Do we really need a standard?
When you’re thinking of adopting a standard, it’s essential to consider and evaluate also possible alternatives. For instance: the standard can be compared with best practices or guidelines, or maybe scientific papers. Several Standardisation Bodies exist and organisations must choose which one to follow. The content of a standard can be relevant, but may not be enough for application in the ‘real’ world. Multiple standards, from several Standardisation Bodies, can be applied and they need to be integrated into an ecosystem. A sense of balance is required. Evaluate the benefits carefully and proceed adopting all the Standards that appear appropriate, exploring also benefits to similar operational areas of the company. Sometimes business partners are setting constraints in adopting Standards. Take for instance insurance companies, which are covering cyber risk. They might require that companies follow a specific standard, unless of legal implications.
An issue of trust
Adopting a standard facilitates Trust. There are multiple standardisation bodies. The next question is: What body or authority can I trust completely? If what you are thinking of adopting is not considered a real standard, please be careful in evaluating all the possible implications. It’s not enough to declare, “Hey, it’s a very good practice, well known, adopted by a large community of users, therefore it will be very good for my business,” because there might be legal implications. Again, ISO is a great place to start.
Why are standards important?
“Houston, we’ve had a problem!” – The first question that arises is “what to do now?” Here is where a standard gets in the game.
When dealing with an emergency, for example privacy violation, data breach or an incident, such as an intrusion or online fraud, time is a critical variable.
We need to be reactive and we need to understand the parameters of the emergency. We need to understand what to do, and then we need to timely take action. Standards assist in formulating appropriate action.
There are several other benefits to adopting robust standards. First, simplification. If we have the time to review a process, to identify what was done well, what can be improved, and to develop or fine-tune plan and policies then the process can be simplified. Reducing encumbrance helps streamline an efficient data breach response plan. Dealing with cyber security incidents using a simplified process is of paramount importance as over-engineered processes are never efficient. Using accepted standards thus leads to an improvement in the quality of the process and the products. There will be an overall reduction of cost, reduction of errors both human and procedural. Then of course there will be mitigation of the risk, because of course if you have a standardised process, you can identify risk and maybe you can measure and mitigate it with external actions.
Standards allow for advanced preparation and can reduce reaction time by helping organizations develop standardised operating procedures and convert them into actionable playbooks.
Standards in real world
Now let’s focus on cyber security, and try to understand – what are the 3 main areas where standards might be useful?
First of all, privacy regulations and directives. We know that there are lots of different regulations, for example HIPAA, NIS Directive and the new EU General Data Protection Regulation (GDPR). Those are the three important standards that might help you in standardising how privacy issues are managed by your company.
In the last 36 months, five standards have been issued by ISO in data breach response and forensics, which can be useful for businesses. These standards help us answer 4 questions:
- What data is exposed? This helps us to understand quickly the data which have been breached.
- How can I prioritise my data breach response? The standard will be able to tell me about the important steps I must prioritise to reduce the data breach response time.
- How can I contain the damage? When a breach has occurred, I need to preserve the rest of the resources, our data, identify any assets which were compromised, and so on.
- Share information with other external organisations.
In each of these 4 areas, you can find standards which provide practical support for the decision making process.
Hey, an actionable data breach response plan is what we need
One of the most effective way of building a data breach response plan is using standards which facilitates the identification of the most appropriate and effective course of action, to resolve the breach or incident. Course of actions, while implemented in technological tools evolves into the development of Playbooks. Organisations don’t want to rely on theory alone, as privacy professionals we want to have actionable items that can be converted into a data breach response plan, in other words a set of concrete actions performed by the different operators. For instance, in some countries it’s important to send notification to regulatory bodies after a privacy violation. Before dispatching the information, it is important that somebody in the company gives the green light to proceed with contacting the external party. It’s very important to have practical, actionable information that can be attached to the playbook.