Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone. Again, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today as we continue our FTC Safeguards Rule Checklist for Compliance series. And today, we're actually going to dive into implementing appropriate controls for your information security program. When we think of an information security program or we think of controls, this is really one of the biggest sections that people think about. And we're going to review some of the best practices, some of the things to look at, and how to tie that all together to some of the other parts of your information security program and those FTC Safeguards requirements. Before we get started today, please go and download the FTC Safeguards Rule Checklist. It will actually be available in the description of this podcast, and it is there within our blogs as well. We are just going right down the checklist (the checklist is on this side) in this series. So it's a really good follow-along to make sure you're covering all of your areas of FTC compliance. And before getting in, please also click that subscribe, click that like, follow the podcast, and leave us a comment. Let us know some things that have worked for you in your programs, or maybe that you're struggling a little bit and you would like to have us dive in deeper.
With that said, let's dive into implementing appropriate controls. Now, if you read the FTC Safeguards Rule, if you actually like to see what it is they're looking for, this is related to implementing controls to protect the CIA, confidentiality, integrity, and availability, of your client information.
As we've talked about in previous podcasts, you also don't want to forget that privacy and safety are part of your appropriate controls. They're not specifically stated in the FTC Safeguards requirements. But if you're not evaluating those, it's very difficult to make the justification that you're applying appropriate controls altogether.
So, that ties into your whole risk management process that we actually talked about in our last episode, the FTC Safeguards Checklist episode. Utilizing a risk-based approach, that actually is how you can tie those together, and how what you identify in your risk, the different threats, the different vulnerabilities, is going to translate into actual controls for this step. Now, as I said before, when we think of an information security program, when we think of security controls, really where everybody's head primarily goes is the technical side of things. There are technical controls, there are administrative, and there are physical. Most people are really thinking of all of those technical ones. Multi-factor authentication, anti-malware, SIEM solutions, password management systems, MDR, encryption, all of those different technical controls to help protect the environment. That is, one, covered within this kind of umbrella section of the FTC Safeguards Rule, but it's also where most people's head goes.
It's also one of the things, if you've looked at some of our e-books on the subject, where a lot of companies have a pretty big miss, because they forget the administrative and the physical controls. Now, the administrative are really your policies and your procedures. How you structure things, how you actually run the business.
And a big part of it is going to be your information security policies, your information security procedures. And that's very important around, let's say, your incident response. If you see something, say something. That's an administrative control. It's something that employees have to execute. It's something that employees have to follow. Administrative controls also come into play with system processes. How you run the business, how you do things. And this is very important.
It's something you don't want to overlook. Especially on the side of money management, money transfers. So how do you request a wire? How do you make changes to the wire information? And how do you approve one and finally send it out? Technical controls are very good for keeping bad actors out. For keeping them from getting access. But that administrative process, that structure that you follow every time, that you do not deviate from, is where you're going to catch the majority of the fraud that may get introduced into your business. Or where somebody does gain access, it's them not following your structured process that's really going to throw up the red flags and get you to hone in. So you want to be sure that, especially around critical processes, critical systems, you have very good administrative controls. Meaning you've got policies, you've got structured processes that you follow to appropriately manage those. We also don't want to forget physical controls. Again, this is normally a very big gap just because it's almost hiding in plain sight. But we want to make sure we've got appropriate door locks. That we're locking cabinets that have sensitive information. That we have key logs. We know who has those keys, and can we put any type of cameras in place? Can we position screens so that people can't see them? Are we cognizant of whiteboards or other bulletin boards that may have information that people can see from the outside? All of these things are very important to make sure that collectively you're protecting the CIA and the P and S, confidentiality, integrity, availability, privacy, and safety of your firm.
Some really good best practices here. Because implementing controls can get wildly out of control. You can just spend money until you don't have any money left and still have big gaps. So some really good ways to help hone this, to help make it more manageable and affordable, are: one, centralize the management as best you can.
If you can, utilize a remote monitoring and management tool. That way you can have almost a single pane of glass to see what systems are encrypted. Which ones have good passwords? Do we have malware? Is everything updated? This makes it much easier to see what's going on in the environment and to control everything. You also, as much as you can, want to standardize your setup. Set every system up the same way.
Set every server up the same way. And as much as possible, get the same type of equipment. This way you don't have multiple configuration settings. You don't have to remember how everything is set up for each individual system. It's all done the same way. And that makes it much easier to spot any type of discrepancy or anything that shouldn't be there.
What's also very important, perhaps the most important, is making sure you have an appropriate scope. A lot of times, coming in to set up an information security program, it's a thing of "we need to protect everything as much as we can." That can quickly drain budget.
It can quickly stretch resources thin. What's more important is as part of your risk approach, as part of your risk analysis in your previous step, scope out where all of your sensitive data is. Identify all of your critical systems. Identify all of your critical systems and processes. Once you have those defined, any other sensitive information, anything else that's perhaps slightly critical, consolidate it as much as you can. So that way you have fewer systems, fewer system processes to actually secure and monitor.
That's not to say to leave everything else completely exposed. But you don't need to have, say, a full MDR solution and 24/7 monitoring and hourly backups on just a regular laptop that's going to browse the Internet, as opposed to the corporate network and the corporate servers. This can help make sure that you're appropriately monitoring, that you're applying the correct controls. And when you structure your control implementation in this way, you'll be able to tie it back to your risk approach and have that objective evidence that our risk approach wasn't just something that we put on the shelf. This has allowed us to make effective decisions moving forward and apply the appropriate controls. And that's how you tie these different parts of your FTC Rule requirements together.
That is all the time we have for today. Please do not hesitate to reach out if you have questions about your control implementation. I would love to hear about things that have worked well for you, some things where maybe you stubbed your toe, and also the ways that you worked around that. Thanks again for listening to us today, and until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.