Ole Christian Olsen has more than 10 years of experience in IT security and IT audit. He has experience in cyber security, compliance and regulations, and is certified in CISA, CRISC, COBIT 5, ISO 27001 Implementer, and ITIL. He has worked for major companies in the Netherlands and Norway.
It is important for us to share the point of view of an expert on compliance and regulations. Ole will answer some questions we have prepared for him, and the interview starts with the question below.
What are regulations and why are they important?
Regulations are rules that are enforced by governmental agencies. They are important because they set the standard for what you can and cannot do in business. They make sure we play by the same rules and protect us as citizens. Take, for example, the new privacy regulation in Europe (GDPR): the General Data Protection Regulation protects individuals by stating the rights the individual has and regulating what businesses can do with privacy information.
Is it important to be compliant with regulations?
It is always important to be compliant with the applicable regulations governing your area of business. The degree of compliance is up to each business to decide based on its risk management. Some regulations, GDPR for example, state that you need to have security in the processing of personal information. But what does that mean? Even the regulatory text explains that you need to ensure security according to the appropriate risk. Therefore, every business that processes personal information needs to do its own risk analysis.
Depending on the risk involved and the risk acceptance of the business, appropriate security measures need to be implemented.
What happens if you don’t comply with applicable regulations?
Not complying with applicable regulations can come with a hefty fine. That is something that the business always needs to consider when doing their risk management. In addition to the fines there is always the potential loss of reputation. Who wants to do business with a company that has been all over the news for failing to comply with applicable regulations?
Where do you start? What is the first and most important thing you do to ensure compliance with laws and regulations?
The first thing you should do is to get an overview of what laws and regulations are applicable for you. Applicable laws and regulations depend on the sector of industry that you are in. Some regulations apply to all industries, while others are industry specific. There are also regulations and requirements that apply if you are listed on a stock exchange that would not otherwise apply. Once you have an overview of applicable laws and regulations you can start doing your risk assessments. The outcome of the risk assessments will affect your governing documents like policies and processes. It is through your policies, processes and controls that you later can demonstrate and document compliance with the regulations.
How important is information security these days in relation to regulations?
As our society depends more and more on information and information systems, many regulations these days have requirements for information security. Losing credit card information or health data can be serious for both the company and the people involved. You should, however, not do information security just to comply with regulation, but to protect your assets. Data and information are today worth more on a global scale than oil, and when most of your assets are information, it only makes good business sense to protect it accordingly.
A regulatory requirement may be to have an information security awareness program. If you once a year send out a memo and get employees to sign a document, you can check the compliance box. If you see phishing and social engineering as a threat to your assets, you will do a whole lot more to make sure your employees are aware of and understand IT security risks.
How would you start protecting your information assets?
You first need to become aware of what information assets you have: their value, their criticality and where they are located. These can be categorized by Confidentiality, Integrity and Availability (CIA) and by a criticality of low, medium or high. When you have performed the valuation of the information assets and you have an overview of which information assets are critical, you can start to spend your money protecting the information that is most critical. You don't want to spend a lot of money protecting public information while confidential information lies open on an unprotected server somewhere.
Finding and categorizing all information assets sounds like a great job. Is it possible to get a full overview?
It is potentially a great job. Structured information in databases is relatively manageable, as you know what the database contains, you know where it is located, and you know which systems the information flows between. Unstructured information in the form of documents, files, spreadsheets etc. is another story. Unless you already have a good system set up for categorizing documents upon creation, you have a great task ahead of you. Just getting users to understand what confidentiality means and when documents are public, restricted or confidential can be a problem. A meeting minutes document can be public or confidential depending on its content. There are, however, tools and methods today that can help you get control.
Any last word of advice?
Become aware of any requirements, perform your risk analysis, know your information's value and protect it accordingly. Using software such as Kriptos, which classifies information automatically using Artificial Intelligence and Machine Learning and analyzes the content and context of each document, lets the information security department know the levels of sensitivity, the location, and the critical users and areas of the company. This leads to a better allocation of budgets and tools and will help you save time and money.