The importance of assessing the role of standards has become even more urgent, given that five standards aimed at providing practitioners and evaluators with a series of consensus based guidelines that support cyber security operations and data breach response have been published by the ISO within the past 36 months. As one of the Co-Editors of those standards, I thought it might prove useful to provide some insight into how best small, medium and large enterprises can implement those standards. An overview of the available technologies that allow organisations to automate and orchestrate incident management and data breach response plan may also be valuable.
It’s important that data privacy and information security professionals understand exactly what the standards are and the potential advantages of adopting standardisation approaches, ISO is a wonderful example to start from.
The literature describes technical standards as norms or sets of requirements regarding technical systems. Standards are officially proposed by authority, custom or general consent as a virtuous model and are also known as “de jure standard”. In all cases the standard defines engineering requirements, specifications, methods, test criteria, processes, standard operating procedures (SOP), definitions and guidelines. On the other hand, a custom convention, good practice or methodology can be proposed by a Community, to become a different flavour of standard, also known as “de facto standard”, which is growing its strength by adoption.
However, it’s important to note that specific standards should not be seen in isolation from the wider framework they refer to, standards can be related to each other across a wide spectrum. This is extremely evident in the ISO approach. Typically, they create a well-structured hierarchy. When adopting a standard be aware that you’ll have to look around, because there may be implications as far as related standards are concerned.
It takes a community
However important these processes are, the authoritative support of the Standardisation Bodies and the effectiveness of standards lies in the consultative process and the contribution of Communities of Experts (Technical Committees) and end users. It’s this process that makes standards such powerful tools for organisations. The validation of standards and the approval process is under the auspices of subject matter experts (SME) who bring vast, real world experience to the process, ensuring that standards are effective and can be applied in actual operational environments, but it’s the communities that make use of the standards that inform and drive adoption, providing feedbacks through formal processes (e.g. RFC).
The application of standards in the real world is not simply the result of policies that trickle down from a Standardisation Body, at least not in isolation. The usefulness of a set of standards sometimes comes about through a process of adoption by a wider community. For example, the de facto standards are usually originating from procedures, policies, informal processes, practical experience and a series of suggestions from real users; in most of the cases they are proposed and pushed by a big community, becoming a trend – eventually something like a best practice or a guideline. It’s not a process that is driven exclusively by an official Standardisation Body. It can be proposed by the community, leveraging a trend and in some cases this dramatically increases the usefulness and adoption of these standards.
Do we really need a standard?
When you’re thinking of adopting a standard, it’s essential to consider and evaluate also possible alternatives. For instance: the standard can be compared with best practices or guidelines, or maybe scientific papers. Several Standardisation Bodies exist and organisations must choose which one to follow. The content of a standard can be relevant, but may not be enough for application in the ‘real’ world. Multiple standards, from several Standardisation Bodies, can be applied and they need to be integrated into an ecosystem. A sense of balance is required. Evaluate the benefits carefully and proceed adopting all the Standards that appear appropriate, exploring also benefits to similar operational areas of the company. Sometimes business partners are setting constraints in adopting Standards. Take for instance insurance companies, which are covering cyber risk. They might require that companies follow a specific standard, unless of legal implications.
An issue of trust
Adopting a standard facilitates Trust. There are multiple standardisation bodies. The next question is: What body or authority can I trust completely? If what you are thinking of adopting is not considered a real standard, please be careful in evaluating all the possible implications. It’s not enough to declare, “Hey, it’s a very good practice, well known, adopted by a large community of users, therefore it will be very good for my business,” because there might be legal implications. Again, ISO is a great place to start.
Why are standards important?
“Houston, we’ve had a problem!” – The first question that arises is “what to do now?” Here is where a standard gets in the game.
When dealing with an emergency, for example privacy violation, data breach or an incident, such as an intrusion or online fraud, time is a critical variable.
We need to be reactive and we need to understand the parameters of the emergency. We need to understand what to do, and then we need to timely take action. Standards assist in formulating appropriate action.
There are several other benefits to adopting robust standards. First, simplification. If we have the time to review a process, to identify what was done well, what can be improved, and to develop or fine-tune plan and policies then the process can be simplified. Reducing encumbrance helps streamline an efficient data breach response plan. Dealing with cyber security incidents using a simplified process is of paramount importance as over-engineered processes are never efficient. Using accepted standards thus leads to an improvement in the quality of the process and the products. There will be an overall reduction of cost, reduction of errors both human and procedural. Then of course there will be mitigation of the risk, because of course if you have a standardised process, you can identify risk and maybe you can measure and mitigate it with external actions.
Standards allow for advanced preparation and can reduce reaction time by helping organizations develop standardised operating procedures and convert them into actionable playbooks.
Standards in real world
Now let’s focus on cyber security, and try to understand – what are the 3 main areas where standards might be useful?
First of all, privacy regulations and directives. We know that there are lots of different regulations, for example HIPAA, NIS Directive and the new EU General Data Protection Regulation (GDPR). Those are the three important standards that might help you in standardising how privacy issues are managed by your company.
In the last 36 months, five standards have been issued by ISO in data breach response and forensics, which can be useful for businesses. These standards help us answer 4 questions:
- What data is exposed? This helps us to understand quickly the data which have been breached.
- How can I prioritise my data breach response? The standard will be able to tell me about the important steps I must prioritise to reduce the data breach response time.
- How can I contain the damage? When a breach has occurred, I need to preserve the rest of the resources, our data, identify any assets which were compromised, and so on.
- Share information with other external organisations.
In each of these 4 areas, you can find standards which provide practical support for the decision making process.
Hey, an actionable data breach response plan is what we need
One of the most effective way of building a data breach response plan is using standards which facilitates the identification of the most appropriate and effective course of action, to resolve the breach or incident. Course of actions, while implemented in technological tools evolves into the development of Playbooks. Organisations don’t want to rely on theory alone, as privacy professionals we want to have actionable items that can be converted into a data breach response plan, in other words a set of concrete actions performed by the different operators. For instance, in some countries it’s important to send notification to regulatory bodies after a privacy violation. Before dispatching the information, it is important that somebody in the company gives the green light to proceed with contacting the external party. It’s very important to have practical, actionable information that can be attached to the playbook.
Adopting a standard doesn’t mean just methodology understanding, it also implies testing. Every time that you adopt a standard, it helps to identify also documentation on how to test the real-world application of that standard. There are the test procedures, there are the expected outcomes, and there are remediation actions. If you test it, you know exactly what to do if something goes wrong. The simple fact of the matter is that standards need to contribute to an actionable plan – if they don’t they’re useless. Think about these questions “Hey, this is amazing, but what does it mean in reality? Which goals can I achieve with this stuff? How good are these goals? How can I measure the results”. If you are not able to find appropriate answers through the adopted standard, that’s not a successful implementation of a standard. Once again therefore using standards from a reputable body is of paramount importance.
What do organisations need to do?
You need to prepare a plan. You need to ensure that the data breach response plan can be summarised in a specific sequence of actions and reactions to be performed by dedicated teams in order to produce results. If you cannot build a plan then you’re not adopting a standard successfully. It’s important that privacy professionals ensure that they are doing everything possible to make sure that their organisations are prepared for the worst-case scenarios in order to avoid breaches, and of course to preserve and defend corporate assets.
Next, you need to test your data breach response plan! Responding to a breach or privacy violation is a matter of continuous learning in a trial-tune-and-repeat methodology.
Finally, you need also dedicated technology to help you track and execute your plan. Too many times organisations are focused on identifying standards, building auditable processes, fully compliant with regulations and at end of the day they fail in rolling them out to “real life”, which is the business as usual. Adopting a specific incident response platform to foster execution of your action plan is critical to your success. An immense plus is when this platform has been tailored by design on relevant standards in data breach and privacy violation response.
Implement standards for your data breach response plan
Data breaches are growing day by day and even the largest companies, with all the countermeasures fall prey to data breaches. You need to plan, prepare, and test your data breach response plan. Adoption of standards can strongly facilitate achieving effectively all these goals, securing the legal implications.
The real benefit of adopting a standard lies in leveraging the experience of other professionals who have studied and worked in the same area where you are facing issues.
Implementing a standard will help your organization meet its contractual obligations and allow you, and your organisation to emerge from a threat situation as strong, if not stronger than when you went in.
In a sentence “Standards help you react faster, better and compliant with regulations, to protect your privacy and data”.
Last but not least, remember, fighting with breaches there are only two possible answers: to win or….to learn!