The best data security offense is a good defense

Pennsylvania's Department of Public Welfare establishes a security risk framework that rationalizes 4,000 regulations into 350 integrated requirements.

It was like finding a needle in a haystack. On her first day as security and risk manager at the Pennsylvania Department of Public Welfare, Pamela Skelton was met with piles of disorganized compliance files and random pieces of paper that her predecessor had left behind.

When she was told that an IRS audit report was due in a few months, a mild panic set in. "I saw all this paper and said, 'Where is everything?' It was very disorganized. I could never find anything that I needed," she recalls. That was just the start of a risk compliance odyssey for Skelton and her team.

The Department of Public Welfare must safeguard the financial and medical data of its 2.7 million participants. Yet with more than 4,000 federal and state regulatory requirements and policies to comply with, trying to gather and review data and take corrective action in response to myriad audits became nearly impossible.

By 2010, record keeping had gotten so murky that the department's annual security review had fallen by the wayside. "We had not given a response back to the IRS in years," says Clifton Van Scyoc, the department's chief information security officer. Other required audits had fallen behind, too, he adds.

While there are no official penalties associated with a lack of response, the missed deadlines pointed to a harsh reality: "We do not have the most secure environment if we are not actively reviewing this information and creating responses to them. They aren't even able to appropriately define where our [security] gaps are if we aren't making these responses," says Van Scyoc.

That same year, the department began building an ambitious security risk framework that would capture every control it had to comply with and record them in an Excel spreadsheet. A team then analyzed the individual requirements behind each control, identified the most stringent one, and used that single control to satisfy all similar requirements. As a result, some 4,000 individual regulatory requirements were rationalized into 350 unique integrated requirements.
