How will your organization respond when sensitive or regulated data is lost/stolen/ransomed?

Another question to consider: Is there a clear plan for response, including incident and crisis communication?

The Driver Behind This

Incidents are going to happen; it’s not a matter of if but when. Whether you are placed in the crosshairs by a sophisticated adversary or an employee has a laptop containing personal information stolen from a gym locker, the organization’s leadership must be engaged. This is not an IT function; it is a joint effort, and it means having the appropriate authoritative representatives available and ready. Ensure general counsel is engaged to address any regulatory or privacy implications, the corporate communications lead is communicating effectively with the media, and identified staff are sufficiently trained to answer questions from concerned customers. Engage the appropriate team members from IT Operations and Information & Cybersecurity to understand what happened from the technical side, as well as internal audit to understand what control weakness allowed the incident to occur in the first place. Depending on the type of breach, you may also have to notify third parties such as state Attorneys General, specific payment card brands (e.g., Visa, MasterCard) or a federal agency (e.g., the Department of Health and Human Services).


Who has access to our systems?

Other questions to consider: How do we identify who has access? After third parties have access, how quickly can we sever access to our systems and data?

The Driver Behind This

This expands on the question from the previous post, adding granularity to the matter. Specifically, which third parties have access to the regulated or sensitive data your organization has been entrusted with? This includes everything from cloud applications to service providers (e.g., HRIS, ERP, CRM systems). It doesn’t matter whether the system is on site and managed by a third party (e.g., an HVAC system) or hosted off site (e.g., Amazon Web Services); you need to know who has access to your data, and why. Accept that an adversary will consider all available attack vectors, including your providers, business partners and vendors. These are common routes used to gain access to systems as attackers advance on their objectives.


How are you protecting and handling sensitive or regulated data? Are you protecting data on devices that can be lost or stolen?

The Driver Behind This

The fines and penalties, as well as the brand impact, for data violations (e.g., PII, PHI, credit card data) can be severe and very, very public. Legal requirements frequently differ greatly between states, and because most organizations now operate in a global marketplace, the differences are even greater when operating between countries. In 2020, most employees rely on a variety of devices to support routine operations, including smartphones, laptops and tablets, all of which carry an inherent risk of being lost or stolen. Not being prepared to address this threat is sheer folly.


Cyber: Q&A with the Board

As an information security professional, whether you’re working within Risk Management, Information Security, or Cybersecurity, you need to be prepared for a multitude of situations. This includes being asked very direct and candid questions about your current security posture. This series is based on our experiences and interactions with a variety of Boards of Directors, Advisory Boards, and other governing bodies at our clients across multiple industries.


Global IT Governance Expert Panel, Session 3: Governance systems

Global experts weigh in with their top tips on transitioning to the new normal in the context of privacy, cybersecurity, and IT governance systems. Join us for this three-part webinar series in which we engage with these experts for their advice on today’s hot topics.

Meet the Panel

Global pandemics don’t stop IT governance; they expose the need to change it. Top experts offer their tips on the new normal in IT governance systems.

Recorded May 27, 2020 07:00 AM Central Time

Webinar recording is now available; an audio-only version is also available.

Global IT Governance Expert Panel, Session 2: Cybersecurity


There’s no such thing as post-pandemic cybersecurity. Top IT governance professionals offer practical tips on the post-pandemic cybersecurity environment.

Recorded May 20, 2020 07:00 AM Central Time

Webinar recording is now available; an audio-only version is also available.

Global IT Governance Expert Panel, Session 1: Privacy


Privacy in the times of coronavirus: gone or just beginning? Lessons learned so far and areas to focus on from global experts.

Recorded Wednesday, May 13, 2020 07:00 AM Central Time

Webinar recording is now available; an audio-only version is also available.