Cyber risk, information security, privacy and compliance services to business thought leaders.
25 Jul 2018

Uncertainty of Privacy Shield

July 24th, 2018
By Adam Stone, Principal and Chief Privacy Officer

While many in the United States were recovering from summer vacations and fireworks displays, the European Parliament passed a non-binding resolution that could lead to the suspension of the EU-U.S. Privacy Shield Framework. For the 3000+ organizations participating in Privacy Shield, this resolution may have a profound impact on the way firms conduct business in the EU. If the Europeans follow through on their threat to suspend Privacy Shield after the first of September 2018, participants may need to scramble for an alternative mechanism for lawful transfers of personal data from the EU, lest they run afoul of the General Data Protection Regulation (GDPR).

Such uncertainty can’t be good for business. The US enjoys a top ranking among the EU’s trading partners with $1.1 trillion in annual bilateral trade. The threat of suspending or invalidating Privacy Shield creates fresh anxiety for senior executives whose firms rely on the digital and global economy to prosper.

Disappointingly, companies interested in learning about Privacy Shield will find no mention of the dispute, or of its potential ramifications for participants, on the privacyshield.gov site. The relative lack of interest in this topic means that fewer news outlets will pick it up. This summer’s Privacy Shield developments have also been drowned out by the passing of the California Consumer Privacy Act of 2018.

Thus far, it seems that the only public statement coming from the Department of Commerce (Privacy Shield’s oversight body) is a July 17 meeting recap claiming a “productive discussion” between the European Parliament’s LIBE Committee and senior US officials from the National Economic Council, the Departments of Justice, Commerce and State, and the Office of the Director of National Intelligence. The released statement includes a document blandly summarizing US responses to many of the EU’s long list of grievances. What the press release lacked was a clear signal about next steps. Instead, we must wait to see what comes of these negotiations in coming weeks.

The ongoing tariff dispute between the US and EU degrades public confidence in the future of the Privacy Shield program. The current “misunderstanding” between the parties may lead to a protracted argument. Like the Safe Harbor program before it, the EU may choose to invalidate Privacy Shield’s “adequacy” status under GDPR Article 45. The result of such a decision would mean that the sides must regroup and come to consensus on a new data protection accord. Just as privacy practitioners experienced a few years ago, the lengthy limbo period between old and new will lead to much frustration among business leaders.

Some argue that the EU’s recent threat is a strictly punitive measure in the face of a zero-sum game. Others note that Europe’s concerns stem from a view that the Privacy Shield program – like its predecessor – does not deliver on promises to enforce data privacy practices among participants. These issues magnify the culture clash that emerges from different histories and sociopolitical perspectives on national security, foreign intelligence gathering post-9/11, and the role of privacy as a fundamental right.

If the Privacy Shield is Suspended, What Options Remain for US Companies?

From a legal perspective, GDPR Articles 46 and 49 offer several alternatives for lawful transfers of personal data from the EU to US. These alternatives may lead to new operational challenges for privacy leaders. Add to this the hassle of dismantling a Privacy Shield-focused compliance program and starting anew (this activity is almost always an unbudgeted expense). Regardless, organizations may need to pivot to one or more of the following mechanisms:

  • Explicit Consent: Improves awareness through greater transparency; May not be appropriate for every type of business transaction.
  • Binding Corporate Rules (BCRs): Complex and expensive; Appropriate for the largest multi-national companies.
  • Standard Data Protection Clauses: Requires contract negotiations with each trading partner; Adds to firms’ contract management challenges.
  • Participation in an approved industry Code of Conduct: Limited to certain industries, such as pharmaceuticals, digital advertising and marketing.
  • Demonstrated compliance with an approved Certification program: Also limited; with uncertainty about which certifications meet EU standards for data protection.
  • Derogations (Exemptions) for Specific Situations: Promising alternative for some companies; Requires documented review and business justification.

Which option above is best for your organization? Privacy experts will probably respond with a lawyerly “it depends.” It depends on myriad factors unique to each business function and process. It depends on an understanding of risk appetite balanced with organizational values and goals. In short, the suspension of Privacy Shield may require some to go back to the drawing board to develop new data protection solutions to meet the challenge of transatlantic data flows.

Adam Stone is Principal Consultant and Chief Privacy Officer for Twin Cities-based Secure Digital Solutions (SDS). With a focus in data protection, SDS provides expert guidance in building and maintaining programs that align with the needs of the business. Our team of seasoned professionals offers a rigorous approach to improving privacy and security management processes. We seek opportunities to improve performance and demonstrate meaningful results. Contact our professionals today at (952) 544-0234 or info@trustsds.com.

22 May 2018

GDPR Deadline Looming

Does the GDPR "due date" remind us of Y2K? What will really happen on May 25th? No one knows the answer for certain, but there will likely be a lot of work left to do in the months (and perhaps years) after May 25th, 2018.


GDPR Top Ten Disciplines for EU Data

#1 Data Portability
#2 Accountability Principle
#3 Extraterritorial applicability of the GDPR
#4 Maintaining records of processing activities
#5 New Data Subject Rights
#6 Privacy by Design and by default
#7 Data Protection Authority enforcement methods
#8 Pseudonymization and its use in profiling
#9 Security and breach notification
#10 One stop shop

Stop Panicking and Start Your GDPR Readiness Journey Today

The time to act is now. Firms of all sizes must determine how GDPR will impact their business and act accordingly. For business executives who do not have the time or expertise needed to meet GDPR’s stringent requirements, our seasoned consultants will help you identify GDPR readiness gaps and define common-sense strategies for meeting compliance obligations. We leverage the in-the-trenches experience of past compliance initiatives to provide maximum value for today’s clients. Start your GDPR-focused compliance journey today with an affordable Readiness Assessment. Contact us at 952-544-0234 or visit our privacy services page for more information.

16 Jan 2018

The Great GDPR Compliance Panic of 2018

January 16th, 2018
Adam Stone, Principal Consultant

Are you falling into the rut known as the great GDPR compliance panic of 2018? Stop worrying. Many data security and privacy leaders have successfully addressed the challenges of new regulatory compliance obligations before.

Several years ago, I entered the data security and privacy world just as new business challenges emerged from two separate congressional reform bills intended to solve certain problems in the US healthcare and financial services sectors. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), followed by the Gramm-Leach-Bliley Act of 1999 (GLBA), triggered federal regulation focused on – among many other areas – data privacy and security. At the time, organizations of all sizes struggled to prepare for the new federal requirements.

The first hurdle for some organizations was simply to acknowledge the fact that HIPAA and GLBA applied to their operations. For those who moved past the acknowledgement phase, preparatory scope crept, and unplanned business disruptions followed. In an environment where executives were unclear about the applicability and impact of HIPAA and GLBA regulations, data security and privacy professionals found little support to implement new control structures. The result: compliance programs poorly aligned to corporate mission, values and objectives.

Though data security and privacy professionals emerged wiser from the HIPAA/GLBA compliance experience of the early aughts, evidence suggests that many firms now struggle with the emerging challenges of the EU General Data Protection Regulation (GDPR). As principal consultant with Secure Digital Solutions (SDS), I hear from lots of panicked leaders who need help understanding the impact of GDPR ahead of its May 2018 effective date. We find that firms can avoid some of the setbacks of the past by adopting an effective, scalable process for GDPR compliance preparations today. Whether preparing for GDPR with in-house resources or hiring an experienced consultant, firms should adopt a GDPR Readiness process like the one in the image below.

[Image: Preparing for GDPR: Process Steps. A simple process to help organizations prepare for the General Data Protection Regulation (GDPR) compliance requirements.]

Stop Panicking and Start Your GDPR Readiness Journey Today

The time to act is now. Firms of all sizes must determine how GDPR will impact their business and act accordingly. For business executives who do not have the time or expertise needed to meet GDPR’s stringent requirements, our seasoned consultants will help you identify GDPR readiness gaps and define common-sense strategies for meeting compliance obligations. We leverage the in-the-trenches experience of past compliance initiatives to provide maximum value for today’s clients. Start your GDPR-focused compliance journey today with an affordable Readiness Assessment. Contact us at 952-544-0234 or visit our Web site for more information.

17 Aug 2016

How Measuring Process Maturity Exceeds a Binary Compliance Approach

August 17th, 2016
By Corey Tower, CISM, PMP

If you have ever been in charge of implementing an inaugural security program or have been asked to formally organize information security, you know that compliance requirements are at the forefront of the conversation. Yet if you’ve been building and managing a security program for years, you already know a compliance-based approach is neither robust enough to handle modern threats nor comprehensive enough to manage risk across the entire business. As a measurement tool, compliance assessments are blunt instruments that focus primarily on the existence of controls. These assessments tend to yield binary results – either the organization is compliant, or not. Let’s explore how measuring your process maturity exceeds a binary compliance approach.

Implementing security effectively from the results of a compliance assessment is challenging, since gaps in compliance suggest the need for security investments that may be disproportionate to the problem the organization is trying to solve.

How Maturity Prioritizes Investment

Focusing on your maturity will allow you to view your program in both dark and bright lights. If you are serious about the effectiveness of your security program, you must be honest about the current state. For example, if you have in-house software development and you complete the compliance section of securing source code, you have two choices:

  1. Compliance Approach: Check the box that says “We do it – done.”
  2. Maturity Approach: Deep dive into process-level maturity (e.g. “How do we protect source code? How well defined are the standards to protect source code? What goal have we defined for source code protection? Is the security of our source code library adequate?”), with each answer scored on a maturity scale of 0 through 5 such as the one defined by COBIT.

Once you’ve completed a maturity assessment of all processes that make up the information security program, you can begin a more efficient plan for resource allocation and budget management. For example, perhaps 250 hours of project resource time can be shifted from your very mature patch management process to help your struggling security and event management effort. A maturity-based assessment helps to identify the performance level of key process areas, and the output complements and enhances a risk assessment. Looking at processes through the lens of maturity provides greater dimension to team and security program performance and conveys how to allocate resources once maturity goals are achieved.

Automate Maturity Assessments
Secure Digital Solutions’ TrustMAPP™ platform, powered by the MAPP™ (Maturity Assessment, Profile, and Plan) methodology, offers security leaders the ability to:

  • Identify how much security is “enough” by establishing process-level performance goals
  • Measure the effectiveness of your security programs and the capacity to accomplish outcomes
  • Link information security metrics and measurement back to business value and strategy
  • Use analytics and estimated level of effort to tell a compelling story to business executives and the board

TrustMAPP reports security posture by maturity levels, including trending analysis, planning, budgeting, and built-in support for multiple security frameworks and regulations. As a cloud solution, TrustMAPP enables clients to begin assessing their information security program in weeks instead of months. TrustMAPP helps security leaders create and communicate a strategic roadmap, build budgets and resource plans to guide their organizations’ security activities.

23 Mar 2016

Unifying the Message of Information Security

By Tennelle Anderson, CISSP, CISA, CPA, Secure Digital Solutions

I started out my career as an auditor. Then I moved into compliance. Now I’m a security consultant. One thing I’ve observed during my journey is that while each of these groups values controls such as logical access and vulnerability management, each group evaluates these controls using a different lens. These different lenses cause each group to speak a different language, leading to the confusion and frustration of management (and each other). All teams should focus on unifying the message of information security.

Isn’t there a single language that all three groups can use to consistently communicate the state of control effectiveness, compliance position and risk? Is there a single language that can also accommodate an ever-changing technological and compliance landscape? Is there a unifying language that can also communicate “how good is good enough” AND address concerns regarding overinvestment in security and compliance?

Yes, there is.

A Single Language

You probably think I’m dreaming, but I assure you I am not. The security industry is increasingly moving toward process maturity as the standard by which security programs are measured and improved[1]. The five CMMI maturity levels (Ad hoc, Managed/Repeatable, Defined, Quantitatively Managed, Optimized) can be used to describe control implementation and effectiveness, compliance with a specific requirement, as well as the level of risk present for any given process or asset.


Harmonization of Controls and Processes to Reduce Compliance Fatigue

As you have no doubt observed, there is a great deal of overlap between the various security regulations and frameworks that exist today. Rather than trying to keep up with hundreds of different individual (and ever-changing) control objectives, organizations can harmonize those individual controls into a set of processes that can be measured based on their maturity level. For example, rather than measuring adherence to 20 different logical access-related controls, break those controls into a subset of processes (e.g. provisioning, de-provisioning, access reviews, etc.) and measure the maturity of those processes.

Unlike audits and risk assessments, which provide only a point-in-time view of the existence and/or effectiveness of controls, assigning maturity levels to existing processes gives a point-in-time snapshot of these processes AND helps determine a company’s ability to adapt to ever-changing compliance requirements and control expectations. In addition, it reduces the number of assessments that must be conducted (and the number of widgets assessed), helping to reduce your organization’s audit fatigue.

How Good is Good Enough?

Using the CMMI maturity levels is also a great way to help your organization define “how good is good enough”. For example, if your logical access provisioning processes are considered Level 1, or ad hoc, most auditors, compliance specialists and security analysts would agree that the associated controls are likely not operating effectively (if they exist), do not meet associated compliance requirements, and present a higher level of risk to your organization. Processes rated a Level 2 (repeatable, but reactive) or Level 3 (defined) may be considered to be operating effectively, meeting associated compliance requirements, and presenting less risk to your organization. Processes rated a Level 4 (quantitatively managed) or a Level 5 (optimized), while indicating effectively operating controls that meet compliance requirements and present little risk, may be getting into overinvestment territory for your particular organization. Having management define maturity goals for the organization can help everyone know how good is good enough from the outset, eliminating confusion and reducing the risk of under- or overinvestment.
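As an added example (not SDS’s or TrustMAPP’s code), the Python below sketches the harmonization step and the “how good is good enough” reading from the two sections above: several framework controls collapse onto a handful of processes, each process is scored 0 to 5 against a management-defined goal, and the result is read back per framework. The control IDs, process names, scores and goals are constructed placeholders, not real framework numbering.

```python
from collections import defaultdict
from dataclasses import dataclass

MATURITY_LABELS = {0: "Non-existent", 1: "Ad hoc", 2: "Managed/Repeatable",
                   3: "Defined", 4: "Quantitatively Managed", 5: "Optimized"}

# Constructed mapping of individual framework controls onto harmonized
# processes. Control IDs are placeholders, not real framework numbering.
CONTROL_MAP = {
    "ISO27001/ctrl-01": "access.provisioning",
    "NIST-CSF/ctrl-01": "access.provisioning",
    "PCI-DSS/ctrl-01": "access.provisioning",
    "ISO27001/ctrl-02": "access.deprovisioning",
    "NIST-CSF/ctrl-02": "access.deprovisioning",
    "ISO27001/ctrl-03": "access.review",
    "PCI-DSS/ctrl-02": "access.review",
    "NIST-CSF/ctrl-03": "vuln.patching",
    "PCI-DSS/ctrl-03": "vuln.patching",
}


def effectiveness_band(level):
    """Read a maturity level the way the post does: 0-1 controls likely not
    operating effectively, 2-3 effective, 4-5 effective but possibly over-invested."""
    if not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"maturity level must be an integer 0..5, got {level!r}")
    if level <= 1:
        return "ineffective"
    if level <= 3:
        return "effective"
    return "effective-possible-overinvestment"


@dataclass
class ProcessResult:
    process: str
    level: int
    label: str
    goal: int
    band: str
    status: str  # "under", "at-goal" or "over" relative to the goal


def assess_processes(scores, goals):
    """Score each harmonized process against its management-defined goal.
    A process with no explicit goal is held to Level 3 (Defined)."""
    results = {}
    for process, level in scores.items():
        band = effectiveness_band(level)  # also validates the score
        goal = goals.get(process, 3)
        status = "under" if level < goal else "at-goal" if level == goal else "over"
        results[process] = ProcessResult(process, level, MATURITY_LABELS[level],
                                         goal, band, status)
    return results


def framework_readiness(results, control_map=CONTROL_MAP):
    """Share of each framework's controls whose underlying process meets or
    exceeds its goal. One process score answers every control mapped to it."""
    hit, total = defaultdict(int), defaultdict(int)
    for control, process in control_map.items():
        framework = control.split("/")[0]
        total[framework] += 1
        result = results.get(process)
        if result is not None and result.status != "under":
            hit[framework] += 1
    return {fw: round(hit[fw] / total[fw], 2) for fw in total}


def unanswered_controls(results, control_map=CONTROL_MAP):
    """Controls whose process was never scored: a harmonization gap an
    auditor will still ask about."""
    return sorted(c for c, p in control_map.items() if p not in results)


# Constructed sample assessment: current scores and management goals.
SAMPLE_SCORES = {"access.provisioning": 3, "access.deprovisioning": 1,
                 "access.review": 2, "vuln.patching": 5}
SAMPLE_GOALS = {"access.provisioning": 3, "access.deprovisioning": 3,
                "access.review": 2, "vuln.patching": 3}

if __name__ == "__main__":
    res = assess_processes(SAMPLE_SCORES, SAMPLE_GOALS)
    print({p: (r.label, r.status, r.band) for p, r in res.items()})
    print("readiness by framework:", framework_readiness(res))
```

With the sample data, de-provisioning shows as under its goal and ineffective, patching as over its goal (a candidate for reallocating effort), and the three placeholder frameworks get readiness of 0.67, 0.67 and 1.0.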

Bringing it all Together

Once audit, compliance and security begin to speak in the same language, management will immediately benefit by receiving a consistent and understandable message. This will allow your organization to move to the prioritization and implementation stages more quickly without fear of overinvestment. It may even help your organization to recognize audit, compliance and security as valuable business partners contributing to business goals, rather than impeding them.

How SDS Can Help

SDS’s TrustMAPP platform, powered by their MAPP methodology, empowers organizations with a clear picture of security posture based on maturity levels, including trending analysis, planning and budgeting, and built-in support for multiple security frameworks and regulations. With TrustMAPP’s SaaS delivery model, scoring, tracking improvements and communicating performance of a security program happens in weeks, instead of months, using built-in analytics. Accliviti helps CISOs create and communicate, using a unifying message for information security, a roadmap to guide the organization’s security activities.

By leveraging the best-practice MAPP model of Maturity Assessment, Profile, and Plan, using an automated tool like TrustMAPP, CISOs can focus more of their time and interactions towards security strategy and advisor roles for the business.

[1] Veltsos, Christophe; “A MAPP to Clearer Information Security,” January 2016.


27 Oct 2015

Controls Are for Auditors

An Information Management Approach

By: Chad Boeckmann, CISSP, CISA (CEO, Secure Digital Solutions)

Consider this approach to information security: Controls are for auditors; processes are for managers. As someone who has for nearly two decades provided guidance to help companies improve their information security, I’ve concluded the typical industry approach to information security (focusing on controls) is too narrow.

Often, tools are purchased as a reaction to the latest threat or, worse, a socially cool trend. To truly operationalize security, information security practitioners, particularly leaders (CISOs), must focus on how to manage the security program, both data security and cyber security, based on the performance of processes. Consider the following definitions from the IIA:

The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control processes are the policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance that the organization will achieve its objectives.

So how can you actually begin to measure your security program and operationalize performance based on process? First, many controls can be harmonized into processes. You might be thinking, “There are too many processes to manage effectively. Controls are easier.” I would challenge any security program, in most use cases, to identify more than 40 processes that need to be managed to align with regulatory and internal or external policy objectives for information security. Yes, this includes regulations such as GDPR, HIPAA, PCI DSS, FFIEC and frameworks like ISO27001/2 and NIST CSF.

Many of the regulatory controls and framework controls overlap considerably. To use a golf analogy, if we raise our eyes from the rough outlining the fairway, we can see the ball and pin clearly. Taking an industry recognized IT Management and Governance framework like COBIT and marrying it with a set of consolidated processes, your life as a CISO or information security practitioner becomes easier. Easier because you have the ability to align the organization’s objectives (the pin) with metrics related to the process (the fairway) to get the ball to the pin.

This is why we’ve automated this process with TrustMAPP. This is part 1 of a 2-part blog post. In the next entry I’ll discuss how to go about measuring process level performance to align with frameworks and regulations in a simplified but meaningful way.

23 Sep 2015

Seven Tips to Improve Security Audits

Achieving an Efficient, Measurable Process

By Tennelle Anderson, CISSP, CISA, CPA (Principal Security Consultant, SDS)

When I transitioned from “Internal Audit” to “Information Security” more than 10 years ago, I was immediately met with “you were an auditor, you deal with the auditors”. Once I realized no one else was going to take this disjointed and muddled (yet essential) function off my hands, I set out to turn my company’s audit scavenger hunt into an efficient and measurable process.


The most important thing I’ve learned during this experience is that all it takes is some consistency, organization, and proactive planning to eliminate your company’s audit scavenger hunt and make more effective use of your company’s resources. The following are some tips to improve security audit response.

“Where do I send this?”
The first phase of the scavenger hunt is identifying who will respond to the RFI once it is received in-house. A lot of time is wasted as an RFI is forwarded through a series of email inboxes. And RFI completion can be further delayed if any individual is out of the office or unable to check their individual email for an extended period of time.

1. Assign responsibility for completing these requests to a designated group of individuals. Believe it or not, there is an art to completing security questionnaires, and efficiencies can be gained by having a consistent group of individuals responding to them.

2. “Funnel” all requests to these designated individuals. Using a workflow management tool or ticketing system that end users are already familiar with provides a repeatable process that users are more likely to follow. If your organization needs a simpler solution, set up a group emailbox (e.g. SecurityInformationRequests at companyname dot com) accessible from the company’s intranet that end users can use to submit RFIs.

3. Provide education to frequently impacted groups. In my experience, security information requests often come via Sales or the Customer Relationship Managers (identify your company’s equivalent groups). Knowing this, my team of “responders” gave a short presentation at each monthly Sales new hire training meeting so that when the new Sales Reps inevitably received a questionnaire or other security request from a customer or client they would be able to forward the request quickly.

“Where do I get the answers to these questions?”
Once the request is received by the person(s) who will be responding, the next phase of the scavenger hunt will begin: where to find the information requested. I’ve found it valuable to apply the 80/20 rule to this exercise.

4. Organize and store the information you gather. The majority (80%) of security RFIs are looking for the same core information. Once you’ve gathered this information, you can likely re-use it for subsequent requests. Organize and store this information in a place that can be accessed by the entire group of designated responders for future use.

5. Identify “Good Names to Know”. For the other 20% of information requested (e.g. information that is extremely technical or system-specific, or changes frequently) identify “Good Names to Know” (GNTK) – these are folks you can always count on to work with you to get information quickly or can tell you where to go to find it. Early in my career I was told “these people are treasures and should be treated as such” – I wholeheartedly agree and I encourage you to establish very good working relationships with these resources once you find them.

“Where do I find the documentation I need?”
The final (and often most difficult and time-consuming) phase of the audit scavenger hunt is obtaining the necessary documentation. Oftentimes this documentation already exists and is readily available – if you know where to find it.

6. Become intimately familiar with your company’s web site. Many of the documents that are repeatedly requested can be found on your company’s intranet, such as HR policies, employee code of conduct, acceptable use policy, security policies, etc.

7. Gain access to IT’s departmental procedures. After HR and Security Policies, the most commonly requested documentation includes process documentation that is typically owned by the IT organization, such as access control processes and forms, change control processes and forms, system development lifecycle processes and forms, data destruction processes and certificates of destruction, etc. Utilize your GNTK’s to obtain detailed information such as user lists, system configurations, and other report- or screen print-based evidence on a request-by-request basis.

One caveat to consider when it comes to providing documentation: some of the information may be classified as confidential and should not be shared via insecure and uncontrollable means such as email. Discuss with your Security team or Legal Counsel if you are unsure whether certain information should be shared, especially without a non-disclosure agreement.

Conclusion
It really is this simple – implementing and consistently applying the seven recommendations I’ve outlined here is the first step to turning your company’s security audit scavenger hunt into an efficient and measurable process. If you are looking for a repeatable client security audit response, try using the SIG-Lite from Shared Assessments. We will address this approach in an upcoming blog. Stay tuned.

How Secure Digital Solutions Can Help
Information Security Audit Liaison Services (Audit Liaison) can add essential clarity and help improve security audits. From audit preparation to in-audit support to post-audit assistance with management’s response – we understand information security information requests and audits because we also perform them. We can be your coach, your buffer, and your advocate — and your staff can get back to their day jobs.