How to evidence your way thru compliance

I’m not usually a fan of nouns being used as verbs.  As Calvin said to Hobbes in Bill Watterson’s wonderful comic strip, “Verbing weirds language”.

I mean, who really ‘dialogues’ with colleagues, or ‘greenlights’ tasks for them to ‘action’?

But there’s one denominal verb (yes of course there’s a word for it) which I find myself using, and that is ‘evidencing’. This is a wonderfully concise way of saying “proving that you do the things you say you do”.

Most people responsible for cybersecurity in an organization would like to think, or hope, that in the current climate, they really try to follow cyber secure practices. They feel confident that their IT Security Policy details everything they need to run a secure infrastructure environment. And they might even think that everyone has read the policy and is of course following it to the letter.

The thing is, it’s all very well having a policy in place, but it won’t cut the mustard if it doesn’t detail your specific setup. It also won’t do much for you if you cannot prove or show that the policy is actually being followed. Otherwise, your policy is not much more than a set of aspirations that you may or may not be living up to.

In other words, a cybersecurity policy is certainly not proof that everything is running within your risk comfort zone.

If your organization is even considering some kind of certification, preparing for an audit, or creating new policies, it’s not enough to ask whether each policy rule is relevant. You need to ask yourself how you can prove to a third party that you are properly verifying and logging your security-related activities and the results. 

For instance, in most IT Security policies, there’s a requirement that users lock their screens when they leave their desks. Needless to say, it’s necessary for ISO 27001 compliance.

Let’s not get into why it’s a sensible policy. The question here is this: how can you ‘evidence’ this without installing cameras everywhere? Maybe you could have pressure sensors on seats? Or subcutaneous GPS trackers? It’s a veritable moral and legal minefield!

But how about this: A member of the IT or security team takes a daily walk round the office and notes who has left their screen unlocked. They report the result and appropriate remedial action is taken. The whole process is securely logged, so when someone needs to audit the who, when and where, it’s easy to do so.

This process ‘evidences’ the steps you take to ensure that the policy is adhered to, and it also shows that the situation is quickly addressed by IT when the result of a check is not at an acceptable risk level.
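One way to make the walk-round log hold up under audit is to record each observation as an append-only entry chained to the previous one by a hash, so a silent edit to any earlier result breaks every link after it. The Python below is an added illustration, not code from the original post or from TBG Security; the field names, the `it.checker`/`it.lead` identities and the sample observations are all constructed for the example. It records checks and the remediation that closes a failed check, answers the “who, when and where” question, and shows how a tampered entry is detected.

```python
import copy
import hashlib
import json

# Anchor for the first entry in a chain (no predecessor).
GENESIS = "0" * 64


def _digest(entry):
    """SHA-256 over every field except the entry's own hash, serialised canonically."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _append(log, entry):
    """Link the entry to the previous one and seal it with its digest."""
    entry["prev"] = log[-1]["hash"] if log else GENESIS
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def record_check(log, ts, checker, desk, user, screen_locked):
    """One observation from the daily walk round: who checked, when, where, and the result."""
    return _append(log, {"type": "check", "ts": ts, "checker": checker,
                         "desk": desk, "user": user, "screen_locked": screen_locked})


def record_remediation(log, ts, by, check_hash, action):
    """Follow-up on a failed check, linked back to the check it closes."""
    return _append(log, {"type": "remediation", "ts": ts, "by": by,
                         "check": check_hash, "action": action})


def verify_chain(log):
    """Return -1 if every link and digest holds, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.get("prev") != prev or _digest(e) != e.get("hash"):
            return i
        prev = e["hash"]
    return -1


def open_failures(log):
    """Failed checks that no remediation entry has yet closed."""
    closed = {e["check"] for e in log if e["type"] == "remediation"}
    return [e for e in log
            if e["type"] == "check" and not e["screen_locked"] and e["hash"] not in closed]


def tampered_copy(log, index, field, value):
    """Deep copy of the log with one field silently altered, to show the chain catching it."""
    bad = copy.deepcopy(log)
    bad[index][field] = value
    return bad


def build_sample_log():
    """Constructed sample: one walk round, one unlocked screen, one follow-up (hypothetical names)."""
    log = []
    record_check(log, "2020-03-02T09:05:00Z", "it.checker", "desk-12", "alice", True)
    unlocked = record_check(log, "2020-03-02T09:06:30Z", "it.checker", "desk-14", "bob", False)
    record_check(log, "2020-03-02T09:08:00Z", "it.checker", "desk-15", "carol", True)
    record_remediation(log, "2020-03-02T11:00:00Z", "it.lead", unlocked["hash"],
                       "spoke to user; reminded of screen-lock policy")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) == -1)
    print("open failures:", [e["user"] for e in open_failures(log)])
    forged = tampered_copy(log, 1, "screen_locked", True)
    print("first bad entry after tampering:", verify_chain(forged))
```

The same record shape works for any policy point you can observe and count; only the `type` and the result fields change. One caveat: a hash chain proves nothing about entries removed from the end, so publish the latest hash somewhere the log’s editors cannot reach (a ticket, a signed email to the auditor, a separate system) if you want truncation to be detectable as well.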

OK, so now all you need to do is repeat this for every policy point that you can consider in quantitative terms. Yes, it will be a big job, but when you’ve got your evidencing in place, you can prove to yourself, and to anyone, exactly what you do to prevent bad things from happening:

  • you take appropriate steps to protect data and systems
  • you have the procedures in place to get back to normal as quickly as possible
  • you can provide forensic evidence needed for the insurers and law enforcement, if and when required

All you need to do is read what happened to the city of Baltimore when it got hit with a nasty piece of ransomware to find out why it is important for the person responsible for cybersecurity to keep detailed records of activities.

Just last May 7, the government computer networks of the city of Baltimore were infected with the RobbinHood ransomware, and malicious hackers demanded that a ransom be paid for the safe recovery of encrypted files on the city’s affected computers and servers.

They demanded in the region of $70,000, but Baltimore Mayor Bernard C. “Jack” Young refused to pay. The city ended up paying $18.2 million to address and rectify the problem and the person responsible for security got the proverbial boot. Why? Their backups were incomplete and they had no procedure for this kind of attack, so there was no way of knowing that when they confidently told the attackers where to go, they had everything in place to make a straightforward recovery.

The story beggars belief, but also shows the importance of evidencing, and how it can protect the IT person. Log your evidence and audit your logs. That way, you’ll always know where you stand.

Want to discuss more on evidencing? The experts at TBG Security are here to help.
