A few days ago, in between catching flights and dozing off in an airport terminal, I read an article about the recently published findings from the 2017 Global Information Security Workforce Study.
There were a few obvious conclusions that I expected to come out of this report, such as the ever-widening cybersecurity talent gap (hence the title), but there was one item in particular I found to be quite intriguing. In the third paragraph of the introduction, the GISWS asserts, “This year’s Study reveals we are on pace to reach a cybersecurity workforce gap of 1.8 million by 2022, a 20% increase over the forecast made in 2015.”
Of course, it is. The threat landscape continues to change, so it should come as no surprise that, as companies experience breaches or (for whatever reason) are shown to be in possession of or disseminating private information, lawmakers continue to push for increased regulation. This regulation and enforcement then contributes directly to that shortage while creating jobs. If you think that not doing business in the EU will save your business from having to comply with GDPR (or something like it), think again. Facebook CEO Mark Zuckerberg’s congressional hearings are setting the US up to have similar regulation put in place.
What I did find most surprising from the report was that some of the top skills hiring managers are looking for in applicants are strong communication and analytical skills. This finding is in line with both the 2013 and 2015 reports, which had also highlighted these as being just as important as technical ability.
The report goes on to identify that 87% of the global cybersecurity workforce started in another career entirely. This convergence of career paths provides a tremendous opportunity for unique perspectives and skills for any organization.
How often have we seen marketing or sales material that promotes the non-technical professional? And how can we possibly expect that all cybersecurity professionals are experts in the same ways? We certainly wouldn't expect that all IT professionals are experts in everything IT. Or would we?
The underlying issue, however, appears to stem from some self-perpetuated misconceptions. The misconception is that to have a career in cybersecurity (or to be seen as a professional), one must first possess some advanced level of technical skill. Technical expertise is essential and in demand for many positions in cybersecurity, but ultimately may not be a good predictor of the value that a candidate might bring. Technical knowledge can be learned, and in some ways may be easier to acquire than, say, learning to be an active listener.
If anything, this report helps to solidify that the way we talk about the global shortfall in cybersecurity talent is ineffective. We aren't reaching the people who might be highly effective in other ways (such as driving governance through leadership and influence), which are of equal importance to technical ability.
The message should be that there is plenty of opportunity for both non-technical and technical analytical cybersecurity professionals, provided they know how to communicate.
Compliance and security professionals are regularly challenged with unique security situations. However, the harder the challenge, the more rewarding it is for those who successfully solve the problem—part of what makes the profession so fulfilling. The difference between success and failure depends on individual skills and experience to deconstruct a complex security environment into individual elements that can be mitigated with a standard set of security controls.
Perhaps one of the more complex security issues for security and compliance professionals is protecting biomedical devices. There are several factors that make securing biomedical devices so difficult, including their close interaction with patients, lack of individual accountability, fragmented regulatory oversight and very long operational life-cycles.
Healthcare organizations keep biomedical devices in service longer than any other endpoints, sometimes for 15 years or longer. Using devices this old means that CISOs need to secure legacy operating systems, including Windows 95, 98 or XP. To complicate the issue, device manufacturers are reluctant to disclose the software bill of materials, so the security team might not even know which operating system it needs to protect, or the inherent vulnerabilities in each device. To further complicate matters, patch management and the application of third-party security controls, such as anti-virus, may not be possible for the majority of biomedical devices. Security teams are also hampered because biomedical devices cannot be scanned like traditional IT systems. Some devices may only be powered on while connected to patients, and active vulnerability scans present a real risk of causing a device to malfunction and harm a patient.
Configuration management also presents challenges, as the biomedical department may not be integrated with the IT management. There are few tools that can detect patch levels and no tools that will automatically deploy updates because of patient safety issues.
From a physical security perspective, biomedical devices are generally issued to departments or facilities, rather than individuals. They also are highly mobile and treated like commodities. Unlike traditional IT assets, which will generate a lost or missing report within hours, lost biomedical equipment may not be reported for months or even a year.
Quickly Assess the Health of a Biomedical Security and Compliance Program
Healthcare executives need a quick way to evaluate the effectiveness of their biomedical device security and compliance program. Fortunately, some of the highest risk areas can be identified with four simple questions:
- What are the last 25 biomedical devices that have been added to the “Could Not Locate (CNL)” list?
- Which of those devices on the CNL list store Protected Health Information, or PHI?
- Of the missing devices with PHI, how many have been reported to the Office for Civil Rights (OCR) as a breach of PHI?
- For all remaining devices, what percentage have technical vulnerabilities that cannot be remediated?
These four questions will provide insight into biomedical devices’ four common high-risk areas. The first question will determine the effectiveness of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) asset management control ID.AM-1. If an organization is not actively tracking missing devices, it has failed in asset management.
The second question addresses risk assessment control ID.RA-4. If an organization can’t identify which devices have the highest business impact to the organization, then it has not performed a complete risk assessment.
The third question will determine if the governance control ID.GV-3 is effective. Organizations that do not report breaches of ePHI are at risk of fines and loss of patient confidence.
Finally, question four will determine if the information protection processes and procedures PR.IP-1 are effective. Due to the nature of biomedical devices, there always will be devices that have legacy operating systems, cannot be patched, don’t have anti-virus software, or otherwise cannot have all the technical vulnerabilities remediated. The CISO should track these devices and grant waivers that are periodically reviewed. Strong configuration control procedures facilitate timely preventative maintenance and compliance with product recalls.
Medical device security challenges can be overcome
Managing the security and compliance of biomedical devices can appear to be very challenging. This challenge is not difficult when the appropriate control points are measured and the resulting metrics are routinely reviewed. In the example above, it only takes four simple questions to quickly identify a well-tuned biomedical device security and compliance program, or if not answered, provide healthcare executives with another incentive to pay closer attention to the issues.
I was recently very fortunate to attend the biggest cybersecurity conference of its kind, the 27th annual RSA Conference (RSAC) in San Francisco, USA. The first thing that struck me when I arrived at registration was the scale of the event. Spread across three huge conference venues in the center of the city, it was clear that they were preparing for a lot of people – more than 50,000 attendees, it turns out, with a choice of more than 500 different sessions and an expo housed across the venues filled with more than 650 exhibitors from 27 different countries.
The theme for RSAC 2018 was “Now Matters,” based on the recognition that with cyber threats looming larger than ever, finding solutions cannot wait till tomorrow. No surprise, then, that the Internet of Things (IoT) and artificial intelligence (AI) were hot topics this year, as well as blockchain and GDPR.
The program was packed, starting over the weekend with training courses from ISACA, SANS, (ISC)2 and CSA. Monday comprised full and half-day seminars covering security foundations, ransomware and destructive attacks, GDPR, blockchain and bitcoin, cloud security, and security diversity. The opening keynote was on Tuesday morning, followed by 16 further keynote sessions over the next four days that included more than 30 keynote speakers and panelists. Tuesday also was the start of the 500-plus educational sessions running through to midday on Friday, including an ISACA and CMMI panel addressing cyber maturity and readiness.
The program also covered many side events, including one in which the top 10 finalists in the RSAC Innovation Sandbox Contest grabbed the spotlight for a three-minute pitch while demonstrating groundbreaking security technologies to the broader RSAC community. In addition, there were other “hands-on sandboxes” offering experiences that discussed and simulated threats and vulnerabilities in IoT devices, automobiles and industrial control systems. It also featured the SANS NetWars experience, where participants could challenge and demonstrate their information security skills. Other side events included Birds of a Feather sessions, Peer2Peer sessions and learning labs that enabled smaller groups to focus on specific security topics.
RSAC succeeded in bringing together the best and the brightest in cybersecurity to highlight the issues that are at the forefront of concern and importance in our field today. One of my favorite sessions was the closing keynote where Dr. Sebastian Thrun, Udacity president and founder, and also GoogleX founder, shared his vision of the workplace where AI takes over repetitive and mundane tasks to free up people to do much cooler things.
RSAC 2018 was overall a very impressive event, and hopefully a lot of the learning, sharing and networking stimulated the attendees to return to their places of work with renewed energy and inspiration to face the cyber challenges of today.
You can read more about my experience at RSAC in this conference recap report.
Firewalls have been a mainstay for cybersecurity for many years, but they aren’t perfect tools. Despite advances in internet and device technology, basic firewalls haven’t changed much since their inception. But researchers and IT experts are working tirelessly to improve the foundational model and provide a better layer of protection for firewall users.
The firewall basics
Firewalls aren’t especially complicated, but they work in a few different ways. Every firewall is configured with a set of criteria (source and destination address, protocol, port) that decides which traffic may pass into the network and which is dropped. Packet-filtering firewalls allow or deny each packet based on those criteria, typically evaluating rules in order and falling back to a default deny when nothing matches. Proxy-style firewalls instead terminate the connection and retrieve the content themselves, acting as a kind of poison tester, before passing it on to the network. Most firewalls exist as an appliance or application deployed in line with your network.
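To make the packet-filtering model concrete, here is an added example (not code from the original article or from any firewall vendor) of a first-match filter with a default deny and a minimal connection-tracking table. The rule names, the documentation-range addresses and the sample packets are constructed for illustration. It also shows why connection tracking matters: without it, the legitimate reply to an outbound request has to be let in by a broad inbound rule.

```python
"""Illustrative first-match packet filter with default deny and a minimal
connection-tracking table. Added example, not code from the original article;
the rule names, addresses and sample packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR block, or None for any source
    dst: Optional[str] = None    # CIDR block, or None for any destination
    dport: Optional[int] = None  # destination port, or None for any
    name: str = ""

    def matches(self, p: Packet) -> bool:
        """True when every criterion that is set on the rule matches the packet."""
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class Firewall:
    def __init__(self, rules, stateful=True):
        self.rules = list(rules)
        self.stateful = stateful
        # 5-tuples of flows an allow rule has already admitted (only used when stateful)
        self.conntrack = set()

    def filter(self, p: Packet) -> str:
        """Return 'allow:<rule>' or 'deny:<rule>' for the first matching rule, else default deny."""
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        # A stateful filter admits replies to flows it has already allowed without
        # needing a separate (and necessarily broad) inbound rule for them.
        if self.stateful and reverse in self.conntrack:
            return "allow:established"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and self.stateful:
                    self.conntrack.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return f"{r.action}:{r.name}"
        return "deny:default"   # nothing matched: dropped unless explicitly allowed


def demo() -> dict:
    """Run constructed sample traffic through the same ruleset, stateful and stateless."""
    rules = [
        # Internal hosts may open HTTPS connections outbound.
        Rule("allow", proto="tcp", src="10.0.0.0/24", dport=443, name="out-https"),
        # Inbound connections are accepted only for the web server on 443.
        Rule("allow", proto="tcp", dst="10.0.0.10/32", dport=443, name="in-webserver"),
        # Anything else falls through to the implicit default deny.
    ]
    request = Packet("10.0.0.5", "198.51.100.20", "tcp", 51000, 443)   # internal client -> web
    reply = Packet("198.51.100.20", "10.0.0.5", "tcp", 443, 51000)     # genuine reply
    spoofed = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51001)     # unsolicited, dressed as a reply
    ssh_in = Packet("203.0.113.9", "10.0.0.10", "tcp", 40000, 22)      # inbound SSH to the web server

    stateful = Firewall(rules, stateful=True)
    stateless = Firewall(rules, stateful=False)
    results = {
        "request": stateful.filter(request),
        "reply": stateful.filter(reply),
        "spoofed_reply": stateful.filter(spoofed),
        "inbound_ssh": stateful.filter(ssh_in),
    }
    stateless.filter(request)
    # Without connection tracking the legitimate reply is dropped, which is why
    # stateless filters end up carrying permissive "allow source port 443" rules.
    results["stateless_reply"] = stateless.filter(reply)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

Running the module prints one verdict per sample packet: the outbound request and its tracked reply are allowed, the spoofed reply and the inbound SSH attempt hit the default deny, and the stateless variant drops the genuine reply.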
How firewalls are evolving
So, how is this basic model starting to evolve?
- FWaaS. One major development in the firewall space has been the popularization of firewall as a service (FWaaS). FWaaS is cloud-based. Working much like a cloud storage system or similar cloud platform, FWaaS provides a layer of firewall protection to your network no matter how geographically dispersed it is or how many new sites you add. According to Cato Networks, this is advantageous because the firewall is more reliable and covers distributed locations from a single policy. In most cases, it’s more cost-effective as well. Plus, cloud-based firewalls are often updated automatically by providers, allowing for a mode of constant improvement.
- Lower costs. Firewalls are also getting less expensive. The tools necessary to create and maintain firewalls are becoming open-source and more available, and firewall management is becoming more intuitive thanks to better user interfaces. Overall, this means companies have to spend less time managing firewalls and less money getting the physical accessories necessary to maintain it.
- Higher throughput speeds. Throughput speeds are getting faster, which is good, because internet speeds are getting faster, and users won’t tolerate a slowdown just because the firewall needs extra time to inspect traffic. Because the firewall acts on data packets before passing them along (whatever type of firewall is in use), it adds latency to every request. Modern firewalls are becoming more efficient, enabling them to complete this inspection faster and reduce the lag in retrieving information.
- Awareness of users and applications. Traditional packet filters operate almost exclusively at layers 3 and 4 of the OSI model (network and transport), making decisions on addresses, protocols and ports. Modern firewalls are taking things a step further, according to findings by NSS Labs, improving awareness of applications and users. This gives firewalls more options in terms of blocking and allowing access to data, and gives organizations broader coverage to protect their systems. For organizations with hundreds of users and dozens of core applications, this functionality is indispensable.
- Third-party and multi-factor authentication systems. Authentication is a pivotal step for many modern firewalls, verifying that the users attempting to reach data are who they claim to be and are authorized to do so. Newer firewalls have more advanced means of authenticating; for example, they might integrate with third-party identity systems to define groups of users and allow them access to specific information while denying others. Multi-factor authentication adds a second proof of identity before a user’s session is permitted through; note that it authenticates users, not individual packets.
Your cybersecurity should be one of your biggest priorities, so your firewall demands your attention and investment. Despite advances in other areas of cybersecurity, your firewall is still the first line of defense you have against the cybercriminals who would compromise your data, and the malware that could otherwise infiltrate your systems. Pay attention to these keystone developments, and make sure your firewall is upgraded enough to provide the best protection.
Information security and privacy careers are expanding. There is more need for such professionals than ever before, as more technologies emerge and are used by businesses, government, healthcare and other types of organizations; as more personal data is constantly being collected through the technologies; and as more laws and legal requirements are enacted to protect that exponentially growing digital ocean of personal data. Certainly, the number of entities that see this endless tsunami of generated personal data as profit opportunities, through malicious or surreptitious use, also is increasing.
Information security and privacy opportunities will continue to become more numerous. Despite this, many trying to break into the fields, or trying to advance, lament that they don't know how to find these job openings or are not getting the opportunities they had hoped for.
One way to resolve these frustrations and career bottlenecks is to join professional associations, such as (of course) ISACA. These can help you leverage your abilities and experiences to get the positions that you want the most and have helped us throughout our careers.
Here are a few ways we have experienced career development benefits with ISACA throughout the years, as well as how you can expand your skillset and knowledge in the areas of information security and privacy.
Local ISACA Chapters
There are many benefits for being active in your local ISACA chapter. For example, consider the ILLOWA ISACA chapter in the US (where Jaret Pfluger is chapter president), which serves eastern Iowa and western Illinois.
The ILLOWA ISACA Chapter exemplifies many of the ways that a local ISACA chapter is providing career development and networking opportunities for their members. Here is an example of some of its activities that might provide ideas to energize your members:
- Monthly Cyber-Chats. ISACA Cyber-Chats, which debuted in January of 2018, provide a spicy, modern, online interactive learning format. It was recently discussed on the international radio show, "Data Security & Privacy with the Privacy Professor.” The connection to radio was coincidentally apropos, since the ILLOWA chapter members described the ISACA Cyber-Chats as a 21st-century “fireside chat,” reminiscent of those addresses that former President Franklin D. Roosevelt delivered via radio to Americans in the 1930s. The ISACA Cyber-Chat conversations focus on addressing important cyber events from the prior month, in addition to covering predefined mini-presentations. Everyone, whether or not they are ISACA members, is welcome to listen to the monthly broadcasts and register online for free. Those attending will get 1 CPE. See our events page for updated Cyber-Chats links each month.
What other online offerings might other chapters offer in your area?
- Online events are relatively common but not necessarily consistent. Moreover, these events typically are a deep-dive into a single topic as opposed to a smorgasbord of current events. The event may or may not have a cost associated with it. Check which events are offered by your local chapter – your mileage may vary.
- ILLOWA welcomes members from other chapters to join our Cyber-Chats. Our website is updated monthly with new event information.
- 1-Day Seminars. ILLOWA offers two full-day seminars per year. The Spring Seminar will be 25 April, focused on “Building a Privacy Management Program & Performing Privacy Impact Assessments,” taught by Rebecca Herold. The class participants will receive 8 CPEs, and four people will have the opportunity to win two copies of the ISACA Privacy Principles and Program Management Guide and two copies of Implementing a Privacy Protection Program: Using COBIT 5 Enablers with the ISACA Privacy Principles as door prizes. These books will also support the privacy impact assessment case studies that will be provided during the class.
What may chapters offer in your locale?
- Full or half-day events are common at larger chapters. For example, the Detroit chapter offers a multi-day, multi-track format each spring.
- If you are a smaller chapter spread out over a large territory that makes it difficult to get together often, consider offering a 1-Day Seminar once or twice a year and supplementing with monthly online learning opportunities.
- If a large city is nearby or if you happen to be visiting a large city, check out that local chapter’s website to see what is being offered.
- Monthly (or Weekly) Meetings/Socials. The ILLOWA ISACA chapter board meets monthly for planning purposes but squeezes in full-member meetings during the end of its spring and fall seminars. Because of its large territory coverage, ILLOWA encourages volunteers in their immediate vicinity to provide local meetups at cafes or micro-breweries. Small chapters may not have enough interest to maintain a crowd from month-to-month. Reach out to other groups in the area and invite them to participate.
What are other chapters doing for monthly meetings/socials?
- In large chapters, monthly or even weekly meetups are quite common.
- For example, the Atlanta chapter’s event page has a Twitter feed where it advertises monthly meetings.
- The Minnesota chapter offers social events that may include a presentation once a week. These events are offered in the Twin Cities area and will hop from location to location to make them more accessible to members throughout the month.
- If you are in a chapter that lacks monthly meetings or social events, contact your chapter’s leadership. Who knows? If nothing is going on, maybe an opportunity awaits you to spearhead a meetup – and don’t worry if initial turnout is small. Over time, persistence will yield more participation.
While these are just a few examples, we are providing them with the goal of giving you a good boost to your own brainstorming for what you can do within your own local ISACA chapters. We view them all as great opportunities for networking, as well as professional development.
Connect with ISACA International
ISACA has been working for the past several years on building its privacy management resources and expertise. So, if you want to move into a privacy career, or are interested in learning or beefing up your privacy management knowledge, and getting more privacy management tools, using the ISACA privacy research and tools will provide you with a great amount of practical resources.
In 2017, ISACA published two privacy books to provide information assurance professionals with information about the key privacy and data protection concepts they need to establish their own privacy management programs and to support privacy audits. ISACA has also provided several privacy management webinars and tools to members as well. Some of these publications and tools include:
Then, of course, there are the many ISACA education offerings. These include opportunities such as conferences, held globally throughout the year, along with a large number of online events. All of these can help ISACA members obtain the information necessary to support their career development goals, including in the areas of security and privacy.
There are many opportunities for advancing your information security, privacy and/or compliance careers. One effective pathway is through a very wide range of existing professional and career associations, and by actively participating in your local association chapters and networking with members. You can also advance your career by learning about information security and privacy news, pivotal events, and careers, such as on Data Security & Privacy and other radio shows that give such advice.
If you want to take your career forward, proactively take advantage of the opportunities that are waiting for you to seize them.
By now, most practitioners have heard (probably from a few different sources) that organizations struggle when it comes to finding, hiring and retaining the right resources for information security and/or cybersecurity professionals. There has been quite a bit written about this trend: the impact that it has on security efforts within enterprise, advice and guidance about how to staff and manage your security team in light of the talent challenges, strategies for working around it, etc. However, there is another potential angle that is comparatively less analyzed: the impact to existing practitioners – both in the short and long term – in light of the shortage.
Understanding this is important for practitioners as preparation now translates directly to continued success down the road. In knowing what we do about the workforce dynamics, we can make sure that we’re optimally positioned when the time comes for us to change jobs and continue to be in demand down the line.
Skills gap characteristics
The first thing to note is that the skills gap has characteristics that can be measured. We know that it exists from numerous research reports and surveys, specifically findings citing the lengths of time required to fill open positions, perceived difficulty in finding qualified candidates and challenges in retaining existing staff. ISACA’s 2018 State of Cybersecurity research was no exception in pointing this out. Findings from previous years of ISACA research, as well as studies from other organizations, suggest that these challenges are persistent.
However, the actual areas of need have been comparatively less thoroughly analyzed, including which positions are most problematic to staff and retain, which skills are in more demand, where the most hiring activity occurs, etc. Much like the skills gap itself can be measured, so, too, can these other characteristics. This year, we attempted to gather more information about these secondary characteristics of the skills gap.
What we learned was that individual contributors are in higher demand than managers. We also learned that there is a higher demand for technical resources, relative to non-technical ones. While that may not be a complete surprise to anyone who has tried to staff a security team, it is an interesting data point because it informs organizational staffing and retention strategies. The report data can also be useful for practitioners – i.e., those on the other end of the staffing equation. Meaning, individuals wishing to position themselves optimally for their future career growth can use this information as part of the “career strategy.”
Career “Future Proofing”
We as practitioners can maximize our competitiveness in the short term and ensure that we continue to be marketable over the long term by taking this information into account. For example, the information indicating that technical resources are harder to find relative to non-technical ones can help motivate us to stand out in the workforce by taking active measures to invest in our personal technical acumen. There are a number of ways to do this, of course, but ensuring that we remain abreast of new technologies, that we diversify the set of technologies with which we are conversant and keeping abreast of new attack methods is a good way to start.
In fact, there are many resources available to ISACA members to assist; for example, our partnership with Wapack Labs can help ensure that members stay abreast of attacker tradecraft; ISACA webinars (particularly those of a technical nature) and publications like the ISACA Journal can keep technical skills honed; and chapter activities can provide opportunities to learn new technical skills. This is potentially advantageous even for those that are more senior in their careers. For example, if a hiring decision came down to two resources – if all other things are equal, but one is more “current” in their technical understanding – who would you hire? See what I mean?
Over the long term, this information about the skills gap is likewise important for practitioners as it can inform their future career planning. Why? Because logic dictates that the dynamics will change over time in a few specific ways. For those with a decade or more before retirement, planning accordingly is valuable.
First, current challenges in obtaining qualified technical staff mean that organizations (and, in fact, the market at large) are likely to innovate toward automation strategies for technical work being done by human analysts today. Will this mean the existing workforce will be left high and dry? Not necessarily … but it does mean that technical acumen, while useful to help differentiate you among candidates in the short to intermediate term, isn’t a guaranteed way to future-proof your career over the long haul. This in turn means that establishing a diverse set of skills – as well as building a strong professional network – is important in the long term, in addition to building technical skills.
Second, the fact that there is increased demand for individual contributors relative to managers means that (again, thinking long-term), those who desire to move into manager positions should be looking to differentiate themselves as well from a competitive point of view. They might, for example, consider taking on management responsibilities now to give them skills that, down the road, will be important to their overall competitiveness.
As with most things, there’s no “one-size-fits-all” advice – there are as many viable career tracks as there are practitioners themselves. That said, one thing that’s probably universally true is that having a “career plan” that accounts for both near-term and longer-term changes is a good idea. The findings from this research can help accomplish that.
Many may be familiar with the guidelines on personal data breach notification under Regulation 2016/679 that the Article 29 Working Party (WP29) adopted in October 2017. Those guidelines elaborate the requirement the General Data Protection Regulation (GDPR) introduces for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority.
The basic concept of personal data breaches was not introduced first by the GDPR, and there are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to provide notification of breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands).
GDPR contains several provisions relating to personal data breaches that data controllers (and processors) must also be aware of. Additional information can be found in ISACA’s Implementing the General Data Protection Regulation publication; however, I’ve outlined some key highlights on breaches below.
So first, what is a personal data breach?
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
What type of personal data breaches exist?
- Confidentiality breach
- Availability breach
- Integrity breach
It is also apparent from the above that the concept of personal data breaches is closely linked to the principle of integrity and confidentiality of personal data (Article 5(1)(f) of the GDPR). Therefore, a wide variety of personal data breaches may occur, such as losing a laptop or USB drive that contains personal data, an attack on an IT system, or even sending a letter or an email to the wrong recipient.
Earlier, in 2014, WP29 had already presented in its Opinion 03/2014 a number of practical examples of what is considered to be a personal data breach and the consequences it may have.
Why is it so important that the personal data breach is handled as soon as possible?
Recital 85 of the GDPR states that "a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons,” such as:
- Loss of control over their personal data or limitation of their rights
- Identity theft or fraud
- Financial loss
What should you do if a personal data breach occurs?
The data controller has several tasks when a personal data breach is noticed:
- The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
- The controller shall document any personal data breaches.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
When does the personal data breach not need to be reported to the authority and when do the persons concerned not have to be notified directly?
If the data controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification may be omitted. (For example, if mail sent by a controller to a wrong address is returned without being opened, no personal data has been accessed by an unauthorized person.)
How can controllers prepare for handling personal data breaches?
Given that personal data breaches can occur at any data controller, and in such cases data controllers need to react quickly, it is important for controllers to be prepared in this respect as well.
First, every actor must prepare a data breach response plan, for which there may be internal rules as well. A data breach response plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.
Below is a data breach response plan quick checklist to help with this preparation:
Information to be included:
- What a data breach is and how staff can identify one
- Clear escalation procedures and reporting lines for suspected data breaches
- Members of the data breach response team, including roles, reporting lines and responsibilities
- Details of any external expertise that should be engaged in particular circumstances
- How the plan will apply to various types of data breaches and varying risk profiles, with consideration of possible remedial actions
- An approach for conducting assessments
- Processes that outline when and how individuals are notified
- Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted
- Processes for responding to incidents that involve another entity
- A record-keeping policy to ensure that breaches are documented
- Requirements under agreements with third parties, such as insurance policies or service agreements
- A strategy for identifying and addressing any weaknesses in data handling that contributed to the breach
- Regular reviewing and testing of the plan
- A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan
Recommendations on next steps:
An effective data breach response generally follows a four-step process — contain, assess, notify and review:
- Contain the data breach to prevent any further compromise of personal information.
- Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, take action to remediate any risk of harm.
- Notify individuals and the Commissioner if required. If the breach is an "eligible data breach" under the NDB scheme, it may be mandatory for the entity to notify.
- Review the incident and consider what actions can be taken to prevent future breaches.
How does the Hungarian DPA prepare to perform its duties in relation to personal data breaches?
Based on available information from the Hungarian DPA, there is a separate department within the Hungarian DPA’s organization that handles receiving and managing personal data breach notifications. It is also expected that data breach notifications will have to be made on the authority’s website, or that there will be an online interface through which notifications can be sent to the authority.
Editor’s note: ISACA’s Implementing the General Data Protection Regulation publication is an educational resource for privacy and other interested professionals; it is not legal or professional advice. Consult a qualified attorney on any specific legal question, problem or other matter. ISACA assumes no responsibility for the information contained in this publication and disclaims all liability with respect to the publication. 2018 © ISACA. All rights reserved. For additional ISACA resources on GDPR, visit www.isaca.org/GDPR.
For all of the benefits remote working offers businesses, it’s hard to ignore the security risks and threats.
According to a Gallup survey, more US employees are working remotely than ever before (and for longer periods of time). In 2016, 43 percent of employed Americans said they spent at least some time working remotely. Of these employees, 42 percent of survey respondents report working remotely 60-100 percent of the time.
As remote working becomes more popular, there is more and more pressure on employers to offer remote working opportunities to employees. And while your organization would be wise to adjust to the preferences of their workforce, prematurely deciding to allow for remote working without thinking about safety will leave your company vulnerable to considerable security risks.
Whether you already have a remote working policy in place or are just now considering the feasibility of one, here are some practical ways, from an information security perspective, that you can keep your remote employees safe.
Switch to cloud-based storage. If you haven’t already, switch your organization to cloud-based storage. Not only does this improve the data integrity of your entire company, but it gives remote workers the ability to access files and programs without needing to store sensitive information on their devices. Providers offer encrypted cloud storage at very affordable rates.
Require regular password changes. While it might seem obvious, poor password hygiene remains one of the single biggest risk factors for remote workers. Whether it’s simple passwords or passwords that never get changed, inadequate passwords increase the risk of being compromised by hackers and other cybercriminals. For best results, encourage your employees to select passwords that contain at least 12 characters (with numbers, symbols, uppercase letters, and lowercase letters). They should then be prompted to change passwords every six to nine weeks.
Limit as much access as possible. Just because you can give an employee access to a program or file doesn’t mean you should. Each employee and/or device that has access to confidential data increases the risk of being compromised. To enhance security, limit access on an as-needed basis.
Have remote support systems in place. When something goes wrong with a computer or system in the office, all it takes is a quick call to the IT department and somebody can be quickly dispatched to deal with the issue and, ideally, neutralize any security risk.
While not quite as convenient, you can have the same sort of control and responsiveness with remote devices if you have the right support systems in place. Tools like Dameware Remote Support make it possible to log into a remote worker’s computer and troubleshoot problems in real-time to limit issues or security threats.
Keep software and programs up to date. When it comes to security risk factors, outdated software and programs are high on the list. Vendors stop maintaining outdated versions, which often means they contain unpatched vulnerabilities that could leave you exposed. For best results, enable automatic updates on all employee devices.
Give your remote team a chance to succeed. If you genuinely want remote working to be a viable option for your organization, then you have to give your employees a chance to be successful. This means – among other things – paying close attention to security. If need be, meet with an outside security analyst or consultant to get some feedback on your setup. You can never be too safe.
Everyone is talking about blockchain and is curious to know more. In addition to blockchain conversations among cybersecurity and IT professionals, TV programs are discussing the topic, investors are clamoring about it and many people are asking just what the heck it is. Blockchain is the trending topic in seemingly every technology conference, journal and summit.
I recently spoke at one of the famous technical universities in India on digital payments and their impact on the global economy. We explored various technologies around digital payments, including USSD payments, mobile banking/payments, e-wallets and payment devices to debit/credit card with biometrics. I also discussed cryptocurrencies and blockchain technologies. Though the topics were diverse, most of my Q&A session ended up focusing on blockchain, security risks around it, use cases and how to secure it. People want to know!
There are many initiatives in the US, Europe, and APAC driven by governments and technology companies to enable blockchain in multiple use cases covering healthcare, banking and finance, manufacturing, utilities and civil identity programs.
Blockchain in banking
Blockchain is adding value to a bank’s technology stack by enabling efficiency and faster execution, along with secure and robust features. Most banks prefer a private blockchain for implementing these use cases. A private blockchain has its own set of benefits: it is faster, it offers restricted and authenticated user access control, it is centralized, and it is capable of controlling and monitoring transactions.
Blockchain adoption in the banking and finance industry has grown significantly in the past two years. Three use cases are gaining wide acceptance in this industry – international remittance, eKYC (Know Your Customer) and smart contracting:
- International remittance. Due to the P2P nature of blockchain, remittance platforms based on blockchain offer fast, cheap and substantially SECURE alternatives to the current banking mechanisms (ATMs, wire transfers).
- eKYC. As blockchain is a distributed ledger with the copy of data available at multiple nodes, the KYC requirements of multiple entities, such as cross-institution client verification capability, can be fulfilled without the delay caused by the KYC done with a more traditional approach.
- Smart Contracting. Smart contracts help in exchanging assets in a conflict-free way as the transactions are recorded in a distributed fashion, avoiding the middle man. Furthermore, once a transaction or “smart contract” has completed and made its way onto the blockchain or distributed ledger, it is immutable.
4 things that disrupt the blockchain party
- Improper Key Management. As blockchain applies the concept where private keys (identities) are directly mapped or tokenized to assets (currencies), improper handling may lead to irreversible loss of assets or ownership inconsistency.
- Third-party payment applications and API integrations issues. Multiple parties’ involvement leads to trust issues and data exposure, whether intended or unintended. As a whole, blockchain infrastructure is dependent on keys and certificates. Invalid chains of trust can lead to data leakage.
- Improper security controls in blockchain nodes, ledgers and smart contracts. Malicious or unintended permissions to modify the blockchain (add nodes), engage in unauthorized forking, etc., can lead to breached chains of trust.
- Security governance around keys, access control, networks and data security. Traditional governance issues like improper access control management (role management in private blockchain), unauthorized data access/modification and insufficient network protection measures lead to nullifying the protection measures provided by blockchain.
Top 3 security practices for secure governance around private blockchain
- Secure key distribution and management policies. Policies and processes around crypto keys and their distribution during blockchain implementation help to manage cryptographic functions, key access control, key rotation methods and validation of crypto algorithms’ implementations.
- Secure nodes, ledgers and smart contracting implementation and governance. During private blockchain implementations, organizations prefer to host blockchain networks and components at their premises. Security controls validations for security configurations in nodes, ledgers and smart contracts help to strengthen the security. Security frameworks and libraries used in these implementations should undergo detailed audits to verify controls at each layer of the ecosystem.
- Secure APIs and integrations. Third-party remittance, eKYC and smart contracting applications are integrated with blockchain platforms. APIs exposed to third parties should not reveal any sensitive data to attackers. APIs and their integrations should handle authentication, payload security, session management and design security risks.
Author’s note: Ameya Jhawar, Consultant – Digital Security at Aujas, contributed to this blog post.
The China Cybersecurity Law demonstrates China’s determination to take a more effective and coordinated approach to safeguard cyberspace as part of China’s National Security Initiative. The law applies to the construction, operation, maintenance and use of information networks, and the supervision and administration of cybersecurity in China.
Many of the obligations under the law apply to “network operators,” which are widely defined to include owners, administrators and network service providers who use networks owned or administered by others to provide relevant services. This includes, but is not limited to, telecommunication operators, network information service providers and important information system operators.
Also subject to stringent requirements under the law are “critical information infrastructure operators,” which include critical industries such as public communication, media, energy, transportation, financial services, public utilities, medical, social welfare, military and government affairs, as well as network service providers with a significant number of users.
Since the Cybersecurity Law took effect on 1 June 2017, the regulators have not hesitated or delayed enforcement efforts across China, although certain important implementing rules are still in the pipeline.
Enterprises will face more challenges to comply with the law and the detailed regulations, especially as the scope was widened to span network operation security, content security, network monitoring and incident response reporting to authorities. Some initial challenges include:
- Increased obligations to adhere to the law, including safeguarding network security, cooperating with inspections, and related social responsibilities and business ethics.
- More stringent regulations and requirements. For instance, security assessment is required before the cross-border transfer of personal sensitive data.
- Additional consequences. Organizations and individuals (including those from foreign countries) found guilty of attacking China’s critical infrastructure are subject to punishment specified by the law.
- Government authorities will have the right to shut down or limit network communications in the event of security emergencies.
In view of these developments, ISACA has published the Guide to China’s Regulatory Cybersecurity Implementation Framework to enable practitioners and enterprises to gain an understanding of the China Cybersecurity Law and its implementation.
This guide summarizes the structure and content of the China Cybersecurity Law, the key points for implementation and a recommended approach for gap analysis. A structured step-by-step approach enables practitioners and enterprises to determine whether their organization is part of the critical information infrastructure as defined by the law. Furthermore, the guide offers the necessary security control measures for both network operators and critical information infrastructure operators, including illustrations of suggested management and technical controls.
The National Institute of Standards and Technology (NIST) and ISACA have accumulated extensive experience in promoting the implementation of the NIST Cybersecurity Framework. Therefore, this guide also uses the NIST Cybersecurity Framework implementation process and the ISACA implementation process based on COBIT 5 as references for practitioners and enterprises to implement cybersecurity systems. Users can create new cybersecurity plans or improve existing plans by referencing the NIST framework when implementing the China Cybersecurity Law – and ultimately, establish a healthy cybersecurity system marked by continuous improvement.