Last year was a big year in the world of information security with data privacy issues, new regulations and several high-profile data breaches. Now that 2019 has arrived, what should corporations be doing to comply with the various data security and privacy regulations?
First and foremost, businesses must manage and mitigate risk, and in the digital world order this entails keeping information secure, ensuring proper controls are in place, and policies and roles are set. Having these in order makes it easier to meet the pertinent regulatory requirements.
The key attributes of information security are Confidentiality, Integrity and Availability.
- Confidentiality means ensuring that information is only disclosed to authorized users. Disclosing the information to unauthorized users leads to loss of confidentiality. Confidentiality is an important attribute for sensitive information.
- Integrity ensures that the information is accurate and has not been tampered with either inadvertently or maliciously, or modified by an unauthorized source. If the integrity of information has been compromised it can result in wrong decisions being made and consequently increase the risk to the business.
- Availability means that information is accessible when it is needed. Information that is erased or made inaccessible leads to a lack of availability, which increases the risk of a business impact. For example, a denial-of-service attack on an airline reservation service results in customers not being able to use the service and, as a result, impacts the airline’s revenues. Availability is often the most important attribute in service-oriented businesses that depend on information.
Ensuring that these key security attributes are never compromised is foundational to managing risk and being compliant.
What resolutions should be made in 2019 to make it easier to comply?
- Adhere to security attributes: Learn and enforce the information security attributes: Confidentiality, Integrity and Availability. Create a cross-functional governance team, chaired by the Chief Information Security Officer, that regularly monitors threats and enforces information security practices.
- Comply with privacy laws and regulations:
  - If you are a business dealing with the European countries, make sure you comply with the General Data Protection Regulation (GDPR) that became law in May 2018. Failing to comply can result in steep fines in the event of a data breach.
  - The California Consumer Privacy Act (CCPA) is now in the “public consultation” period, and the new law will take effect on January 1, 2020. If you are based in or have any business with California, you had better plan for this new regulation and comply!
- Think globally: If you are operating your business globally, make sure you conform to the trade compliance and export control laws. Also, consider creating a trade and export compliance officer role for your corporation.
- Be proactive: Comply with industry and state-specific data and customer privacy regulations (e.g. the PCI Data Security Standard (PCI DSS) for payment card data, HIPAA).
- Mind the cloud: If your data is hosted in the public or private cloud, remember that data security is a shared responsibility! While your service provider will provide security at the various levels of the infrastructure they are responsible for, you should audit and ensure that the service provider’s controls meet your requirements AND you must implement your own data protection, authentication and authorization policies to keep your information secure at all times.
Modern businesses must be ready to meet data security regulations wherever they do business.
*** This is a Security Bloggers Network syndicated blog from Data Security Blog | Thales eSecurity authored by Ashvin Kamaraju. Read the original post at: https://blog.thalesesecurity.com/2019/01/10/resolve-to-comply-in-2019/