IT Best Practices for Highly Regulated Industries
The regulations some companies are subject to encompass many aspects of your business, including your IT. IT-relevant regulations typically focus on security and data protection. They provide a baseline of best practices for IT and security. They do not prescribe detailed solutions. This leaves it to your business to identify specifics.Understanding and implementing these best practices is no small task. Don't feel bad if you feel intimidated. Framework has consulted highly regulated businesses for over a decade and provides compliance and security related services. We're going to provide general best practices that apply to regulated industries. We'll also shed light on some specific applications of these best practices.
So, what are the IT and security best practices for highly regulated industries?
We’re going to answer this question by overviewing the NIST Cybersecurity Framework (‘NIST Framework’).
Why are we using the NIST Framework?
Some laws and regulations specifically reference the NIST Framework. Even if your industries' regulations don’t reference the NIST Framework directly, there’s a heavy overlap between regulations and the NIST Framework. The guidelines are so universal that adoption will cover many of your industry’s regulations.
So, what is the NIST Cybersecurity Framework?
It's the National Institute of Standards and Technology's Cybersecurity Framework, formally called 'The Framework for Improving Critical Infrastructure Cybersecurity.' What a mouthful! It’s a voluntary framework of standards and best practices to manage cybersecurity risk. The NIST Cybersecurity Framework helps businesses prevent, detect, and respond to cyber-attacks.
What are the 5 NIST Framework functions?
We’re going to explore the major functions within the NIST Framework. We'll also offer some specific best practices you can adopt. The 5 NIST Cybersecurity Framework functions are:
Identify: What are the best practices to identify cybersecurity risks in regulated industries?
The NIST Framework defines 'Identify' as developing the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Basically, 'Identify' means assessing the cybersecurity risk of the business. Now let’s break down the components of ‘Identify’ and offer some best practices:
You need to define and document all your technology. As a best practice, this documentation should live in one centralized, secure location for organization and ease of use. You'll also need to define the controls in place for each technology. For example, you’ll need to write out how user identity is verified to control access and any processes or systems in place to prevent unauthorized access (such as 2FA/MFA).
A business environment means defining the implications of risks in the context of your business. Your client-base, your reputation, your messaging, your contracts, etc., are relevant. These all shape your risk. When identifying your risk, make sure to address the following as a best practice:
- Risk to your firm of data exposure for various types of data including
- Reputation risk
- Revenue risk
- Cost of mitigation
- Regulatory and legal risks
- Potential liability costs
- Risk to your clients or other stakeholders of a data exposure on your end
- Your relevant contractual obligations to clients, their remedies under those contracts, and the risk it poses to the firm.
Governance refers to the processes and policies stating how you'll direct or control security and data protection. It's much the same as Corporate Governance but focused on security and data control.
You need to identify the target state of control over your tech and data. Then you need to assess the gap between your current and target controls. You’ll need to get a risk assessment, vulnerability assessment, or penetration test. Your specific industry regulations may require one of these and may specify that a 3rd party performs the assessment.
Risk Management Strategy
Following your Risk Assessment, you need to plan to remedy the gaps. This plan should incorporate your business context to prioritize risks appropriately. Your prioritization should also account for the needs of all stakeholders. You'll also need to define how you'll communicate issues with your stakeholders.
This Identity function lays the foundation for the actions your organization will need to take. It’s necessary to hash this out before moving on to the other 4 functions.
Protect: What are the best practices to protect your company from cybersecurity risks in regulated industries?
It's critical to put safeguards in place for your infrastructure and data to protect against cybersecurity risks. Following the NIST Framework best practices will prevent, or limit, the impact of security events.
You need systems in place to verify identity, limit and control access to your systems. To provide specific asset control examples, you may:
- Install a Domain Controller
- To authenticate and allow users to access a domain type network.
- Use 2 Factor or Multi-Factor Authentication
- Requiring 2 + means of verifying identity before allowing system access.
- Require Unique Usernames & Passwords
- Enforce Complex Passwords and Password Change Policies
Awareness & Training:
For your IT best practices to be successful, you need everyone on your team on board. To do so, you must raise their awareness with training. There are two relevant best practices:
- Educate all team members about your company cybersecurity plan and where they fit in.
- Provide training resources to educate them. You can buy web-based security awareness training or have trainers come onsite. There are also training resources for specific regulatory standards.
Ensure your data is secured behind protective measures. Also, you need to ensure it's managed according to your standards. Your aim is to protect your data's integrity, availability and confidentiality.
Specific best practices would be:
- Deploying data encryption for data at rest and in motion.
- Subjecting all data to best practice access controls.
- Provide only the minimum necessary access to data for staff to perform their duties.
- Ensuring you have robust data backup & disaster recovery capabilities.
Information Protection Policies and Processes:
You need policies and procedures to manage your protective measures. Absent strong policies and processes, your protections will degrade and lose effectiveness. You must publish them to your staff and provide training to ensure integrity.
This sounds mundane but keeping up with maintenance is a universal IT best practice. You need to repair your technology systems, upgrade them as needed, and mitigate flaws.
There are potential severe consequences if maintenance is not adhered to. Case in point, Framework helped clean up two security breaches where the root-cause was ransomware that exploited bugs in Microsoft’s Operating Systems. Microsoft had patched those flaws a month before these companies' breaches. Unfortunately, they'd failed to keep up with maintenance, and it cost them dearly.
Specific Best Practices:
- Only use supported computer and server Operating Systems.
- Update the firmware on your networking equipment.
Deploy security solutions that align with your policies, needs, and regulatory requirements. Your mix of security solutions should be tailored to you, but consider the following:
- Advanced Threat Detection
- Email Security Services and Email Encryption
- Endpoint Encryption
- Next Generation Firewall
- Vulnerability Management
Detect: What are the best practices to detect cybersecurity risks in regulated industries?
You must install systems and perform tasks to detect a cybersecurity breach ASAP. Timely identification is critical for mitigation. There are several components to a best practice detection strategy.
Anomalies & Events:
You need systems and procedures to detect irregular activity ASAP. Also, when there are events, you need to ensure relevant stakeholders understand.
Implementing a SEIM is an ideal way to track this. A SEIM is a security information and event management software. SEIM’s track and log events and alerts from IT infrastructure and applications. They provide real-time analysis and generate reports for compliance needs.
You need 24x7 monitoring of your information systems to identify security breaches. This necessitates security monitoring software.A recommended, best practice monitoring and detection program should include:
- Advanced Threat Detection
You need tested processes to back your detection systems and to provide rapid discovery and awareness of security events. Once you know, you need to disclose to appropriate stakeholders.
The longer a cyber breach occurs, the greater the risks. Detection can make all the difference when it comes to mitigation and response.
Respond: What are the best practices to respond to cybersecurity risks in regulated industries?
You must create a plan for the activities you'll take after a security detection. A response plan will limit a breach's impact. The major functions of a best practice response plan are:
Create a plan dictating actions you’ll take to respond quickly to an event. Your plan should consider various breach scenarios and how you’d respond accordingly. Also, your plan should address how you’ll disclose and communicate after an event.
Once a security event occurs, you need an analysis to determine the impact. Analysis is a supporting activity for mitigation, communications, and improvement. It's also necessary to know what you’re dealing with to recover. You’ll need to hire a professional cybersecurity company to get an analysis using best practices.
You or hired experts must take actions to contain the event, reduce the effects, and end the threat. It’s situation dependent, so the only specific advice I can offer is to engage experts. Failing to do so could result in less than total mitigation, and a costly repeat.
You need to report breaches and coordinate with relevant stakeholders, including law enforcement. Your chances of justice are exceedingly low, but it's the right thing to do. There's also a good chance you're required by law or regulation to report breaches. As a best practice, involve an attorney for this task.
Security breaches are painful. Most people are inclined to avoid a repeat. Time passes though, their motivation fades, and they make little or no improvement. Learn from these events! Review what worked, what didn’t, and what you were missing in your plans. Then adjust. Don’t let the pain fade without taking action to avoid repeats!
Recover: What are the best practices to Recover from cybersecurity events in regulated industries?
In short, you need plans to maintain business continuity. You’ll also need solutions to aid a timely restore of systems and services. Best practices around recovery has three functions:
You need to develop and test processes and solutions to recover from a breach. There should be a written continuity plan addressing recovery for all types of events. You'll also need the technology to support your recovery plan. You need data backup and disaster recovery solutions!
You should iterate and improve with each recovery (and each test). It’ll save you money, and heartache.
Recovery entails a lot of coordination to plan and execute. Communication involves internal and external stakeholders like employees, clients, advisers, and law enforcement. You shouldn't overlook the importance of this step. It has potential legal ramifications as well, so involve your attorney as a best practice.
Ensuring IT Security in Highly Regulated Industries
Highly regulated industries face greater standards for data privacy and protection. As a result, the IT best practices for highly regulated industries emphasize cybersecurity. The NIST Cybersecurity Framework provides a thorough guideline for best practices around cybersecurity. Implementing the NIST Cybersecurity Framework requires IT best practices that also address most of the IT-related regulations your company faces.
Even with this information in hand, we realize this is still a monumental task. If you don't have a cybersecurity expert on your team, we strongly recommend expert help. You may also want to investigate a managed security services provider to help you manage this ongoing.
The Framework team is passionate about best practices and security and would love to speak!