The level of compliance monitoring your organization demands is relative to the count and severity of regulations your organization must operate within. But whatever your compliance mandate, one thing is true: you need to be on top of your corporate governance and a monitoring solution is essential if you want to lower risk and deliver business benefits.
Fortunately, setting up your solution doesn't have to be the most complicated thing you'll do this fiscal year. You can even use a security information and event management (SIEM) solution that you pay for on a monthly basis. It's a simple line item you don't have to worry about managing or hosting on-premises.
But setting up the solution still takes a few steps. Let's jump in.
Regulatory Compliance: 3 Steps to Effective Monitoring
Depending on which regulations you have to work with, you'll need different types of information. In general, though, your solution will be collecting information from somewhere.
Step 1: Find Your Sources
So the first step in setting up your SIEM solution is deciding exactly where those "somewheres" are, says Alex Insley, Twinstate's Unified Defense Strategies technical manager. Are you expecting information to flow in from every workstation? Every switch? Even your anti-malware platform can feed info to your SIEM solution. Determine what your sources are.
Step 2: Define and Format
You really need to be able to sort through all of the information coming in to understand what's most important to pay attention to, as it relates to your mandate. Picking and choosing what's most important and then configuring your platform to prioritize that information is probably the hardest part of setup.
Step 3: Create Alerts
The formatting you just did is necessary in order to create proper alerts. You set your triggers and your alert process. For example, if your Sophos solution finds malicious activity on computer A (assuming you included individual computers in step 1 and "finding malicious activity" as an action in step 2), the system might send you an email. Or you could request a phone call for more severe activity.
This part is up to your discretion, and based on priority. You might want to consider how much time you'll have to respond to each alert. If something is a less serious infraction, is there a way to delay the alert or alert a secondary team member?
If you have hundreds of potential alerts, that can represent a massive amount of work, notes Insley. The amount of work you need to do can be helpful in determining whether or not you need a third-party vendor.
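As an added example that is not part of the original post or Twinstate's tooling, the following Python sketch carries the three steps through code: a fixed set of sources (step 1), normalization of mixed records into one schema with a mandate-driven priority table (step 2), and priority-based alert routing with a delayed secondary-responder path for less serious events (step 3). Every source name, action, host and routing threshold is a constructed placeholder.

```python
# Added example (not Twinstate's code): a tiny SIEM-style pipeline that
# carries the three steps from the post through code. Every source name,
# event record and routing threshold below is a constructed placeholder.
from dataclasses import dataclass
from typing import Optional

# Step 1: the sources we expect events from (constructed list)
SOURCES = {"workstation", "switch", "antimalware"}

# Step 2: normalize heterogeneous raw records into one shape and assign
# a priority reflecting what the mandate cares about most.
@dataclass
class Event:
    source: str
    host: str
    action: str
    priority: int  # 1 = most urgent, 3 = least urgent

PRIORITY = {  # constructed rule table for step 2
    "malware_found": 1,
    "failed_login": 2,
    "port_scan": 3,
}

def normalize(raw: dict) -> Optional[Event]:
    """Drop records from sources not chosen in step 1; map the rest to the schema."""
    if raw.get("source") not in SOURCES:
        return None
    action = raw.get("action", "unknown")
    return Event(raw["source"], raw.get("host", "?"), action, PRIORITY.get(action, 3))

# Step 3: route by priority. 1 -> phone call to the primary responder,
# 2 -> immediate email, 3 -> email delayed to a secondary team member.
def route(ev: Event) -> dict:
    if ev.priority == 1:
        return {"channel": "phone", "to": "primary", "delay_min": 0}
    if ev.priority == 2:
        return {"channel": "email", "to": "primary", "delay_min": 0}
    return {"channel": "email", "to": "secondary", "delay_min": 60}

def process(raw_events: list) -> list:
    """Run all three steps; return (event, alert) pairs, most urgent first."""
    events = [e for e in map(normalize, raw_events) if e is not None]
    events.sort(key=lambda e: e.priority)
    return [(e, route(e)) for e in events]

# Constructed sample feed: the three chosen sources plus one unlisted source.
SAMPLE = [
    {"source": "switch", "host": "sw-core-1", "action": "port_scan"},
    {"source": "antimalware", "host": "computer-A", "action": "malware_found"},
    {"source": "workstation", "host": "computer-B", "action": "failed_login"},
    {"source": "printer", "host": "prn-1", "action": "jam"},  # filtered out
]
```

Running `process(SAMPLE)` yields the malware hit on computer-A first (phone call), the failed login next (email), and the port scan last (delayed email to the secondary responder); the printer record is dropped because that source was never chosen in step 1.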
New York SHIELD Compliance Mandate
In March of 2020 the state of New York enacted the Stop Hacks and Improve Electronic Data Security Act, also known as the SHIELD Act. Compliance with the NY SHIELD Act is mandatory for any company that possesses data on any resident of New York state. Compliance spans three categories of "reasonable security": administrative, technical, and physical safeguards. The requirements you need to meet for each of these categories vary based on the size of your company, which is determined in one of three ways: your total number of employees, your annual revenue, or the total value of your assets. Working with a vendor like Twinstate Technologies to get NY SHIELD compliant can help you stay in line with the law and avoid hefty fines from the Attorney General.
Do You Need a Vendor's Help?
"Whether or not you need a vendor's help is really dependent on the size of the environment," says Insley. "The turnaround time is a big factor in that too. If you need a solution quickly, you need to outsource."
For many organizations, quick turnaround time is necessary because those organizations may be setting up compliance monitoring as a reaction, rather than a precaution.
Another determining factor: the requirements of your regulatory body. Sometimes, auditors enforcing these regulations want an independent third party involved so there is no room for collusion. As IT staff, you're likely to care a lot about the health of your environment. But there are organizations and roles that care only about how their environment looks to everyone else, and that's why the absence of collusion matters to some auditors.
Ultimately, a good compliance monitoring system depends on your setup. Choose your priorities, identify your sources, configure your solution, and create your alerts. And, if you can't do all of the above quickly and without bias, hire a third party to help.