Are You Compliant?

Assess your GDPR Subject Rights Compliance According to Article 3, 5, 7, 12 – 21, and 39

November 2018

One of the primary goals of the General Data Protection Regulation, also referred to as GDPR, is to give control of personal data back to the individual (i.e., the “data subject”). For companies trying to comply with these new laws, it is anything but simple, especially when it comes down to managing day-to-day privacy operations and consent.

However, it’s becoming more and more vital for organizations to pay attention to GDPR, not just for compliance reasons, but because privacy is influencing consumers’ decisions. For instance, the IBM Harris Poll found that "75% of consumers will not buy a product from a company — no matter how great the products are — if they don’t trust the company to protect their data". Also, administrative fines under Article 83 can be as high as 4% of total worldwide annual turnover or €20 million, whichever is higher.

So what are the next steps for GDPR Compliance?

Among a long list of requirements included in the GDPR, companies must ensure that their data processing activities, including processing carried out on their behalf by third-party vendors, comply with the regulation.

For the GDPR to apply (Article 3), an organization simply has to offer goods or services to data subjects in the European Union, or be established in the EU, or monitor the behaviour of data subjects in the EU.

Because this affects so many businesses, most enterprise organizations and software vendors (SaaS companies) based in the US, Canada and elsewhere have to comply with GDPR regardless of where they are headquartered.

Below are 12 questions to guide you through the initial applicability assessment process for GDPR compliance:

1. Are you processing personal data of EU data subjects? Are these processing activities related to monitoring their behaviour or to offering goods or services to data subjects in the European Union, either directly by your company or on behalf of your customers? (As defined by GDPR Article 3)

2. How do you demonstrate compliance with Article 5 Principles of “Processing Personal Data”:

  • data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • processed lawfully, fairly and in a transparent manner; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

3. How do you demonstrate that a data subject has consented to the processing of his or her personal data (Article 7(1))?

4. Can your data subjects withdraw their consent at any time, as easily as they gave it (Article 7(3))? (For example, if withdrawing consent requires reading a long legal document and completing multiple steps, this process will likely not be considered “as easy” as giving consent.)

5. How do you facilitate the exercise of data subject rights under Articles 15 to 22?

6. How do you demonstrate that Data subject rights don’t diminish regardless of how many third-parties are involved in data processing?

7. How do you demonstrate that, at the time the personal data were obtained, data subjects were provided with all of the following information, as required by Article 13:

  • the right to withdraw consent at any time
  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organizations.

8. How do you provide the data subject with confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information as per Article 15:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

9. How do you enable data subjects to obtain from the controller the erasure of personal data concerning them without undue delay, where one of the grounds in Article 17(1) applies (in which case the controller is obliged to erase the data without undue delay)?

10. How do you enable data subjects to obtain from the controller “restriction of processing” where one of the grounds in Article 18 Paragraph 1 applies?

11. How do you communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed as mandated by Article 19?

12. How do you provide the data subject with the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and how do you facilitate their right to transmit those data to another controller without hindrance from the controller to which the personal data were provided, as outlined in Article 20?

Next Steps: From Compliance, to Data Mapping, to Privacy Operations

If you went through the above questions and felt lost, confused or unsure of the answers, you’ll want to talk to privacy experts, lawyers or consultancy services, like Deloitte, PwC or KPMG, as soon as possible. They can audit your processes, show you where the gaps are and identify potential risks. From there, it’s a good idea to build a data map to see where your data flows. Once you’ve completed your data map, input the information into Feroot’s software and sit back and relax. Our software will make the ongoing management of third-party compliance, consent and access requests easy, and for the most part, automated. Plus, you can customize a privacy dashboard that tells your customers you’re taking their privacy seriously. This will help you gain their trust, increase market share and, most importantly, let you feel at ease knowing that your privacy operations are in good shape. If this latter part sounds good to you, feel free to contact our sales team for a quick conversation and demo.

Part 2: Fiduciary Duties of Officers & Directors

10 Best Practices for Privacy & Security Compliance

October 2018

In Part 1 of this series, we summarized a keynote presentation by John Beardwood, Partner at Fasken Martineau LLP and a world-renowned cyber security legal expert, highlighting 3 Key Reasons Why Your Board Should Care About Privacy and Security.

In this follow-up post, we share John’s 10 best practices for reducing the risk of a derivative action lawsuit and share actionable tips for achieving security and privacy compliance at the board level.

John presented the following 10 Best Practices in his keynote presentation at the Smart Technology Privacy Summit 2018. Here they are below.

#1. Make Cyber Security an Agenda Item at Your Board Meetings

  • A board’s oversight of a corporation’s cyber security and privacy programs is incredibly important. To make sure that the board gets full credit for doing this, make privacy and security a regular agenda item at your meetings.
  • Board members should also be requesting management to provide briefings, so the board can say they've stayed up to speed on the issues.

#2. Take Minutes

Maintain written records of the board discussions regarding cyber security measures, data breaches and privacy policies (for example, include these notes in board minutes).

#3. Impose Record Requirements on Management

Require management in each of the corporation’s departments to maintain written records of cyber breaches.

#4. Delegate Oversight to a Specific Committee

It is very important to delegate oversight of cyber security and privacy measures and data protection programs to a board committee. Either task the audit committee with this, as part of its oversight of the corporation’s financial controls and procedures, or create a dedicated data protection committee.

#5. Obtain External Advice

The rules and regulations surrounding security and privacy compliance are complex, ambiguous and evolving. If you don't have the expertise internally to make sense of them, hire third party consultants to audit the corporation’s cyber security systems and privacy policies and provide recommendations for improvements.

#6. Maintain Written Security Policies

Oversee management’s drafting of legally compliant, industry-standard cyber security standards, programs and policies.

#7. Have a Breach Plan

To the extent there is a privacy breach, you may need to notify customers and notify the commissioner, depending on the jurisdiction you’re in. It’s wise to already have a plan in place, so that you’re not wasting time figuring out what to do. Better still, have a full crisis management plan in place. Don’t leave it to the last minute, only to find out you don’t have any insurance coverage. The board should oversee management’s creation of a business-wide crisis management team and/or plan to manage breaches when they occur.

#8. Hire a Chief Information Security Officer (CISO)

Someone at your organization needs to be accountable for privacy. It’s best to hire a Chief Information Security Officer (CISO) who has significant experience in IT & Cyber Security.

#9. Implement Training

Policies aren’t enough. Make sure your company has a culture that is sensitive to and aware that cyber security and privacy are important. The board should oversee management’s creation of a culture that views cyber security and privacy matters as everyone’s concern, and review employee training and awareness programs on the topic. You may also want to consider whether Privacy by Design processes should be implemented.

#10. Adequately Insure the Risk

Ensure your corporation is adequately insured against breaches, including checking that the corporation’s directors’ and officers’ indemnity insurance covers them.

Conclusion

To avoid having a breach of cyber security become a breach of fiduciary duty, no matter what your size, make sure your company’s privacy and security policies are up-to-date and meet the regulatory standards. If you don’t know what these standards are, John highly recommends hiring an expert to help you do an audit of current privacy programs and security systems. It is also vital to keep a record of all your updates and regularly review these updates with your board. These simple acts will make all the difference should you encounter a data breach or lawsuit situation. Plus, promoting a culture of privacy, security and data protection is always a good idea!

What’s Next?

View John’s full PowerPoint presentation and listen to the audio recording of “Fiduciary Finesse: How New Laws, Scrutiny and Expectations have Raised the Stakes for Officers and Directors” in our Recap of the Smart Technology Privacy Summit 2018.

Part 1: Fiduciary Duties of Officers & Directors

3 Reasons Why Your Board Members Need to Care About Privacy and Security

November 2018

If there’s one topic on the mind of board members these days, it is the financial penalties incurred for failing to comply with the new security and privacy laws. That’s precisely why the topic of fiduciary duties of officers and directors was such a critical session at the Smart Technology Privacy Summit 2018.

In his keynote presentation, _“Fiduciary Finesse: How New Laws, Scrutiny and Expectations have Raised the Stakes for Officers and Directors”_, John Beardwood, Partner at Fasken Martineau LLP, explains three important reasons why board members need to step-up their fiduciary game and take existing privacy and security regulations more seriously. Here they are summarized below.

Reason #1: Avoid Harm to Shareholder Value

One of the primary directives of any board is preserving (and, of course, increasing) shareholder value. In an era where privacy and security are at the forefront of consumers’ minds, more and more shareholders are taking a keen interest in the security and privacy policies of the companies in which they invest.

With new regulations demanding transparency from companies to their shareholders, it’s imperative that security and privacy compliance is achieved so shareholders can feel confident with their investment.

There’s a problem though. Privacy regulations are often amorphous and vague, and this applies to both North American and European legislation. For instance, Canada’s privacy regulation, PIPEDA, says that “you must have reasonable and appropriate security measures”. With such a vague definition, it’s tempting to leave the details to a company’s Chief Information Officer (CIO) or Privacy Officer. But it’s becoming clear that board members need to remain up-to-date on the evolving regulatory landscape in order to fulfill their fiduciary duties.

In other words, if a board of directors’ primary aim is to preserve shareholder value, it’s in the board members’ best interest to be familiar with the finer points of privacy and security legislation.

Reason #2: Privacy & Security Regulators Require Compliance

A lot of the current interest in consumer privacy stems from the growing number of news stories detailing the fallout from cataclysmic breaches. As John discussed at the Summit, one of the most notorious of these examples was retail store Target’s 2013 data breach, with over 40 million customers’ personal information exposed over a three-week period.

The consequences for Target were dire. As John explained, even though the data breach was due to vulnerabilities at a third-party vendor, Target was ultimately held liable, to the tune of a $10 million class action lawsuit and upwards of $250 million to close the breach. They also had to develop a whole new security program, hire a Chief Intelligence Officer and train employees on how to maintain privacy.

Another very famous example John mentioned was the Ashley Madison case, where users’ private data was breached, exposing numerous extramarital dalliances. Regulators found multiple gaps in security protocol, 80% of employees were completely untrained on security measures, and the necessary information security infrastructure to prevent breaches was simply not in place. Notably, regulators were prepared to hold the board responsible for their lack of due diligence.

The point is that, with more and more cyber attacks threatening the security and privacy of consumers’ data, companies, and the boards that govern them, need to take a serious look at their privacy programs and security policies and make sure they are compliant.

Reason #3: Self-preservation

A more recent trend in data breach cases is that shareholders and regulators are holding the board accountable and taking legal action against individual members.

For example, in the case of Target, there were a number of derivative lawsuits made against the members of the board personally. Shareholders also published a recommendation to not re-elect a number of the board members specifically because of the cyber security breach.

Moreover, the costs of covering a data breach tend to be very expensive and it’s quite likely the company’s insurance policy will not cover the whole bill. For instance, Target had to pay $291 million in costs. Insurance covered $90 million. That left $201 million of damages, for which they didn’t have coverage. As John put it:

“It's enough to make any board member quiver in their boots.”

In short, directors and officers are facing more scrutiny and have more expectations to be diligent under the new privacy laws. While no successful lawsuit for a security or privacy breach has come against a board yet, John warns us it would be foolish to consider directors and officers immune from derivative risk. For self-preservation alone, security and privacy due diligence starts, and ends, with the board.

Conclusion

To protect the company, customers and shareholders from the fallout of a security breach, boards of directors need to be aware of all company privacy and security processes, where the gaps remain and the risks involved in not complying. John summed it up well in three key points, but as data breaches and the demand for privacy controls grow, the fiduciary duties of officers and directors will continue to be scrutinized and expectations for due diligence will increase.

What’s Next?

Read Part 2 of this summary post to find out John’s 10 Best Practices for helping your board stay compliant with new security and privacy laws.

View John’s full power point presentation and recording of “Fiduciary Finesse: How New Laws, Scrutiny and Expectations have Raised the Stakes for Officers and Directors” on our Recap of the Smart Technology Privacy Summit 2018.

Top Six GDPR Takeaways: "What's New and What's Changed" and Data-centric security philosophy

March 2018

On March 1st, Chief Privacy Officers, Data Governance, CISO, Information Compliance and Risk Management executives from some of the largest US and Canadian organizations in banking, insurance and other regulated industries, including CIBC, Scotiabank, the Financial Services Commission of Ontario, BMO, the Canadian Credit Union Association and other enterprises, joined a lively conversation about Lessons from the Security Trenches: Data Loss Incidents, Reputational Risks, Investigations, New Governance Obligations and Trends, with a focus on GDPR compliance for enterprises in regulated industries:

Data Governance and regulatory compliance have become a Board-level priority for taming the risks of cybersecurity incidents and regulatory enforcement. Preventing privacy violations, meeting cybersecurity and data governance challenges, satisfying regulatory obligations and being investigation-ready are front and center on the agenda of C-level executives in the financial services industry and other federally regulated industries.

John P. Beardwood, a senior partner at Fasken Martineau and Chair of its Technology practice group, spoke on "Understanding the New GDPR: What’s New, and What’s the Same for Canadian Enterprises".

Three key takeaways from John’s presentation:

  1. GDPR issues arise in non-EU companies because the GDPR has an extended reach: it applies where companies have EU customers or provide services to companies with EU customers. The GDPR applies to both processors and controllers, and its definition of “personal data” now explicitly includes location data and “online identifiers”.
  2. Controller obligations have increased and now include a new definition of consent, broader rights for data subjects, a new definition of sensitive data, and specific security and breach notification duties, in addition to rules on cross-border transfers.
  3. Consent: companies can only process personal data if there is a lawful basis to do so. One such basis is consent, which must be “freely given, specific, informed, and unambiguous… by a statement or clear indication of affirmative action”. Consent will not be valid if:

  • the data subject has no genuine choice, or is unable to refuse or withdraw consent;
  • there is a clear imbalance between the controller and the data subject (e.g. an employment relationship);
  • the performance of a contract is made conditional on consent to processing activities that are not necessary for the performance of that contract (“utmost account” must be taken of this under Article 7(4)).

The principle of data minimization also requires that personal data be limited to what is necessary, and the right to erasure is limited where there is a lawful basis other than consent for processing the personal data.

David Damo, a Senior Security Lead and Architect at Long View Systems, is responsible for resolving major data breaches. David talked about recent scenarios that caused data stewardship and compliance incidents, and about new trends in data-centric security philosophies for securing sensitive data and preventing its loss.

Three takeaways from David’s talk:

  1. New patterns: almost nobody knows or understands how data flows. Organizations have no clear internal ownership of data passing through their systems. Solutions are project-focused and are rarely enterprise-wide programs. Enterprises don’t want to take responsibility for third parties as data controllers.
  2. The smartest companies are solving these issues with data-centric controls: the data itself carries metadata on how it must be handled, with keys managed across a blockchain and protection applied inline through tokenization, masking and encryption.
  3. Infrastructure is built to protect data, yet the data itself sits in the clear, so it is at risk as soon as it leaves its silo.
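The second and third takeaways describe the data-centric approach: each field carries a handling policy, and the record is tokenized, masked or encrypted inside its silo so that whatever leaves it carries no usable plaintext. The following is an added example written to illustrate that idea; it is not code from David’s talk, from Long View Systems or from Feroot. The field policy, the sample record and the silo class are constructed for the example, and the cipher is HMAC-SHA256 used as a PRF in counter mode with an encrypt-then-MAC tag, a standard-library stand-in for AES-GCM so the example runs without extra packages.

```python
# Added example: data-centric protection of a record before it leaves its silo.
import hashlib
import hmac
import os
import secrets

# Hypothetical per-field policy (the "metadata on what to do"); a real deployment
# would derive this from a data classification catalogue, not a constant.
POLICY = {"name": "ENCRYPT", "email": "ENCRYPT", "ssn": "TOKENIZE",
          "card": "MASK", "tier": "CLEAR"}


class Silo:
    def __init__(self, master_key: bytes):
        # Separate confidentiality and integrity keys derived from one master key.
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.vault = {}  # token -> original value; this mapping never leaves the silo

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random surrogate, unrelated to the value
        self.vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self.vault[token]  # KeyError in any silo that does not own the vault

    @staticmethod
    def mask(value: str, keep: int = 4) -> str:
        """Replace all but the last `keep` alphanumerics, preserving separators."""
        total = sum(c.isalnum() for c in value)
        out, seen = [], 0
        for c in value:
            if c.isalnum():
                out.append(c if seen >= total - keep else "*")
                seen += 1
            else:
                out.append(c)
        return "".join(out)

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # HMAC as a PRF in counter mode: block i = HMAC(enc_key, nonce || i)
        blocks, ctr = [], 0
        while 32 * len(blocks) < n:
            blocks.append(hmac.new(self.enc_key, nonce + ctr.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
            ctr += 1
        return b"".join(blocks)[:n]

    def encrypt(self, value: str, aad: str) -> str:
        """Encrypt-then-MAC; `aad` (the field name) is bound into the tag."""
        nonce = os.urandom(16)
        pt = value.encode()
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        tag = hmac.new(self.mac_key, aad.encode() + nonce + ct, hashlib.sha256).digest()
        return (nonce + ct + tag).hex()

    def decrypt(self, blob: str, aad: str) -> str:
        raw = bytes.fromhex(blob)
        nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
        expect = hmac.new(self.mac_key, aad.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError(f"field {aad!r}: authentication failed")
        pt = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        return pt.decode()

    def protect(self, record: dict) -> dict:
        """Apply the policy field by field; unknown fields default to ENCRYPT."""
        out = {}
        for field, value in record.items():
            action = POLICY.get(field, "ENCRYPT")
            if action == "TOKENIZE":
                out[field] = self.tokenize(value)
            elif action == "MASK":
                out[field] = self.mask(value)
            elif action == "ENCRYPT":
                out[field] = self.encrypt(value, aad=field)
            else:
                out[field] = value
        return out

    def reveal(self, protected: dict) -> dict:
        """Reverse what is reversible inside the silo; masked values stay masked."""
        out = {}
        for field, value in protected.items():
            action = POLICY.get(field, "ENCRYPT")
            if action == "TOKENIZE":
                out[field] = self.detokenize(value)
            elif action == "ENCRYPT":
                out[field] = self.decrypt(value, aad=field)
            else:
                out[field] = value
        return out


def leaks(protected: dict, original: dict) -> list:
    """Fields whose original value still appears anywhere in the exported record."""
    exported = repr(protected)
    return [f for f, v in original.items() if v in exported]


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = {"name": "Ada Lovelace", "email": "ada@example.com",
              "ssn": "123-45-6789", "card": "4111-1111-1111-1234", "tier": "gold"}
    silo = Silo(b"constructed-master-key")
    exported = silo.protect(record)
    print(exported)
    print("still in clear:", leaks(exported, record))  # only the CLEAR field
```

Binding the field name into the tag means a ciphertext moved to another column fails authentication rather than decrypting under the wrong label, and because the token vault is held by the silo object, a second silo built from the same master key still cannot resolve a token: the exported record is useful only to the system that owns the vault and the keys.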

Key questions to ask your security and data governance groups:

  • What data do we have?
  • Who can see what?
  • Where is your data, and who owns it externally and internally?
  • Where is the perimeter, what is encrypted and where is it not?
  • What data is outside of the perimeter?

About Speakers:

John P. Beardwood is a senior partner at Fasken Martineau and Chair of its Technology practice group. He is recognized nationally and internationally as the "go-to expert in Canada for privacy and IT law" by Chambers Canada, Chambers Global and The Legal 500 Canada, and spoke on "Understanding the New GDPR: What’s New, and What’s the Same for Canadian Enterprises".

John often advises clients on privacy law and access to information matters and has been developing and implementing privacy compliance programs for more than twenty years. John is regularly listed in Who’s Who Legal: The International Who’s Who of Business Lawyers as one of the ten “most highly regarded individuals” globally, and is also listed as one of only five “Thought Leaders” in TMT, North America. He is listed in Chambers Global: The World’s Leading Lawyers for Business, for Information Technology, as “very effective, efficient and remarkably accessible” and “a great lawyer”.

David Damo is a Senior Security Lead and Architect at Long View Systems, responsible for resolving major data breaches and for architecting and implementing security programs for a number of Fortune 500 companies, telcos and HPE. David spoke about recent example scenarios that caused data stewardship, enforcement and compliance incidents, and about new trends in data-centric security philosophies for securing sensitive data.

About Feroot Security: Feroot Security is on a mission to make the world’s data safer. Today’s "stick your head in the sand" approach no longer works in the age of GDPR, PIPEDA, and other soon-to-be-effective and increasingly stringent privacy regulations. The Feroot platform monitors sensitive data that is handled by third-party AI and SaaS vendors and creates data mapping and data chaining to associate data with the respective regulatory obligations.

Four Key Ingredients in a Responsible Enterprise AI Journey

February 2018

On February 28th, fifteen CDOs, Data Governance, Digital Marketing, Innovation, Risk Management and other executives from some of the largest US and Canadian organizations, including Scotiabank, RBC, TD, BMO, Manulife, Great-West Life, TELUS, General Motors and others, joined our private breakfast event at the Shangri-La Toronto to discuss Responsible AI: Opportunities and Challenges for Businesses in Regulated Industries.

Artificial Intelligence promises to turn your data into increased revenues and operational efficiencies by processing often sensitive customer data that is regulated by GDPR, PIPEDA and other soon-to-be effective and increasingly stringent privacy regulations.

Geoffrey Hunter talked about business opportunities, with examples of successful AI initiatives. Stephanie Davis presented an AI Governance framework and emerging "Top Tips" to help organizations procure and operate Artificial Intelligence-based products.

Major takeaways from Geoffrey’s talk:

JPMorgan Chase & Co successfully implemented a Contract Intelligence (COIN) technology that interprets commercial-loan agreements:

  • Saves 360,000 hours of manual labor each year
  • Reduces human error

A separate AI-powered chatbot that automates mundane tasks such as granting access to software systems and responding to IT requests:

  • Handled 1.7 million requests in 2017, the equivalent work of ~140 people

According to JPMorgan COO Matt Zames - “We’re starting to see the real fruits of our labor. This is not pie-in-the-sky stuff.” http://www.independent.co.uk/news/business/news/jp-morgan-software-lawyers-coin-contract-intelligence-parsing-financial-deals-seconds-legal-working-a7603256.html

Responsible AI Journey:

  1. Establishing a common understanding of AI’s potential value across the organization makes the first operationalization steps smoother.
  2. Point solutions: investing in capabilities that solve narrow business problems with specific outcomes creates a better enterprise AI journey with greater internal support.
  3. The differential privacy and Responsible AI frameworks that TribalScale uses address five key requirements: Data Security, Customer Privacy, AI Bias, Human Oversight and Human-centered Design.
  4. On-device AI models are a promising approach to data privacy and ownership concerns: training of the model is separated from its production deployment, the trained model is deployed directly onto handheld devices, and PII never has to be transferred off the device.

Key takeaways from Stephanie Davis’s talk about AI Governance:

  • A mature Data Governance framework shortens time-to-value and mitigates the risks of AI technologies by ensuring consistent and transparent management, maintenance and use of organizational data.
  • In an effective governance model, AI strategy, people, process, technology and data must work cohesively. The well-known PEOPLE, PROCESS, TECHNOLOGY framework is maturing into STRATEGY, PEOPLE, PROCESS, TECHNOLOGY, AND DATA.
  • Good AI governance addresses six governance layers: Information Model, Data Sources, Data Quality, Privacy & Security, Ethics & Sharing, Regulation & Compliance.

Key slides of Geoffrey’s presentation are attached to this email. Please feel free to contact him directly if you have any questions or would like the frameworks: The AI Journey... and its Challenges; Responsible AI; Differential Privacy; and the On-Device AI Model.

Tips from Stephanie:

  1. Start with an end goal in mind and focus on business problems
  2. Have good communication and change management in place
  3. Validate AI solutions against ethical and privacy principles
  4. Treat data as an asset
  5. Collect data with a goal in mind

The Responsible AI and Governance of AI talks were followed by a fireside chat moderated by Ivan Tsarynny, founder & CEO of Feroot Security. AJ Khan, CCSK, cybersecurity practice lead and founder of Cloud GRC, joined Geoffrey Hunter and Stephanie Davis to discuss the newest AI use-case trends, streamlining internal stakeholder collaboration, and enhancing AI compliance & security.

About speakers:

Geoffrey Hunter, Ph.D., is a recognized AI expert, speaker, Data Scientist and the head of AI Strategy at TribalScale. Geoffrey leads the Artificial Intelligence and Machine Learning practice at TribalScale, an innovation firm that creates digital products for web, mobile, and emerging platforms. Geoffrey served as a subject matter expert and thought leader in data science, cognitive technologies, and robotic process automation at Deloitte and at Widgets and Digits: Data Science Consultants. Prior to consulting, he was a cancer researcher at the Ontario Institute for Cancer Research, where he used machine learning to improve the prognosis of cancer patients. Geoffrey holds a Ph.D. and MS in Mathematical Physiology from the University of Utah and a BMath in Applied Math from the University of Waterloo.

Stephanie Davis, a Senior Cyber Risk Consultant at Deloitte and a frequent speaker on information risk strategies, spoke about new AI opportunities for businesses in regulated industries and operationalizing AI data sharing with third-party technologies. Stephanie has spent the last five years helping clients solve their privacy, data protection, and governance challenges. With a background in knowledge management and information science, Stephanie is using those skills as she builds Deloitte’s AI Governance practice. An active proponent of enterprise-wide change and innovation through the use of data-driven decision-making, Stephanie helps organizations gain value from their data and execute on strategy using effective governance mechanisms.

3 things CISOs, CPOs, CSOs and Risk Management Executives need to know about regulatory obligations changes, data security practices and enhanced sophistication of regulatory authorities in 2018

November 2017

12 CISOs, CPOs and Risk Management Executives joined this lively discussion over breakfast at the Shangri-La Toronto on Wednesday, November 1st. The discussion among industry leaders from some of the largest Canadian and US banks, insurance, credit union, wealth management and telecom organizations was held in response to the ever-evolving threat landscape, which has translated into a tidal wave of data breaches, investigations and increasing regulatory obligations.

The breakfast meeting featured an open talk by Adam Kardash, an acknowledged Canadian industry leader in privacy and data management who leads the national Privacy and Data Management practice at Osler, Hoskin & Harcourt LLP. Adam advises Fortune 500 clients on their business-critical data-protection issues, compliance initiatives, and data governance. He regularly represents clients in regulatory investigations and security breaches. Adam was followed by a presentation led by AJ Khan, CCSK, cybersecurity practice lead and founder of Cloud GRC.

During his presentation, Adam addressed several data privacy and incident investigation topics.

Below are three major takeaways from Adam’s presentation:

  • 1. The concept of an alleged misuse. Be very careful using the words “alleged misuse”, which is an allegation that you are somehow doing something wrong. Organizations can collect, use or disclose data for a purpose that a reasonable person would consider appropriate.
  • 2. In 2018 the security breach notification requirement will change. Firstly, if there is a breach of security safeguards, or a failure to establish reasonable safeguards for sensitive data, organizations are going to have to notify the Office of the Privacy Commissioner of Canada, and failure to notify is an offence. A verbal notice is not going to be sufficient anymore. Additionally, you are also going to have to notify the affected individuals. A lesson learned here is that in large-scale incidents there will usually be a series of classes and/or subclasses of affected parties.
  • 3. We are going to see enhanced sophistication in regulatory authorities: more requests for a lot more detail, and higher expectations for the production of supporting documents and evidence of a good security culture. Narrative is king, and the narrative has to be one of good governance: bad things can happen to good companies. Producing evidence of your excellent governance and showing that you have a continuous improvement loop is critical. Show your record keeping, your plans and a history that demonstrates a continuous pattern of identifying and fixing issues. Because there are more and more incidents, and more than half of the incidents we are seeing occur in a vendor context, your vendor management needs to be tied in. Showing evidence of a culture of security means regular training, regular awareness, and evidence of compliance monitoring that shows how you monitor compliance with the terms of your policies and contracts.

AJ Khan in his talk addressed several topics and scenarios, including a study result showing that more than 83% of respondents use unsanctioned cloud applications, including Dropbox, to store company information.

One of the scenarios demonstrated how a company’s marketing department had signed up for an email marketing solution and had been using it for two years. Information security becomes aware of this unsanctioned app and finds that the marketing application provider has a low Cloud Confidence Rating. What should InfoSec do? Do you have a sanctioned-apps onboarding process? One of the lessons was that an organization cannot transfer its cyber security risk to a cloud service provider: protection of critical and/or regulated data (PII, PHI, financial data, proprietary or confidential data) remains the organization’s responsibility.

Some of the questions that need to be answered are: what is your vendor risk management process? Does it have a Cloud Service Provider component? What tools do you have for vendor risk management in the cloud? What security and GRC controls do you have in place for your Sanctioned Apps? Do you cover all “Cloud Apps”?

Join the CISO and CPO Community to be sure not to miss future events.