American Cyber Security Management

Secure and certify all your data and processes

What is your GDPR story?

January 18, 2018 By American Cyber Security Management

#AmericanCSM   #privacy   #GDPR   #gap analysis #competitive advantage

GDPR is about responsible data practices, not just making sure you can check the right boxes. With about four months left before the May deadline, a lot of companies are seriously behind on their GDPR implementation. So instead of worrying about it, what steps can you take today that will move your company forward?

It really is very simple: you must start to develop a culture that cares about how you treat other people’s data. Just do the right thing. It starts with a commitment from the executive team, who must be transparent and accountable for their actions. Doing the right thing with other people’s data may also become part of consumers’ purchasing criteria; hopefully, it will become the social norm. It can become a competitive advantage as you build trust with your clients, vendors, and suppliers.

One way to do this is to tell your story. You need to be able to articulate what your company is doing to change how it handles other people’s data. Here are some good examples of the changes some companies are making:

  • We used to collect far more data than we needed; now we collect only the fifteen (15) data elements that help us make a hiring decision.
  • We never used to delete client data; now, when a contract ends, we properly notify the client and delete the data 90 days after final payment.
  • We did a full audit of our data and were able to consolidate all personally identifiable and sensitive data into just two systems. We are working towards an integration that will give individuals seamless, simultaneous access to both systems, but right now looking that data up in both systems is a manual process.
  • We are taking consent very seriously. We updated our privacy policy and cookie policy, and we ensure that all marketing correspondence uses double opt-in. There is a higher return on our marketing dollars because we know that each person who receives our information WANTS it.
  • We do regular security training with our employees, which ensures that they can protect the data we collect.

This is huge progress. So, what is your story? Where is your company on the journey to responsible data management? Here are some steps you can take right now:

  • Understand your data. Know its purpose to your business, know where it is coming from, where it is going, and all the stops it makes along the way.
  • Perform a gap analysis. You can’t fix something you don’t understand.
  • Prioritize and create a plan for how you will implement a comprehensive privacy program and make it realistic.

It might seem overwhelming, but don’t make bad short-term decisions. Remember, May isn’t the destination; it is just another date on the calendar. What really matters is the change in attitude toward how other people’s data is handled, and understanding that you have a responsibility to ensure its safekeeping.

If you need help realizing the benefits of a GDPR gap analysis or creating an action-oriented plan, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts.

Filed Under: Cyber Security News

Colorado GDPR MeetUp Announcement

January 2, 2018 By Carlin Dornbusch

As the GDPR deadline of May 25, 2018 nears, many companies are still struggling with their implementation, while some are already complete. American Cyber Security Management would like to bring together privacy practitioners, GRC leads, and others who are interested in or leading GDPR transformations. The goal of this group is to discuss and share lessons learned, emerging best practices, and technical solutions, and to keep up to date on regulatory changes.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/ . At our first meeting, attendees will collaborate to define our future meetups and put in place a meeting framework designed to aid information sharing.

Our first meeting will be held on Wednesday, January 17th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on GDPR specifics can be found at http://www.eugdpr.org/ (note that this is an informational site, not the EU’s official publication of the regulation).


Filed Under: Cyber Security News

Do you know your Risks?

December 15, 2017 By American Cyber Security Management

#AmericanCSM #Risk  #Assessment

When it comes to risk assessments, there is no one-size-fits-all questionnaire template. You need to figure out what is important to your organization, your organization’s approach to governance, and its risk tolerance. There are lots of guides and thousands of canned questions to choose from, but it really comes down to having the knowledge to ask the right questions about your specific organization.

  • First, identify what information your business manages. As they say, you can’t protect something you don’t know exists. List as many of these assets as you can. Create a table, because you will fill in information about each asset, as described below.
  • Second, figure out what each asset is worth. You can use either a dollar value or a high/medium/low scoring system. Play the ‘what if’ game: What would happen if this asset were hacked? What would happen if it were stolen? What would happen if it were unavailable for 24/48/72 hours?
  • Third, record some attributes about the asset. Who owns it? Does it rely on a third party? Where is it physically located? How quickly can you actually access it? What type of information does it hold (PII, PCI, PHI)? How quickly would you know if it were gone?
  • Next, think about the impact that asset has on your business. Again, use either a dollar value or a high/medium/low scoring system.
  • Now, estimate the likelihood of specific threats and vulnerabilities. Sources such as the National Vulnerability Database (NVD) for known vulnerabilities in the products you run, US-CERT advisories, and InfraGard can help you enumerate common threats. This will help you prioritize the areas of focus.

With all this information you should get a great picture of where to concentrate your efforts. After this exercise you’ll know what you want to protect and whether or not it is protected to the appropriate value that it is worth.

A full risk assessment should be done on the assets which you determined are high risk, high value and have a high impact on your business. So, start simple and with something everyone can agree on. Start with determining your critical assets, what are your company’s crown jewels? The things that must be protected above all else. It should be easier to design a set of questions that will help you determine if these assets are well protected or not.
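The following is an added example, not a tool from the original post, showing how the asset table built in the steps above can be turned into a ranked risk register: each asset carries the suggested attributes (owner, data type, location, third-party dependence), a high/medium/low value and impact, a list of threats with likelihoods, and the current level of protection. The score is value × impact × worst-case likelihood, the "under-protected" check compares protection against value, and the crown-jewels filter picks the high-value, high-impact assets that deserve a full assessment. The assets, threats, scores and the H/M/L scale are all constructed sample data, and the scoring formula is one common qualitative approach, not the one the post prescribes.

```python
"""Qualitative risk register (added illustration; sample data is constructed)."""
from dataclasses import dataclass, field

# High/Medium/Low scale; a dollar value could replace it for value and impact.
SCALE = {"L": 1, "M": 2, "H": 3}


@dataclass
class Asset:
    name: str
    owner: str            # who owns it
    data_type: str        # PII, PCI, PHI, or "none"
    location: str         # where it physically lives
    third_party: bool     # does it rely on a third party?
    value: str            # H/M/L: what the asset is worth
    impact: str           # H/M/L: business impact if hacked, stolen or unavailable
    control_level: str    # H/M/L: how well it is protected today
    threats: dict = field(default_factory=dict)  # threat name -> likelihood H/M/L


def risk_score(asset: Asset) -> int:
    """value x impact x the most likely threat against this asset (1..27)."""
    likelihood = max((SCALE[l] for l in asset.threats.values()), default=SCALE["L"])
    return SCALE[asset.value] * SCALE[asset.impact] * likelihood


def under_protected(asset: Asset) -> bool:
    """True when current protection is weaker than the asset's value warrants."""
    return SCALE[asset.control_level] < SCALE[asset.value]


def prioritize(assets):
    """Assets ranked by risk score, highest first: where to concentrate effort."""
    return sorted(assets, key=risk_score, reverse=True)


def crown_jewels(assets):
    """High-value, high-impact assets: candidates for a full risk assessment."""
    return [a for a in assets if a.value == "H" and a.impact == "H"]


# Constructed sample register (hypothetical company, not real data).
SAMPLE = [
    Asset("Customer DB", "CTO", "PII", "AWS us-east-1", True, "H", "H", "M",
          {"SQL injection": "M", "credential theft": "H", "ransomware": "M"}),
    Asset("Card processing", "CFO", "PCI", "third-party gateway", True, "H", "H", "H",
          {"vendor breach": "M"}),
    Asset("Marketing site", "CMO", "none", "hosted CMS", True, "L", "M", "L",
          {"defacement": "H"}),
    Asset("HR records", "HR director", "PII", "on-prem file server", False, "M", "M", "L",
          {"insider access": "M", "ransomware": "M"}),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE):
        flag = "  UNDER-PROTECTED" if under_protected(a) else ""
        print(f"{risk_score(a):2d}  {a.name:<16} owner={a.owner:<12} "
              f"data={a.data_type:<5} third_party={a.third_party}{flag}")
    print("crown jewels:", [a.name for a in crown_jewels(SAMPLE)])
```

Running it prints the customer database first (score 27, flagged under-protected because its protection is only medium), then card processing (18, adequately protected), HR records (8, under-protected) and the marketing site (6). Both high-value, high-impact assets are listed as crown jewels, which is exactly the short list a full assessment should start from.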

For small to midsized businesses, the CIS Top 20 Critical Security Controls is a good place to start when defining a set of standard security controls. NIST also has a great document to review, Small Business Information Security: The Fundamentals (NISTIR 7621).

There are also some simple things you can do today, even before you do the risk assessment:

  • Always encrypt sensitive information both in transit and in storage
  • Understand your data retention policy – if you don’t have the data, it can’t be compromised
  • Limit access to information – the fewer people that can access it the better
  • Create a good password policy – and enforce it!
  • Patch your systems – as often as possible or at least know why they are not patched
  • Ensure good boundary protection – including wireless access points and BYOD
  • Train your employees on good security hygiene

If you need help realizing the benefits of a risk assessment, or need to turn your analysis into a Security and/or Privacy Strategy, please contact us at American Cyber Security Management today.


Filed Under: Cyber Security News

CSA on GDPR

December 5, 2017 By American Cyber Security Management

The Cloud Security Alliance (CSA), an organization dedicated to defining and raising awareness of best practices for a secure cloud computing environment, has released its take on the European General Data Protection Regulation (GDPR), which takes effect in May 2018. In addition to releasing the CSA Code of Conduct for GDPR Compliance, it has launched the CSA GDPR Resource Center, designed to educate cloud service providers (CSPs) about the new regulation.

“The CSA Code of Conduct for GDPR Compliance offers cloud customers a tool to evaluate the level of personal data protection offered by different CSPs and make informed decisions on how they will secure that data,” said Daniele Catteddu, Chief Technology Officer, CSA. “We are extremely proud of the work that went into this latest iteration.”

As most companies struggle to understand the requirements of GDPR, CSA is taking a holistic approach by adding GDPR to the remit of its existing Privacy Level Agreement (PLA) Working Group. The PLA Working Group is made up of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities. This gives CSA the advantage of building its GDPR guidance on what it already knows about other compliance standards.

If you need help realizing the benefits of GDPR, or converting your GDPR project into a real Privacy Strategy, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

Today’s Breach, But after May 2018?

December 5, 2017 By Carlin Dornbusch

Who was breached today? That is the common question now. The days are gone when we wondered whether a business had been breached or whether our data had been stolen from a public system. But what happens after May 25th, 2018, when GDPR is in full effect?

With the European Union’s (EU) General Data Protection Regulation (GDPR) in force, if breached systems contain personal data of people in the EU (GDPR protects data subjects in the EU, not only EU citizens), then specific steps, and the timing of those steps, are mandated.

How many cases have we seen where U.S. companies take weeks, months, or even a year to disclose to their customers that their data has been inappropriately accessed, lost, or stolen? In the recent case of Uber, it took the company more than a year to notify its customers of a massive data breach. Uber announced that over 57 million people were affected and that 2.7 million of them were located in the UK.

How would this look under GDPR, with the EU’s new watchful eye and powerful penalties? The EU wants breach communications to be accurate and timely. Under GDPR Article 33, a business that suffers a breach of personal data about people in the EU must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals’ rights and freedoms); if the notice is late, the reasons for the delay must be given. At a minimum, the notice must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records affected), give the name and contact details of the company’s Data Protection Officer (DPO) or another point of contact, describe the likely consequences, and describe the measures taken or proposed to address the breach. Secondarily, under Article 34 the business must also notify the affected individuals when the breach is likely to result in a high risk to them. That notice must be given “without undue delay”, in clear and plain language, and its content is a subset of what was sent to the authority: the nature of the breach, the DPO or contact point, the likely consequences, and the measures taken.

These few rules will change how many global U.S. companies handle breach notification and it will undoubtedly impact their processes for incident management. The good news is that we are seeing many companies implement GDPR in a holistic way whereby they are including all customer data, regardless of citizenship, in their data classification strategy when approaching GDPR. This means that these companies will treat all customer data the same way as they need to under GDPR, and not silo EU citizen information, which would require a duplication of many business processes. GDPR is also helping these larger multinational businesses understand the value and role of the DPO, the one responsible for the assurance of the new privacy controls.

The GDPR may be one of the largest privacy regulations the world has ever seen, but it may be just in time. In a world of constant data breaches, we all need to be more diligent and concerned about how companies collect and use our data, share that information with their third-party suppliers, and keep us notified of access to our information.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Security offerings reduce your risk at the Infrastructure, Network, and Application levels.

Filed Under: Cyber Security News

Copyright © 2026 American Cyber Security Management