Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today as we continue our FTC Safeguards Rule Checklist for Compliance series.
Such a mouthful, but super duper important. Very happy to have you back here today, and today we're actually going through continual ISP improvement. So we're actually getting to the end of the entire checklist. If you don't have the checklist, if you haven't downloaded it yet, if this is the first episode that you're coming into, definitely download the checklist. It's in the description. We are quite literally just going right down the checklist.
Here on this podcast series and in the blog series that we have on the website; the links for those are right in the description of this podcast, and also obviously right on the website itself. So use that to follow along, it makes it very simple to go through and make sure you're hitting all of the requirements of the FTC Safeguards Rule. Makes it very easy to go through and a lot of additional information.
So before we go any further today on continual ISP improvement, I've got to give our plug. I've got maybe a little bit of our beg, but go ahead and click that like, click that subscribe. We are adding a lot more onto the social channels. We're bringing up our entire, our own community to have a lot of this information. So would really like to hear what it is that you're struggling with, what you would like to have some help with or some extra insight with regarding your information security and compliance programs. More than happy to dive into it to give you all the help that you need.
So with that said, let's go ahead and jump into 'Continuous Improvement.' Now I don't think this is going to be a very long episode. I say that and then I run my mouth forever, but I don't think it will be because it's really just doing all the things that we've been talking about: the risk assessments, implementing the controls, the monitoring, reviewing, and testing policies and procedures, managing service providers, and essentially just keeping up with that. Not having it be a one and done exercise, but continually reviewing and continually improving when we find any gaps, either things we didn't do right or things we could do better. That really sums up this entire requirement of the FTC Safeguards Rule.
But what we'll do here is go through a few different, I guess, specifics that you can do to make sure you're kind of checking that box, make sure that you're showing that you're doing the continuous improvement, which spoiler alert is really just going to come down to making sure that you're documenting what you're doing, which is kind of everything with the information security program, but no more spoilers getting right into it.
The first is really making sure that we're making adjustments to our program based on our testing and monitoring results. So we're collecting all these logs, we're monitoring everything, and when we see something sideways or something that could have gone sideways, a vulnerability but not any type of incident or event, just something that could go bad, we're documenting that.
And then we're showing how we're improving on it. Really it's putting that into our risk assessment process, seeing what we can do, what other controls, how can we avoid, mitigate, transfer that risk, what would be the best to do, and then documenting what we're doing. And what that should look like in practical terms is sometimes we have like IT tickets, sometimes we have a change control ticket. If we have a little bit more mature information security program, we have a non-conformance ticket or non-conformance identified. And then we just document what we did based on that. How did we improve from it? Did we see that there were a lot more admins in a system than there should be? Then we restricted it, we brought it down to only two or three admins. That shows continual improvement, and it's in direct relation to those monitoring and testing results, our audits.
Another thing we want to make sure we're doing is that we're adequately responding to operational and business changes. The business is constantly changing. The entire economic landscape is changing. So what are we doing based on our risk assessments? It always needs to be tied to our risk assessments. What are we doing to put the company in the best position to best mitigate our risk? And if we look at all of our board information security, board meeting notes, if we look at all of our management reviews, all of our risk assessments, we should be able to see a trend of making things better, tightening things up in different ways. And that doesn't necessarily mean spending money on more controls. That could just be changing the way we do things or changing our risk appetite. So it doesn't always need to be tied to spending money.
We've talked about using the risk assessments definitely as a compass. The risk assessment is the heart of everything we're doing. And every change that we make, every change that we don't make, we should be able to tie to a risk decision. Basically, if a regulator were to sit down with you and say, why did you do this or why didn't you do that, we should be able to tie it to our risk assessment and say, well, based on our risk, based on our appetite, this is why we made that decision.
Material impacts and other circumstances, we handle a little bit of that. Business shifts, just different curveballs, things coming up. I think that really fits into the operational and business changes. But I think it's also important to create a culture of continual improvement. Think of that as your suggestion box. Definitely take from all of your departments, all of your employees, how things could be better. And we don't want to look at this just from a lens of security and compliance. We want this to be a thing of how can the business run better? How can we make things easier for everybody to do their job to meet their goals? Which is essentially going to drive the bottom line. And then we figure out how to meet those security and compliance requirements. So you'll get a lot more involvement if we're including everybody in the organization in the decisions and helping them understand, communicating out what it is you're doing, what you're not doing, a little bit of the why. That way they can see how it is that they're interacting with that. And that helps bridge some of that gap between IT security compliance teams and business operations. They can see that you're kind of on the same side, that you're doing the best you can to make their day easier. They're going to work a lot better with you. Their adoption of all of the changes that you want to make, I guarantee is going to be a lot better when you start including them and when you start showing them some of the why behind things. This is why we are doing things, why we aren't doing other things.
Finally, the biggest thing you want to do is document everything. If you don't have any documentation, if there's no objective evidence, you're not going to be able to show the improvement. There's going to be no documentation to show the trend.
But if we have multiple risk assessments, if we have multiple penetration tests, if we have multiple audits, and we can show here's where we were before, here's where we are now, that's how you can very easily show your continual improvement in your information security program. And some of the key ways that that happens with the program that we have, with the Input Output WISP, that you can also leverage whether you use our program or not, that is those annual management reviews. Sitting down, reviewing the entire security program, getting feedback, you can show where you were each year and how you've improved.
You can also do it, and we talk about it a lot, with the risk assessments. Your audits are going to be a huge area of this. Showing the audits that you do on all of your security controls. Where were you? Where are you now? Also your user access audits, your backup audits, documented penetration tests and vulnerability assessments are huge for showing continual improvement. Because it's very easy to show here's where our pen test and vulnerability assessments were. Here's all the red that we had on the board, all the highs, all the criticals. We did all of our changes, we did another one and now we only have some mediums or maybe just all low findings because we tightened everything up. That is a very easy correlation to make that our information security program is driving continual positive change. And this is ultimately just going to show how you're doing everything better in the organization.
So I told you that today's episode was going to be a bit shorter, that it wasn't going to be too long. And that's about all I have to say on the continual improvement. More than happy to dive in and to help discuss it more. But again, it really just comes down to documenting, showing where you were, showing where you're at and showing that you're doing better than you were before. With all of that said and without going any farther to ramble, thank you very much for listening today to Cash in the Cyber Sheets. Can't wait to have you back next week as we continue to talk about our Safeguards Rule Checklist for Compliance. The last areas we have are 'Incident Management.' I think that one will be a little bit bigger. And finally, 'Reporting to Senior Management.'
If you haven't already, download that infographic. Makes it very easy to follow along. Would love to hear from you. Thanks for listening, and until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.