Deploying a Data Security Defense

Author: Jason Fanghong Jiao, Ph.D., CPA
Date Published: 31 August 2020

Data security has always been a top priority, but the COVID-19 pandemic has made it even more prominent. In a COVID-19 study from ISACA, 87 percent of the 3,700 respondents stated that the rapid transition to remote work has increased data protection and privacy risk, and only half said that their security teams are prepared for the rising number of cybersecurity attacks. Although EU members have adjusted to the General Data Protection Regulation (GDPR) in recent years, many countries do not yet have any national regulations that address data security issues. However, there is an important resource to draw on when deploying a data security defense: the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework.

Effective implementation of the five elements of the 2013 COSO Internal Control Integrated Framework is helpful for operations, reporting and compliance in the area of data security. To deploy a data security defense, an organization must establish a control environment, assess risk, implement control activities, configure an information and communication system, and monitor existing activities.

The COVID-19 pandemic has created new risks to data security; however, the fundamentals of data security have not changed. A control environment needs to be established to address the importance of data security, especially given the prevalence of remote access to sensitive data. The control environment requires management to make a commitment to integrity and ethics in the area of data security. New risk factors need to be assessed against the risk appetite of the entity, whether the decision is to accept, avoid, reduce or share each risk.

Existing control activities should incorporate a defense-in-depth approach, with multiple layers of defense and a time-based model that allows more response time to thwart attackers. Preventive controls should include procedures such as user access controls, encryption and hashing, and social engineering controls. Detective controls should include activities such as log analysis and penetration testing. Corrective controls should include an effective and efficient response team and patch management personnel. Entities should also have an information and communication system configured to suit their data security needs. Monitoring activities are mandatory to provide evaluation and feedback for improving data security practices.

Editor’s note:
For further insights on this topic, read Jason Fanghong Jiao’s recent Journal article, “Deploying a Data Security Defense,” ISACA Journal, volume 4, 2020.
