NIST held a workshop on 16 October in Austin, Texas, USA, to discuss plans for a voluntary privacy framework; attendees from industry, academia, and government had a robust discussion about what such a framework should contain.
According to NIST, the framework is needed because we live in an “increasingly connected and complex environment with cutting-edge technologies such as the Internet of Things and artificial intelligence raising further concerns about an individual’s privacy. A framework that could be used across industries would be valuable in helping organizations identify and manage their privacy risks.” It would also help an organization prepare and maintain a comprehensive privacy plan.
You’ve been hacked, and electronic protected health information (ePHI) has been exposed. You have specific compliance obligations, and, intertwined with them, there are reasonable steps to take to halt the compromise and protect your patients. You may be working with managed service partners who want you to believe that everything is fine, but due diligence demands that you trust no one and assume the worst, even if you are not yet convinced that ePHI was actually exposed. You must start moving, but what are your first steps? You need to contain the breach, recover your data, meet your legal obligations, strengthen your security, and consider engaging an incident response firm.
I recently discovered a fascinating C-suite report that used an apt metaphor to capture why culture is so challenging for businesses: Organizational culture is like an iceberg. That was Deloitte’s take, and it resonates with me. The relatively small portion you see above the waves represents isolated, highly visible problems—like the employee who opens the door to an attacker by clicking on a link in a phishing email. But the bulk of the culture iceberg is submerged: the shared, but often hidden, beliefs and assumptions that ultimately allow those major security problems to occur.
Everyone doing business today shares an unfortunate truth: no matter how strong your cybersecurity program, your employees are your biggest potential source of failure.
It’s not that you’ve hired bad people; there simply isn’t enough understanding of the issues that matter for keeping the company safe. At a minimum, this leaves the organization more vulnerable to social engineering and phishing, and a successful phish can open the door to a much larger intrusion.
When it comes to cybersecurity, businesses face a classic conundrum: how much money and how many resources should be spent on something that has not happened and may never happen? It’s easy to blame employees for being susceptible to spear phishing, but if they were never given proper training to spot it, the fault lies elsewhere.
Fighting poverty and achieving a high economic growth rate are two key priorities for developing countries.
Achieving both of these goals depends on financial inclusion. A national digital transformation strategy focused on moving the traditional economy to a digitized one is the fastest route to that goal.
The journey to financial inclusion relies on fintechs: disruptors in the financial sector that drive innovative transformation and change how financial services are delivered, the medium of transactions, and the approach to business analysis.
This blog is intended to offer a way for ISACA leaders, constituents and staff to exchange information of interest pertinent to the association, the business environment and/or the profession.
The comments on this site are the author’s own and do not necessarily represent ISACA’s opinions or plans. ISACA does not endorse, monitor or control any links to external sites offered in this blog, and makes no warranty or statement regarding the content on those external sites.