How to deal with “Digital Assurance”
The Why of Digital Assurance
Implementing and maintaining Digital Security in a digitized ecosystem takes work. Nowadays multiple complex frameworks and models are used to implement Digital Security.
Unfortunately, these frameworks are perceived as complicated to implement and maintain in digitized value chains and platforms. Most companies still use spreadsheets to demonstrate their compliance, and, surprisingly, regulators too use spreadsheets for supervision.
Business at risk
Research has shown that the number of security incidents has increased [1] over the years, as has the financial impact per data breach [1]. Mastering emerging technologies such as big data, Internet of Things [2], Artificial Intelligence, and social media and combating cybercrime [3], while protecting critical business data, requires a team instead of a single IT person [4].
To protect this data, security professionals need to know about the value of information and the impact if it is at risk [4].
In the past [7] IT security controls were implemented to reduce this risk. These controls were based on best practices prescribed by vendors, without a direct link to risks, regulatory requirements, or business objectives [7].
The controls rely on technology, and audits and assessments (in spreadsheets) were used to prove their effectiveness [8]. Working with scattered Excel spreadsheets becomes a risk in its own right in light of upcoming regulatory requirements in the European Union, such as NIS2 and the DORA act, and other legislation (see the notes below).
Unreliable and splintered data across multiple files and systems
Filling in spreadsheets is subject to manipulation [28] because it is not a closed, locked-down cycle. Spreadsheets are stored, sometimes in duplicate versions, on decentralized systems that are sometimes not well protected, making the evidence unreliable. Spreadsheet data cannot always be gathered from the sources, which reduces authenticity and integrity [31].
There is a need for an optimized risk and compliance process
Javid Khan says, “The use of smarter and more intuitive tools and technologies, along with automating processes, will enable organizations to gain the benefits they are seeking, such as real-time alerts, better reporting and bringing all data sources together. In the future, there will be increased demand for this type of technology that can optimize the compliance process, both from a management and maintenance point of view [24]”.
The What: The benefits of centrally managed risk, compliance and privacy controls
A significant amount of documentation and an audit trail is needed for compliance, which can be time-consuming.
What we learned two decades ago in finance, with the MCI WorldCom and Enron scandals, is that documenting financial processes in scattered Excel-based systems is unreliable and not sustainable.
In our experience, a central Information Security Management System (ISMS) is needed. An ISMS is an application that centrally documents all required privacy, risk management, and security control evidence.
Starting in the ’70s and ’80s, the need for systems such as Enterprise Resource Planning (ERP) and dedicated accounting systems that supported accounting regulations became apparent: systems like SAP, Baan, and later on, Exact and AFASOnline.
To reduce the administrative burden
Financial processes require a single version of the truth. The same is now happening in the security space, where tighter regulatory requirements demand a professional level of Administrative Organization and Internal Control (AO/IC).
Specific Governance, Risk, and Compliance (GRC) tools embody ISMS functions but are, for many organizations, overkill. Managing and maintaining a GRC system, especially as a mid-sized company, is complex and becomes a task on its own. This can suffocate the business.
Information Security Management Systems (ISMS) facilitate the entire assurance process. They will become vital for companies that must adhere to regulations like NIS2. In Europe, 160.000 companies must conform to this before 18 October 2024.
The administrative burden these future regulations will bring to any tech-reliant company in the EU (EdTech, InsurTech, FinTech, MedTech, GovTech, etc.) is immense when you do not centrally manage and automate via ISMS tools.
Maintain oversight of your valuable digital assets
ISMS systems automate control testing and can create periodic tasks that need to be executed by operational staff. Centrally documenting the outcomes will make Governance over Digital security and compliance with regulations easier.
As forerunners of this ISMS technology, through Ph.D. research, we invented the “Test Once Comply Many” way of working and incorporated the Return on Security Investment (ROSI) calculation.
This Test Once Comply Many philosophy is already successfully implemented in many organizations, such as NN Group, UWV, and ON2IT. It allows these organizations to maintain oversight over digital assurance and to secure new customers as trustworthy partners.
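The two ideas above, automated control testing with centrally documented outcomes and one test result serving many regulatory requirements, as an added illustration that is not Anove's code or data model. The control and requirement identifiers, the mapping between them, and the test outcomes are constructed placeholders; the hash chain is one way to make the stored evidence tamper-evident, addressing the integrity problem the page raises with spreadsheets.

```python
import hashlib
import json

# Constructed mapping: one control provides evidence for several requirements.
# Identifiers are placeholders, not real article or clause numbers.
CONTROL_MAP = {
    "CTL-ACCESS-REVIEW": ["NIS2-REQ-A", "DORA-REQ-A", "ISO27001-REQ-B"],
    "CTL-BACKUP-RESTORE": ["NIS2-REQ-C", "DORA-REQ-D"],
}

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceLedger:
    """Append-only, hash-chained store of control test outcomes."""

    def __init__(self):
        self.entries = []

    def record(self, control_id: str, passed: bool, evidence: str, tested_at: str) -> str:
        # Each entry commits to the previous digest, so editing or deleting an
        # earlier outcome (the spreadsheet failure mode) breaks the chain.
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"control": control_id, "passed": passed, "evidence": evidence,
                "tested_at": tested_at, "requirements": CONTROL_MAP[control_id],
                "prev": prev}
        digest = _digest(body)
        self.entries.append({**body, "digest": digest})
        return digest

    def verify(self) -> bool:
        """Recompute every digest and link; False if any entry was altered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def compliance_status(self) -> dict:
        """Test once, comply many: the latest outcome per control is
        propagated to every requirement that control is mapped to."""
        status = {}
        for entry in self.entries:  # later tests override earlier ones
            for req in entry["requirements"]:
                status[req] = entry["passed"]
        return status
```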
The How: Protect your business and assure compliance
Anove has been at the forefront of Digital Security since 1996 with the inception of the first security technology in the market.
Currently, they have combined more than 25 years of experience, knowledge, and the latest insights into a new digital assurance technology: Anove. This proven, in-house developed Information Security Management System captures all relevant data you need to protect your business and assure compliance.
Anove is a cure for administrative bureaucracy and at the same time enables your go-to-market. When you suffer from splintered information across multiple tools and systems, complex risk management, unstoppable bureaucracy, and uncontrollable compliance activities, Anove can support you.
Anove aims to simplify and continuously improve its profession and to put action over talking. We provide an aid for digital assurance so you can focus on your business. You can rely on our expertise and experience, as we know:
- How to handle your business risks,
- How to measure your exposure and
- How to ensure you undertake the right actions at the right time with the foreseen effects.
What's next?
Have you become eager to learn more about what digital assurance can mean for your company? Get in contact with us for an informative talk or get a free demo.
References and other information
* The NIS Directive is the first piece of EU-wide legislation on cybersecurity. The Directive on the Security of Network and Information Systems (the NIS Directive) requires member states to be appropriately equipped.
** DORA is designed to consolidate and upgrade ICT risk management requirements throughout the financial services sector, to ensure that all financial system participants are subject to a common set of standards to mitigate ICT risks to their operations. European Commission, the Digital Operational Resilience Act (DORA) for the financial sector and amending.
- Ponemon, "Cost of Data Breach Study: Global Analysis," Ponemon Institute LLC, United States, 2016.
- M. Conti, A. Dehghantanha, K. Franke and S. Watson, "Internet of Things security and forensics: Challenges and opportunities," Future Generation Computer Systems, vol. 78, pp. 544-546, 2018.
- B. Cashell, W. Jackson, M. Jickling and B. Webel, "The Economic Impact of Cyber-Attacks," Congressional Research Service, The Library of Congress, United States, 2004.
- ITGI, Information Risks: Whose Business Are They?, United States: IT Governance Institute, 2005.
- W. Yaokumah and S. Brown, "An Empirical Examination of the Relationship between Information Security / Business Strategic Alignment and Information Security Governance," Journal of Business Systems, Governance and Ethics, vol. 2, no. 9, pp. 50-65, 2014.
- D. Zitting, "Are You Still Auditing in Excel?," Sarbanes Oxley Compliance Journal, 2015. [Online]. Available: http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=4156.
- S. Powell, K. Baker and B. Lawson, "Errors in Operational spreadsheets," Journal of Organizational and End User Computing, vol. 21, no. 3, pp. 24-36, 2009.
- Deloitte, "Spreadsheet Management, Not what you figured," 2009.
- J. Khan, "The need for continuous compliance," pp. 14-15, June 2018.
- Y. Bobbert and T. Papelard, Critical Success Factors for Business Information Security, Antwerp: Dialoog Publishers, 2018.
- D. Hubbard, The Failure of Risk Management, Hoboken, New Jersey: John Wiley & Sons, 2009.
- Y. Bobbert, Improving the Maturity of Business Information Security: On the Design and Engineering of a Business Information Security Administrative tool, Nijmegen: Radboud University, 2018.
- W. Flores, E. Antonsen and M. Ekstedt, "Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture," Computers & Security, vol. 43, pp. 90-110, 2014.
- J. Van Niekerk and R. Von Solms, "Information security culture: A management perspective," Computers & Security (Elsevier), pp. 476-486, 2010.
- C. Seale, Researching Society and Culture, 2nd ed., Sage Publications, ISBN 978-0-7619-4197-2, 2004.