CyberSecOp Cybersecurity & Breach News
CyberSecOp is an ISO 27001 Certified Cyber ...
CyberSecOp is an ISO 27001 Certified Cyber Security Consulting Firm

EU Compliance - General Data Protection Regulation (GDPR

Board Oversight of Cybersecurity Risk

Why CISOs and Boards Should Work Together to Improve Cybersecurity

Corporate board members often ask management specific questions that stop short of demanding metrics, It is this lack of measurable criteria which often hinder the effectiveness of cyber-security efforts.

First and foremost, it is imperative for the board to appreciate the impact that information security can have on the business. Boards should treat security as a top business risk as well as a top business opportunity. Major security events can have a significant impact on revenue, brand, and can lead to catastrophic results.

Board oversight of cyber-security has increased over the years. Even board members without technical expertise have had to become rapidly acquainted with IT risk and security concepts. In recent years, frameworks and best practices have emerged to help boards get a grip on their organizations’ cyber-security posture.

Specific Areas of Focus:

  • Improved emergency response times and evacuation management with real-time tracking of personnel movements around your site.

  • Information related to how the organization manages cyber-security, security awareness, and the enterprise risk management (ERM) program.

  • Actively monitor workers within a zone, on local or remote sites.

  • Ensure blast zones have been cleared before explosives are detonated.

  • Monitor the movement of people to a muster area during an evacuation.

  • Ensure the security control room is aware of workers who are alone on remote sites.

  • Monitor personnel who remain within a high security area at the end of a working day or shift.

Breach Response Protocol

Corporate boards should receive regular reports from executives about the company’s cyber-security risks, management review processes, overall health, and readiness to respond to an incident. Best practices include quarterly reports from firm leaders and more frequent reporting if needed.

Company leaders should carry out incident response plan tabletop exercises annually at a minimum. Board members should expect reports on the test outcomes. Details about how the plan will be updated are based on the test results.

Third-Party Risk

Regulators are increasingly targeting third-party risk. Wide-reaching laws like GDPR, industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cyber-security Regulation and NERC CIP-013 in the utilities industry, provide specific requirements for managing third-party risk.

User-Related Risk

Human error can expose an organization to a wide array of cyber-attacks.. Business leaders commonly state that employee negligence is the most common cause of data breaches. Phishing for example, was implicated in 32% of data breaches in 2018. In addition, poor password practices, connecting to public Wi-Fi from company devices, and sharing files that contain malware are all examples of employee errors that could translate into huge costs for any organization.

In terms of board qualifications, 41% of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34% of organizations mentioned the frequency of board reports, with just 11% reporting briefing the board annually or quarterly.

Recommendations for Boards of Directors

Questions to ask:

  • Has responsibility for cyber-security been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?

  • Is the board getting regular briefings on the organization’s strategy regarding cyber-security risks and cyber resilience?

  • How engaged is the board in reviewing the organization’s cyber-risk management program and security-related investments?

  • How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?

Vinny La Rocca

CEO

CyberSecOp.com

CyberSecOp assists organizations with Cyber Security and Privacy Consulting Services, providing services such as Cyber Security Program, Data Privacy Security Program, and Cyber Security Assessment services based on the following: NIST, ISO 27001, GDPR, CCPA, HIPAA, PCI, CMMC, GLBA amongst others. Don’t risk regulatory fines. Stay compliant with CyberSecOp Security Compliance and Cyber Incident Response Services. For More Information Call 866-973-2677

CyberSecOp an award winning cybersecurity consulting company, Click here to find out more.

, ,

GDPR Questions Answered: Do We Need Consent to Hold Information in a Database?

, ,

Now just a few weeks remain before the deadline for the General Data Protection Regulation (GDPR), so data protection advisor Jon Baines is here to answer your questions.

Today, Jon was asked:
 
Q: “If our database holds names, email addresses, telephone numbers addresses and job roles of people involved in the classical music industry, of which most of the information is available on their websites, do we have to have specific consent to hold this information, which we use to contact them in terms of business and to occasionally send out a newsletter (twice a year) from which they can unsubscribe? There are a few thousand names involved so it would be good to know whether we need to contact them or not!”
 

A: “I wish my answer could be a simple one, but, regrettably, the law here is rather complex. However, I will try to explain.

“Unfortunately, what we don’t have here are details on how the business gathered this personal data, and whether the marketing they wish to send is by email (I’ve assumed it is). The author says the information gathered appears publicly on websites, so it might be inferred that the business has ‘scraped’ the details from those sites. If that’s the case, then there may be some problems. 
 
“As a general rule people should be aware (or be made aware) that their personal data is being gathered and collated, even if it’s publicly accessible. Furthermore, sending marketing in electronic form to individual recipients (which I think most of the musicians here would be) requires explicit consent from the recipient (or, in some circumstances, and subject to various qualifications, a prior customer relationship). Sending email marketing, therefore, without consent, would almost certainly be a breach of the law.
 
“If, contrary to what I’ve inferred, the business got the musicians’ details direct from the musicians themselves, then the question as to whether they can send them email marketing is a bit different. If the business has their prior explicit consent to receive marketing emails, then they can continue to do so. Or if they got the musicians’ details during the sale (or negotiations for sale) of a product or service, they can send them marketing emails, provided that at all stages they have offered, and continue to offer, the option to opt out of receiving them.

“The irony here is that the law in question is not the GDPR but the Privacy and Electronic Communications (EC Directive) Regulations 2003, which often get overlooked. Over recent years the Information Commissioner has issued plenty of fines for breaches of this 2003 law.

“Generally, the firms getting those fines have sent very high volumes of unlawful electronic marketing, and the Commissioner has not tended to target SMEs. Nonetheless, even if the risk to a small business of big fines may be relatively low, they do need to be aware of the other risks, particularly of legal claims by individuals, and reputational harm.”

CyberSecOp assists organizations with Cyber Security and Privacy Consulting Services, providing services such as Cyber Security Program, Data Privacy Security Program, and Cyber Security Assessment services based on the following: NIST, ISO 27001, GDPR, CCPA, HIPAA, PCI, CMMC, GLBA amongst others. Don’t risk regulatory fines. Stay compliant with CyberSecOp Security Compliance and Cyber Incident Response Services. For More Information Call 866-973-2677

CyberSecOp an award winning cybersecurity consulting company, Click here to find out more.

, ,

Are you ready for GDPR compliance?

, ,

GDPR Is Coming. Are You Ready

What is the GDPR requirements:

                     EU Compliance - General Data Protection Regulation (GDPR

                     EU Compliance - General Data Protection Regulation (GDPR

For more details on GDPR see GDPR a risk to your organization

CyberSecOp assists organizations with Cyber Security and Privacy Consulting Services, providing services such as Cyber Security Program, Data Privacy Security Program, and Cyber Security Assessment services based on the following: NIST, ISO 27001, GDPR, CCPA, HIPAA, PCI, CMMC, GLBA amongst others. Don’t risk regulatory fines. Stay compliant with CyberSecOp Security Compliance and Cyber Incident Response Services. For More Information Call 866-973-2677

CyberSecOp an award winning cybersecurity consulting company, Click here to find out more.

YOUR TRUSTED SECURITY CONSULTING PARTNER             

CyberSecOp provides high-end cyber security consulting services and incident response support for organizations worldwide. Our cyber security customer service support can be contacted using the Contact Us form, or you can reach our live customer service representatives 24/7 using our Live Chat and 866-973-2677.

Use the search to find the security services, or call the number above to speak with a security professional.  

CYBER SECURITY SERVICES

Cyber Incident Response

CYBERSECURITY EXPERIENCE

Cyber Security Governance Network Security Security Risk Management Security Awareness Training Managed Security Services

CyberSecOp Your Premier Information Security Consulting Provider - Company HQ in Stamford, CT & New York, NY. CyberSecOp is a top-rated worldwide cyber security consulting firm that helps global corporations with cyber security consulting services and Cyber Incident response services.