In today’s regulatory and economic environment, organizations need to keep pace with constantly-shifting cybersecurity and data privacy threats. ADCG has sifted through current best practices to provide the following (non-exhaustive) guidance for Chief Information Security Officers (CISOs), and other compliance professionals tasked with cybersecurity and data protection.
Hire a SOCaaS Vendor
Your organization should consider contracting with a third-party security operations center (SOC) to provide SOC as a Service (SOCaaS) on a subscription basis. SOCaaS engineers and analysts can review the current operations of your organization and provide an audit of security capabilities, including risk and incident management, compliance assessments, behavior and threat analysis, and situational security awareness.
Outsourcing to professionals in this manner can save time and money and improve resilience. When organizations attempt to deliver these services in-house, they run the risk of “alert fatigue”; research indicates that this leads to 44 percent of alerts going uninvestigated, or being investigated too slowly to matter.
In selecting a SOCaaS provider, organizations should consider the following:
- Your provider must be able to adapt to the ever-changing and evolving threat landscape quickly and effectively. Providers must demonstrate a proven ability to respond to the most current and prevalent threats.
- The service provided by the SOC must be customizable, so that your organization receives monitoring and response guidance particular to the services, structure, and objectives of its operations. Prospective vendors should provide CISOs with a customized strategy that is approved by the IT department, the compliance department, and senior leadership before your organization signs a contract.
- You should ensure that your provider conducts their operations in accordance with the most recent guidance and frameworks for conducting security as a service, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO 27001 and CIS Critical Security Controls.
Achieve NIST Certification for Vendors
In addition to the Cybersecurity Framework, NIST has also published NIST SP 800-171, which outlines a set of standard security practices for “nonfederal” entities that you and your provider should adhere to.
You’ll need to check that vendors are capable of, and willing to, maintain compliance with the following 14 families of practices from NIST 800-171:
- Access Controls – requires organizations to limit access to their systems on an as-needed basis;
- Awareness and Training – requires organizations’ employees receive IT security awareness training;
- Audit and Accountability – requires organizations’ employees’ activities to be monitored, tracked, and recorded within their systems;
- Configuration Management – requires organizations to track any changes or updates made to their IT security configuration settings;
- Identification and Authentication – requires organizations to authenticate the identity of users accessing systems;
- Incident Response – requires organizations to establish and maintain an incident response plan for detecting and recovering from a security breach of their systems or any systems they access;
- Maintenance – requires organizations to ensure that their IT department follows their security best practices when conducting maintenance on their systems;
- Media Protection – requires organizations to properly mark, protect, and dispose of any Controlled Unclassified Information (CUI);
- Personnel Security – requires organizations to maintain a system of authorization for system access;
- Physical Protection – requires organizations to properly safeguard physical IT infrastructure;
- Risk Assessment – requires organizations to assess and remediate any IT security risks or vulnerabilities on a periodic basis;
- Security Assessment – requires organizations to regularly assess IT security controls and adapt them to achieve effectiveness;
- System and Communications Protection – requires organizations to monitor their IT systems; and
- System and Information Integrity – requires organizations to ensure that their systems are properly protected against cyber threats or incidents.
Devalue Your Data
According to this report, “85 percent of data breaches are caused by human error.” As such, your organization should consider devaluing data, making it useless to any threat actor who gains access to your system via breach. There are two methods for data devaluation: tokenization and encryption.
- Tokenization – each sensitive data element is replaced by a randomly generated “token” that is stored on the server in place of the actual data. The actual data is kept in a separate, third-party location (a token vault), and the token allows authorized parties to look up the corresponding personally identifiable information.
- Encryption – each data element is translated into another form or code that can only be decrypted with a key held by authorized personnel.
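The tokenization method described above, as an added example that is not part of the ADCG article: a minimal token vault in Python. The application database keeps only the random tokens, the vault holds the real values and releases them only to authorized principals, and a helper checks that no sensitive plaintext survived in the stored record. The class, field names, principal names and the sample customer record are all constructed for this example.

```python
"""Added example (not from the ADCG article): a minimal tokenization vault.

Tokenization replaces a sensitive value with a random token that has no
mathematical relationship to the original. The token lives in the application
database; the real value lives only in a segregated vault that releases it to
authorized principals. All names and sample records here are constructed.
"""
import secrets


class TokenVault:
    """Hypothetical vault service. In practice this runs in a separate,
    hardened system with its own access control and audit logging."""

    def __init__(self, authorized_principals):
        self._token_to_value = {}
        self._value_to_token = {}
        self._authorized = set(authorized_principals)
        self.audit_log = []  # entries of (principal, token, outcome)

    def tokenize(self, value: str) -> str:
        # Same plaintext -> same token, so the application can still join on
        # the column. Trade-off: equal values are recognisable as equal.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, principal: str) -> str:
        # Only authorized principals get the real value back; every
        # attempt, allowed or denied, is recorded for later review.
        if principal not in self._authorized:
            self.audit_log.append((principal, token, "denied"))
            raise PermissionError(f"{principal} may not detokenize")
        if token not in self._token_to_value:
            self.audit_log.append((principal, token, "unknown"))
            raise KeyError("unknown token")
        self.audit_log.append((principal, token, "released"))
        return self._token_to_value[token]


# Fields treated as sensitive in this constructed schema.
SENSITIVE_FIELDS = ("ssn", "card_number")


def devalue_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record that is safe to store in the application DB:
    every sensitive field is replaced by its token."""
    safe = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in safe:
            safe[name] = vault.tokenize(safe[name])
    return safe


def leaks_plaintext(stored: dict, original: dict) -> bool:
    """True if any sensitive plaintext from the original survived in the
    stored record (a simple check to run before persisting)."""
    return any(
        original[name] in str(stored.get(name, ""))
        for name in SENSITIVE_FIELDS
        if name in original
    )


if __name__ == "__main__":
    vault = TokenVault(authorized_principals={"billing-service"})
    # Constructed sample record; not real data.
    customer = {"name": "A. Example", "ssn": "123-45-6789",
                "card_number": "4111111111111111"}
    stored = devalue_record(customer, vault)
    print("stored in app DB:", stored)
    print("billing-service reads back:",
          vault.detokenize(stored["ssn"], "billing-service"))
```

Two design points worth noting. The vault issues the same token for the same value so that the application can still match records; that keeps equality relationships visible to anyone who obtains the token table, so a deployment that does not need joins should generate a fresh token per use. And the vault, not the application, enforces who may detokenize, which is what makes a breach of the application database alone yield nothing usable.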
Train Your People
Your organization should consider giving employees who manage, utilize, or have access to any sensitive data in your information systems a privacy training and certification. This can ensure that your employees know their role in maintaining secure operations, and that they are aware of practices and policies that lead to breaches.
Although there are many certifications that your organization could consider, the following five privacy certifications are well regarded in the cybersecurity industry.
- The Certified Information Privacy Professional (CIPP) –
  - This certification course, offered by the International Association of Privacy Professionals (IAPP), focuses on the practical aspects of data privacy, such as the specifics of compliance with current data privacy and protection laws.
  - Due to the differing laws and regulations in different countries, this certification offers four areas of concentration: Asia (CIPP/A), Canada (CIPP/C), Europe (CIPP/E), and U.S. private sector (CIPP/US).
- The Certified Information Privacy Technologist (CIPT) –
  - This certification course, also offered by the International Association of Privacy Professionals (IAPP), focuses on the more technical and behind-the-scenes aspects of data privacy, such as best practices, protocols and procedures, and recommendations for data infrastructures.
  - The certification is generally targeted toward individuals with a background or a current role in software engineering or information technology and security.
- PrivacyOps –
  - This certification course was designed by Securiti.ai, which creates AI-powered and machine learning-based tools.
  - This free course assists privacy professionals in gaining an understanding of the best tools, techniques, and approaches to delivering data privacy.
- The Certified Information Privacy Manager (CIPM) –
  - This International Association of Privacy Professionals (IAPP) certification course focuses on an organization’s strategy for outlining the role of data privacy within its business plans, and establishing policies and procedures that further an organization’s data privacy philosophy.
  - The certification is generally targeted toward managers and executives that participate in the organization’s risk management and privacy maintenance practices and procedures.
- The Health Care Information Security and Privacy Practitioner (HCISPP) –
  - This certification course, offered by the International Information System Security Certification Consortium ((ISC)²), focuses entirely on data privacy in the healthcare
Your organization’s CISO—or, if you do not have one, the personnel tasked with maintaining your data security systems and operations—should ensure that the entire organization, its vendors, and third-party contractors are made aware of any operational changes or security incidents. This organization-wide system of communication will ensure that there are no instances of inconsistency in data security maintained, transferred, or utilized by your organization.
Additionally, security personnel should ensure that all third-party vendors who work with security systems maintain their operations in accordance with your organization’s security policies and procedures.