No one wants their data to be hacked and used for nefarious gain. Employees, customers, clients, patients, students, and vendors are depending on your organization to protect their data. You have been entrusted with it and they have a reasonable expectation you are going to take steps necessary to keep it out of the wrong hands.

We all understand there is no such thing as 100% secure, therefore “reasonable” is a much more practical goal. Ideally, every organization would prioritize investing time and resources into having an adequately mature cyber security program. However, there are myriad pressures and objectives facing every organization. Sometimes cyber security does not get the attention it needs.

Numerous regulatory bodies have established requirements with the intent of attempting to ensure organizations are adhering to common measures of cyber standards. These requirements vary based on elements such as industry, type of data and geographic location. Once an organization finds themselves falling under data protection regulations, it is common to have multiple, applicable regulatory requirements. Compliance can get complex and seemingly overwhelming quickly. Below are examples of data protections requirements:

Japan – APPI
Brazil – LGPD
Canada – PIPEDA
China – PIPL
European Union – GDPR


Data Break Notification Laws
Data Privacy Laws
State Grants & Contracts

For organizations that want to comply, there are two paths typically taken when faced with this complexity. The first path involves a process that looks good on paper. All the boxes are checked but no value has been provided to the organization other than dodging the penalty and fine bullet for another year. This approach has been common with credit card compliance requirements.

The second path involves a process not only addressing compliance requirements, but also recognizes there are many other objectives that can be accomplished that bring value to the organization. For example, most data regulatory standards require a risk assessment be performed. However, each standard typically narrows the scope to just the applicable processes, systems and data being regulated. If you are performing a risk assessment, why not make it enterprise-wide? The resulting information not only assists with compliance but helps identify other initiatives that are needed.

As previously mentioned, the phrase adequately mature is intended to recognize that each organization has different cyber security needs. Even though this is the case, there are fundamental steps applicable to all organizations that are beneficial to data protection. These steps will help deal with the complexities and provide a clear path forward. See the demonstration below:

Data Inventory
Determine what data you have, where it resides, and who is interested in the data. The “who” element can include internal stakeholders, but for the purposes of compliance make sure to identify external stakeholders. I.E., regulatory bodies. Relevant information to include in your data inventory:

Application/System Name
Version #
System Owner
Data Owner
Users of System
Primary/Secondary Locations
Sensitive Data Elements*


Based on the sensitive data elements, identify the applicable regulatory bodies governing data protection.

Cybersecurity Control Framework
Many regulatory bodies recommend or require specific control frameworks. A control framework helps create a vision of what your organizational security program should look like. It provides a path and eliminates the need to create everything from scratch due to the many resources available. Your data inventory will drive selecting the right framework.

See example of cyber security control frameworks:

To summarize, one path does take more work and effort, but the results speak for themselves. Subscribe to Dean Dorton Insights to stay up-to-date with the latest regulatory changes.

Explore IT Audit and Compliance Services

Kevin W. Cornwell | IT Audit Associate Director