If you’ve been following any of our recent webinars or in-person presentations, you’ve heard us talk a lot about shifting the mindset from a focus on compliance to a risk-first approach. We’ve discussed that the best way to do this is to align your risk management program to specific outcomes, where compliance becomes a subset of your risk management program. But what does that mean specifically? And what are some examples of how this can be done?
What is a Cyber Assurance Program?
The Reciprocity® ROAR Platform is built on the foundation of connecting risk to your business outcomes. That context keeps everyone aligned and, in a way, provides a common language for everyone to communicate risk from risk managers all the way up to the Board.
We do this through the use of Cyber Assurance Programs, which provide an easy way to hone the focus of your organization to something relevant. These programs are based on your organization’s specific, desired business outcomes and can ensure that the organization remains focused on its specific goals, and that you’re able to report on risk in a way that connects to these business goals.
How to Get Started with Cyber Assurance Programs?
As part of our push to encourage you to shift your thinking to business outcomes, Reciprocity has put together a collection of example Cyber Assurance Programs that represent a set of common goals that will apply to many organizations. These programs are also intended to give you an example of some of the benefits of this more focused approach.
We will be continually releasing new functionality in the Reciprocity ROAR Platform that will not only support this changing approach, but will enhance the example programs that we’ve built. The six programs listed below are currently available in the Reciprocity Community but below, I’ve provided a brief description of the program and who can benefit.
Use the templates in the Community to build these programs in your instance of ROAR and then ask yourself:
- “What other opportunities are there for me to build Cyber Assurance Programs specific to my organization?”
- “Could I look at building programs around specific products that my organization markets?”
- “Could I consider aligning my programs based on data classification?”
The possibilities are endless and provided they are aligned to specific goals in your organization, they’ll give you the ability to provide more meaningful insight and context into all of your risk management activities.
Reciprocity ROAR Platform Cyber Assurance Program Examples
Cloud Assurance Program
This program provides an approach to managing specific cloud environments across multiple frameworks like SOC 2, ISO 27001, PCI and others. Organizations can look at multiple approaches to determining the scope of a Cloud Assurance Program, including considering a product-based approach, or one based on network segmentation.
Protected Health Information (PHI)
This program focuses on the goal of protecting PHI and ePHI, regardless of which environment(s) it’s processed in. Like other Cyber Assurance Programs, this looks at compliance across multiple frameworks like HIPAA, PIPEDA and the Australian Privacy Act of 1998. This is an excellent example of a program that is focused on protecting a specific type of confidential data and brings considerations around data mapping into play.
Enterprise Information Security Management
Organizations struggling to establish a baseline information security program can benefit from this program. It focuses on leveraging industry best practices like defined control sets and frameworks that can be used to build an Information Security Management System (ISMS). It’s also an effective means of building a program that will allow you to prepare for future compliance needs as they arise.
US Federal Agency Enablement
Doing business with the US Federal Government often requires compliance with multiple frameworks and specific requirements. This program looks at examples like FedRAMP and CMMC to provide organizations with an overview of how to manage these initiatives as separate and specific goals, while illustrating how this work can often be used to pivot to additional compliance requirements.
Data Privacy Assurance
Privacy compliance can be a daunting effort for any organization. And as additional consumer privacy frameworks continue to be released in the US and across the world, an adaptable and clearly-defined Data Privacy Assurance program becomes more important for any organization processing personally-identifiable information. This program provides a baseline around GDPR and CCPA that can be used to build a solid foundation for adapting to new and changing requirements.
Do you think of PCI when you think of retail operations? Well, you’d be partially right! This program shows you how to build a program that focuses on the entirety of retail operations and provides opportunities for leveraging the work you do around PCI for other frameworks that can enable the expansion of retail operations (think SOC 2 and ISO 27001).
Put These Programs in Action
If you’re already a ROAR user, visit the Reciprocity Community to find more on these Cyber Assurance Programs and how to use them in your instance.
If you’re looking to get started with ROAR, you can do that for FREE with our Community Edition. It gives you the same robust features of the ROAR Platform with no credit card required and unlimited time to explore. Try it FREE.