The FBI has updated its advice to companies to be more understanding when companies decide to pay their attackers for the key. The updated advice says it does not advocate the payment of ransoms, but understands that a company faced with no alternative to recreating their data are in a
Historically, Third Party Assurance meant evaluating the financial resilience of an organisation to determine whether they were viable enough to deliver what you needed. Today, the Third-Party Assurance landscape has moved on significantly. Like the expanding Universe, Third Party Assurance regulation, legislation and requirements seem to be accelerating. Anti-money laundering,
This initial investigation was triggered by guidance that was released by the ICO in the UK, that insists that processors must allow audit and inspection rights to their controllers in their contractual terms. In the GDPR , Article 28.3.h states: That contract or other legal act shall stipulate, in particular,
There is a lot to be said for the similarities between getting breach ready, and getting beach ready. Both require careful planning and a relentless focus. Both also ensure that you are not left with your arse hanging out. Effort Both require effort. Breach preparations requires a detailed understanding of
We left off last time out on Risk Treatment. The previous post is here. So following up using ISO 27001 as a base for our questions, the next section would be Performance Evaluation. Performance Evaluation In ISO 27001 speak, this is the monitoring of your security controls. You can understand
In my previous post, we left the GDPR review at Clause 74. This was quite a deliberate breakpoint, as Clause 75 and 76 take us straight into the meat of the DPIA (Data Protection Impact Assessment). Privacy Impact Assessment The ISO 27701 Standard refers to a Privacy Impact Assessment as
The US Department of Defense recently released version 0.4 of its CyberSecurity Maturity Model Certification (CMMC). This is supposed to make third parties more accountable for their security controls to the DoD for the sensitive information they handle. If you cannot follow the link, it is because you are not
On August 30th 2019, Judge Paul W. Grimm of the US District Court of Maryland set a precedent that could change the way forensic reports of data breaches are written. Marriott failed to block the release of the PCI Forensic Report that was conducted by external cyber specialists in November
Monitoring controls for ISO 27001 have been around for a while. Even back in the days of BS7799 (yes, I’m that old), there were well laid out plans for what should be monitored and why. I’m going to have a crack at monitoring controls for ISO 27701, for the additional
