Considering legal regulations, investigations, and compliance structures
In information security, there is some red tape, and there are regulatory structures, that can be tricky to navigate or stressful to be a part of. When we consider compliance, in terms of regulatory and legal requirements, audits, questionnaires, and responsibilities, it might seem like an entirely different job in itself. Oftentimes, organizations aren't going to have somebody who is focused entirely on those compliance structures, and as a result, you are going to need to feel comfortable navigating them, potentially more than anybody else in the organization.
I would like to discuss how these structures will be a part of your day-to-day responsibilities, and how we can leverage the predefined requirements to determine an acceptable level of risk for our organizations. Furthermore, before we conclude this section, I would like to highlight the importance of continual improvement as a requirement for compliance, and how this requirement enables optimization to be a key focus for you and your team.
Something that we need to cover is the information security team's role in understanding the requirements for your organization's information security program. These could come from governmental authorities and legislation or from certification bodies. For some standard examples, a huge share of organizations are responsible for complying with privacy regulations and acts when it comes to processing the personal data of individuals. There are hundreds currently in place globally, and there will be even more by the time you are reading this book. For a few examples of privacy regulations, we can look at the following:
- The General Data Protection Regulation (EU) (EU GDPR)
- The Children's Online Privacy Protection Act (COPPA)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The California Consumer Privacy Act (CCPA)
Most of the privacy regulations have a focus on transparency when it comes to processing Personally Identifiable Information (PII) or Protected Health Information (PHI). Some are focused on young people, while others are focused on people in specific jurisdictions, such as California, Brazil, or the EU. Most of them will require you to give your data subjects the ability to review and revoke access to any personal data that is being processed by your organization, as well as requiring your organization to be open about how and where the information is being processed, and by whom.
In addition to those governmental compliance requirements, there are standards offered by bodies such as the International Organization for Standardization (ISO), which aim to create a baseline of minimum viable levels of information security. These could include standards such as ISO 27001 (which we've briefly mentioned already), which focuses on how to manage information security, or ISO 27018, which provides a code of practice for cloud privacy, and so on. Generally, organizations that comply with the requirements set forth in a standard can be audited by a third-party certification body, and certifications or accreditations can be earned for compliance with the requirements of that standard.
These certifications are highly valued by customers (both potential and existing) and partner companies, especially in the Business-to-Business (B2B) world, as a testament by a third party that the minimum baseline of security at the organization has been achieved. Many organizations that sell their SaaS to other businesses, for example, will show that they hold an ISO 27001 certification from a certification body such as the British Standards Institution (BSI), Deloitte, or a similar consulting firm. The various standards have different purposes and suit different organizations.
In order to stay on top of all the requirements, it's highly valuable to use a structured solution to catalogue any and all requirements at your organization, and to report quickly on the current compliance of your environment. Changes to these regulations can occur on a daily basis, and depending on your organization, keeping up to date could require a globally distributed team of people working full time, translating legal requirements into a single compliance requirements matrix, which is then internally audited by the organization. At the time of writing, there are over 200 updates per day from 750 regulatory bodies.
There are many software solutions that are currently offered by various suppliers. Essentially, what they do is simplify your compliance management process by providing automated and continuous assessment scans through your environment(s) to monitor your data protection controls, as well as giving you the functionality to assign tasks and record progress against each requirement. The tools may give you recommended actions and instructions for how to implement controls that improve your compliance posture, and map your existing controls to any new requirements in the evolving compliance landscape. Large organizations are continually being exposed to compliance risk, which could spell millions of dollars/euros/pounds per year being lost, so paying for a tool such as this makes sense for many businesses.
Understanding legal and regulatory requirements
A lot of the requirements in regulations or standards are not exactly the type of thing a software solution is even able to automatically track. How could a software solution know if you, for example, turn off access to all accounts and services during the exit interview of an employee that is leaving the company? Keeping on top of how your organization actually manages the various compliance requirements often requires working with every team in your organization. Yes, this does include legal and HR teams, and will include doing internal audits to ensure your organization does what it says and says what it does.
All these controls are relevant to your information security program and should be documented and reviewed with updates on a regular basis. When I say on a regular basis, you can take that however you want, but keep in mind what the compliance requirements are for your organization. Some standards require proof of annual review and updates to policies and controls, for example.
So, imagine that the employees at The Ketchup Company are on a bit of a hot streak, and they have managed to move what turned out to be a huge amount of PII into the cloud. Some of the data subjects are EU citizens, while others are based in California, and as a result the lead-up to this migration has included determining the following:
- The type of processing and storage that was being done
- The reasons for this processing and storage
- The basis for which they were legally allowed to process and store the data
- Updates to privacy policies and documentation
- Notifying the data subjects regarding the change
Most of the data subjects were probably surprised that their favorite ketchup company held data on them, but in this data-driven society, it would be irresponsible for The Ketchup Company to not understand their customers.
A few of the data subjects decided they didn't want their data being stored by The Ketchup Company and filed a subject access request (with which The Ketchup Company complied within the permitted timeframe), as well as a data deletion request for their data (with which, again, they complied within the permitted timeframe). It sounds like The Ketchup Company has their privacy compliance requirements running smoothly and efficiently!
Compliance isn't all about privacy or certifications to standards, however. As we mentioned previously, there are many different types of requirements from acts and regulations globally, such as the Sarbanes-Oxley Act (SOX), which requires companies to retain their financial records for up to 7 years, or the Federal Information Security Modernization Act (FISMA), which mandates all federal agencies to develop protection methods for their information systems. Understanding how the various frameworks, standards, regulations, and laws apply to your organization is an important task for the information security team at your organization, in order to avoid fines and penalties, as well as to provide a good baseline for protection against information security risk.
Responding to and undertaking investigations
Even if you're part of a simple organization with very few employees, there is still a chance that events will occur on your estate (or in a way that is related to your estate) that require further investigation by yourself, by somebody in your organization, or by another organization. This could include anything from finding out who deleted a file from a shared drive, to a legal investigation into insider trading, to handing over server logs to law enforcement for them to perform forensics. It is your responsibility, not only as an employee but also as a law-abiding citizen, to comply with these requests to the extent to which you are legally obligated. The last thing you want is to be found obstructing an investigation; it's simply not worth it.
Many solutions exist so that you can comply with these types of requests, including actions such as placing legal holds on email inboxes to "freeze" activity, storing snapshots, or ensuring that items such as emails or files aren't actually "deleted" when an employee deletes them. With the help of software and information systems, organizations have more control than ever before to ensure that their employees are abiding by both the law and the protocols devised by senior managers in the company's defined policies.
When it comes to internal investigations into unauthorized access, or some sort of integrity issue, it might sometimes be important to ensure that those aiding your investigation aren't able to find out who and what is being investigated. It sounds extremely tricky, but again, there are tools that provide pseudonymization, which gives us a way to track the activity of users by assigning them aliases. This prevents investigator bias or collusion with the subject.
Another interesting legal aspect of the information security compliance domain is that of eDiscovery, or electronic discovery. eDiscovery is a way to identify and deliver information that can be used as legal evidence. By leveraging eDiscovery tools, you can find content in mailboxes, shared groups, Teams/Slack/Skype chats, shared drives, and device hard drives. You can finely filter your search results in order to identify, hold, and share the results with the required parties, without including extra data that isn't relevant to the investigation. Using eDiscovery tools during these events reduces cost, time, and complexity. If you are aiding in this process, you will be working with people who make it their business to be great at this work, and providing your knowledge of your estate and its structure is likely going to be your responsibility.
Further compliance optimization
Remember, a huge part of most information security standards is the principle of continuous improvement. We have a long way to go in order to make operating in a digital environment secure, and optimization needs to occur constantly! We need to put ourselves into an engineer's state of mind and see the world through those critical eyes. Throughout the rest of this book, I'm going to be reminding you of the requirements for continuous improvement, as well as give you examples to apply to your estate.
For a quick example, let's go back to our example organization, The Ketchup Company. Imagine you (as the information security manager) run through an incident response playbook for restoring from a backup in the event that an on-premises server for running a few applications has a hard drive failure. During the simulation, you notice that the spare hard drives that you have stored for this event will be at 90% capacity once the data is restored from backup. You also note that a better state of redundancy than RAID-0 would have prevented this from happening in the first place.
First, you take a look at your risk register, and you notice that you overlooked this previously. You add the details of the risk to the register, and perform a risk assessment to calculate the risk score determined from the impact and likelihood scores, and find that the level of risk is above the formally defined risk acceptance level for The Ketchup Company.
After going through some discussions with team members, as well as giving it some individual thought, you decide that at the moment, with the budget you have available, you can buy some hard drives and set up some redundancy as a mitigation tactic. You make a support ticket to purchase enough hard drives to quadruple the capacity, create another one to add them to the server, and then increase the redundancy to RAID-1. Is it the perfect solution? No; it's an incremental optimization that reduces the risk of downtime on your server and allows your staff to focus on important things for the future, rather than fighting fires in the present.
Are you done? Of course not. From that optimization activity, you now have some updates for your asset register and risk register, as well as some further investigation to do on other servers and systems. If you find that one of your servers was running RAID-0, is that likely to be isolated to just that single server? Or are you going to lift the curtain and find that The Ketchup Company has absolutely no redundancy in any of its servers and backups, and that there's now a high-priority IT operation required to prevent a catastrophic failure? It's most likely going to be somewhere in between those two extremes… but the investigation and findings lead to a project for your organization that can be broken down into small, achievable goals that add up to something greater than the sum of their parts. An optimized solution is something you can get funding for by presenting the level of risk facing the organization if the vulnerability is left unmitigated.
Once the project is completed, you perform another risk assessment to see if that new optimized level of redundancy mitigates the risk of data loss to an acceptable level, record your results, and present the results of the project and the economic impact of the improvements to the relevant stakeholders. It sounds like you're using ideologies from risk management and continually improving your organization's risk posture – nice work!
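The register-assess-treat-reassess loop from the RAID example above, as an added illustration that is not the book's own code: a small Python risk register that scores impact times likelihood, compares the score against a formally defined acceptance level, and records each assessment as an audit trail. The 1-to-5 scale, the acceptance level of 8, the risk id, and the individual scores are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple
# Constructed scale for The Ketchup Company: impact and likelihood run 1 to 5,
# risk score = impact x likelihood, and any score above this level must be treated.
ACCEPTANCE_LEVEL = 8

@dataclass
class Risk:
    """One risk register entry, keeping every assessment as an audit trail."""
    risk_id: str
    description: str
    impact: int
    likelihood: int
    history: list = field(default_factory=list)

    def __post_init__(self) -> None:
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    def score(self) -> int:
        return self.impact * self.likelihood

    def assess(self, note: str) -> dict:
        """Record an assessment and state whether the risk is within the acceptance level."""
        entry = {"note": note, "impact": self.impact, "likelihood": self.likelihood,
                 "score": self.score(), "acceptable": self.score() <= ACCEPTANCE_LEVEL}
        self.history.append(entry)
        return entry

    def mitigate(self, note: str, impact: Optional[int] = None,
                 likelihood: Optional[int] = None) -> dict:
        """Apply a treatment that changes impact and/or likelihood, then reassess."""
        if impact is not None:
            self.impact = impact
        if likelihood is not None:
            self.likelihood = likelihood
        self.__post_init__()  # re-validate the updated scores
        return self.assess(note)

def raid_example() -> Tuple[dict, dict]:
    """The on-premises server from the text: RAID-0 today, RAID-1 after the project."""
    risk = Risk("R-0042", "Application server data loss on single-drive failure (RAID-0)",
                impact=4, likelihood=4)  # constructed scores
    before = risk.assess("Initial assessment after the restore-from-backup simulation")
    # Mirroring means one failed drive no longer loses data, so likelihood drops;
    # impact is unchanged because the same data still lives on that server.
    after = risk.mitigate("Quadrupled drive capacity and moved to RAID-1", likelihood=2)
    return before, after
```

The `history` list on each entry is what you would present to stakeholders: the before and after scores side by side are the economic case for the project.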