With the GDPR about to take effect, many companies are looking to their cloud services to help with compliance. The Microsoft Office Modern Workplace episode, ‘GDPR: What You Need to Know’, outlines how to make that process less painful. Companies want assurance that the cloud services they use are themselves compliant. The GDPR places a heavier burden on companies that store data about Europeans, and for many businesses that data resides in the cloud. Important GDPR compliance considerations include building support for the consent requirement, the rights to erasure and data portability,…

The General Data Protection Regulation (GDPR) is the latest in a host of rules designed to protect privacy. It is significant because it affects any company that does business in Europe or collects data on Europeans. GDPR’s wide-ranging scope ranks it among the most significant regulations, alongside well-known requirements such as HIPAA and PCI. Because GDPR shares goals with other regulations, your business may already be doing quite a few of the things it requires. While HIPAA is designed to protect patient information in covered entities and business…

The Electronic Frontier Foundation issued a report on 18 web and technology companies that routinely handle user data. The study examined six policy and practice areas covering how each company responds to requests for user information: Does the company require a warrant before releasing information? Does the company inform users of requests for their data? Does it publish statistics on how often data is provided to requesting agencies? Does it have a published policy outlining how it responds to information requests? Does the company stand firm when information…

The Department of Health and Human Services (HHS) released the HIPAA Omnibus rule on January 17, 2013, designed to give patients additional rights over their health information and to increase penalties for organizations that fail to protect Protected Health Information (PHI). The rule went into effect on March 26, 2013, and it includes changes to data breach response requirements. HIPAA already required covered entities to conduct a risk assessment when a data breach occurs; that assessment determined whether the breach affected an individual enough to require notification. If the…

PCI applies to a wide range of corporations and companies that handle credit card transactions, and it can be a useful benchmark for other organizations as well. The PCI standard was created by the card brands, including Discover, American Express, Visa, and MasterCard, to protect individuals from credit card fraud and identity theft by standardizing the security controls surrounding cardholder data. Like ISO standards, PCI is an industry standard rather than a government regulation backed by statutory fines; any penalties for non-compliance are contractual, imposed by the card brands through acquiring banks. Rather, the rule thrives under positive reinforcement…

HIPAA is a regulation intended to help covered entities and their business associates protect Electronic Protected Health Information (ePHI). The U.S. Department of Health and Human Services (HHS) defines who HIPAA applies to through its definition of a covered entity: a health care provider, a health plan, or a health care clearinghouse. Providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, but only if they transmit any information in electronic form in connection with a transaction…

Information security is often seen as an amorphous issue that only the IT department has to deal with. The reality is that companies need to address information security compliance from top to bottom. Regulations exist that can help a company improve its information security, and non-compliance can result in severe fines. It can be difficult for a company to work out which laws apply to it, because many different sets of laws can apply to one company and not to another. Many major companies within…

An information security risk assessment is the process of identifying the vulnerabilities, threats, and risks associated with organizational assets and the controls that can mitigate those threats. Risk managers and organizational decision makers use risk assessments to determine which risks to mitigate using controls and which to accept or transfer. There are two prevailing methodologies for performing a risk assessment: the qualitative and quantitative approaches. A third method, termed mixed or hybrid, combines elements of both.
Quantitative Information Security Risk Assessment
Quantitative information security risk…
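As an added illustration (not part of the original post), here is a small Python module that carries out the three approaches the paragraph names: the quantitative calculation, a qualitative likelihood-by-impact rating, and a hybrid mapping between the two. The SLE/ALE formulas (single loss expectancy = asset value × exposure factor; annualized loss expectancy = SLE × annualized rate of occurrence) are standard risk-management definitions that the excerpt does not spell out, and every asset, figure, threshold and control name below is constructed for the example.

```python
"""Quantitative, qualitative and hybrid risk scoring (added illustration).

Assumed definitions (standard in risk-management texts, not stated on this page):
  SLE = asset value x exposure factor   (loss from a single occurrence)
  ALE = SLE x ARO                       (expected loss per year)
All sample figures, thresholds and names below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float        # replacement / impact value in currency units
    threat: str
    exposure_factor: float    # fraction of asset value lost per occurrence, 0..1
    aro: float                # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: the cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_ef: Optional[float] = None   # exposure factor once the control is in place
    residual_aro: Optional[float] = None  # ARO once the control is in place

    def apply(self, risk: Risk) -> Risk:
        """The same risk as it would look with this control operating."""
        ef = self.residual_ef if self.residual_ef is not None else risk.exposure_factor
        aro = self.residual_aro if self.residual_aro is not None else risk.aro
        return Risk(risk.asset, risk.asset_value, risk.threat, ef, aro)


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided by the control minus what the control costs to run."""
    return risk.ale() - control.apply(risk).ale() - control.annual_cost


def decide(risk: Risk, control: Optional[Control], risk_appetite: float) -> str:
    """Accept losses within appetite, mitigate when a control pays for itself,
    otherwise flag the risk for transfer (e.g. insurance) or a different control."""
    if risk.ale() <= risk_appetite:
        return "accept"
    if control is not None and net_benefit(risk, control) > 0:
        return "mitigate"
    return "transfer-or-redesign"


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative approach: ordinal 1..5 scales, product binned into three ratings."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Hybrid approach: anchor the ordinal ratings to currency bands (constructed upper
# bounds) so qualitative and quantitative results can be compared on one register.
ALE_BANDS = (("Low", 10_000.0), ("Medium", 50_000.0), ("High", 200_000.0))


def ale_to_rating(ale: float) -> str:
    for rating, upper in ALE_BANDS:
        if ale <= upper:
            return rating
    return "Critical"


# Constructed sample inputs.
CUSTOMER_DB = Risk("customer database", 500_000.0, "ransomware", 0.4, 0.5)
OFFLINE_BACKUPS = Control("offline backups", 20_000.0, residual_ef=0.1)
LAPTOP = Risk("field laptop", 2_000.0, "theft", 1.0, 2.0)
RISK_APPETITE = 5_000.0

if __name__ == "__main__":
    for risk, ctl in ((CUSTOMER_DB, OFFLINE_BACKUPS), (LAPTOP, None)):
        print(f"{risk.asset}/{risk.threat}: SLE={risk.sle():,.0f} ALE={risk.ale():,.0f} "
              f"rating={ale_to_rating(risk.ale())} decision={decide(risk, ctl, RISK_APPETITE)}")
        if ctl:
            print(f"  {ctl.name}: net benefit {net_benefit(risk, ctl):,.0f}/year")
```

The decision rule is deliberately simple: a control is worth buying when the ALE it removes exceeds its annual cost, and anything under the stated risk appetite is accepted without spending on it. Real programmes add a ceiling on single-event loss (a low-ARO, catastrophic SLE can look "acceptable" on ALE alone), which is one reason the qualitative and hybrid views are kept alongside the figures.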

Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone's desk. Information security policies find their value when they are understood, adhered to, and enforced. For that to happen, employees must be made aware of the policy, the reason it exists, and how it affects them. This article outlines the problem of enacting security policies without an associated awareness program. It also cites recent research on harmful user activities that could be mitigated by implementing awareness training once a policy is enacted.
The problem with policies alone…

Companies collect millions of gigabytes of information, all of which has to be stored, maintained, and secured. There is a general fear of deleting data lest it be needed some day, but this practice is quickly becoming a problem that creates privacy and compliance risk. Some call it "data hoarding", and I am here to help you clean your closet of unnecessary bits and bytes. The news is full of examples of companies losing data, and those companies incur significant cost to shore up both their information security and their reputations. In…