Blog

Big Data in Auditing and Analytics

ZenGRC Team · March 20, 2019 ·

As organizations seek to evolve their risk management strategies to drive stronger compliance programs, they increasingly seek to automate their compliance documentation. In cybersecurity, however, traditional data collection methods fail since cybercriminals continuously evolve their threat methodologies. Since point-in-time documentation and audits no longer provide assurance over information security controls, organizations seeking to scale now use internal audit data analytics to mature their programs.

Big Data in Auditing

What is Big Data?

Big data relies on volume, velocity, and variety. To integrate big data and analytics into an audit program, you need to have a large amount of data filtering in from a wide variety of locations in real-time. When aggregating information, it be structured data, as in a table, or unstructured data, such as text, images, or binary programming.

How Data Analysis Uses Big Data

The data sets provide large amounts of information. However, without data analytics, the information remains meaningless. Data analysis can be either predictive or prescriptive.

Predictive analytics use modeling, machine learning, and data mining to take a “best guess” about what will happen next. For example, organizations can use predictive analytics to strengthen their operational business risks analysis.

Prescriptive analytics enable the organization to prioritize actions and make decisions. For example, a company can use prescriptive analytics to identify financial reporting controls that need to be strengthened first.

Using these analytical procedures, organizations can better assess risk and prioritize mitigation strategies.

What Are Audit Data Analytics?

The internal audit process requires documentation to support the American Institute of Certified Public Accountants (AICPA) auditing standards.

For example, an organization that needs to maintain compliance with the Sarbanes-Oxley Act of 2002 (SOX) needs to provide their external auditors with audit evidence supporting its ability to maintain effective financial reporting controls. However, since organizations use a variety of integrated Software-as-a-Service (SaaS) platforms, SOX compliance also requires cybersecurity continuous monitoring over the environment and continuous documentation to prove governance.

All of these tools are ways that companies strengthen the quality of their audit evidence.

How Big Data For Audit Evidence Changes Professional Skepticism

Professional skepticism is the foundation of audit quality. The traditional audit approach relied on auditors bringing personal experience to review a company’s policies, processes, and procedures. However, as companies adopt automation, the traditional approach which focused on manual operations and relationships to input and output change.

To maintain their professional skepticism, auditors need to create new audit procedures. For example, automated systems using artificial intelligence and machine learning produce different documentation. They provide continuous monitoring to detect fraud which can ease a financial statements review.

Although this new documentation enables better audit quality, it also means that audit firms need to understand how and from where the automated system collects data.

Why Audit Firms Need Data Scientists

To maintain audit quality, audit firms need to focus on retaining teams who can analyze the way that a company uses automated systems.

A primary problem with automation lies in its cybersecurity risk. Internal or external actors can compromise audit documentation integrity, availability, and confidentiality. Unauthorized access to audit data can lead to malicious actors deleting or changing the information necessary for a relevant audit.

For example, a malicious internal actor may use privileged access to change financial statements to hide embezzlement. If external auditors simply review the financial statements against the general ledgers, the fraud may go unnoticed because both are automated and the malicious actor will have compromised both.

Therefore, audit firms need to focus not just on the documentation presented by the client but also on the controls maintained over access and use.

How Companies Can Protect Themselves in the Big Data Era

In an era of Big Data and automation, companies need to understand the technology they use that enables their audit outcomes.

Maintaining a strong cybersecurity program enables the company to protect itself from fraud while also reinforcing its continuous monitoring and continuous assurance programs.

To promote quality audit documentation, the organization needs to ensure effective controls over:

Change Configurations: immediately change vendor provided configurations so that no users outside the organization can obtain access
Network security: ensure that no malicious actors can infiltrate systems and software to change the documentation.
User Access: reviewing user access to data and ensuring “least privilege necessary” with attribute-based access control monitors who has the ability to compromise the audit by changing data
Privileged Access Management: monitoring privileged users, especially escalated privileges, provides visibility over data access

While these are only a few ways that a company can control its audit data integrity, they highlight some of the primary risks involved with Big Data analytics in an audit.

Why Cybersecurity Enables Audit Quality

Although most organizations view cybersecurity as a way to protect themselves from costly data breaches, they need to also focus on the business processes that their technologies enable.

While organizations need to incorporate automation as part of their audit processes, they also need to understand how the technology works and protect their data integrity. Audit firms recognize the need to review automated system inputs and outputs. Therefore, they will increasingly be including these reviews as part of their audits.

A strong cybersecurity posture becomes the only way that companies can maintain audit quality while also easing the audit process.

How ZenGRC Enables Big Data in Auditing

ZenGRC makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.

For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Higher Education Security Breaches To Learn From

Libby Bevin · March 14, 2019 ·

Higher education finds itself facing a threat to its financial security even larger than student retention – data breaches. As colleges and universities begin to adopt mobile technologies, they also find themselves increasingly targeted by malicious actors. Understanding the recent security breaches impacting the industry can educate institutions about information security.

Security Breaches in Higher Education

How Multifactor Authentication Protects Admissions Data

On March 7, 2019, cybercriminals accessed admissions information from three colleges – Grinnell, Hamilton, and Oberlin. After obtaining access to the information, they sent applicants emails holding the nonpublic personally identifiable information, such as birth date, hostage.

The unauthorized access traced back to Slate, a software system that many institutions of higher education use to manage applicant data. The Software-as-a-Service platform, used by over 800 colleges worldwide, transmits emails, texts, and new applications. Slate explained that the breach arose from unauthorized users accessing the colleges’ password-reset systems.

A lack of multifactor authentication for single-sign-on systems allowed the cybercriminals access to the platform.

More than merely a hassle over needing to notify students whose data may have been breached, the cyber attack could put the colleges’ student enrollment at risk. Students worried about data protection and control may choose to attend institutions of higher education who have stronger cybersecurity practices.

Why Protecting Email Matters

On February 27, 2019, Florida Keys Community College announced a data breach arising from unauthorized access to employee email that occurred between May 5, 2018, and November 5, 2018. On October 19, the college discovered suspicious activity. On January 7, 2019, the college confirmed the identities of the people whose data had been compromised. The nonpublic personally identifiable information included name, address, date of birth, Social Security number, passport information, medical information, username, and password.

According to the 2018 Ponemon Cost of a Data Breach Report, the Mean Time to Identify a breach was 197 days, and the Mean Time To Contain was 69 days. Based on the timing above, Florida Keys Community College fared better than some. It took 167 days to identify the suspicious activity and 7 days to contain.

In grading terms, Florida Keys Community College earns a C+ for identification and an A- for incident response.

However, given the information obtained from cybercriminals, students, faculty, and staff may not be comforted by this. Depending on the number of email accounts accessed, the cyber attackers could have used vulnerabilities in the domain and IP configurations, SMTP authentication controls, number of connections to servers, or a variety of other network security issues.

How Vendor Risk Management Protects Student Records

According to the Stanford Daily, a student on campus found a vulnerability in the third-party content management system, NolijWeb, that allowed Standford applicants to access their Common Application forms. In 2015, NolijWeb began offering students access to their files. However, the system used student identification numbers as part of the records’ URL, meaning that anyone could access information by changing a few characters.

Stanford immediately disabled access to the application and suspended online access to the application documents which are protected by the Family Educational Rights and Privacy Act (FERPA).

Since a user needed an authenticated student login to access the site, the regular audits gave the vendor a clean record. However, this also means neither Stanford nor NolijWeb knew how long the vulnerability existed.

However, this is not the first data breach Stanford suffered in recent years. In 2017, a permissions error in the University-wide file sharing system led any Andrew File System (AFS) users to access sexual assault case preparation files. A month later, a vulnerability in the Graduate School of Business site leaked employee information.

All of these data breaches focus on permissions issues and vulnerabilities inherent in third-party vendors.

Four Steps to Securing Higher Education Data

Identify Risk

All of these breaches began with data storage, transmission, and collection points often overlooked in risk review processes. Colleges and universities know they handle sensitive data. However, increased use of Software-as-a-Solution enablements, whether new vendors or updated legacy systems, transform traditional data into electronic information.

Stanford, for example, had been using NolijWeb for scanned documents since 2009, 6 years before the application allowed students web access to the records. Therefore, the vulnerability may have been a part of the update process or new.

Thus, institutions of higher education need to focus more purposefully on identifying all locations that store, transmit, and collect data. Whether using a new integration or an updated legacy provider, colleges and universities need to be more engaged in the risk identification process.

Secure Networks

Higher education incorporates a variety of networks, creating a complex architecture. Library domains, email servers, and guest wireless connections are only a few of these potentially risky networks.

As more students access data via mobile devices, which often lead to man-in-the-middle attacks, colleges and universities need to be more diligent in establishing controls over those networks to protect data.

Focus on User Access and Authentication

Unlike other industries, higher education experiences annual user turnover. Upon graduation, students should no longer be allowed access to systems, software, and networks. Although alumni often love their alma maters, graduates create access and authentication risks.

Moreover, colleges and universities need to be diligent about enforcing multifactor authentication. A lost smartphone or a laptop left open in the library can lead to unauthorized access. Therefore, whether students and faculty like it or not, higher education needs to be more diligent about protecting access by incorporating additional controls.

Monitor Vendor Risk

In the same way that colleges and universities expect incoming first years to prove academic proficiency, they also need to ensure their vendors prove security proficiency.

After identifying risk, institutions need to make sure that they assess and analyze the risk that third parties pose to information. Any SaaS provider that stores, transmits, or collects student, faculty, and staff information needs to align their security controls with the institution’s risk tolerance. Service-level agreements between the institution and its vendor need to document acceptable controls as well as a consequence for failing to maintain control effectiveness.

How ZenGRC Enables Higher Education

Institutions need an automated process for organizing their security reviews.

With ZenGRC’s task prioritization, everyone knows what to do and when to do it, ensuring efficient review the “to do” lists and “completed tasks” lists.

With our workflow tagging, CISOs can assign tasks to the individuals responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.

Finally, with our audit trail capabilities, institutions can document remediation activities to prove that they maintained data confidentiality, integrity, and availability to protect student privacy.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Student Data Privacy Laws by State

Libby Bevin · March 12, 2019 ·

Most educators know about the federal student data privacy laws such as the Family Educational Rights and Privacy Act (FERPA) administered by the US Department of Education. However, modern schools increasingly adopt new technologies such as cloud service providers for managing everything from homework assignments in Google Drive to education data in records management data systems. In higher education, protecting student privacy rights may not only require knowing the federal law but also the applicable state privacy laws.

Student Data Privacy Law

What are the primary federal privacy protection laws?

FERPA protects the privacy of student education records. The law determines that parents have certain rights to their children’s student records while children are under age 18 or in a K-12 environment. Once the rights transfer to the student upon entrance to an institution of higher education, the student is considered an “eligible student” and becomes the custodian of their information.

Under FERPA, parents or eligible students may review education records and have the right to request corrections to records. Schools must have written permission to disclose the information except in certain conditions, such as providing it to schools to which a student is transferring, complying with a judicial order, or sharing with school officials who have a legitimate educational interest.

Nonpublic, personally identifiable information may be disclosed without consent in a directory. This authorized disclosure includes information such as birth date, place of birth, address, telephone number, honors and awards, and dates of attendance. However, the school must notify parents and eligible students, providing them the opportunity to opt out.

What are some critical state privacy laws?

To protect student information, several state legislatures have enacted their own laws governing data security. Some of these state laws impact higher education institutions outside the original state since they protect the students and the rights travel with them.

California

The California Consumer Privacy Act of 2018 (CCPA) established restrictions governing company use of consumer data. In higher education, this impacts educational companies collecting student information. Even more restrictive, the law protects residents. Therefore, if a student lists California as their primary state of residence, educational institutions outside of California need to ensure that their service providers maintain data privacy under the law.

Connecticut

In 2018, Connecticut established a working group to review student device privacy regarding search and seizure and the potential impact of social media posts that could signal student mental health issues. Although the working group focused on public education, the discussions could also lead to data privacy concerns for higher education institutions. The working group also noted that applications that schools use to enable student educational opportunities need to incorporate privacy policies. To the extent that future mandates are informed by the current working group, higher education may need to review the applications they use for student records.

Iowa

Although specifically focused on public school districts and students in kindergarten through high school, the 2018 Iowa bill established additional third-party governance requirements over applications. Public schools need to ensure that their third-party vendors protect student nonpublic information. Although limited in nature, the bill heralds a potential future compliance risk for higher education should the state decide to expand protects in the future.

Rhode Island

This 2014 privacy legislation focused on online services. To protect student data, the law limits data and information that cloud services obtain when providing services for K-12 institutions.

Oklahoma

The 2013 Student Data Accessibility, Transparency and Accountability Act focused on state data collection, mandating a statewide student data security plan. Moreover, the Act set specifications for individual student data that institutions collect and use.

What Data Security Impact Do These Laws Have?

In education, the privacy of student personal information incorporates not only giving students and parents control over information but ensuring data governance controls remain effective.

According to the Data Quality Campaign, more than 120 bills were introduced or passed in 2016 to help enforce data privacy. With the exception of the CCPA, most laws that protect students’ right to privacy focus on the public education K-12 sector. Although many institutions of higher education may feel that they do not need to align their controls with these laws, they need to consider the future of data governance.

Data security is a fundamental aspect of data privacy. While students and parents should have control over information disclosed, they also need assurance that institutions keep the data secure. A data breach, particularly one arising from a cloud service provider, can lead to unauthorized disclosure.

Thus, institutions of higher education need to ensure that they have appropriate vendor monitoring programs in place. These include establishing risk assessments, risk analyses, security policies, and service level agreements.

What Higher Education Needs to Know About Managing Vendor Risk

As higher education moves towards adopting more cloud service providers, it needs to look at how it manages data and cybersecurity risk.

Software-as-a-Service (SaaS) providers who help maintain student records leave nonpublic information at risk. Whether used by the registrar or financial aid office, the platform accesses student information such as birth date, social security number, and address. A data breach arising from one of these services can lead to identity theft.

Moreover, even shared drives that use the institutions’ networks can leave data at risk. Network security, in an increasingly connected world, means engaging in continuous monitoring over firewalls and email gateways.

How ZenGRC Enables Higher Education

Institutions need an automated process for tracking and documenting security reviews.

ZenGRC allows instituions of higher education to prioritize tasks so that everyone knows what to do and when to do it enabling more rapid reviews of the “to do” lists and “completed tasks” lists.

With our workflow tagging, users can assign tasks to the individuals responsible for the activities involved in vendor risk assessment, risk analysis, and risk mitigation.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Understanding the CCPA Compliance Requirements

ZenGRC Team · March 5, 2019 ·

The California Consumer Privacy Act of 2018 (CCPA) is the United States’ most comprehensive and stringent data privacy law.

Enacted in June 2018 and amended the following September, it gives Californians unprecedented powers to view, restrict the use of, and delete the data that for-profit companies collect about them. It also gives them the right to sue (the so-called “private right of action”) if a data breach results in the compromise of their information.

We provide a summary of the law in this post, but if you want complete details, check out our CCPA Compliance Guide.

What is the Reason for This California Law?

Unlike the European Union, which has the General Data Protection Regulation (GDPR), the United States lacks a cohesive set of data privacy requirements. Recognizing that the internet has increased privacy concerns, Californians for Consumer Privacy, a non-government organization, sent its suggestions for new consumer rights to privacy protection to the California Attorney General in November 2017.

The initiative led to the adoption of the CCPA, which intends to protect consumer data compromised as the result of a data breach. In June 2018, the California Legislature passed the bill. On September 23, 2018, Governor Jerry Brown signed amendments to the California Civil Code enforcing the measure.

While focusing in part on data security, this privacy law focuses less on networks, software, and systems and more on giving consumers control over data collection.

Does Your Business Need to Comply?

The CCPA applies to many companies doing business in the state of California as well as those outside the state who collect California consumers’ personal information. To fall under the CCPA’s regulatory umbrella, a business must meet one of any three requirements:

Generates annual gross revenues of more than $25 million
Receives or shares personal information of more than 50,000 California residents per year
Earn at least 50 percent of its annual revenue from selling California residents’ personal information.

Non-profits and companies that do not meet any of these conditions are exempt.

What are the Penalties for Non-compliance?

Penalties for non-compliance can be harsh.

Since the CCPA is incorporated under the California Civil Code, businesses will be subject to lawsuits for data security breaches that improperly disclose consumer information. Statutory damages can be $100-$750 per California resident and incident, actual damages (if they are greater), or any other relief that the court determines.

Moreover, any intention violation can be fined up to $7,500 while unintentional violations can incur a fine of up to $2,500.

What are the Categories of Personal Information?

The California Consumer Privacy Act (CCPA) has a broad definition of personal information. In the interest of data privacy, the CCPA broadly defines “personal information” as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The CCPA’s Categories of Consumer Information include

Identifiers: real names, alias, postal address, unique personal identifier, online identifier, Internet Protocol address (IP address), email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
Commercial information such as records of personal property; products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
Biometric data such as fingerprints, face recognition, retina or iris information, hand patterns, height, weight, and eye color
Internets or other electronic network activity information such as browsing history, search history, and information regarding the data owner’s interaction with a website, application, or advertisement
Geolocation data
Audio, electronic, visual, thermal, olfactory, or similar information
Professional or employment-related information
Education information that is not publicly available
Inferences are drawn from any of the information identified here to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

What Personal Information Must Be Provided Upon Request?

The CCPA requires businesses to provide, upon consumer request, the types of personal information it collects.

As part of this, businesses collecting identifiable information from California residents will need to provide at minimum a toll-free telephone number and website where people can request their information. Companies must disclose and deliver the information within 45 days of the request.

What is the Right to Know About Sold or Disclosed Personal Information?

If a business sells consumer information or discloses it to a vendor, the consumer can request the categories of information involved. However, it doesn’t stop there. Companies need to provide the categories of third parties to which it has provided the information, and identities and contact information of those third parties, as well.

The business must also provide commercial purposes for the disclosure or sale, or explain that no business purpose exists.

How to Comply with the ‘Right-to-Know’ and Disclosure Requirements?

Businesses must verify each customer access request, which means linking information the consumer provides to personal information the business has collected. For each verified request, they must identify the category or categories of information collected for the preceding 12 months.

If the business sold or disclosed information about the consumer, it must also provide names and contact numbers for the third party and the categories of information sold or disclosed to the third party for the preceding 12 months.

What is the Right to Say ‘No’ to the Sale of Personal Information?

Also called the “right to opt-out,” businesses that sell personal data must provide data subjects the option of saying “no” to the sale of their information.

How to Comply with the Right to ‘Opt-out’

The first step to compliance is a “clear and conspicuous link” on the homepage that says “Do Not Sell My Personal Information.” Although the law indicates that businesses don’t need to have this link on their homepage, it also specifies that businesses choosing not to incorporate the link need to maintain a second website just for California residents.

On the page, businesses need to outline their privacy policies and California-specific descriptions of rights. Moreover, the “Do Not Sell” page must clearly link to a California specific page detailing consumer privacy rights and opt-outs for the CCPA.

How ZenGRC Eases CCPA Compliance

CCPA compliance requires documentation collection, storage, and retrieval. And with more people interacting with vendors that interact with consumer data, and with employees monitoring consumer requests, CCPA compliance will require more communication internally and externally.

ZenGRC’s workflow tagging feature allows you to delegate tasks and follow their progress to ensure access requests get followed through to completion within the CCPA’s 45-day deadline. You can also review workflows to mitigate cyber risks and review controls within the organization necessary for maintaining opt-out and opt-in information.

If your enterprise uses ServiceNow for workflow management, ZenGRC has a connector to that solution that enables two-way communications, making it easier to comply with the CCPA and a host of other regulations, standards, and frameworks. Our integration connect ZenGRC with ServiceNow and a plethora of other popular business applications, and even allows you to program in your own.

At audit time, ZenGRC allows unlimited, in-a-few-clicks self-audits and has all your documentation ready for retrieval in our “Single Source of Truth” repository.
Isn’t it time to join the 21st century, and automate your CCPA compliance? Contact us for your free consultation, and embark on a compliance journey that’s worry-free with ZenGRC.

Understanding the Types of Risk in the Oil & Gas Industry

ZenGRC Team · February 28, 2019 ·

Defined as critical infrastructure, the oil & gas industry increasingly faces cybersecurity risks as nation-state cybercriminals attempt to undermine other countries. The integration of information technology (IT) systems into operational technologies (OT) creates a unique threat to the oil and gas industry that places both the companies and the public at risk.

Biggest Risks Facing Oil & Gas Companies

What risk do Operational Technologies pose?

The oil and gas industry suffers from outdated operational technology that makes securing it difficult. The most recent industry report from Ponemon, now theoretically outdated because it released in 2017, indicated that

59% felt operations technology was at higher risk than information technology.
68% had operations with at least one security compromise.
46% of operational technology cyber attacks remain undetected.

These numbers indicate a variety of problems endemic in the industry. First, monitoring IT environments protects data, but it does not keep gas companies from the risks inherent in their operations. Second, while more than 2/3 of companies found at least one compromise, nearly half of compromises remained undetected which means that the number far exceeds that already frightening 68%.

What risks are unique to OT?

Whether as a software or hardware, OT monitors or controls physical processes. However, OT is costly and deeply integrated into a company’s infrastructure.
The industrial controllers, such as programmable logic controllers (PLC), distributed control systems (DCS), and supervisory control and data acquisition (SCADA) systems, come with a longer lifecycle. While enterprise IT comes with a lifetime of last three to five years, OT often comes with a fifteen to twenty year lifetime.

In cybersecurity, IT risks can change at the blink of an eye making the controls outdated. Often, enterprises replace these frequently to keep them as secure as possible. However, with the longer expected lifespan of OT, which directly correlates to the costs incurred, these types of updates are not possible.

Therefore, the primary unique risk for OT comes from how gas companies and others use them and intend to use them.

What risks arise from the Internet of Things?

To monitor OT, more companies within the oil and gas industry rely on the Internet of Things (IoT) to gather data. These sensors, cameras, and embedded analytics systems connect the OT environment with the IT environment.

For example, a natural gas company may need to monitor pressure in the OT environment. The IoT monitors the SCADA system’s ability to control the pressure. Then the IoT informs business leadership or external parties who need to provide oversight.

However, enterprise IT networks that interact with OT networks can lead to cyber risk. Most companies struggle with securing their data environments, and those in the oil and gas industry are no different. Thus, anywhere that the IT networks interact with the OT networks as a result of increased IoT use can lead to a security issue.

Where do workforce members increase cyber risk?

While all industries suffer from employee cyber awareness issues, the oil and gas industry’s importance to economic and social stability means that a single careless employee can undermine the entire country.

While this can sound dramatic, a successful social engineering attack against a traditional enterprise leads to financial, reputation, and compliance costs. However, for a member of the oil and gas industry, a successful social engineering attack can dismantle the critical infrastructure.

An employee idly clicking through to a website in a phishing email enables access to their user ID and password. With this information, a cybercriminal can gain access to all networks, including segregated or secured ones, upon which the employee is authorized. Thus, even segregating the IT and OT networks may not be enough protection is a cybercriminal can obtain the login information.

Why the oil and gas industry needs to engage more cybersecurity professionals

All sectors face a shortage of information security professionals. However, while traditional enterprise IT security remains a continually moving target, it lacks much of the criticality and complexity as security within the oil and gas industry. The overlap between OT and IT means that the industry needs security professionals who can navigate both environments.

As a niche within a niche, cybersecurity professionals with critical infrastructure experience are limited within an already limited hiring pool. Thus, if oil and gas companies can find someone to manage their unique risks, they need to find a way to optimize the staff’s time. If they need to hire two different people to coordinate across the differing environments, then the companies need to find a way to ease communications.

How to engage the Board of Directors for incorporating cyber risk oversight

News outlets and the public often focus on the environmental risk that the oil and gas industry poses. Thus, many companies choose their Board of Directors based on engineering and financial expertise. Although they understand the importance of cybersecurity, they may struggle to quantify the way cybersecurity risks impact the chemical, environmental, and industrial engineering risks that lead to financial loss.
Thus, the risk management process and the Board’s program oversight lead to another overarching risk within the oil and gas industry.

How to mitigate the cybersecurity risks in the oil and gas industry

Mitigating the cybersecurity risks plaguing the oil and gas industry begins the same way other risk management programs start – with conversations.

These interdepartmental conversations need to determine the physical assets and data assets that pose a risk. Enterprise risk mitigation traditionally focuses on software, network architecture, and devices required for business operations. The oil and gas industry, however, adds a second layer of network infrastructure to support monitoring the OT environment. Thus, locating all the points of network risk becomes more complicated.

Looking to mitigate these risks, companies employing a security first approach still face complex issues. In many cases, the oil and gas companies need to segregate their OT networks and keep the IT infrastructure data from migrating to the OT infrastructure. To ensure this, they need to engage in vendor risk management processes and procedures as well as enforce their patch management processes.
Finally, as critical infrastructure, companies also must align controls with increasingly burdensome regulatory requirements and industry standards.

How ZenGRC Enables Risk Management for the Oil and Gas Industry

Oil and gas companies struggle to maintain effective risk management programs, needing an efficient workflow tool to coordinate communication and task management across internal and external stakeholders.

ZenGRC enables companies to prioritize tasks, from alerts to vendor reviews, so that everyone knows what to do and when to do it. This eases the burden of records retention and audit preparation.

With our workflow tagging, a cybersecurity professional in the oil and gas industry can assign roles and tasks to the responsible individuals, enabling stronger review over the activities involved in cyber risk management.

Finally, with our audit trail capabilities, companies can document corrective actions and response activities to prove that they maintained cybersecurity by continuously monitoring the myriad of threat vectors.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.