Cyber risk, information security, privacy and compliance services to business thought leaders.
20 Jul 2017

How Will Information Security Support GDPR Compliance?

July 20th, 2017
Adam Stone, Principal and Chief Privacy Officer

The effective date of the EU’s General Data Protection Regulation (GDPR), 25 May 2018, advances like a slow-motion tsunami rolling across the Atlantic. Yet despite the rising swell, many US organizations that trade in the EU are still on the fence, trying to figure out if and how GDPR will affect their business, according to a recent survey (PDF) by NTT Security.

For those who have gotten past that first hurdle, there appears to be lingering confusion about the role the information security function plays in meeting GDPR compliance requirements. A lack of awareness of GDPR’s mandates can create a false sense of confidence, rooted in the mindset that the EU’s data protection imperatives are something only data privacy professionals and attorneys need to worry about.

At the opposite end of the spectrum are those who reason that their firms have GDPR covered because of the IT security controls they already have in place. Though prominent features of a robust data protection program, safeguards like firewalls, encryption, and network monitoring tools do not address the need for new or enhanced business processes (data inventories, lawful-basis records, subject-access handling, breach notification workflows) in support of GDPR compliance. Indeed, as Kevin Townsend, Senior Contributor at SecurityWeek puts it, “GDPR is not just about security and the prevention of breaches — it’s just as much about how personally identifiable data is handled.” In other words, firms still stuck in the “security is an IT thing” mindset must break past this fallacy and address GDPR-enabling information security controls in a holistic manner.

Assuming the arguments above are convincing, the next logical question should be: how much will it cost our organization, in time and resources, to comply with GDPR’s security requirements? To find an answer, information security leaders should conduct an assessment that identifies the overlaps and gaps between their current governance structure and GDPR’s standards. The assessment should cover all three classes of information security controls: administrative, physical, and technical.

Now, here’s the good news. Firms that have committed to faithfully implementing an industry-accepted framework are well on their way towards supporting GDPR compliance. GDPR Article 32(3) provides that adherence to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with its security requirements. The regulation does not name any particular standard, but widely adopted frameworks such as ISO/IEC 27001 (with the 27002 control guidance) or ISO/IEC 27018 (for cloud providers handling personal data) are the natural candidates, and 27001 is the one organizations can actually be certified against. Though there is, at the moment, no mechanism enabling organizations to “certify compliance” with guidelines like the NIST Cybersecurity Framework or the Baldrige Cybersecurity Excellence Builder, adherence to such a framework may also reflect positively on one’s information security program.

The bottom line: US-based organizations need to quickly reconcile any misunderstandings about GDPR’s impact on the information security function if they want to continue participating in today’s digital economy. Once firms acknowledge their obligations, the next major step is to conduct a GDPR readiness assessment to identify potential gaps in coverage. For organizations that want to evaluate the quality and maturity of their GDPR-supporting information security processes, we recommend using a platform built for this purpose.

Adam Stone is Principal Consultant and Chief Privacy Officer for Twin Cities-based Secure Digital Solutions, LLC. SDS’ experienced data privacy and security professionals stand ready to assist your organization as you prepare for GDPR compliance. Choosing SDS as your trusted advisor will help ensure that your efforts have maximum impact, even with limited budgets and resources. Contact Secure Digital Solutions today to learn more!

Now you can quickly identify, measure, prioritize and communicate the maturity of your information security processes using the industry-leading TrustMAPP® platform. Check us out at trustmapp.com or call 952-544-0234.

19 Jul 2016

Briefing on Cybersecurity Best Practices – July 20th, 2016

Wednesday, July 20, 2016 from 7:30 AM – 9:00 AM
As you know, cybersecurity is an ongoing challenge for companies large and small. Almost every day there are headlines and blog posts about hacking, data theft, and the like. These issues affect both company data and customer data (consumer and enterprise). Good cybersecurity practices are essential, and they are far easier to wire into a company in its early stages than to retrofit later.
So what to do?
Adams Grumbles Law Firm has arranged a special client briefing on cybersecurity by Chad Boeckmann, CEO and Founder of Secure Digital Solutions, LLC (SDS). SDS is a fellow firm client that specializes in helping companies identify, assess and address cybersecurity risks. Mr. Boeckmann founded SDS in 2005 to offer business-centered solutions for securing digital assets. SDS helps companies reach their desired level of risk tolerance while better serving their customers and clients.

AGENDA:

  • Situational Awareness
  • Building Security into the process (and product)
  • Information Security Challenges facing every company
  • Insurance is not a compensating control
  • Information Security as a competitive differentiator

Here are the details:
Date: Wed, July 20
Time: 7:30-9 (bagels & coffee; presentation starts at 8)
Place: Adams Grumbles HQ – 287 6th St. E, Suite 140, Saint Paul (parking in visitor lot or in adjacent ramp and surface lot)
We have space for 20 in the room, but are also providing a dial-in (Phone: 585-632-6390 Pin: 63851) so anyone who wants to can participate. If you can be here live, grab your spot. Should be a very useful presentation. Hope you can join!

Adams Grumbles LLP
287 6th Street East
Ste. 140
Saint Paul, MN 55101

25 Mar 2015

Are You Speaking Risk?

Clearing Up Garbled InfoSecurity Communication

By Corey Tower, GRC Consultant

“There is a Threat that can Exploit our Vulnerability – we should address this Risk.”

That one sentence can be rewritten with its terms swapped around in roughly nine different ways, each causing confusion about what in the information security world we are actually talking about. In my tenure, I’ve seen these risk management terms misused more often than not.

What I would like to accomplish in this blog is to address what these risk management terms actually mean and how to use them correctly. Otherwise, we take the risk of creating confusion amongst our team, which can exploit…oh, never mind, let’s get to it.

The following definitions are from Shon Harris’ CISSP All-in-One Exam Guide:

Threat Agent: The entity that gives rise to a threat. This is your hacker, but it could just as well be a careless insider, a faulty process, or a natural event.

Threat: A danger that can exploit a known or unknown vulnerability in your security.

Vulnerability: The absence of a countermeasure, or a weakness in an existing countermeasure.

Risk: The likelihood that a threat will exploit a vulnerability, combined with the business impact if it does.

Exposure: An instance of being exposed to losses.

So how do these risk management terms interlink? Harris shows the relationship as a loop:

“Threat Agents, give rise to Threats, that exploit Vulnerabilities, which lead to Risk, that can damage Assets, and cause an Exposure, which can be countermeasured by a Control, which affect Threat Agents.”

Another translation issue comes up when classifying a control. When someone kicks in your home’s front door, did that lock serve as a Physical Preventive control or a Physical Detective control? The lock didn’t keep the intruder out, though your busted door frame told you loud and clear what happened. So which is it? Keep it simple: classify a control by what it is meant to do, not by how a particular incident played out. Locks are meant to keep unwanted people out, which makes the lock a Physical Preventive control; the broken frame is evidence left behind by a failed preventive control, not a detective control. An example of a Physical Detective control would be a motion detector.

As you can see, it’s no surprise these terms get interchanged. Within your security team, make it a point to use the correct terminology; it helps bolster a more mature InfoSec program.

04 Feb 2015

Engaging the Board on Security & Privacy

A Moment of Opportunity for Security and Privacy Leaders

By Adam Stone, Privacy Practice Lead, SDS

Following numerous major security breaches in the news in 2014, corporate boards of directors are increasingly interested in understanding information security and what it means to their business. As a data security leader, use this opportunity for engaging your board of directors on information security by honing your message in a way that resonates with the board.

Given the fever pitch of breach reporting in 2014 (culminating with the recent Sony hack), data security has finally found its way onto board meeting agendas for organizations across the spectrum. This is a business moment that many have been waiting for. Ask any battle-weary data security leader who’s struggled to gain corporate credibility and visibility and they will utter an exasperated “It’s about time!”

How does a data security leader leverage the board’s newfound interest in data protection and keep members engaged for the long run?

First, a bit of introspection. Data security continues to grapple with how the organization perceives where it fits in the corporate hierarchy (and this perception is often at odds with how data security leaders believe it should be). Traditionally, the Board has perceived data security as an IT issue relegated to a cost-of-doing-business versus a contributor to strategic, sustainable growth and long-term shareholder/stakeholder value. As a result, data security topics are often bundled with operational IT matters and filtered up to the board via established proxies, such as inside of audit or the chief information officer (CIO).

For years, thought leaders[i] have promoted data security as a business issue worthy of its own pulpit. Until recently though, evidence to back the truth of this claim was missing or mixed. With the Sony event, we can reflect on what happens when the board is not adequately exposed to data security topics. Sony is not alone; recent surveys suggest that a majority of corporate boards are minimally involved in cybersecurity preparedness[ii] and remain largely unprepared to deal with a security breach[iii] despite board members’ increasing interest in addressing this subject[iv].

This failure to engage the board of directors on information security is, in part, a branding problem with several causes; among them is the wonky, technocratic way practitioners tend to communicate the benefits of safeguarding data and the reasonable solutions for making it happen. Let’s face it: data security is not a particularly sexy topic for most.

Security industry leaders risk making an already poorly-understood subject less engaging by not clearly, consistently and relentlessly communicating its purpose, objectives and goals in terms of money saved and/or money earned. Board members are rarely inspired to action with heavy-handed, compliance-focused messages and even fewer are motivated by technobabble.

Boards understand risk. They understand that risk (an inherent negative) is a key part of doing business (that’s why data security functions exist). Undesirable, or at least indifferent board perceptions of data security should be countered with positive “opportunity” messages focused on the long view. Board members want to know how data security investments will bolster (or repair) public confidence, and make the organization’s current and future products and services desirable and efficiently produced. Successful data security leaders ensure that their communication strategy lines up with the board’s needs.

To accomplish this task, communicate using a dashboard-like approach that uses color to show which areas of the information security program require the most focus. Use this simple concept to achieve buy-in, then be ready to answer the question that follows: “how much effort and capital will that take?” BE PREPARED! When engaging the board of directors on information security you will have just 3-5 slides and a maximum of 5-7 minutes. Create one slide that communicates the state of the union, followed by slides that describe the costs of going from “red to yellow” and from “yellow to green”.

For more help with developing an information security dashboard presentation, you may contact our team here: http://securedigitalsolutions.com/contact/

Some references worth noting for further reading on this subject:

[i] One organization assisting board members on how to address cybersecurity issues is the National Association of Corporate Directors (NACD). We recommend accessing their materials on this subject at http://www.nacdonline.org/.

[ii] “Cybersecurity: What the Board of Directors Needs to Ask.” The Institute of Internal Auditors Research Foundation (IIARF). 2014. 10 January 2015. <http://www.theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-download-pdf-1852.cfm>.

[iii] “Cyber Incident Response: Are Business Leaders Ready?” Economist Intelligence Unit (EIU) sponsored by Arbor Networks. 2014. 13 January 2015. <http://www.arbornetworks.com/ciso/eiureport>.

[iv] “IT and Cybersecurity Oversight: PwC’s 2014 Annual Corporate Directors Survey.” PricewaterhouseCoopers, LLP. 2014. 13 January 2015. <http://www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/information-technology-cybersecurity-oversight.jhtml>.