I would like to preface this article with a disclaimer: I am not now, nor have I ever been, nor am I likely to ever be a lawyer. I haven’t even played one on TV, so take what I say with a grain of salt with regard to legal matters. That said, I am writing from the perspective of what should be rather than what necessarily is.
Security & Risk
On Friday May 22nd, at 3 pm, Impact Maker’s Chris Tignor, CISO & Practice Lead of Cybersecurity & Risk Management, will be speaking in a panel discussion on Cybersecurity in the Age of COVID-19: Working from Home. Don’t miss this chance to learn what cybersecurity professionals are most concerned about in the Next Normal.
We have been discussing System and Organization Controls (SOC) reports and how they can be used to establish and maintain trust between service providers and their customers. In our first blog, we covered a basic understanding of the benefits of SOC reporting. In our second blog, we covered the various kinds and types of SOC reports as well as how they are used to support compliance requirements. In this blog, we will tackle one of the most important questions: What information is most important when reviewing a SOC report?
As noted in our earlier blog, System and Organization Controls (SOC) reports can be a helpful tool in establishing and maintaining trust between service providers and their customers. Yet there are still a lot of questions around SOC reporting: Which SOC report is right for my organization?
The rise in cloud-based technology and third-party solutions increases both the complexity and uncertainty of security and compliance responsibilities. Service providers and their customers need to understand how responsibilities are shared and split. This includes Software as a Service (SaaS), Infrastructure as a Service (IaaS), as well as operational solutions, such as credit card processing and billing, and IT, such as security monitoring and hosting services.
There are hundreds of monitoring products on the market, covering everything from enterprise-scale deployments to small and medium businesses. How can a monitoring system help your team? It is imperative that an IT team know the state of its environment and respond quickly to issues.
Most IT teams have a monitoring system, or several monitoring systems. These systems monitor applications, services, operating systems, network devices, and technology infrastructure.
If you’ve been a privacy professional at any point in the last few decades, your head is spinning with the myriad of privacy laws and regulations in the U.S. and abroad. Some examples are the European Data Protection Directive of 1995, the strengthening of that directive in 2012, the French Data Privacy Law of 1978, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) of 2001, and last but not least, the U.S. Gramm-Leach-Bliley Act (GLBA) of 1999.
Ever heard the saying, “The Cloud is just someone else’s computer”? This is one of the many arguments I encountered as I became an early adopter in 2010. While it is technically true, it misses the point: the inherent flexibility and benefits of the “Cloud” maximize the chances of differentiating your company from its competitors, especially in financial services.
Information Security can sometimes feel like death by documentation, like a bunch of red tape just to keep regulators and auditors at bay. Throw in differences in lexicon, and seeing how all the many pieces fit together can be quite difficult.
Getting everyone, practitioner and leadership alike, on the same page when it comes to terminology in the information security space is key. If everyone can speak the same language, a well-understood and well-orchestrated information security governance structure won’t be far off.
As data collection has increased, so has controversy. Most of this data has been willingly given by us, the users, through our computers, smart phones, and more recently, smart home devices, cars, and even refrigerators. International regulatory eyes have turned their gaze to some of the massive organizations collecting our data.