American Cyber Security Management

Secure and certify all your data and processes

CSA on GDPR

December 5, 2017 By American Cyber Security Management

Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure computing environment, has released its take on the European Union’s General Data Protection Regulation (GDPR), which takes effect in May 2018. In addition to releasing the CSA Code of Conduct for GDPR Compliance, it has launched the CSA GDPR Resource Center, designed to educate cloud service providers (CSPs) about the new regulation.

“The ‘CSA Code of Conduct for GDPR Compliance’ offers cloud customers a tool to evaluate the level of personal data protection offered by different CSPs and make informed decisions on how they will secure that data,” said Daniele Catteddu, Chief Technology Officer, CSA. “We are extremely proud of the work that went into this latest iteration.”

As most companies struggle to understand the requirements of GDPR, CSA is taking a holistic approach by folding the work into its existing Privacy Level Agreement (PLA) Working Group. The PLA Working Group is made up of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities, which lets CSA build its GDPR guidance on what it already knows about other compliance standards.

If you need help realizing the benefits of GDPR or converting your GDPR project into a real privacy strategy, please contact American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.


Filed Under: Cyber Security News

Business Continuity in a Sprouting World

October 31, 2017 By American Cyber Security Management

I’ve been spending a lot of time lately with early startups and small business owners talking about privacy and security. My previous jobs sent me into some very large enterprises to solve some very large privacy and security concerns. One has to ask: are these two worlds so different? I’d have to say yes and no. A recent series of outages involving an industry-specific ERP vendor understandably had business leaders in the marketplace upset. Many days’ worth of revenue was lost and regulatory reporting was halted which, in turn, froze commerce in its tracks. There is a certain amount of outrage among the customers experiencing the outages; there’s also a certain amount of learned helplessness. This got me thinking: how can we apply a little Fortune 500 wisdom to help out the folks just getting started?

In general, businesses should take a holistic approach to their continuity needs. While fledgling industry software and service vendors share some of the responsibility, there are broader issues business leaders should consider when developing plans to keep commerce moving and ensure regulatory compliance. Just as “compliance by design” is a mantra of certain industry pioneers, “availability by design” and “(cyber) security by design” are two best practices commonly employed by traditional lines of business; emerging enterprises should adopt them as well.

Continuity of critical business functions has been a mainstream technology concern as far back as the 1970s, when federal regulations required the telecommunications industry to provide highly available 911 service through their networks. “Five nines” of availability was the brass ring, and billions of dollars were spent to achieve it. Today, many of those lessons can be applied to our “as-a-service” economy. Just as traditional businesses require high availability from their vendors, small enterprises should vet their service providers for continuity, redundancy, and disaster recovery.

Securing applications and productivity technology must also be part of this plan. Cybersecurity has recently become a hot topic, and there is a lot of hype. While nearly all business executives agree it is critical, and cyber risk is now a board-level topic, the industry itself is constantly evolving. No matter how large or small, it’s not a matter of if but when a business will be breached.

But where to start securing your business? Consider taking a look at the Center for Internet Security’s (CIS) Guide for Small and Medium Size Enterprises (SMEs). CIS is a non-profit made up of global IT professionals whose charter is to promote best practices for safeguarding against cyber crime. A copy of their SME guide can be found here: https://www.cisecurity.org/white-papers/cis-controls-sme-guide/. Recently, the California Attorney General endorsed the CIS security controls as the “minimum level” of “reasonable security” measures. Further, the AG’s report goes on to state, “failure to implement all the [CIS] controls that apply to an organization’s environment constitutes a lack of reasonable security.” Anyone looking to do business in the Golden State should definitely familiarize themselves with the CIS Top 20.

With the widespread adoption of cloud computing, mobile accessibility, and social media, these are really exciting times. Never before has it been easier to start something new and big. Along with the opportunity come some bumps in the road, but business leaders don’t necessarily have to go it alone. While the products and markets may be new and fresh, chances are someone has already spent sleepless nights solving the technology problems.


The world seems abuzz about GDPR

October 30, 2017 By American Cyber Security Management

The world seems to be abuzz about GDPR. If you’re not buzzing, you’re not in the know. People want to know what it is, who has to deal with it, when they have to take action, and where they can turn for help. Simply put, GDPR is the European Union’s (EU) latest effort to give individuals within the EU control over how their personal data is protected. GDPR stands for the General Data Protection Regulation (EU) 2016/679; it was adopted by the European Parliament on April 14, 2016, and becomes enforceable on May 25, 2018. It is the most important privacy change in the last 20 years. If you offer goods and services in Europe, or have European employees, partners, or suppliers, you’ll need to comply with some form of GDPR.

So, what does ‘comply’ mean? For the entities (people and companies) you deal with from Europe, it means you’ll need to be transparent with them about the data you collect, why you collect it, and what you intend to do with it. You’ll also need a lawful basis for processing it; for many purposes that means obtaining the person’s explicit consent before you collect their data. You’ll need to keep it only as long as you need it and protect it while you have it. If something happens to the data (it’s lost, stolen, or corrupted), you’ll need to notify the authorities (the Supervisory Authority in Europe, within 72 hours where feasible) and, where the breach poses a high risk to them, the people whose data was affected. It’s a really good idea to encrypt the data and, if you can, to anonymize or pseudonymize it, which means removing or separating the identifying information. If a European citizen asks what data you are storing or processing about them, you’ll need to tell them, and if they ask you to delete their data, you’ll need to do that too. There are also some additional record-keeping functions, like data mapping and Data Protection Impact Assessments (DPIAs), which you will need to perform regularly and keep up to date. Plus, there are financial penalties if you don’t ‘comply.’

Not all of this is bad. In fact, it might actually be good news, as companies will need to review their practices and programs to determine exactly what data they are collecting and why. These efforts alone will increase their maturity in data handling and system design. As data breaches become more common, these improved processes can only be a good thing: the companies we entrust with our information will have to follow stricter rules.

If you would like more information about GDPR, need help understanding the complexity of compliance, or want to convert your GDPR project into a real privacy strategy, please contact American Cyber Security Management today.


National Cyber Security Awareness Month Week 2

October 12, 2017 By American Cyber Security Management

October is National Cyber Security Awareness Month and, in keeping with the National Cyber Security Alliance’s theme for week two, “cyber security in the workplace is everyone’s responsibility,” I’d like to share some thoughts from a recent interaction with a small business leader.

Last Friday, my colleague and I met with a startup CEO in Boulder to discuss her cyber risk needs. Like most executives, she had many things on her mind and was very busy – it was obvious from the two backpacks, coffee mug, notebook, and jacket she juggled as she entered the conference room. After we settled in and got into the conversation, her request was simple: how can she rationalize all the buzz about security and come up with a plan that is complete and becomes a part of her organization’s culture?

While security in the workplace is everyone’s responsibility, executives can delegate the authority to act but not the accountability. Risk reduction starts at the top and executives need to distill an ocean of hype into something reasonably actionable. But where should these leaders look to get a start?

A couple of weeks ago, I mentioned the Center for Internet Security’s (CIS) Guide for Small and Medium Size Enterprises (SMEs) as a good place to begin this journey: https://www.cisecurity.org/white-papers/cis-controls-sme-guide/. In fact, this is the very link I sent to the CEO’s tech person after the meeting. Based on our experience with SMEs and this body of work, our recommendation was that similarly sized companies take the following actions:

  • Create a managed list of the devices allowed on your network, and a list of the devices not allowed on it. The allowlist is a map of the devices that must be defended; the denylist is an easy way to quickly identify troublesome agents. Reconcile both against what is actually seen on the network (DHCP leases, ARP tables, switch port logs): an unknown device is a gap in the map, and a denylisted device that shows up is an incident.
  • Understand the software used by your organization. This is important to a) prevent shadow IT from creeping in and b) have a map of the packages that require security patching; patching can be the greatest defense against cyber intrusion. This control is also a prerequisite for control number 4 below.
  • Make sure your hardware and software are configured for security. Remove default admin passwords, set up new accounts, implement role-based access control, enable multi-factor authentication, understand the security capabilities of each product, and align your use to the business needs.
  • Patch, patch, patch. Implement a system to ensure your hardware and software are updated with the latest vendor patches. Equifax might have prevented a lot of heartache if this one control had been followed.
  • Create policies and a culture of least-privilege access. This is probably the hardest to implement in the fast-paced environment of a small business. It’s also the control that will get you the most mileage when the bad guys get hold of a password somehow.
  • Train your team and make risk reduction a cultural tenet. Security awareness is critical, but be sure to put it into the context of your business systems in order to best educate your employees and suppliers.
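The first control above is the one a small company can automate in an afternoon. The script below is an added example and is not part of the original post or of any CIS publication: it reconciles a managed device inventory (the allowlist) and a list of barred devices (the denylist) against DHCP leases seen on the network. The inventory, the denylist and the lease lines are all constructed sample data; the lease layout follows the dnsmasq leases file (expiry epoch, MAC, IP, hostname, client-id), but any DHCP or ARP export can be adapted to the same check. It also flags a known MAC that appears with an unexpected hostname, which is the cheap signal for a spoofed or re-imaged device, and lists inventory entries that were never seen, which are either offline assets or stale records to clean up.

```python
"""Reconcile observed DHCP leases against a managed device inventory.

Added example; the inventory, denylist and lease lines below are constructed.
"""
from dataclasses import dataclass
import re


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to lowercase colon form so that 'AA-BB-CC-..' and
    'aabbcc..' compare equal; reject anything that is not 12 hex digits."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(cleaned) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))


# Managed inventory (constructed): MAC -> (expected hostname, owner).
ALLOWLIST = {
    "aa:bb:cc:00:01:01": ("ceo-laptop", "ceo"),
    "aa:bb:cc:00:01:02": ("dev-workstation", "dev1"),
    "aa:bb:cc:00:02:01": ("printer-1", "office"),
}

# Devices explicitly barred (constructed), with the reason kept alongside.
DENYLIST = {"aa:bb:cc:00:09:09": "decommissioned laptop, never returned"}

# Constructed dnsmasq-style lease lines: expiry-epoch MAC IP hostname client-id
SAMPLE_LEASES = """\
1507800000 aa:bb:cc:00:01:01 10.0.0.11 ceo-laptop 01:aa:bb:cc:00:01:01
1507800010 AA-BB-CC-00-01-02 10.0.0.12 dev-workstation 01:aa:bb:cc:00:01:02
1507800020 aa:bb:cc:00:02:01 10.0.0.20 totally-not-printer 01:aa:bb:cc:00:02:01
1507800030 de:ad:be:ef:00:01 10.0.0.77 android-3f2a *
1507800040 aa:bb:cc:00:09:09 10.0.0.99 old-laptop 01:aa:bb:cc:00:09:09
"""


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    verdict: str   # "ok", "denied", "unknown" or "hostname-mismatch"
    detail: str


def parse_leases(text: str):
    """Yield (mac, ip, hostname) per lease line; skip blank or truncated lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _expiry, mac, ip, hostname = fields[:4]
        yield normalize_mac(mac), ip, hostname


def reconcile(lease_text: str, allowlist=ALLOWLIST, denylist=DENYLIST):
    """Classify every observed device. The denylist is checked first so that a
    MAC present on both lists is still reported as denied."""
    findings = []
    for mac, ip, hostname in parse_leases(lease_text):
        if mac in denylist:
            findings.append(Finding(mac, ip, hostname, "denied", denylist[mac]))
        elif mac not in allowlist:
            findings.append(Finding(mac, ip, hostname, "unknown",
                                    "not in managed inventory"))
        else:
            expected_host, owner = allowlist[mac]
            if hostname != expected_host:
                findings.append(Finding(
                    mac, ip, hostname, "hostname-mismatch",
                    f"inventory says {expected_host} ({owner}); "
                    "possible MAC spoofing or unrecorded re-image"))
            else:
                findings.append(Finding(mac, ip, hostname, "ok", owner))
    return findings


def missing_devices(findings, allowlist=ALLOWLIST):
    """Inventory entries never observed: offline assets or stale records."""
    seen = {f.mac for f in findings}
    return sorted(set(allowlist) - seen)


if __name__ == "__main__":
    results = reconcile(SAMPLE_LEASES)
    for f in results:
        print(f"{f.verdict:18} {f.mac}  {f.ip:12} {f.hostname:22} {f.detail}")
    print("never seen:", missing_devices(results))
```

Run it against a real leases file by replacing SAMPLE_LEASES with the file contents; the "unknown" and "denied" verdicts are the ones to page on, while "hostname-mismatch" is usually worth a quick phone call before it is treated as an incident.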

These processes can be folded into everyday behavior in a small or midsized business if the corner offices are involved in creating and modeling the culture. They also provide a sound foundation for more quickly identifying threats, protecting against them, detecting when they occur, responding, and recovering. CEOs need to recognize that this is the most crucial part of their overall risk profile. It is said that “the fish rots from the head.” However busy our corner offices may be, best practices and a healthy environment of risk abatement start at the head too.

I hope we helped simplify at least one of those items our CEO friend was juggling.


Cyber Security Awareness Month

October 5, 2016 By American Cyber Security Management

American Cyber Security Management is proud to participate in National Cyber Security Awareness Month 2017. Cybersecurity is a shared responsibility that affects all Americans, and everyone plays a part in keeping the Internet safe.

Throughout October, we will highlight the issues of cybersecurity and privacy on our website, and on our social media posts. We hope you will join our efforts to promote this issue. Online safety and security are shared responsibilities; together we can positively impact our online community. Please keep an eye out for these topics and more from ACSM:

* Cyber security in the workplace – it’s everyone’s responsibility

* The world seems to be abuzz about GDPR

* Why the cloud is more secure

* Secure DevOps

As always, please remember to spread awareness of these simple steps to keep cyber-safe:

* Set strong passwords and, for crying out loud, don’t share them or put them on Post-its stuck to your laptop!

* Whenever possible, use multi-factor authentication.

Most importantly, let’s start an open dialog about security with our family and friends who are not in the industry.



Copyright © 2025 American Cyber Security Management