On this webcast, we’ll guide you through an iterative process of building and deploying effective and practical Group Policy Objects (GPOs) that increase security posture. Download slides: https://www.activecountermeasures.com/presentations/ 0:45 Introducing what a kill chain is and general background you need for this webcast 15:53 Getting into group policies, best practices, group policies that we’re not covering […]
It was only a matter of time before US created their own version of the EU’S General Data Protection Regulation (GDPR). However, unlike the EU who addresses digital privacy protection on a national level, the US is handling online privacy on the state level. California has led the charge with the California Consumer Privacy Act (CCPA) that was passed into law in 2018.
3 main takeaways from the California Consumer Privacy Act of 2018
CCPA is designed with consumers in mind and gives California residents some of the strongest online privacy protections in the country. Here are three main takeaways of the California Consumer Privacy Act of 2018:
Smart selections when starting small can ease the pain as you scale up your company’s privacy infrastructure
The post 5 personal (and cheap) data privacy tools that scale for business appeared first on WeLiveSecurity
If you’re planning to implement an ISMS (information security management system), you’ll need to document the scope of your project – or, in other words, define what information needs to be protected.
There will almost certainly be more information and more locations where information is kept than you initially think of, so it’s essential that you take the time to scope your organisation. However, this involves more than simply identifying the data stored on your systems.
Benefits of defining the scope of your ISMS
Organisations that define the scope of their ISMS will have a much better understanding of their information security environment – where their data resides, where their data is safe, what format the data is held in, and so on.
Knowing this helps you complete information security audits, particularly when it comes to understand how to approach specific risks and which controls are most suitable.
Similarly, by defining the scope of their ISMS, organisations also define what’s out of scope. Having a firm grasp of what doesn’t need to be addressed provides assurances that key parts of the business aren’t being overlooked.
For example, you might identify a third-party data processor that collects information on your behalf – like a payroll service.
You will probably have a contractual agreement with the third-party outlining mandatory information security controls, but you have no control over how these are operated, so you can’t consider it within your scope.
You should instead document the organisation and its processing under Annex A control A.15 – supplier relationships.
Defining your scope
There are three steps to defining the scope of your ISMS. First, you need to identify every location where information is stored.
This includes physical and digital files, the latter of which might be kept locally or in the Cloud.
Second, you need to identify the ways in which information can be accessed. Any entry point, be it a drawer full of files or an employee’s work-issued laptop, should be noted.
Third, you need to determine what is out of scope. These are elements that your organisation either has no control over (such as third-party products) or that don’t give access to or house sensitive information.
For example, your organisation’s foyer probably won’t need security controls. If for some reason you do keep sensitive information there, it would be worth relocating it to put the foyer out of scope.
A well-defined scope ensures that every area of your organisation receives adequate attention when it comes to implementing security controls.
Documenting your scope is also a requirement of ISO 27001, the international standard that describes best practices for an ISMS.
What should the ISO 27001 scoping document look like?
Organisations often get tripped up by how to document the scope of their ISMS, either guessing or spending an inordinate amount of time researching how much detail to go into and the best way to lay out the information.
However, you can avoid that hassle by using our ISO 27001 ISMS Documentation Toolkit.
Developed by expert ISO 27001 practitioners and enhanced by more than ten years of customer feedback and continual improvement, it contains a customisable scope statement as well as templates for every document you need to implement an effective ISMS and comply with the Standard.
The toolkit contains:
- A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
- Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
- Direction and guidance from expert ISO 27001 practitioners.
A version of this blog was originally published on 24 May 2018.
With the number and sophistication of cyber attacks increasing significantly, organisations have had to become aware and adapt to new and evolving digital threats. Yet, many would still consider the simple error of sending an email to the wrong contact trivial, at most embarrassing, but not of concern when it comes to data security. However, misaddressed emails have far-reaching consequences that can seriously impact an organisation, especially in highly regulated industries such as healthcare and finance. From fines to data breaches, what are the potential ramifications of sending an email to the wrong address?
Reputational and Financial Damage
BitMEX, one of the world’s largest cryptocurrency trading platforms accidentally leaked thousands of private customer email addresses when they sent out a mass mailshot without using the BCC function. While the company maintains that customer privacy remains a top priority, its customers were left wondering how they could trust BitMEX with huge personal assets in the aftermath of this data protection failure.
A similar incident in 2018 led to the Independent Inquiry into Child Sexual Abuse (IICSA) being fined £200,000 by the Information Commissioner’s Office (ICO) for failing to protect the identity of possible victims of child abuse after a human error accidentally exposed victim identities to third parties, when they included their email addresses in the ‘To’ rather than ‘BCC’ field. In the age of increased data protection regulations, this example demonstrates just how seriously the ICO takes these types of data breaches. The pain of embarrassment from sending an email to the wrong contact pales in comparison to the business pain from financial penalties.
Intellectual Property Loss
Should confidential corporate information fall into the wrong hands, the consequences could be devastating. Crucial company information such as trade secrets or blueprints of an unpatented new product leaking into the public domain could easily be intercepted by the competition, resulting in a lost competitive advantage.
All it takes is a simple missed or added character in the email address, autocorrect taking over, or simply pressing send too soon and the information that was once confidential is sitting in the wrong inbox. It could be that of an unknown individual, competitor, or even a cyber-criminal.
In 2018, Commonwealth Bank staff inadvertently sent 651 emails to an overseas company as they forgot to include ‘.au’ at the end of the domain that should have read ‘cba.com.au’. This data leak occurred over a long period without anyone noticing, so could have potentially exposed sensitive company data or private customer information to competitors, putting the company at serious risk. However, luckily on this occasion, the company confirmed that no customer data had been compromised.
Hackers can capitalise on this complacent email culture by cleverly disguising emails to look like they are coming from inside the company, but actually, have a similar spoofed domain name that the employee would probably fail to spot on a first glance. Potentially opening the organisation up to a devastating hacking, malware or ransomware attack and a clear reason why Business Email Compromise (BEC) scams continue to be popular with cybercriminals.