Around six months have passed since the General Data Protection Regulation (GDPR) took effect. Among the many unclear implications of GDPR, the vaguest might be how to ensure compliance with its security requirements, including data protection by design and by default. It has been a tough task for cybersecurity professionals to understand how to interpret the GDPR requirements, and it will probably remain a continuous struggle over the next several years.
However, the interpretation of these GDPR provisions should not be the only aspect to command our attention. The increased penalties (up to 20 million Euros or 4 percent of total annual turnover) have made many companies think not only about how to ensure compliance, but also about what happens if the required measures are not implemented. Thus, the question for many companies is who will be liable for compliance failures regarding the GDPR security rules: the company or the cybersecurity manager?
The Health Insurance Portability and Accountability Act (HIPAA) has evolved considerably to keep up with the demands of our modern society. Now that protected health information (PHI) is kept via electronic records, healthcare organizations need to comply with the HIPAA Security Rule if they want to keep their patients’ data private (and avoid a hefty fine).
What’s Required for HIPAA Compliance? HIPAA compliance requirements can be complicated, but at a minimum, you’ll need to do the following:
Vendor lock-in. What is it? Vendor lock-in occurs when you adopt a product or service for your business, and then find yourself locked in, unable to easily transition to a competitor's product or service. Vendor lock-in is becoming more prevalent as we migrate from legacy IT models to the plethora of sophisticated cloud services offering rapid scalability and elasticity, while fueling creativity and minimizing costs.
However, as we rush to take advantage of what the cloud has to offer, we should plan strategically for vendor lock-in. What happens if you find another cloud provider that you prefer? How will you migrate your services? What are the costs, how disruptive will it be, and will you have the professional talent to transition successfully?
Practitioners charged with effective governance of information and technology have a tremendous new resource to draw upon with a significant refresh to the COBIT framework. Today, the first two books of COBIT 2019 have been released, with additional publications to follow later this year.
I could go on for hours about the elements of COBIT 2019 that I believe will be well-received by our passionate global community of COBIT users (and considering I am one of those passionate COBIT users, if I catch you in person at an ISACA event, I might just do so). For the purposes of this blog post, I will put forward a list of five aspects of COBIT 2019 that I consider especially appealing.
For many organizations to have an effective cyber culture, they must also have a mature cyber culture. A recent cybersecurity culture study conducted by ISACA and CMMI Institute found that only 5 percent of organizations believe no gap exists between their current and desired cybersecurity culture. A full third see a significant gap. That’s why I found it so valuable to sit down with cybersecurity leaders across the public, private and non-profit sectors to have a discussion in the UK last week about cyber maturity, what it means to people and how we can help organizations value being more prepared.
This blog is intended to offer a way for ISACA leaders, constituents and staff to exchange information of interest pertinent to the association, the business environment and/or the profession.
The comments on this site are the author’s own and do not necessarily represent ISACA’s opinions or plans. ISACA does not endorse, monitor or control any links to external sites offered in this blog, and makes no warranty or statement regarding the content on those external sites.
Anyone posting comments on this site should ensure that the content remains on-topic and steers well clear of any statements that could be considered insensitive, offensive or threatening. Given ISACA’s global nature, the need to communicate in a way that is accessible and acceptable to many cultures should be taken into account. ISACA retains the right, at its sole discretion, to refuse content that is considered inappropriate.