To guarantee the security of your organization, you need to be fully aware of current regulatory compliance. This is why regulatory monitoring of information systems security is one of the main missions and obligations of CISOs. With a structured watch, you can easily keep abreast of changes in practices, standards and laws governing your organization's cybersecurity. Project management, identification of policies, document updates, dissemination of relevant information, impact analysis... there are so many subjects to coordinate behind the notion of regulatory and standards monitoring. So how do you set up an SSI regulatory watch without getting overwhelmed? In this article, we share our thoughts and answers with you.

What is a regulatory and standards watch?

Before getting to the heart of the matter, let's take a look at the definition of regulatory watch, and how it differs from standards (normative) watch.

Regulatory monitoring, essential for compliance with the rules of the game

By definition, regulatory watch means keeping abreast of the legislation applicable to your industry, as well as monitoring the evolution of texts and obligations. Knowing the legislative framework dedicated to information systems security enables you to implement the actions needed to guarantee the IS compliance to which your organization is subject. This monitoring of the regulatory environment is essential for CISOs and their teams to discover new laws, decrees or regulations, analyze their impact and adapt the organization's IS security policy accordingly. Whatever the size, type of activity or geographical sector of an organization, regulatory monitoring is an integral part of risk management. It may also be mandatory for regulated sectors, or during compliance audits.

Standards monitoring, to go further in IS security guarantees

Standards watch, on the other hand, identifies the standards in force with which your organization must comply. Like regulatory watch, this is a continuous and iterative activity, aimed at actively monitoring your organization's environment. Whether international, European, national or sector-specific, standards are a guarantee of quality, and compliance with them is a prerequisite for certification. Let's take a concrete example: if your company hosts or operates healthcare data in France, it is obliged to use HDS-certified hosting (Hébergeur de Données de Santé, the healthcare data hosting certification).

How to structure an effective SSI regulatory watch?

To keep abreast of regulatory developments and ensure your company's security remains compliant, it is essential for CISOs to structure their SSI regulatory watch effectively, so as not to be subjected to change, but to anticipate it as effectively as possible.

Define the monitoring strategy to be aligned with the objective

The first step in setting up an SSI regulatory and standards watch project is to align all project stakeholders on a common objective. As previously mentioned, the purpose of the monitoring is to identify your legal and standards obligations, so that you can validate your compliance. If necessary, a corrective action plan will be put in place. But monitoring is more than just compiling documents! It leads to strategic decisions for your organization.

To define your monitoring strategy, you need to answer the following questions:

  • What is the impact on business teams within the organization?
  • What is the investment required and the expected return on investment?
  • What human and material resources will be mobilized?

The monitoring approach is part of the concept of knowledge capitalization and information management, and is one of the components of an organization's economic intelligence. SSI regulatory and standards monitoring is a fundamental element of corporate strategy. It enables you to secure your business by ensuring compliance with current standards and legislation. This is why the definition of the framework, responsibilities and resources, as well as the frequency of monitoring, are all key elements to be defined from the outset.

Define the scope of regulatory and standards monitoring to manage risks

This involves identifying the documents and information to which your company must refer: laws, decrees, standards, government reports, etc. Each company or organization has its own regulatory watch framework, and will "pick and choose" from the legislation in force according to:

  • Geographical area: What laws apply locally and/or nationally? Are you subject to European and international regulations? What foreign legislation do you have to apply?
  • Business sector: Are you involved in regulated activities (e.g. healthcare or banking)?
  • Quality guarantees: What certifications does your organization wish to hold or maintain (ISO 27001 certification, for example)? What are the organization's internal security policies (ISSP, disaster recovery plan, business continuity plan...)?

Monitoring sources to anticipate developments

Once you have completed your policy on information systems security regulations and standards, you will be in a position to keep abreast of new legislation. What impact will a forthcoming legislative text have on your organization? What new actions will you need to take when the European Commission adopts the NIS V2.0 directive?

Keeping abreast of these developments will enable you to monitor the impact of new legislative risks on your business, and get a head start on compliance.

Use data to implement corrective actions

This watch enables you to define and characterize the compliance requirements for securing your organization's IS. These requirements can be grouped into categories and sub-categories to facilitate risk management. Let's take the example of ISO 27001, which sets out the framework for information security management within an organization. This international standard is broken down into 252 requirements grouped into 6 process families. It should be noted that the same requirement may be derived from different regulatory or standard texts. In this case, you can draw up your own policy of requirements to be met.

Meeting all these criteria can prove complex if your organization relies on obsolete IT systems that are nonetheless vital to the smooth running of your business, as is often the case in the healthcare or energy sectors. That's why identifying new requirements, or modifications to existing ones, enables you to analyze the corrective actions you need to take, using a risk-based approach. What is the impact of not meeting a requirement? What would be the financial cost of non-compliance? Depending on the answers, an appropriate action plan is drawn up. Your objective remains your organization's SSI compliance.

Disseminate information to facilitate decision-making

Providing the right information, at the right time, to the right person is the winning triptych for facilitating decision-making. There are many ways to share your SSI watch, depending on the purpose you wish to achieve with your recipients: newsletter, summary note, analysis, access platform to complete documentation. When deciding on the frequency of distribution, keep in mind these two questions: for whom are you sending the information, and what use can they make of it?

Provide your management committee and decision-makers with a strategic view of the threats and opportunities posed by changes in legislation and standards. Prefer short formats such as strategy notes accompanied by an analysis.

Also distribute a summary of your monitoring to your sales and marketing departments. They will then be able to use the certifications and conformities as a basis for their sales pitch. They'll be able to promote these assets and guarantees of confidence to your organization's customers, prospects and partners.

The R&D team, for their part, will use your intelligence to anticipate changes in their product roadmap. Give them access to the complete information if they wish, via a knowledge management platform for example.

The CISO's mission is to disseminate useful and relevant information to his or her various contacts, in order to inform their decision-making. And in the eyes of your employees, you'll be a facilitator!

5 best practices for effective IT security monitoring

  1. Put a pilot in the plane

By reading this article, you'll understand that setting up an SSI regulatory and standards watch project is a complex and strategic undertaking for your organization. Designate a member of your team to be responsible for monitoring. He or she will be able to call on external service providers who are experts in this field, for some or all of the work.

  2. Translate legal jargon

Keeping an eye on SSI regulations and standards doesn't mean piling on more and more complex texts. Make texts intelligible by modeling them in terms of compliance requirements. With "intelligible" language, you make it easier to understand threats and opportunities.

  3. Update regularly

It's essential to establish a frequency for updating your watch. By regularly monitoring developments, you'll be better equipped to take corrective action. Don't let yourself be overwhelmed.

  4. Define your perimeter correctly

With the proliferation of regulatory texts and security requirements, it's essential to define which texts are strictly applicable and/or necessary. In this way, you can avoid being overwhelmed by a multitude of information that doesn't concern you.

  5. Stop believing you can do it alone

Defining the texts in your policy, translating them into requirements, managing updates and deducing the consequences for your company's compliance... It's not something you can improvise! Depending on your constraints, your resources, your budget and the time you have to allocate to this mission, you can rely in part or in whole on external service providers who are experts in the field. You'll gain peace of mind and free up time for your other missions.

Keeping up to date with the regulations and standards that apply to your organization is vital to the smooth running of your business. Keeping abreast of regulations is a key factor in controlling risks and correcting non-compliance. Modeling requirements and keeping them up to date is time-consuming and complex. Let the experts help you!