by Lori Smith on November 21, 2018
2 minute read
12 CISOs, CPOs, and Risk Management executives joined a lively breakfast discussion at the Shangri-La Toronto on Wednesday, November 1st. The gathering of industry leaders from some of the largest Canadian and US banks, insurance companies, credit unions, wealth management firms and telecom organizations was held in response to the ever-evolving threat landscape, which has translated into a tidal wave of data breaches, investigations, and increasing regulatory obligations.
The breakfast meeting featured an open talk by Adam Kardash, an acknowledged Canadian industry leader in privacy and data management who leads the national Privacy and Data Management practice at Osler, Hoskin & Harcourt LLP. Adam advises Fortune 500 clients on their business-critical data-protection issues, compliance initiatives, and data governance, and regularly represents clients in regulatory investigations and security breaches. Adam was followed by a presentation led by AJ Khan, CCSK, cybersecurity practice lead and founder of Cloud GRC.
During his presentation, Adam addressed several data privacy and incident investigation topics.
Below are three major takeaways from Adam’s presentation:
- The concept of alleged misuse. Be very careful with the term "alleged misuse": it is an allegation that you are somehow doing something wrong. The underlying standard is that organizations may collect, use or disclose data only for a reasonable purpose, one that a reasonable person would actually consider appropriate.
- In 2018 the security breach notification requirements will change. Firstly, if there is a breach of security safeguards, or a failure to establish reasonable safeguards for sensitive data, organizations are going to have to notify the Office of the Privacy Commissioner of Canada, and failure to notify is an offence. A verbal notice is no longer sufficient. Additionally, affected individuals must also be notified. A lesson learned here is that large-scale incidents usually involve a series of classes and/or subclasses of affected parties.
- We are going to see enhanced sophistication in regulatory authorities: more requests for far more detail, and higher expectations for the production of supporting documents and evidence of a good security culture. Narrative is king, and the narrative has to be one of good governance: bad things can happen to good companies. Producing evidence of your excellent governance and showing that you have a continuous improvement loop is critical. Show your record keeping, your plans, and a history that demonstrates a continuous pattern of identifying and fixing issues. Incidents are increasing, and more than half of the incidents now seen occur in a vendor context, so your vendor management needs to be tied in. Showing evidence of a culture of security means regular training, regular awareness, and evidence of compliance monitoring that shows how you monitor compliance with the terms of your policies and contracts.
AJ Khan's talk addressed several topics and scenarios, including a study result showing that more than 83% of respondents use unsanctioned cloud applications, including Dropbox, to store company information.
One of the scenarios showed how a company's marketing department had signed up for an email marketing solution and had been using it for two years. Information Security became aware of this unsanctioned app and found that the marketing application provider has a low Cloud Confidence Rating. What should InfoSec do? Do you have a Sanctioned Apps onboarding process? One of the lessons was that an organization cannot transfer its cyber security risks to a Cloud Service Provider; this includes the protection of critical and/or regulated data: PII, PHI, financial data, proprietary data or confidential data.
Some of the questions that need to be answered are: What is your vendor risk management process? Does it have a Cloud Service Provider component? What tools do you have for vendor risk management in the cloud? What security and GRC controls do you have in place for your Sanctioned Apps? Do you cover all "Cloud Apps"?
Join the CISO and CPO Community here to be sure you don't miss future events.