The CISO's Desk (August 2023)

The Journey to Risk-Informed Compliance

(Stevens Fox, Deputy Chief Information Security Officer - Contributing Author)

Many state agency leaders subject to OCIO 141.10 compliance requirements wonder how to apply risk assessment outcomes to their security practices. Compliance and risk management are essential tools for reducing the impact of threats. Organizations can achieve mission objectives and security by integrating these tools into a holistic framework.

[Photo: State CISO Ralph Johnson]

To operate within a given industry, an organization must adhere to that industry's established rules, standards, and best practices. Compliance requirements exist to mitigate the risks common to a particular sector. For example, Publication 1075 - Tax Information Security Guidelines sets out the Internal Revenue Service's expectations for the protection of Federal Tax Information (FTI).

Agencies that handle FTI are obligated to meet the criteria set forth in Publication 1075 and to undergo an audit against them. While these requirements are built on the security controls in NIST SP 800-53, they are scoped to FTI: they do not address the risks to other types of information an agency holds, such as Protected Health Information (PHI).

Risk management is crucial to identifying and responding to risks not covered by compliance requirements. This involves three steps:

  1. Evaluating the likelihood and impact of various risks through a risk assessment.
  2. Implementing technical and/or administrative mechanisms to reduce risks.
  3. Continuously monitoring the security status of the information system to detect and respond to changes.

The goal is to protect an organization's mission, reputation, and values, not merely to satisfy regulatory requirements. The infamous 2013 Target breach is a prime example: attackers entered Target's network using credentials stolen from a third-party HVAC vendor and compromised roughly 40 million payment card accounts, even though Target had recently passed a PCI DSS audit. Compliance with the card-industry standard did not address the vendor-access risk that actually materialized.

For a culture that prioritizes informed risk management, agencies can implement the following recommendations:

  • Integrate regulatory compliance with risk management. Agencies should recognize that compliance requirements address a known set of risks that can hinder their strategic goals. Framing each compliance obligation as a tactical response to a specific risk makes both the obligation and the risk easier to manage.
  • Implement risk management practices to monitor and respond to emerging risks. Compliance-based controls establish a baseline; agencies should supplement that baseline with proactive measures aimed at the risks the baseline does not cover.
  • Highlight the benefits of risk management in creating value. Risk management can help agencies reduce exposure, capitalize on new opportunities, or improve customer satisfaction.
  • Foster collaboration between compliance and risk management teams. Agencies should ensure that compliance and risk management activities are well-coordinated and transparent across the organization.

In essence, compliance involves adhering to laws and regulations that aim to reduce the risks faced by various organizations in particular sectors. Agencies can employ risk management techniques to customize their security controls based on specific risks. However, making this adjustment requires a change in culture and mentality.

Organizations that integrate risk management and regulatory compliance are better equipped to focus their security investments on the risks that actually affect their operations. To achieve this, agencies must bring both disciplines into a single holistic framework and foster collaboration between their compliance and risk management teams. In doing so, they create value while safeguarding their mission, reputation, and values.

The updated OCIO policy 141.10 is a crucial step towards a more effective risk management approach. WaTech is fully equipped to guide agencies through this transition and ensure a smooth implementation. Together, we can achieve a safer and more secure environment for all.