Manage Compliance Risks and Implement Controls

Learning Objectives

After completing this unit, you’ll be able to:

• Describe a cybersecurity compliance analyst’s role in mitigating, accepting, and transferring compliance risks.
  
• Identify how to document and implement cybersecurity compliance controls.
  

Mitigate, Accept, and Transfer Cybersecurity Compliance Risks

Let’s look at three main tasks in managing cybersecurity compliance risks: mitigate, accept, and transfer. 

Maddy is a cybersecurity compliance analyst at a cloud computing provider that services nonprofits, foundations, financial corporations, education institutions, healthcare organizations, and religious organizations. Part of her job is to document and track cybersecurity compliance risks and nonconformities associated with her company’s software as inputs to the organization’s overall risk management program. She then communicates these cybersecurity compliance issues to internal and external stakeholders in a consistent and repeatable way. For each risk she identifies, she helps inform the decision of whether to mitigate, accept, or transfer it. Let’s take a look.

Risk Mitigation

Risk mitigation involves reducing risk by applying security controls. Maddy starts by pinpointing potential weaknesses in her company’s software and helps the organization take proactive measures to minimize them. Some examples of ways she mitigates cybersecurity risks and remains compliant with applicable regulations, standards, and policies include keeping software up to date, installing anti-virus protection software, and backing up critical data.

Maddy is reviewing the compliance posture of the cloud computing software her company provides to a corporation in the financial services industry. She knows that the company is required by the Payment Card Industry Data Security Standard (PCI DSS) to implement multi-factor authentication (MFA) for remote logins to the cardholder data environment. If the company doesn’t implement this control, there’s increased risk that a malicious actor can compromise a legitimate user’s username and password, and gain unauthorized access to payment card data. To mitigate this risk, Maddy works with the identity and access management team to ensure the software requires users to log in remotely by accepting an authentication request received on their mobile device, in addition to supplying their username and password. She has now mitigated this compliance risk and made the technology more secure in the process. 

As illustrated in this example, a key part of Maddy’s job as a cybersecurity compliance analyst is to improve cybersecurity compliance by recommending security control solutions to remediate identified gaps. When she identifies gaps, she documents the gap as a finding, and collaborates with a responsible party, or finds an owner, within the security team to monitor and report on the status of remediation of any gaps. Additionally, she works with vendors and business units to improve their cybersecurity posture according to her organization’s standards. 

Maddy also formalizes mitigations by creating or reviewing policies to document compliance activities and controls. These documents serve as the foundation for any internal or external audits. She works with system owners to create, review, and validate a plan of action for each noncompliant control to detail a course of remediation and track the issue to closure. Ensuring proper documentation of control deficiencies, as well as documenting waivers and exceptions to any controls, helps ensure all parties explicitly understand decisions made around cybersecurity compliance risks.  

Risk Acceptance

Risk acceptance indicates that the organization is willing to accept the level of risk associated with a given activity or process. Generally, but not always, this means that the outcome of the risk assessment is within the limits of tolerance the organization has established. There may be times when the risk level is deemed high, but the organization will still choose to accept the risk because all other alternatives are unacceptable. This may be because the organization does not have the resources or time to resolve the risk, or the cost of the control exceeds the impact of the risk actually occurring. 

Let’s revisit our example of PCI requiring MFA for employee remote login to the cardholder data environment. Maddy knows that a small subset of employees work in a call center location where the authenticator app does not work because there is no cell service. In this case, the organization decides to make an exception to allow these users to authenticate using just a username and password. In the meantime, Maddy works with the call center’s information technology (IT) department to investigate alternative MFA solutions and to propose a recommended mitigation to be implemented at a set time in the future. The organization has accepted the risk for now, with justifications as to why, but documented the steps to mitigate the risk at a specific date in the future. 

Maddy knows that exceptions should always be brought to the attention of management and authorized by either the executive management or the board of directors. She documents this decision process and provides assurances to internal and external stakeholders about how the risk has been accepted and how it may be mitigated down the road. 

Risk Transference 

This involves transferring the risk to another entity, such as by buying insurance, or outsourcing a function to a third-party vendor. In our example, Maddy recommends that the financial institution buy some cybersecurity insurance to protect itself against loss in the case that the call center employees who are currently noncompliant with PCI login procedures for remote access have their credentials compromised, resulting in a breach that incurs financial penalties for the bank. 

Implement Cybersecurity Compliance Controls

As mentioned, in order to mitigate risks, Maddy assists the organization in developing a comprehensive set of security controls to support the implementation of a cybersecurity compliance program. A security control is a safeguard or countermeasure designed to protect the confidentiality, integrity, and availability (CIA) of an information asset or system and to meet a set of defined security requirements. They include:

• Management security controls, such as verifying that cybersecurity policies are documented and disseminated.
  
• Operational security controls, such as change management procedures for firewall rules.
  
• Physical security controls, such as requiring an identification badge for access to a facility or system.
  

As a cybersecurity compliance analyst, Maddy can help the organization think through which controls are necessary for compliance and which make business sense to prioritize. She reviews, tests, analyzes, and reports on the effectiveness and state of controls. She also educates and informs the IT team about how new and existing regulations can affect the business. Maddy knows that when the compliance and IT departments work together cohesively, the result is a robust cybersecurity ecosystem that thoroughly protects sensitive data.

Knowledge Check

Ready to review what you’ve learned? The knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the matching term on the right. When you finish matching all the items, click Submit to check your work. To start over, click Reset.

Great work! In the next unit, you learn more about how cybersecurity compliance analysts detect changes in their organization’s cybersecurity compliance posture.

Resources

• PDF: Payment Card Industry (PCI) Security Standards Council: Data Security Standard
  
• PDF: National Institute of Standards and Technology (NIST): Managing Information Security Risk 
  
• External Site: CSI Web: Practice Cyber Hygiene with 6 Basic CIS Controls 
  
• External Site: SANS: Realistic Risk Management Using the CIS 20 Security Controls