
Documenting & Implementing a Cybersecurity Compliance Program

01.24.19 written by

Click this link for the full article published in MD News Cleveland/Akron/Canton Edition, November/December 2018

Documenting and Implementing a Cybersecurity Compliance Program

This article concludes my series on Cybersecurity, taking what I’ve discussed over the previous five articles on Cybersecurity and turning it into an effective Cybersecurity Compliance Program. There are seven primary parts to a Program.

  1. Understanding the Applicable Laws. You need to understand the laws that apply to your business in order to have a baseline of components to your Program.
  2. Conducting a Risk Assessment. A risk assessment gathers and analyzes the existing compliance efforts as well as gaps or areas for improvement in the Program.
  3. Action Plan. Once you have conducted a risk assessment, an effective action plan prioritizes the gaps and risks that affect your ability to comply with applicable laws, along with best practices that go beyond mere compliance, and turns them into concrete steps and a timeline for implementing improvements to the Program.
  4. Document Changes to the Program. As you work through and complete the action plan, documenting the changes made to the Program is key. My advice is not to wait until you have completed the steps in the action plan to begin documenting what has changed. Document as you work through the action plan so that the documentation is less at risk of omitting actions taken.
  5. Communicate and Train. Your Program is ineffective if you simply make changes and then throw it into a drawer. The audience (employees, officers, directors and contractors) should be made aware of the changes to the Program. Depending on your business or practice, there may not be one-size-fits-all training. You need to analyze the functions of the business and determine the level and content of the training.
  6. Evaluate Effectiveness. Seeking feedback from the target audience of the Program is important to understand whether the changes that the Program has undergone are understandable and whether the target audience is able to comply with the updated Program.
  7. Rinse and Repeat. These steps should be repeated each time a new applicable law is enacted or an existing one changes. If there have not been any changes during the previous year, it is advisable to have a regularly scheduled review of applicable laws, followed by a risk assessment and so on, to ensure that the Program is kept relevant and up to date. Even if there have been no changes to the business or the applicable laws, you should plan to reinforce the Program on a regular basis through communication and training.

NOTE: This general summary of the law should not be used to solve individual problems since slight changes in the fact situation may require a material variance in the applicable legal advice.

Allison E. Cole is an attorney with the law firm of Krugliak, Wilkins, Griffiths & Dougherty Co., L.P.A. in Canton, Ohio.