Guaranteeing the security of your organization requires up-to-date knowledge of the regulations you must comply with. This is why regulatory monitoring of information systems security is one of the main missions and obligations of the CISO. With structured monitoring, you can easily follow the evolution of the practices, standards and laws that govern your organization’s cybersecurity. Project management, identification of reference frameworks, documentation updates, dissemination of relevant information, impact analysis… so many subjects to coordinate behind this notion of regulatory and standards monitoring. So how can you set up information systems security (SSI) regulatory monitoring without being overwhelmed? We share some food for thought and answers in this article.
What is regulatory and standards monitoring?
Before getting to the heart of the matter, let us go back to the definition of regulatory monitoring and understand how it differs from standards (normative) monitoring.
Regulatory monitoring, essential to comply with the rules of the game
By definition, regulatory monitoring consists of keeping informed of the legislation applicable to your industry, and also of following the evolution of texts and obligations. Knowing the legislative framework dedicated to information systems security allows you to implement the actions needed to guarantee that the IS complies with the obligations to which the organization is subject. This monitoring of the regulatory environment is essential for the CISO and their teams to discover new laws, decrees or regulations, analyze their impact and adapt the organization’s IS security policy accordingly. Regardless of the size, type of activity or geographic area of the organization, regulatory monitoring is part of a risk management approach. It may also be mandatory for regulated sectors or during compliance audits.
Normative monitoring, to go further in IS security guarantees
Standards monitoring, for its part, allows you to identify the standards in force with which your organization must comply. Like regulatory monitoring, it is a continuous and iterative activity that aims to actively monitor the organization’s environment. Whether international, European, national or even sectoral, standards are a guarantee of quality, and complying with them is mandatory for obtaining certification. Let’s take a concrete example: if your company hosts or uses health data, it is subject to the obligation to use HDS-certified (health data hosting) hosting.
How to effectively structure SSI regulatory monitoring?
To follow regulatory developments and guarantee the security compliance of the company, it is essential for the CISO to structure SSI regulatory monitoring effectively, so as not to suffer changes but to anticipate them as well as possible.
Define the monitoring strategy to be aligned with the objective
The first step in setting up an SSI regulatory and standards monitoring project is to align all project stakeholders on a common objective. As discussed previously, the purpose of monitoring is to identify your legal and normative obligations so that you can validate your compliance. If necessary, a corrective action plan will be put in place. But monitoring is not limited to compiling documents! It drives strategic decisions for your organization.
To define your monitoring strategy, it is necessary to answer the following questions:
- What is the impact on business teams within the organization?
- What is the investment required and the expected return on investment?
- What human and material resources will be mobilized?
The monitoring approach is part of knowledge capitalization and information management, and is one of the components of the organization’s competitive intelligence. SSI regulatory and standards monitoring is a founding element of corporate strategy. It helps secure your activity by ensuring compliance with current standards and legislation. This is why the framework, responsibilities, means and frequency of monitoring are all key elements to be defined from the outset.
Delimit the scope of regulatory and standards monitoring to manage risks
This involves determining the documents and information to which your company must refer. These may include texts of laws, decrees, standards, government reports, etc. Each company or organization has its own regulatory monitoring framework and will “draw” from the legislation in force according to:
- Its geographical area: What are the legal texts applicable locally and/or nationally? Are you subject to European and international regulations? Which foreign laws must you apply?
- Its sector of activity: Are you in a regulated field of activity (health or banking, for example)?
- Its quality guarantees: What certifications does your organization wish to obtain or maintain (ISO 27001 certification, for example)? What are the organization’s internal security policies (ISSP, PRA/disaster recovery plan, PCA/business continuity plan, etc.)?
Monitor sources to anticipate developments
Once your information systems security regulatory and standards framework has been established, you can then follow the evolution of the texts. What will be the impact on your organization of a legislative text currently in preparation? What new actions will need to be put in place when the European NIS V2.0 directive is adopted by the European Commission?
Monitoring these developments allows you to control the impact of new legislative risks on your business and get a head start on your compliance.
Use data to implement corrective actions
Carrying out this monitoring allows you to define and characterize the compliance requirements needed to secure your organization’s IS. These requirements can be grouped into categories and subcategories to facilitate risk management. Let’s take the example of the ISO 27001 standard, which establishes the framework for information security management within an organization. This international standard is divided into 252 requirements grouped into 6 process families. It should be noted that the same requirement may stem from different regulatory or normative texts. You then establish your own framework of requirements to be respected.
Meeting all of the criteria can be complex if your organization runs obsolete IT systems that are nevertheless essential to the proper functioning of your business, as is often the case in the health or energy sectors. This is why identifying new requirements, or changes to existing ones, allows you to analyze the corrective actions to be implemented using a risk-based approach. What is the impact of not meeting a requirement? What would be the financial cost of non-compliance? Based on the answers, a suitable action plan is established. Your goal is, after all, the SSI compliance of your organization.
Disseminate information to facilitate decision-making
Providing the right information, at the right time and to the right person is the key to facilitating decision-making. The formats for sharing your SSI monitoring are numerous and will depend on what your recipients need: newsletter, summary note, analysis, or a platform giving access to the full documentation. Determine the frequency of distribution by keeping two questions in mind: who are you sending the information to, and what can they do with it?
For your management committee and your company’s decision-makers, provide a strategic view of the threats and opportunities linked to legislative and normative developments. Favor short formats such as strategic notes accompanied by an analysis.
Also distribute a summary of your monitoring to your sales and marketing department. They will thus be able to rely on certifications and compliance in their sales pitch. These are assets and guarantees of trust that they can highlight to your organization’s customers, prospects and partners.
The R&D team, for its part, will use your monitoring to anticipate developments in its product roadmap. Give them the opportunity to access the complete information if they wish, via a knowledge management platform for example.
The mission of the CISO is to disseminate useful and relevant information to their various contacts in order to inform their decision-making. And in the eyes of your colleagues, you will be a facilitator!
The 5 best practices for effectively carrying out IT security monitoring
- Put a pilot in the cockpit
As this article shows, implementing an SSI regulatory and standards monitoring project is a complex and strategic project for your organization. Designate someone on your team to be responsible for monitoring. They may rely partly or entirely on external service providers whose job it is.
- Translate legalese
SSI regulatory and standards monitoring does not consist of piling up texts, each more complex than the last. Make texts intelligible by modeling them as compliance requirements. In “intelligible” language, threats and opportunities become easier to understand.
- Make updates regularly
Establishing a regular update frequency is essential. By regularly monitoring developments, you are equipped to understand the corrective actions to be implemented. Don’t let yourself be overwhelmed.
- Demarcate your perimeter correctly
Faced with the proliferation of regulatory texts and security requirements, delimiting the texts that are strictly applicable and/or necessary is essential. This will help you avoid being overwhelmed by a multitude of information that does not concern you.
- Stop believing you can do it alone
Defining the repository of texts, translating them into requirements, managing updates and deducing the consequences for your company’s compliance… this cannot be improvised! Depending on your constraints, your resources, your budget or even the time you can allocate to this mission, rely partly or entirely on external service providers who are experts in the subject. You will gain peace of mind and free up time for your other missions.