Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today as we finish up our FTC Safeguards Rule Checklist for Compliance series. Today we'll be finishing it off with reporting to senior management.
Now, we have gone through all of the different steps. We've actually been following our infographic, the FTC Safeguards Rule Checklist for Compliance. If you look in the description of this podcast, you'll actually have a link to that checklist.
You can also go all the way back through all of our different episodes and we quite literally go right down the checklist so you can make sure that you're doing each of these items in your practice and get a little bit of insight as to how best to make that happen. As always, if you have any questions, we're always here, always happy to connect with you. But with that said, let's go ahead and get jumped into it today.
I'm actually running today a little bit different on a new reMarkable tablet. We are not sponsored by them, but I'm trying it out, trying every way that I can figure out to keep myself focused and to stay productive, which is definitely difficult. I don't know if it's ADHD, what it is, but there's the kitty.
In any case, trying it out, pretty cool. But before we jump into it, please click that like, click that subscribe, and let us know some things that you're having trouble with, some things in your organization that have worked out well. And what would be really cool is drop us a line. Let us know anything you've heard on our podcast that's actually helped you out. I would like to know that we're actually helping make things easier for you. So grab that checklist, go right down the list, make sure you're doing all of your things.
And with that said, let's jump into reporting to senior management. Now, when we do audits, this is an area that a lot of companies, they're just not doing it right. We find a lot of issues. We a lot of times find companies, they're not doing it at all. And what's wild is that this is such a critical part. It's so important because of all the different things it's going to pull together.
And it's a very specific requirement. But with how easy it is to do, it's just wild that so many companies aren't doing it. And I think what happens is that, like a lot of things in compliance and in security, is we make it seem and feel like it's much more of an issue, much more difficult than it actually really is.
So we're just going to tear it all apart and show all the different steps to go through. What's cool is in our written information security program, in our whole platform that we have, we actually have a form for this. It's an entire template.
And that's what we're going through today, just all the steps of that template. But it's designed really just to be a safeguard or a senior management reporting ad lib. Fill in the blanks.
You've gone through all of the different steps. And it's going to make sure you're covering everything on the compliance side and also make it very concise and structured to go through with management, which we've gotten a lot of management teams actually give kudos on this, which I think in itself is pretty wild. You don't typically get too many kudos on forms.
Not enough kudos. But I think that just goes to it keeps the meeting concise. It gets the relevant information there.
It allows digging in where needing to, and it cuts out fluff. So cutting out the fluff, diving into it. You're reporting to senior management.
That report, done at least annually, it's got to cover the status of your information security program. It's got to cover your organization's compliance with the FTC safeguards rule. So you actually want to tie those together.
A summary of your risk assessments, information about different security events or incidents, and recommendations for how you can improve things. Tying it back to that constant improvement, which is one of the other FTC requirements actually two episodes back. So the very first part of our template, the very first thing that you want to do in your management review, is review any prior action items.
What were the things that you were supposed to do? What were the takeaways? And what is the status of those items now? And it doesn't necessarily mean that they all have to be completed. Just where are we at? What were the roadblocks? And if there's anything that management needs to get involved with to help move things forward, this is the best time to talk about that. So what this shows, why it's so important, is it shows that ongoing accountability and progress.
And that's, you're going to be able to tie that back to your audits and any regulators that come in. This is great objective evidence that we're addressing things, we're following up with them, we're keeping things moving. The next part you want to go into, and this ties in with your risk assessment, but identifying any new or changed internal and external issues.
A great way to look at this internally is just what are the people, processes, and products or solutions, anything with any of those that has gone sideways or could potentially, and doing a PESTEL analysis. That's basically looking at political, economic, social, technological, legal, and environmental issues. And you can just go right down that list.
Just brainstorm anything that you can think of that might impact the organization, give it a little flavor as far as how you think it could impact the potential likelihood, and you can quickly go through all these things. What's nice about this is, when you have the management team, a lot of issues you bring up, they're going to say, you know what, we don't really care about that, that's not an issue, we're not concerned, and that's perfectly okay. If there are any, however, that you feel like they're not addressing in the best way, that's where you can push back a little bit, have that dialogue.
But what that's going to do is really help show how you're involving senior leadership with your risk management process. It's documented evidence. That's why it's so important.
Reporting on non-conformities and corrective actions. This kind of ties into the action items, but in this section you want to have a list of every single non-conformance, every single corrective action and opportunity for improvement. And just give the status.
Where are we at with each of these items? What's our progress look like? What's it going to look like going forward? And what do we need from leadership to get these where they need to be? And just have a discussion. It doesn't need to be a very deep discussion. This is also somewhere that you can celebrate a lot of wins, things that we got done, things that we got completed.
But again, if your leadership team really wants to dive in, they're going to let you know. And what we tell our teams when we talk to leadership, what we tell leadership is, we're going to go through this pretty quick. We don't want to bore you with everything.
I'm going to really dive into the things I think we really need to talk about. But if there's any area that you want to go deeper into, just let me know, stop me, and we can dig as deep as you want to. And they will take you up on it.
It gives a very good dynamic to where you're keeping the meeting moving, and they feel like they can jump in and get the clarification that they need. The next section is you want to review your security metrics and KPIs. Now, this is typically lighter for smaller firms, but definitely for larger firms, you should have very specific KPIs and metrics related to your information security program.
A lot of times that looks like specific uptime. We want to make sure that we have our Internet up so much, not being offline for more than, say, two days, or that our backups, that we can restore everything no farther back than eight hours ago, and that it won't take us any longer than three days to fully restore things, and our communication lines aren't down for more than two hours. Whatever those are, and those should be driven by the business, by leadership, but whatever those are, your information security program is really designed to address all of those and to meet those metrics.
This is really where you're tying it together between management, business operations, and security compliance that the information security program, what we're investing all this time and money to do, is actually being effective. Next area is we'll present any audit findings and assessment results. This is pretty quick.
You just go through. We had a user access audit. Everything was good, or we had a backup audit.
Actually, there were some hiccups. Here's what we did to correct it. Here's what we're doing to make sure that doesn't happen again.
This doesn't need to be somewhere that you go very deep, but you do want to talk about each of them. If management has questions, they're going to let you know, and they'll definitely dive into it. Next section is summarizing stakeholder feedback.
All of that feedback that you're getting, good and bad, about the information security program, about things in the organization, you want to put in here, and what are some things that people have said about certain processes. Things that leadership has said about our form, we would put in there. Leadership really likes the way that this is concise, but allows us to dig in where we need to.
That way, we can do that with other forms. Management didn't like how long it took to restore the mailbox during the incident. Okay, now we're going to perhaps look at new tech or new solutions to be able to shorten that time to be able to get everything restored.
You want to make sure also not to cherry-pick all the good stuff. Really have the good and the bad in here. Honestly, there's not really any bad feedback, it's opportunities, but it just helps build trust and shows leadership that the program's listening, it's evolving, and really working to best support the business and the business needs. If you can show management that the program is meeting the business needs, looking out for the ultimate financial benefit of the company, you're really going to go far with helping to get them on board and helping to keep them involved. Number seven of our template is providing an updated risk assessment.
Anything that we've done, this typically ties into our internal and external issues. Where on our form it differs a little bit is we actually will list all of the risks that we have in our risk register that are coming due for review, and we'll just quickly go through them. We'll also put in any general assessments, kind of high-level overviews, and this is somewhere that we sometimes really start digging in with management, because the risk ultimately can affect the business. It's something they're interested in, and we'll sometimes pull back to those internal and external issues.
Moving on with it, offer recommendations and strategy updates. This is really where we're just our continual improvement. What would we like to do? What should we put into place? How can we make things better? And this is really tying everything together from our risk assessment, from our corrective actions, and where we can show that very defined evidence that the information security program is continually improving, that we're including management, that our risks are actually reviewed and are actionably implemented into our information security program.
The light hamster is falling off the wheel here. I don't know why some of this is so hard to get out, but it also shows all of the change management. That's why this document, this process is so important.
It's showing all of those different things that we need to do. It's tying it together in one document, that is including leadership and showing their direct involvement in them propelling this throughout the company. And in some cases, is really kind of the cornerstone of the information security program being tied to top leadership.
I can't stress enough, this is something you don't want to skip over. It's something you definitely want to do. And if you execute it correctly, it can build a lot of confidence in you and your team with top leadership and help keep them involved and feeling good about this investment, because an information security program is definitely an investment.
Make them feel happy about that investment and that they made the right choice. With all of that said, I will close us out today with reminding you, go ahead and check that description, grab the FTC safeguards rule infographic, follow along, make sure you're doing all of those things. We also have a companion article that goes into a bit more detail about this and also links to all of the different FTC safeguard checklist items.
So if there were any you missed, any that you were having trouble with, definitely dive back in there, real easy to access that information. Can't thank you enough for listening today. Please click that like and subscribe if you enjoyed what you listened to on the show today. And until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.