proof of your work that satisfies your auditor and keeps you in compliance.
That audit trail needs to be comprehensive and provide total transparency, detailing every action of your staff, particularly those that deal with sensitive customer, financial, or investor data. The monitoring software you implement should track every website, file, screen grab, printed document, application, or anything else involved with information subject to compliance standards.
Likewise, those same tools should continually monitor your systems for intrusion by external entities. Such a comprehensive approach, tracking both internal and external forces, is a company’s best weapon to bolster data security and provide auditors the verification they need to confirm your compliance.
Communicate Best Practices
Of course, your first line of defense is to communicate sound data practices to your staff. Once you have established adequate policies and procedures to strengthen your data security, you should adopt the proper training and communication channels to continually keep your team abreast of those policies and, just as importantly, changes you implement to keep pace with a dynamic security environment.
We often like to refer our clients to a specific platform that does exactly this. Acadia Performance Platform provides assistance to help you manage policies, procedures, and other job aids. In addition to tracking compliance, Acadia empowers you to easily train your staff by converting procedures into task lists.
Combine those efforts with the necessary controls to ensure compliance. Between the two, you are training your employees on an ongoing basis while creating a transparent framework that establishes the visibility an auditor needs to verify your data security compliance. Furthermore, that two-headed approach that includes training and monitoring can help your enterprise address specific regulatory requirements concerning data security.
Satisfying Compliance Requirements
Speaking of regulatory requirements, a comprehensive system like the one we’ve described will help satisfy some of the various federal mandates regarding data security.
- Gramm-Leach-Bliley Act: The GLBA explicitly requires the active monitoring of your workforce with regard to sensitive, personally identifiable financial information that is not available to the public. As previously stated, software solutions can track the actions of your employees and even use analytics to identify and analyze subtle activity, spotting trends and detecting threats before they have a detrimental impact.
- Dodd-Frank: Dodd-Frank might not be as specific as GLBA, but it does mandate processes, policies, and technology be put in place to keep financial data from unauthorized disclosure. The regulation also gives security teams sweeping powers to monitor activity in the case of such a disclosure, placing a formidable microscope on any suspicious activity that can immediately trigger a notification to the proper authorities if even a suspected breach occurs.
- Sarbanes-Oxley: SOX is even less specific than Dodd-Frank but does require an annual internal control report that can encompass user activity to detect fraud and other unscrupulous activities. Utilizing effective monitoring software is a convenient yet impactful way to make sure your enterprise maintains sufficient transparency into user actions to adequately assess the state of controls. Such systems can be instrumental in demonstrating compliance relative to SOX and other regulatory requirements.
Granted, there are several other federal mandates in place to help ensure data integrity, particularly as it relates to sensitive financial information, or personally identifiable information (PII), but Embark is quite sure you get our point by now. Companies need to establish effective data security policies and procedures while also making sure they cover their backs. Technology can be a powerful tool in helping you develop accurate monitoring systems that track user actions and protect against external threats, and we at Embark are experts in identifying the best tools for your environment.
Likewise, Embark can help you check the effectiveness of your controls to provide yet another tool in the battle for data security. Yes, in a perfect world, such measures wouldn’t be necessary. Unfortunately, this isn’t a perfect world, but with help from technology and your friendly experts here at Embark, your enterprise will always rise to the top, no matter how meticulous an auditor might be.