American Cyber Security Management

Secure and certify all your data and processes

Colorado GDPR MeetUp Announcement – March

March 21, 2018 By American Cyber Security Management

Are you GDPR ready? May 25, 2018 is just around the corner and preparation efforts are heating up. Come discuss this topic with other like-minded people. This MeetUp brings together privacy practitioners, GRC leads, and others interested in or leading GDPR transformations. The goal of the group is to share lessons learned, emerging best practices, and technical solutions, and to keep up to date on regulatory changes.

The next topic will be “GDPR and the Legal Basis for Processing: Is consent really required?”

This Meetup will cover the legal bases for processing under GDPR, including an analysis of legitimate interests and the other grounds that allow lawful processing, as well as the basic requirements for valid consent. Austin Chambers, CIPP/US, CIPP/C, CIPP/E, of Lewis Bess Williams and Weese will be presenting.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/.

This informative meeting will be held on Tuesday, March 27th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on the regulation can be found at http://www.eugdpr.org/

Filed Under: Cyber Security News

Data Privacy?

January 31, 2018 By American Cyber Security Management

On an early April morning in 1953, Union Pacific 4005, known as “The Big Boy”, was hauling sixty-two cars westbound at nearly 70 miles per hour along the tracks in southern Wyoming. Weighing in at a whopping 1,200,000 pounds, Big Boy was the biggest steam locomotive ever built.

At about 9:55 AM, the massive locomotive barreled toward Red Desert where the switch operator had erroneously opened the siding switches due to a miscommunication in the morning’s track line-up message.

An eyewitness recounts the incredible event: “the head brakeman and the fireman were screaming at the top of their voices to the engineer, STOP, STOP, RED SWITCH AHEAD! But it was too late.”

The 4005 entered the open switch at 50 mph causing it to careen off the rails and skid along its left side tearing up rail and roadbed. The locomotive, tender, and first 18 cars derailed. The cab of the locomotive was destroyed as the tender tore into it twisting and smashing the metal. The first 12 cars were badly damaged and piled in a 70-foot high heap. The engineer and fireman aboard were killed instantly.

Although the engineer had many controls in the cab and made an emergency attempt to brake, the train still entered the siding at an unsafe speed. The scattered load of dead hogs, tractors, typewriters, coal, sewing machines, and other goods was not the result of a single point of failure. Rather, it was the result of a systemic breakdown in communication and culture.

What does this massive catastrophe teach us about privacy and responsible data stewardship? A massive breach of privacy data can feel just like the 4005 wreck. The collateral damages incurred due to a large-scale data breach are broad and not easily remedied. In order to prevent the loss of personal data, we must establish a culture of privacy by design and responsible data stewardship.

Since no single control can prevent a data disaster, we must retrofit existing processes and design new systems around these six control planes:

  • Visibility – “What assets are we protecting?”
  • Auditability – “Are we compliant with the regulations that apply to us?”
  • Controllability – “Are the location of, and access to, our data properly controlled?”
  • Agility – “How quickly can we adapt to change?”
  • Automation – “Are our processes repeatable?”
  • Scale – “Are we scaling to meet the demands of our constituents?”

When we work these six control planes into our design culture, we are better prepared to avoid a massive privacy train wreck. GDPR gives us an opportunity to examine the current maturity of our data stewardship and the associated risk levels. If we use the impending deadline to review our posture, we can emerge with a genuine opportunity for transformation rather than a “check-the-boxes” response.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

Measure your security and compliance program webinar

January 19, 2018 By American Cyber Security Management

Do you understand how to measure your security and compliance program? If not, check out this webinar with our own Janelle Hsia, Director of Privacy and Compliance. Learn how good metrics build the story you bring to management to help ensure your data stays protected and secure.

The webinar is hosted on SurveyGizmo.

Filed Under: Cyber Security News

What is your GDPR story?

January 18, 2018 By American Cyber Security Management

#AmericanCSM #privacy #GDPR #gapanalysis #competitiveadvantage

GDPR is about responsible data practices, not just ensuring you can check the right boxes. With about four months before the May deadline, many companies are seriously behind on their GDPR implementation. So instead of worrying about it, what steps can you take today that will move your company forward?

It really is very simple: you must develop a culture that cares about how you treat other people’s data. Just do the right thing. It starts with a commitment from the executive team, who must be transparent and accountable for their actions. Doing the right thing with other people’s data may also become part of consumers’ purchasing criteria; hopefully, it will become the social norm. It can become a competitive advantage as you build trust with your clients, vendors, and suppliers.

One way to start is to tell your story. You need to be able to articulate what your company is doing to change how it handles other people’s data. Here are some good examples of how companies are making changes:

  • We used to collect far more data than we needed; now we collect only fifteen (15) pieces of data to help us make a hiring decision.
  • We never used to delete client data; now, after a contract ends, we properly notify the client and delete the data 90 days after final payment.
  • We did a full audit of our data and consolidated all personally identifiable and sensitive data into just two systems. We are working towards an integration that will give individuals seamless, simultaneous access to both systems, but for now looking up that data in both systems is a manual process.
  • We take consent very seriously. We updated our privacy policy and cookie policy, and all of our correspondence uses double opt-in. Our marketing dollars earn a higher return because we know that each person who receives our information WANTS it.
  • We do regular security training with our employees, which ensures that they can protect the data we collect.

This is huge progress. So, what is your story? Where is your company on the journey to responsible data management? Here are some things you can do right now:

  • Understand your data. Know its purpose to your business, know where it is coming from, where it is going, and all the stops it makes along the way.
  • Perform a gap analysis. You can’t fix something you don’t understand.
  • Prioritize and create a plan for how you will implement a comprehensive privacy program and make it realistic.

It might seem overwhelming, but don’t make bad short-term decisions. Remember, May isn’t the destination; it is just another date on the calendar. What really matters is the change in attitude toward how other people’s data is handled, and understanding that you have a responsibility to keep it safe.

If you need help realizing the benefits of a GDPR gap analysis or creating an action-oriented plan, please contact American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts.

Filed Under: Cyber Security News

Do you know your Risks?

December 15, 2017 By American Cyber Security Management

#AmericanCSM #Risk #Assessment

When it comes to risk assessments, there is no one-size-fits-all questionnaire template. You need to figure out what is important to your organization, its approach to governance, and its risk tolerance. There are many guides and thousands of canned questions to choose from, but it really comes down to having the knowledge to ask the right questions about your specific organization.

  • First, identify what information your business manages. As they say, you can’t protect something you don’t know exists. List as many of these assets as you can, in a table, because you will fill in the information described below for each asset.
  • Second, figure out what each asset is worth, either as a dollar value or on a high/medium/low scale. Play the ‘what if’ game: What would happen if this asset was hacked? What would happen if it was stolen? What would happen if it was unavailable for 24, 48, or 72 hours?
  • Third, record some attributes of the asset. Who owns it? Does it rely on a third party? Where is it physically located? How quickly can you actually access it? What type of information does it hold (PII, PCI, PHI)? How quickly would you know if it were gone?
  • Next, consider the impact the asset has on your business, again as a dollar value or on a high/medium/low scale.
  • Now, estimate the likelihood of specific threats and vulnerabilities. Sources such as the National Vulnerability Database (NVD) for known vulnerabilities, and US-CERT or InfraGard for threat information, will help you prioritize your areas of focus.

With all this information you should have a good picture of where to concentrate your efforts. After this exercise you’ll know what you want to protect and whether it is protected in proportion to what it is worth.

A full risk assessment should be done on the assets you determined are high risk, high value, and high impact on your business. So, start simple and with something everyone can agree on: determine your critical assets, your company’s crown jewels, the things that must be protected above all else. It should then be easier to design a set of questions that will tell you whether these assets are well protected or not.

For small to midsized businesses, the CIS Top 20 Critical Security Controls is a good place to start when defining a standard set of security controls. NIST’s Small Business Information Security: The Fundamentals (NISTIR 7621) is also worth reviewing.
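The five steps above and the crown-jewels rule, worked as a small risk register. This is an added example, not a tool from American Cyber Security Management or from this post; the assets, owners, and ratings are constructed for illustration, and the likelihood × impact scoring and the high/medium/low thresholds are assumptions chosen here, not prescribed by the post.

```python
from dataclasses import dataclass

# The post's high/medium/low scale, mapped to numbers so assets can be ranked.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    owner: str                  # "Who owns it?"
    data_types: frozenset       # PII / PCI / PHI, or empty
    value: str                  # "What is the asset worth?"
    impact: str                 # "What impact does it have on the business?"
    likelihood: str             # likelihood that a relevant threat materialises
    third_party: bool = False   # "Does it rely on a third party?"
    max_outage_hours: int = 72  # answer to the 24/48/72-hour "what if" game

    def risk_score(self) -> int:
        # Assumed scoring: qualitative likelihood x impact matrix, range 1..9.
        return RATING[self.likelihood] * RATING[self.impact]

    def risk_level(self) -> str:
        # Assumed thresholds: 6 or 9 is high, 3 or 4 is medium, 1 or 2 is low.
        score = self.risk_score()
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"


def validate(assets):
    """Return human-readable problems with the register (unowned assets, bad ratings)."""
    problems = []
    for a in assets:
        if not a.owner.strip():
            problems.append(f"{a.name}: no owner assigned")
        for field_name in ("value", "impact", "likelihood"):
            if getattr(a, field_name) not in RATING:
                problems.append(f"{a.name}: {field_name} must be one of {sorted(RATING)}")
    return problems


def prioritize(assets):
    """Highest risk first; ties broken by asset value so valuable assets float up."""
    return sorted(assets, key=lambda a: (-a.risk_score(), -RATING[a.value], a.name))


def crown_jewels(assets):
    """Assets that need a full risk assessment: high risk, high value, high impact."""
    return [a.name for a in prioritize(assets)
            if a.risk_level() == "high" and a.value == "high" and a.impact == "high"]


def summary(assets):
    """One row per asset: the table the post suggests building, ordered by risk."""
    return [(a.name, a.owner or "UNASSIGNED", ",".join(sorted(a.data_types)) or "-",
             a.value, a.impact, a.likelihood, a.risk_score(), a.risk_level())
            for a in prioritize(assets)]


# Constructed sample register (hypothetical assets, not taken from the post).
SAMPLE_ASSETS = [
    Asset("Customer database", "DBA team", frozenset({"PII", "PCI"}),
          value="high", impact="high", likelihood="high", max_outage_hours=24),
    Asset("HR records (SaaS)", "HR director", frozenset({"PII"}),
          value="high", impact="medium", likelihood="medium", third_party=True),
    Asset("Marketing website", "Marketing", frozenset(),
          value="low", impact="medium", likelihood="high"),
    Asset("Dev wiki", "", frozenset(),          # no owner: validate() should flag it
          value="low", impact="low", likelihood="medium"),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_ASSETS):   # check the register before trusting it
        print("WARNING:", problem)
    for row in summary(SAMPLE_ASSETS):
        print(row)
    print("Full assessment needed for:", crown_jewels(SAMPLE_ASSETS))
```

Note that the marketing website ranks second by risk score yet is not a crown jewel: the post's rule requires high value and high impact as well as high risk, which is what keeps a full assessment focused on the assets that actually matter to the business. Run `validate()` before acting on the ranking, since an asset with no owner has nobody accountable for answering the attribute questions.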

There are also some simple things you can do today, even before you do the risk assessment:

  • Always encrypt sensitive information, both in transit and at rest
  • Understand your data retention policy: if you don’t keep the data, it can’t be compromised
  • Limit access to information: the fewer people who can access it, the better
  • Create a good password policy, and enforce it!
  • Patch your systems as often as possible, or at least know why they are not patched
  • Ensure good boundary protection, including wireless access points and BYOD devices
  • Train your employees in good security hygiene

If you need help realizing the benefits of a risk assessment, or turning your analysis into a Security and/or Privacy Strategy, please contact American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts.

Filed Under: Cyber Security News

Copyright © 2026 American Cyber Security Management