Data Security… Don’t risk being the weakest link #CASRO #MRX


Live blogged in Nashville. Any errors or bad jokes are my own. Any typos are purely the fault of the iPad.

by Peter Milla and Dave Christiansen

CASRO has seen an increase in requests from clients and regulators for data privacy and security compliance
– code of standards
– safe harbor program
– ISO

Compliance means conforming to a rule, such as a policy or a law. Clients want operational transparency.

Companies will require 50 percent fewer business process workers and 500 percent more digital business jobs, especially regulatory analysts and risk professionals. These jobs generally exist only in larger companies. This includes privacy officers.

Privacy and security are symbiotic. This can be a crisis for MR. Privacy is the appropriate use of the data. Security is the confidentiality, integrity and availability of the data.
– you can’t just destroy data. What about all the backups, and the saved copies that everyone has from their piece of the work?
– availability of data could be a matter of life or death in some cases

What drives compliance
– the client wants it [I hope vendors want it too. Why is it because clients want it?]
– legislation or regulation such as HIPAA, GLBA, COPPA, the FTC Act and PIPEDA. You could be accused of an unfair trade practice for discontinuing a poor responder.
– gain a competitive advantage

[Wow, typing on an iPad keyboard is quiet and completely unobtrusive when you lay it flat! But I can’t put pictures or links in easily. Sorry.]

ISO 27002 – you can’t be certified against it, you can only be compliant with it

HIPAA compliance case study
– business associates now face liability: uses not in accordance with the business associate agreement (BAA), failure to limit PHI to the minimum necessary, failure to provide breach notification, failure to provide HHS access when required, failure to comply with the security rule.
– many companies state a one-year retention period, but they actually keep the data forever

HIPAA compliance
– Protected Health Information PHI.
– employees don’t usually intend to make errors; they just don’t know
– there is no easy checklist of requirements
– it does offer a set of principles. The instruction is to take the necessary steps to disclose only the minimum necessary information
– much of it is process based

HIPAA security rule compliance
– risk analysis: evaluate the likelihood of risks, implement appropriate security measures, document those measures, maintain continuous review and assessment, ensure access control and integrity control, ensure transmission security, keep documentation up to date

BLUE CROSS – just had a breach that affected 80 million US citizens, 25% of the population: names, Social Security numbers, birthdays. Be sure to use your free annual credit report. Take advantage of free credit monitoring. Monitor your children as well. Be alert when filing your income taxes.

Top security trends
– cybercrime, privacy and regulation, third party provider threats and breaches, BYOx in the workplace – Bring Your Own Device [like I’m doing right now. Are my office security systems on my personal tablet?]

[Note to self and everyone: turn the GPS off on all of your devices. It is not necessary that every software program knows where you are, where you live, where you work, where your kids live.]

Advanced Persistent Threat – APT
– China, Russia and Iran run active cyber espionage programs targeting every industry to take whatever they can, which is causing the information security bar to be raised

Clients expect all their information to be safe. You need a dedicated person or team: CISSP, CISM, CISA, ISO, SDLC. [We have this person. They went to every single office in every country over the last couple of weeks to remind every single person just how serious security issues are.]

[Everyone should have come to this session. I don’t care if you think you’re doing fine. You need persistent reminders of just how worried you really ought to be.]

Information security is not IT security. It spans people, processes and technology. It covers digital, written and spoken information. It means being proactive. It’s an organizational discipline.

ISO27001
– best practice for information security, alongside NIST, the CSF and COBIT. It can be audited and certified. It is ‘best practice’: the policies, procedures, controls and training.
– it is not industry specific. It is relevant to federal, state, industry and contractual requirements.

Identify weaknesses
– vulnerability assessment (annually or quarterly), penetration testing, gap assessment, awareness training, internal audit, risk assessment

[Annie’s free public service announcement – do an internal audit today. If it looks like spam, it probably is. If it doesn’t look like what I usually email to you, I probably didn’t email it to you.]
