Security has been a hot potato for ages and isn’t going away anytime soon. That is obvious to say and harder to deal with. GDPR is one of the top subjects for CIOs up and down the land. Brexit won’t change that: we will still deal with the mainland, and they will still expect us to comply with their legislation, even if it does not end up directly on our statute books.
On May 25th 2018 the GDPR becomes enforceable and businesses will be expected to comply with it. Many will be ready, but I suspect many more will not. Many may believe they are ready and, in reality, be unable to prove it if required. As with the Data Protection Act before it, many businesses may think GDPR is an IT problem and simply assume that it is being dealt with. In many businesses this is about as far from the truth as you can get.
The reality is that the whole organisation needs to be engaged, even though many of the controls that demonstrate compliance will come from IT. The biggest challenge is not knowing what has to be done, but ensuring that the business is actually doing it. Predictably, there is a big difference between knowing what GDPR requires and implementing it in a way that is consistent and auditable.
At the heart of this is the organisation’s ability to apply, reinforce and check the controls that give it the means to implement GDPR and other information governance. Success depends on translating the governance requirement (GDPR) into auditable IT goals and then ensuring that the requirements which emerge become part of a culture of secure information management throughout the business.
ISACA, a US-based organisation, produced a framework designed to turn internal and external governance into measurable, auditable objectives. It is called COBIT5, and many US businesses use it to ensure that they meet the requirements of their own external legislation, Sarbanes-Oxley. COBIT5 is intended to turn high-level governance into measurable KPIs that demonstrate achievement in line with stakeholders’ needs and expectations.
COBIT5 can be used to ensure that the right questions are being asked to address the challenge that GDPR poses, and that the answers are checked and fed back into a cycle of adoption and improvement. This includes specific questions about assuring information security and getting the whole organisation to think about the cyber resilience challenge throughout the IT delivery cycle.
That’s where RESILIA comes in. Its job is to ensure that ALL staff within the business are asking the right questions about information security and cyber resilience, and to embed that thinking into the culture so that GDPR, information security and cyber resilience are actually given equal weight in any decision-making process around information management.
The upshot of those decisions needs to be weighed against the needs of governance, which means COBIT and RESILIA feed off each other and together provide assurance that governance is being addressed, acted upon and audited in order to meet the requirements of GDPR and all other governance.
This combination of legal requirements, audit capability and service management should put your organisation in a great place to deliver on your customers’ expectations.
For more information on how Quanta can help your organisation to adopt and adapt best practice to meet the needs for governance, audit and managing information security, please click here for COBIT5 and here for RESILIA.
More information on COBIT from ISACA
More information on RESILIA from AXELOS