By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®
Collaboration between cybersecurity and privacy/compliance teams is vital for safeguarding an organization’s sensitive data and maintaining regulatory compliance. Working together, these teams can effectively identify risks, implement appropriate security measures, and respond promptly to potential breaches. Their collaboration is crucial for the following areas:
- Comprehensive Risk Management. Cybersecurity teams focus on identifying and mitigating technical vulnerabilities and threats, while privacy/compliance teams assess risks related to data protection, privacy regulations, and legal compliance. By combining their expertise, these teams can develop a comprehensive risk management strategy that addresses both technical and regulatory aspects.
- Compliance Alignment. Privacy/compliance teams understand and adhere to relevant regulations, such as GDPR (General Data Protection Regulation) or CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act). Cybersecurity teams can assist in implementing security controls that align with these regulations, ensuring personal data protection and minimizing the risk of non-compliance.
- Data Classification and Handling. Privacy/compliance teams know data classification and handling requirements. They can guide cybersecurity teams in identifying sensitive data, determining appropriate security measures, and implementing necessary controls for its protection. Collaboration ensures that security measures are aligned with privacy requirements and that sensitive data is adequately safeguarded.
- Incident Response and Breach Management. In the unfortunate event of a breach, collaboration between cybersecurity and privacy/compliance teams becomes crucial. They must work together to investigate the breach, assess the impact, and implement appropriate measures to mitigate the damage. Privacy/compliance teams can assist in fulfilling legal obligations, such as notifying affected individuals or regulatory authorities, while cybersecurity teams focus on securing systems and preventing further attacks.
- Continuous Improvement. Collaboration allows ongoing team communication and knowledge sharing. Teams can learn from each other’s expertise, stay updated on emerging threats and regulatory changes, and continuously improve the organization’s security posture and compliance practices.
To facilitate effective collaboration, organizations should encourage regular meetings, establish clear lines of communication, foster a culture of mutual respect and trust, and provide opportunities for cross-team training and skill development.
Cybersecurity and privacy/compliance teams must work hand in hand to protect an organization’s sensitive data, ensure compliance with regulations, and effectively respond to potential breaches. Their collaboration is essential for maintaining a strong security posture and safeguarding the organization’s reputation.
Cybersecurity Best Practices
As a financial services company, having a plan and following best practices is crucial. Organizations in this sector must adopt robust data protection practices to comply with the Department of Labor (DOL) and privacy laws. The Employee Benefits Security Administration has released a set of best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire. The document, called Cybersecurity Program Best Practices, provides a good starting point for any organization, financial or otherwise.
Here are some critical steps that any organization should review and implement as they strive to improve at protecting their valuable data:
- Data Inventory. Maintain a comprehensive inventory of the personal data you collect, store, and process. This includes identifying the types of data, its sources, and where it’s stored.
- Risk Assessment. Conduct regular risk assessments to identify vulnerabilities and potential threats to personal data. This evaluation helps in implementing appropriate security measures and safeguards.
- Security Measures. Implement appropriate technical and organizational measures to protect personal data. This includes encryption, access controls, secure storage, and regular security updates.
- Incident Response Plan. Develop an incident response plan that outlines the steps to be taken in case of a data breach. The plan should include containment, investigation, notification, and remediation procedures.
- Employee Training. Regularly train employees in data protection and privacy practices. This helps raise awareness about potential risks, encourages responsible data handling, and reduces the likelihood of human error.
- Data Minimization. Limit the collection and retention of personal data to what is necessary for legitimate business purposes. Minimizing the amount of data you collect reduces the risk of storing and managing sensitive information.
- Vendor Management. If you share personal data with third-party vendors or service providers, ensure they have appropriate privacy and security measures in place. Conduct due diligence when selecting vendors, and include contractual safeguards to protect personal data.
- Privacy Notices. Update your privacy notices to comply with applicable privacy law requirements, including providing clear information on data collection, sharing, and individual rights.
- Data Subject Rights. Establish processes to handle data subject requests, such as access, deletion, and correction rights, within the timelines specified by privacy laws.
- Regular Audits. Conduct internal audits and assessments to ensure ongoing compliance with privacy laws and identify areas for improvement.
Remember, staying compliant with privacy laws is an ongoing effort requiring a proactive approach to data protection. As it relates to our business sector, it is crucial to understand and follow what the DOL deems as best practices.
Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer with more than three decades of experience in the Information Technology and Data Security field. Roles in systems engineering/architecture and technical management have enabled him to become a well-rounded information security specialist. Kevin holds a Master of Science in Cybersecurity from Liberty University and continues to approach cybersecurity objectives with Confidentiality, Integrity, and Availability (CIA) as the main tenets of how an organization handles data when it is stored, transmitted, and processed. Kevin is a regular contributor to our blog on topics having to do with cybersecurity and data protection.