The threat of a cyberattack is ever present on executives’ minds, and cybersecurity is the hot topic in governance circles. The issue facing executives is that many different standards and frameworks regarding cybersecurity have evolved, and each framework tends to be more widely adopted in certain parts of the globe.
Variations in Frameworks
In the U.S., the trust services principles established by the AICPA have emerged. These principles are the backbone of what is commonly known as a Service Organization Controls (SOC) 2 report. The International Organization for Standardization (ISO) is a globally recognized standard setter that has established benchmarks for quality across many different concerns and industries for over 70 years. The European Union has seen the emergence and wide adoption of the General Data Protection Regulation (GDPR). There are other industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS), in play as well.
Not all of these frameworks overlap with one another. There are common themes, but there are also unique characteristics to each framework or standard. As you begin to develop and enhance your own security posture, be mindful of the options available to you.
Considerations for Choosing your Framework
If you have, or expect to have, any formal reporting requirements around security or data protection, take your audience into consideration when selecting a reporting framework. If your customers or regulators are largely based in the U.S., the SOC 2 report would be a good option. If your customers are based internationally, then a standard established by the ISO, or the GDPR, may be a better fit.
For example, Microsoft recently updated their Supplier Security and Privacy Assurance program (SSPA) data protection requirements to align with and consider the elements of the GDPR and other frameworks. Domestic companies with a global reach are also beginning to focus on the GDPR as a gold standard.
The concern over cyberthreats is here to stay. Selecting the framework to measure your security and IT infrastructure should be done carefully, with your audience in mind. Regardless of the framework you choose, begin the process by identifying gaps between your systems and controls and the established criteria in your chosen framework. Then, you can get to work remediating those gaps and building for the future.
© Clark Nuber PS and Focus on Fraud, 2017. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Focus on Fraud with appropriate and specific direction to the original content.