2023 State Data Privacy Laws Overview

2022 was a big year for data privacy in the U.S., with many states passing or considering data privacy legislation and the American Data Privacy and Protection Act (ADPPA) advancing out of committee in the House with broad bipartisan support before stalling short of a floor vote. Had it passed, it would have been the first comprehensive U.S. federal privacy law, preempting many of the state-level provisions. With 2022 in the rearview mirror, it’s time to look ahead to what awaits us for data privacy in 2023. Five new state laws come into effect this year, including the California Privacy Rights Act (CPRA), which amends and expands the CCPA. Over the coming days, we’ll take a look at each one and review how it affects the data privacy landscape.

Many of the core tenets are shared by every state-level data privacy law coming into effect in 2023, and they are comparable in many regards to the European Union’s General Data Protection Regulation (GDPR). Though the language varies from statute to statute, each law requires businesses and data controllers in these states to honor a set of consumer rights regarding personal data. These rights include the right to access their personal data, the right to correct inaccuracies in their personal data (not included in the Utah Consumer Privacy Act), the right to delete their personal data, the right to obtain a portable copy of their data, the right to opt out of the sale of their personal data, and the right to opt out of targeted advertising.

Additionally, data controllers subject to these statutes will be required to provide consumers a privacy notice detailing how they handle personal data. Of the 2023 laws, the CPRA goes furthest here: businesses must disclose how long they intend to retain each category of personal information, or the criteria used to determine that period, along with the purpose for collecting it. All of the 2023 data privacy statutes will also require data controllers to implement and maintain reasonable security controls to protect consumers’ personal data. Again, the wording varies from statute to statute, but a security requirement in every law raises the floor for protecting consumers’ sensitive personal data.

Our 2023 State Data Privacy Laws series will look at the requirements in each statute, along with how each statute varies from the others. The similar, familiar core of these data privacy laws should make general compliance manageable. However, there are some tedious edge cases that will only get more complicated as new data privacy laws pass across the nation. Sooner or later, there will be a need for a simplified nationwide data privacy law like the one we almost saw passed in 2022. While we don’t know whether 2023 will build on what the ADPPA started, states certainly won’t wait for Congress to act on data privacy.

What is a Privacy Impact Assessment? Does My Business Need One?

Privacy is progressing across the US and it stops for no one – so what does it take to keep up? As an increasing number of privacy regulations follow the example of GDPR and CPRA, more companies than ever are newly bound to rigorous sets of privacy standards. Meeting those standards requires some standardized way of assessing data systems to weed out privacy risks, which is exactly the role Privacy Impact Assessments (PIAs) fill. These assessments are primed to become an invaluable asset both for organizations newly assessing privacy risk at the behest of legislation and for existing privacy-conscious organizations aiming to maintain their privacy posture – so it’s a great time to take a look at what a PIA is, whether or not you need one, and what one entails.

What it is

Essentially, a PIA is a tool that enables organizations to identify, categorize, and ultimately remediate privacy risks present in their data systems in accordance with relevant legislative standards. These assessments have three objectives: to verify the data system’s conformity with organizational and legal privacy requirements, to determine the privacy risks present in the data system, and to evaluate solutions to mitigate identified risks.

Who Needs it

Understanding what constitutes a PIA and its goals, a natural follow-up question is who needs one. The answer largely depends on the requirements of whatever regulations your business must abide by – different frameworks require these assessments at different stages of data handling. Odds are, however, that if you are bound to privacy legislation and handle customer Personally Identifiable Information (PII), you will at minimum be required to conduct a PIA when that data is newly processed or sold. Additionally, whenever significant changes or additions are made to the data system’s structure or its processes, a PIA is highly advised, if not required outright.

Even beyond the explicitly required cases, almost any organization that handles PII should seriously consider conducting these assessments at least every three years. Remember that these assessments aren’t just a box to tick for compliance’s sake – they exist to protect consumer information from undue exposure and thus to protect the company that would be held liable. At its core, a PIA is a tool to mitigate risk and should be treated as such.

How it Works

So – if you decide upon conducting a PIA, what exactly does it involve? Generally, the assessment takes the form of both an analysis process and a report document. The process itself will vary again depending on the regulatory requirements an organization faces, but will typically include steps like the following:

  • Identification of the scope of the assessment, along with the staff and stakeholders associated with in-scope systems
  • Categorization of the data being handled according to its sensitivity
  • A technical mapping of where and how information flows through the system: from acquisition to storage to transfer to use to disposal
  • Analysis and cataloging of privacy risks based on the data system’s current state – take care to consider non-technical privacy impacts as well, for example how clearly an otherwise safe process can be explained to concerned consumers
  • A determination of whether the risk of holding each type of PII is proportional and reasonable relative to its business purpose
  • Consideration of mitigating measures that could be taken to further protect the data system’s privacy, as well as any data to be gathered in the future

At the conclusion of the above steps, a PIA report should be prepared documenting the results. The report should be easy to interpret and should cover every step and consideration taken – online templates and privacy consultants can help here. After the report’s completion, ensure that it’s published and sent wherever regulation requires. Ultimately, the PIA report is a living document. It should be reviewed whenever there is progress toward implementing the identified PIA recommendations or whenever changes to the system are documented.

With the PIA’s goals, use-case, and process in mind, hopefully you’re left with a clearer picture of these assessments going forward. Like many system assessments, the process can seem daunting at first, but with some practice it will become a tremendously helpful tool in your GRC toolbox, helping you adapt and thrive in our privacy-conscious future.

Need some help conducting your Privacy Impact Assessment? Let CyberData Pros carry one out for you, from scoping to publication. Contact us now for a free consultation and to learn more about our services.

What Makes a Good Privacy Policy?

Seen clearly in the near-constant expansion and revision of privacy regulations, it’s no secret that privacy demands are rapidly growing. This leaves privacy documents previously left by the wayside with newfound legal prominence – chief among them, currently, Privacy Policies. Whether a business is new or established, privacy regulations are evolving and Privacy Policies need to adapt to stay relevant. With that in mind, now is a great time to thoroughly evaluate your company’s Privacy Policy; in that interest, here are some considerations for forming a policy fit for modern criteria.

Before we dive too deep into the weeds of what constitutes a solid Privacy Policy, let’s take a moment to define what exactly a Privacy Policy is and the purpose it serves for businesses. Essentially, a Privacy Policy is a legal document that details the information you collect on users, the purpose and methods of that collection, and the means by which that information will be processed, shared, or sold. What constitutes “personal” information varies by regulation, but a good rule of thumb is that if the data can be used, alone or combined with other data, to identify an individual (things like names, addresses, emails, or age), it’s safe to treat it as personal data. In terms of purpose, these policies primarily exist to protect customer privacy rights and to encourage transparency and consumer trust in businesses. Beyond these conceptual benefits lies one critical, tangible one for businesses – reducing legal liability in an increasingly privacy-conscious world. Realizing those benefits, however, depends on the comprehensiveness of the policy. Let’s touch on what it takes to get a Privacy Policy to that standard.

To meet the growing demand for quick Privacy Policy generation, a number of Privacy Policy generators have seen heavy use. As regulations require increasing specificity from these policies, however, consider ditching generic generators. A Privacy Policy should be specifically crafted for your company. It should be an intentional guide to how you agree to protect not only your clients but ultimately your company as well. Generators can help you become compliant with general state laws, but many fail to produce a policy designed to meet the individual needs of a company. Where generated policies really start to struggle is in meeting the specialized, evolving requirements of developing privacy laws, like the GDPR or the proposed ADPPA. Even if a generator could produce policies at that level of specificity, it would require entering a boatload of proprietary information into a potentially unscreened vendor – which is generally not a good idea.

Quite a few factors go into forming a solid Privacy Policy today – here are a few general areas to look at when forming yours:

  • Identify What’s Collected: Conduct an audit to determine what types of personal data are collected, where the data rests and moves, how it’s protected, and what’s ultimately done with it. This stage is critical and should be conducted with care; you can only report what you know.
  • Identify Relevant Regulations: To follow the rules you need to know what they are – take a look at any regulations that might apply to you based on where and how you operate. Pay special attention to evolving regulations and proposals: CPRA, GDPR, PIPEDA, and the proposed ADPPA.
  • Adaptability: Both your business and the regulations evolve over time, and requirements will shift as this occurs. A solid Privacy Policy needs to be quickly adaptable to meet these requirements as they come – this often requires some forethought in the design of data handling as well as in the organization of the policy itself.
  • Comprehensive yet Comprehensible Rights: The policy should outline the rights and allowances provided to consumers. Consider their options for opting out of collection, requesting deletion of existing data, and viewing how they’re tracked, and what the implications of exercising these rights are and aren’t. Just as important, the policy should be written in a way typical users can understand and posted where they can find it. Avoid legalese for the sake of clarity where possible – it’s hard to justify rights provided to customers if their means to exercise them is obfuscated.

Following those general guidelines above will go a long way in defining the specific technical and organizational components of drafting a solid, modern Privacy Policy. If the process sounds tricky that’s because it typically is – modern compliance is a moving target, and a good deal of care is required to stay on track. This makes it a great time to build strong privacy foundations, and don’t hesitate to seek help from consultancies or privacy experts if needed – investments in a robust Privacy Policy now will pay dividends in risk control and compliance efforts to come.

Need help building a Privacy Policy for your business? Let CyberData Pros conduct a privacy assessment and tailor a Privacy Policy to fit your privacy posture. Contact us now for a free consultation and to learn more about our services.

Simplifying Remote Security with Mobile Device Management (MDM)

For all its believers and detractors, the remote workforce appears to be here to stay. The most recent McKinsey American Opportunity Survey indicates that 58 percent of Americans report having the opportunity to work remotely at least once a week, and that of those offered remote-flexibility 87 percent will take it. To many, this may be no surprise – remote work offers a variety of conveniences – but this shift of environment does, inevitably, open up new risks and roadblocks. During the 2020 pandemic many organizations accepted these risks as a temporary measure, but as this industry trend appears to be solidifying into a permanent shift, a more permanent solution should be considered to reinforce this new, broader attack surface. One tool that’s stellar for this application is a Mobile Device Management solution.

A Mobile Device Management solution (or MDM) is a software package that allows centralized management of mobile devices (cell phones, laptops, and other devices that move) in what is inherently a decentralized environment. The value of this capability is higher than ever, since previously many endpoints were static, used exclusively on a controlled network in a controlled location, which simplified administration, configuration, and security. MDM provides a means to reclaim these benefits by establishing a connection from the device, or client, to the MDM server, through which enrolled devices can be remotely monitored and managed. If this description of MDM capabilities sounds broad, that’s because its utility truly is. Here are some specifics on how the right MDM solution can simplify the organization, boost the security, and ultimately reduce the expenses of your remote workforce.

Simplify Organization

One notoriously tricky aspect of remote workforce management is accounting for the status of company devices in an environment where IT personnel don’t have direct access to them. This makes processes like maintaining hardware and software inventory and pushing new software or updates challenging. An MDM solution can make these organizational tasks a cinch – the devices registered within it can be centrally viewed and audited for their status, assigned user, and software versions, among other factors. When an update needs to be pushed to many devices, the MDM can be used to select the devices to update along with a scheduled time for it. Together, these features make the maintenance and standardization of remote devices far more efficient, and thus help keep IT infrastructure scalable.

Bolster Security

Delving further into the benefits of simplified auditing and standardization reveals the extent to which MDM improves remote security. A chain is only as strong as its weakest link, so an organization can have a painstakingly manicured security policy and exhaustive controls but still be highly vulnerable if those measures are not enforced universally. MDM provides a means to ensure that every enrolled device abides by a defined secure configuration (think firewall settings, VPNs, and enforced disk encryption), with the capability to adjust that configuration en masse, leaving no room for weak links to slip by unnoticed. One caveat: enforcement reaches only enrolled devices, so the enrollment process itself, and how unmanaged or personally owned devices are handled, needs to be part of the policy.

An additional concern with remote work is that the lack of a controlled environment brings an increased risk of device loss or theft. To compensate, an MDM offers location tracking to improve the odds of recovery, as well as remote lock and remote data wipe for when recovery is not possible. Note that a remote wipe only succeeds once the device checks in, so it is a complement to, not a substitute for, enforced disk encryption and a strong passcode, which protect the data from the moment the device goes missing. The deletion of data in these circumstances is of small consequence thanks to another common MDM feature – automated data backups with easy device restoration. As a package, these features make MDM a highly valuable component of a remote security posture, and it is commonly recommended for compliance as well as for remediating risk assessment findings.

Reduce Expenses

Understanding that implementing MDM represents an investment in the IT infrastructure of an organization, an all-important point to address is how that investment recoups its cost. To this end MDM can provide value in a number of ways, but two categories stand out as the most significant:

One major source of value MDM generates is the sheer reduction in time costs its proper use entails. Because MDM streamlines the organization and standardization of the remote workforce, IT personnel can far more efficiently identify, troubleshoot, and remediate issues, notably with an increased ability to do so remotely. This saves not only the premium-priced time of IT staff but also reduces downtime for non-technical staff, as devices won’t need as much time to be fixed or shipped. Even when a device requires replacement, MDM confers time savings through its considerable increase in deployment speed, made possible by automated configuration and restoration from backups. This decrease in downtime leads to an increase in productivity, and the benefit only scales upward with your organization.

The second and possibly more significant way MDM generates value is through cost avoidance, specifically through its ability to mitigate information security risks. It’s widely reported just how cripplingly expensive a data breach can be for businesses of any size, and with mobile devices containing sensitive data these breaches can oftentimes be no more than a security misconfiguration or phone swipe away. MDM can help mitigate this risk through the enhanced security baselining, monitoring, and remote remediation capabilities it brings. Even one prevented breach can justify an MDM’s cost multiple times over – not to mention the near-priceless benefits of sparing your brand’s image and reputation.

Considering the value proposition MDM brings to the table, it becomes clear why these solutions are so attractive to remote workforces. The adoption numbers back this up – the MDM market is growing quickly alongside remote work and Bring Your Own Device (BYOD) utilization, with a MarketsandMarkets report forecasting the MDM market to roughly quadruple its current size to $20.4 billion by 2026. As with any investment, the purchase of an MDM tool warrants thoughtful consideration – but for the value it brings, it’s a consideration almost any remote workforce should be making.

Need help securing your remote environment? Let CyberData Pros perform a risk assessment and walk you through the process of finding a solution that fits your posture. Contact us now for a free consultation and to learn more about our services.

Risk Controls: What Are They and Do You Have Them?

So what are Risk Controls? Put simply, they’re a defined set of proactive steps or strategies that entities use to address risks to their business. These risks can include anything from technical and compliance concerns like data privacy and cybersecurity all the way to natural disasters and financial losses. These controls are an integral part of the larger risk management process that every business has to consider. While that process as a whole encompasses the identification, evaluation, prioritization, and remediation of risks, the controls serve as the answer to the all-important question at the end of the day: how do we fix it? Let’s take a look at the five typical classifications of risk controls (Remediation, Avoidance, Transference, Mitigation, and Acceptance) to see exactly how they answer that question, and how you might use them within your own organization.

Starting off, we have Remediation. This is a control that, when implemented, eliminates most if not all of an identified risk. It’s a great strategy to adopt in instances like a software vulnerability where a patch or update can be applied: quick, effective, and inexpensive. While remediation may seem like the obvious strategy for a number of risks, there are often factors that prevent it from being a viable solution. Another control, Avoidance, can fill some of those gaps. Rather than saying “if there is an issue, we will fix it,” Risk Avoidance focuses on eliminating non-critical systems or processes entirely, preventing the risk from arising at all. This strategy can offer some fantastic benefits like cost savings and reduced organizational complexity, but like remediation it’s no catch-all solution. Plenty of risks are simply inherent to the core of many businesses and are thus unavoidable. So what can we do about them?

Mitigation, also referred to as Reduction, is a great strategy to apply in situations with inherent risk, as it seeks to lessen the likelihood of the risk being realized, its impact if it is, or both. This type of control is typically most viable in unavoidable situations where there are steps that will greatly diminish the risk but none that can remediate it completely. Such scenarios often occur when there are known vulnerabilities in critical systems that are too important to be removed, so the organization reduces the likelihood of the risk being realized through additional controls such as firewalls or antivirus software.

So what if you’re a small business and these strategies are too expensive or complex for your organization to implement with its limited resources? Transference could be just the thing for you. This control passes risk to a third party, like a service vendor or an insurance company. By using vendors for high-risk business functions, like server hosting and physical security, an organization can push the assessed risk to the vendor to manage. In the case of insurance, the transfer is financial: the costs associated with an incident are recovered, should one occur. Keep in mind that transference shifts the cost and the operational burden, not your accountability to customers and regulators, so vendor due diligence and contractual security requirements still fall to you.

Now, let’s face it: in the real world, there isn’t always a simple, easy, or inexpensive solution for everything. In these cases, Acceptance is a risk control that doesn’t try to reduce the risk at all. Rather, Acceptance weighs the cost and complexity of the other risk controls against the cost and consequences of the risk itself. If controlling the risk costs more than the risk being realized, the appropriate control may be to simply accept the risk as it stands, documenting the decision and its owner so it is revisited rather than forgotten. Typically, this option is only considered when the consequences of the risk are relatively low; for example, Acceptance would not be a viable strategy for business-critical systems. Understanding the differences between these situations and how to apply the proper control is critical to effective risk management and governance. The modern business landscape is ever changing, which is why risk management should be a continuous, evolving part of an organization’s operations. By continuously monitoring and assessing new and previously identified risks and controls, you can rest easier knowing that your organization is managing its risks to the best of its ability.

CyberData Pros can run a risk assessment to determine your company’s risks. We will then classify them and help you put together an action plan. Contact us now for a free consultation and to learn more about our services.

Proactivity Pays – Why Wait for Clients to Request ISO 27001 or SOC 2?

In a rapidly evolving digital world, the bar for an effective security posture seems to keep rising higher and higher. New threats are emerging constantly, and new policies and controls are required to keep them at bay. Secure practices are unfailingly an expectation of clients and authorities alike, but maintaining them is growing increasingly difficult. Already there are so many best practices to abide by that the task of organizing and accounting for them alone becomes overwhelming. Given these considerations, it’s no surprise that businesses around the world are increasingly looking toward implementing security frameworks like ISO 27001 and SOC 2. 

Not only do these standards provide organizations a guide to forming a current and robust information security system and controls, but the attestations they provide can be a tremendous asset for attracting business. There’s no need to wait for a client’s prompting – by jumping on these frameworks early, you maximize the benefits you can reap from them. Here’s a look at the industry’s most recognized frameworks, and what implementing them can do for your organization right now.

ISO 27001

When speaking about any sort of business standard internationally, ISO is a name you’ll see often. Its parent organization is the International Organization for Standardization, and ISO/IEC 27001 is its standard for Information Security Management Systems (ISMS). It outlines a thorough set of criteria an organization should meet when constructing and refining a watertight security framework, and a certification affirming this can be received after an audit by an accredited certification body. ISO 27001 certifications are coveted across the globe, with ISO’s latest survey showing a global 24.7% increase in active certificates over 2020 alone. If you’re looking to build or reinforce your ISMS and/or operate overseas and under GDPR, look to ISO 27001.

SOC 2

Narrowing the scope to North American operations, SOC 2 serves as a substantial boon for strengthening controls. Its parent organization is the American Institute of Certified Public Accountants (AICPA), and SOC 2 is its method of validating business controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Of these, only Security is mandatory when undergoing an attestation, leaving the process flexible and form-fitting and giving organizations room to choose which additional criteria to demonstrate compliance with. If you’re wishing to reinforce your operational business controls and prove your compliance in your industry, consider SOC 2.

What Compliance Can Do for You

With a better understanding of what these frameworks are, you might wonder what pursuing one would do for your business. Compliance is great, but why not just wait until someone asks for it? For starters, you may well be too late at that point. From preparation to attestation, SOC 2 typically takes over three months, and a Type 2 report additionally requires an observation period during which the controls are shown to operate (often several months to a year); ISO 27001 often takes north of nine months to a year to attain. Beyond timing, simply preparing for and holding these frameworks generates value for your business in a myriad of ways. Here are some to consider:

  • Attract clients with well-regarded attestations, stand out from competitors and win more business.
  • Bolster your security posture to exacting modern standards, reducing your risk of costly incidents, fines, and breaches.
  • Create an efficient information security structure that streamlines workflows and can scale with your growth.
  • Demonstrate a consciousness toward data privacy and security, boosting your organization’s reputation.

The benefits outlined above can be seen not just after receiving attestation for the standards, but begin to form as soon as progress towards the criteria begins. Building and refining better frameworks and controls is a gradual process, but you will undoubtedly benefit from the improvements made along the way. By beginning your ISO 27001 or SOC 2 process now, you will not only find yourself far better equipped to withstand threats to your business, but more attractive to prospective partners and clients.

Let CyberData Pros help you understand where your data sits, access control, and how to protect that data. Contact us now for a free consultation and to learn more about our services.

Risk Assessments: What Are They and Do I Need One

As businesses grow, both in size and organizational complexity, so should the scope of their privacy and security efforts. This is an important lesson which many companies have had to unfortunately learn the hard way. But who among us can honestly blame them? The cybersecurity landscape can be VERY complicated. Penetration testing, data encryption, password management, user access controls, firewalls, domain administration, cloud servers, international data and privacy laws; these are just a fraction of things you have to consider when you start looking at your security posture. Heck, these days even your printer could be considered a cybersecurity risk!

So where do you start? You know you have to do something, but finding a place to start in such a vast and overwhelming space can be a barrier in and of itself. More often than not, simply understanding what you have that is at risk, and the factors that are putting you at risk, are the best first steps to put your company on the right path. Luckily the industry has a solution for this very scenario. Enter the cybersecurity risk assessment.

A risk assessment is a fantastic tool that takes a broad, contextual look into the privacy and security of your business, and it can be simplified into three major objectives. The first objective is identifying the information assets that could be targets of, or affected by, a security breach. By understanding what assets are at risk to begin with, you can more easily focus on plans and priorities for protecting them. This also helps you understand more about your privacy and security needs in general. Do you really need that expensive IPS your IT manager asked for? Should you be looking at ISO 27001 certification? Risk assessments can help answer those questions for you.

After identifying your assets, the second objective is identifying the risks to, or associated with, those assets. In other words, what risks do those assets come with, and what aspects of your company infrastructure could be putting them at risk? This can range from very technical things like firewall misconfigurations or vulnerable software running on company servers to less technical things like unlocked doors and misplaced camera systems. This is the part of the assessment where you start to see the work that needs to be done and can begin prioritizing findings by criticality. That tells you which findings are important and must be remedied immediately, and which might be considered minor and worth accepting if there are more important gaps to close first.

Once you understand your risks, the last major objective is, of course, remediation. Starting with the most critical findings, a risk assessment assigns responsibility for each risk within the organization, along with goals and guidance for mitigating it. Sometimes referred to as a “Treatment Plan,” clear and concise documentation of the issues at hand drastically reduces the time it takes to alleviate them. Assigning responsibility for these risks also creates a sense of ownership and accountability within the organization, ensuring they are not only fixed quickly but maintained over time.

While risk assessments are phenomenal for newer businesses just getting started on building their cybersecurity infrastructure, they are also incredibly important for established security teams. Regular risk assessments allow your company to track progress, quantify improvements made, and continue to identify new opportunities for improvement as you change and grow. This ensures that as new clients join or new services are offered, you can maintain a comfortable footing within your risk management structure, as well as a potential competitive advantage over others in your space. As the data privacy and security requirements of the biggest companies in the world continue to grow, due diligence and proactive tactics that show your organization is committed to handling their data responsibly and securely can make all the difference when they are deciding who gets that next big contract.

Let CyberData Pros conduct a Risk Assessment for your business and help identify any data privacy/security gaps that may exist. Contact us now for a free consultation and to learn more about our services.


Why Do I Need Privacy and Security Documentation for My Business?

Documenting important processes for your business and employees is critical to the overall success of the business, and privacy and security documentation is no different. Having the proper documentation for your business will help with client/vendor questionnaires, business insurance, and knowing how secure your data is.

There are multiple pieces of data privacy and security documentation that your business needs. Documentation does differ from industry to industry, but many of the critical documents are universal across the board. I’ve outlined some of these critical documents below:

IT Security Policy

A document that lays out the internal security policies of how the business uses, stores, and processes data. It may include other policies such as Clean Desk, Remote Working, Responsible Parties, etc.

Disaster Recovery Plan

A set of policies and procedures on how to enable the recovery of vital infrastructure and systems following a disaster. The key portion of this document should outline critical processes and how long each process can be down for your business to still recover.

Business Continuity Plan

A documented plan and process for creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations while disaster recovery is carried out.

Data Classification Policy

A policy document that classifies different types of data into separate categories in order to understand their sensitivity. These classifications could include levels such as Public, Sensitive, Private, Top Secret, etc.

Incident Response Plan

A planned set of instructions to help IT detect, respond to, and recover from data privacy or security incidents. These types of plans address issues like cybercrime, data loss, and service outages.

Risk Management Policy

A policy document that provides guidance on the management of risk in support of corporate objectives.

Keeping your documentation current is essential so that critical pieces of the business are known to all. The worst thing that can happen is an employee walks out the door and nothing is documented. Consider this a major issue for your data privacy and security documentation.

If you feel you don’t have the proper documentation, or don’t know where to start, contact CyberData Pros and we can help. It is not only important to have the proper documentation for the business, but also to keep it updated. Let us help put together a plan and carry it out to keep your business in full compliance.


Painful Experiences – Client and Vendor Security Questionnaires

It happens all the time. A client or vendor sends over a security questionnaire and you don’t know where to start. How do you fill this out? What if I make a mistake? What if I can’t answer their questions? These are just a few of the questions that may come to mind. In today’s world of strict compliance, these security questionnaires are becoming the norm. Being prepared and having answers is critical to ongoing business. Let’s break these down and look at how to approach them.

A typical security questionnaire is going to cover areas of your business that range from documentation of disaster recovery to physical security mechanisms in your business. On average, these questionnaires can be “hundreds” of questions long! Yes, you read that right and many of these require answers within a few weeks.

Start with the privacy and security documentation that you have already written, and know that you may need to provide some of it. We recently wrote a blog about the kinds of documentation to have and why it is important. Creating a document and data bank of answers will help you get through these questionnaires faster in the long run.

Understand the “technical” data privacy and security areas of your organization. You may have a department at your company that can help fill out the technical questions. This is great, but make sure you understand the answers in case there is any need for justification.

If this all sounds daunting and you don’t have time for it, let CyberData Pros assist you with these questionnaires. We have over 20 years of experience filling these out for our clients, and we will help you better understand the details. Contact CyberData Pros now to see how we can help your business with this and many other data privacy and security solutions.
