July 25, 2022 Practice Points

A Brief Discussion on Cybersecurity Compliance Programs

A few points to consider when evaluating the strength of your client’s cybersecurity compliance program.

By Leonard Wills

A compliance audit consists of an independent evaluation to ensure a company follows external laws, rules, and regulations or internal guidelines, such as corporate bylaws, controls, and policies and procedures. To prepare for these audits, clients need robust compliance programs to mitigate the risk of noncompliance. I have provided a few points to consider when evaluating the strength of your client’s cybersecurity compliance program.

Documented Process

Does your client have a documented process that allows them to comply with the applicable cybersecurity standard(s) or regulation(s)? Documented processes (also called process documentation) provide a detailed description of how to execute processes to achieve a business objective or compliance. These documents reduce confusion because personnel have guidance on roles, responsibilities, and how to perform particular tasks. As personnel perform the various tasks, documented processes serve as a baseline for process improvement. The organization can review the processes and their output to determine how to improve operations. This review permits the company to adapt its processes to new technologies, business solutions, laws, regulations, etc.

Risk Management

Does your client have a robust IT risk management program? Risk management remains a foundational component of any compliance program. Risk management consists of a formal process to quantify, qualify, and mitigate specific risks as defined by an organization. Risk is the potential for loss, damage, or destruction of assets or data caused by a threat. Risk comes in numerous forms, such as an insider threat or a cyberattack. Failing to manage risk may result in financial loss, reputational damage, legal or compliance issues, or even loss of life.

A robust risk management program, regardless of the framework used, should include the following steps.

  1. Identify the risk(s).
  2. Analyze the likelihood and impact of each risk.
  3. Prioritize risk based on enterprise objectives.
  4. Treat or respond to the risk conditions.
  5. Monitor results and adjust as necessary.

Your client can use numerous risk management frameworks as a guide to developing or improving their risk posture, including NIST’s Risk Management Framework.

Internal Controls

Does your client implement internal controls to reduce the risk of noncompliance? Internal controls consist of a series of policies, procedures, and/or technical protections that protect assets, promote operational effectiveness and efficiency, and minimize the risk of noncompliance.

Internal controls can be classified as preventative, detective, or corrective. Preventative controls stop negative events from occurring. Detective controls detect and report a negative event, and corrective controls minimize the impact of, or correct, a negative event.

Evidence Retention

What kind(s) of evidence must your client retain to demonstrate compliance to auditors? How long must your client retain that evidence? Your client should have a documented process to address this topic. Failing to gather, collect, store, and preserve evidence appropriately will lead to a finding of noncompliance. Your client should have a process to retain electronic and physical evidence.

On a final note, this list does not address many components of a compliance program such as access management, network security, physical security, configuration and change management, backup policies, data life cycle, etc. Remember, compliance programs must be customized to the needs of your client.

Leonard Wills is a presidential management fellow in Washington, D.C.


Copyright © 2022, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).