Managing GDPR with CISO: and Other Cyber Security Acronyms

Jun. 15, 2018

Updated: Nov. 7, 2018

Cyber-attacks are a national emergency — national regulations are being implemented.

Way back in 2015, former President Barack Obama publically stated that cyber-attacks are a “national emergency,” passing a data-sharing bill the same year in an effort to implement federal mandates to protect the U.S. against cybercrime. Many state governments have also taken measures against cybercrime, developing compliances that need to be met by CISOs who work across multiple states.

December 31st, 2017 brought with it a slew of new federally mandated cybersecurity regulations that need to be met by businesses.

December 31st, 2017 brought with it a slew of new federally mandated cybersecurity regulations that need to be met by all businesses, as well as their teams and subcontractors. In February of 2018, the Department of Energy (D.O.E.) announced the establishment of the Office of Cybersecurity, Energy Security and Emergency Response (CESER), which the D.O.E. states will focus on “energy infrastructure security, support the expanded national security responsibilities assigned to the Department, and report to the Under Secretary of Energy.” For a breakdown of the different cybersecurity acts and description of what they regulate and who they affect, this article by TCDI summarizes the information perfectly.

Domain Computer Services | IT SUPPORT NJ NY PA

Kris Laskarzewski, the Director of Engineering, of Domain Computer Services, understands that not every business is affected by every single regulation. He ensures not only that Domain is abiding by the regulations that apply to us, but that all of Domain’s clients are made aware of what regulations apply to them, and what they need to do to meet those regulations. To streamline this process, Kris has determined the three cybersecurity acts that Domain’s clients most commonly fall under, and have the most impact on the changes companies need to make to bring their cybersecurity strategies up to scratch.

HIPAA

#1:  Health Insurance Portability and Accountability Act (HIPAA)

Since April 2003, the Health Insurance Portability and Accountability Act (HIPAA) affects all health care providers, health plans and health insurance companies, and health care clearinghouses in the United States who electronically transmit any information under a US Health and Human Services (HHS) standard. Organizations cooperating in anyway with companies affected by HIPAA need to comply with HIPAA terms as well when conducting business with said affected companies. To find out of your company needs to comply with HIPAA regulations, please see HIPAA’s Covered Entities page or use their question-and-answer decision tool to find out if you or an individual is considered to be a covered entity.

HIPAA gives end users rights over their health information, setting rules and limits on who can access and send/receive your information and in what circumstances. These regulations apply to all forms of an individual’s medical documentation, regardless of whether this information has been recorded or transmitted electronically, orally, or has been written down by hand. For a more detailed list of individuals’ rights regarding their personal medical information, please see the HIPAA website page for an overview of each section this act applies to.

Regarding entities affected by HIPAA, the following strategies must be implemented in order for companies to meet regulations:

  • Utilize safeguards to protect end users’ health information as well as to ensure they do not improperly disclose your information
  • Reasonably limit the amount of information disclosures needed to accomplish their intended purpose in doing so
  • Implement procedures limiting who can view and access an end user’s medical information
  • Implement mandatory training programs for employees about how to properly handle and protect end users’ medical information
  • Business associates of entities under HIPAA regulations must utilize safeguards to protect end users’ health information to ensure that they also do not misuse or improperly disclose end users’ health information.
Limit the amount of information disclosures need to accomplish their purpose
Implement mandatory training programs for employees about how to handle and protect end user's information
Implement procedures limiting who can access end user's medical information
Domain Computer Services | IT SUPPORT NJ NY PA

For more detailed information about HIPPA regulations as of March 31, 2018, please see this HIPPA Enforcement Highlights page, or use HIPPA’s FAQ search page to find exact answers to any questions you may have.

NYDFS

#2:  NYDFS Cybersecurity Regulations

The New York Department of Financial Services (NYDFS) cybersecurity regulations, as you might have guessed, only apply to businesses with operating locations in the state of New York.

Effective since August 28, 2017, this act affects all banks, insurance companies, and other financial services institutions that are required to comply with NYDFS regulations. The following requirements need to be met by all institutions affected by this act:

Regarding entities affected by HIPAA, the following strategies must be implemented in order for companies to meet regulations:

  • Utilize safeguards to protect end users’ health information as well as to ensure they do not improperly disclose your information
  • Reasonably limit the amount of information disclosures needed to accomplish their intended purpose in doing so
  • Implement procedures limiting who can view and access an end user’s medical information
  • Implement mandatory training programs for employees about how to properly handle and protect end users’ medical information
  • Business associates of entities under HIPAA regulations must utilize safeguards to protect end users’ health information to ensure that they also do not misuse or improperly disclose end users’ health information.

For more detailed information about HIPAA regulations as of March 31, 2018, please see this HIPAA Enforcement Highlights page, or use HIPAA’s FAQ search page to find exact answers to any questions you may have.

EU GDPR

#3: EU GDPR

The European Union General Data Protection Regulation (EU GDPR), which will take effect on and must be complied to by May 25, 2018, applies to all European organizations within the European Union (EU), as well as all outside organizations whom do business with or process the data of data subjects within the EU regardless of their location.

This act was created for “the protection of individuals with regard to processing of personal data and on the free movement of such data,” according to EUGDPR.org, which hosts all information pertaining to this act. A few of the key regulations under this act are as follows:

  • Terms and Conditions agreement pages must be written intelligibly and in a manner that is easily understood by all users. Companies are no longer able to use high-level legal or technical jargon to dissuade end users from thoroughly reading and understanding terms of use.
  • Parental consent is required for the collection of data of children under the age of 16.
  • Mandatory breach notifications must be sent to all data subjects from the data controller when a breach may result in end users’ personal data being obtained by an outside entity.
  • Data subjects have the right to receive information from the data controller confirming if, why and where their personal data is being processed at any given time.
  • Data subjects are entitled to be “forgotten” by a data controller, meaning all of their personal data must be erased from that controller’s database per a subject’s request.

For more detailed information about these regulations, see this EUGDPR summary, or refer to this FAQ webpage for other concerns.

Believe it or not, that’s only three of the cybersecurity acts your business may need to comply with.

Believe it or not, that’s only three of the cybersecurity acts your business may need to comply with. That’s a lot for any business to manage, let alone small-scale businesses with limited numbers of employees. In this situation, a Chief Information Security Officer, or CISO, is often the one-stop-shop solution dedicated specifically to monitoring and managing you business’s cybersecurity and ensuring that it properly complies with all necessary regulations. Hiring an on-site CISO, however, may be out of budget for some, or may be to bid of a commitment for others. For businesses in need of a more flexible, customizable and budget-friendly alternative, you’re in luck: Domain’s CISO-as-a-service (CISOaaS) solution provides a full arsenal of information security policies and programs developed to manage and assess risk, vulnerability and network testing, providing you with exactly the services you want out of a CISO at the price point you need.

Here are just a few of the services offered in our CISOaaS solution that can immediately improve your business’s cybersecurity standing and compliance:

  • Policies and Procedures Development

  • — We help you develop custom cybersecurity policies and procedures tailor-made for your business, and ensure that these procedures are implemented and met accordingly
  • Third Party Risk Assessment

  • — We help you protect your business against potential incoming threats via third-party vendors, requiring that vendors complete security assessments and/or confirm that they are compliant with necessary cybersecurity regulations
  • Quarterly Business Reviews

  • — To ensure that you know exactly what’s going on with your business’s cybersecurity, our team will meet with you to review your security posture and gap analysis report in order to keep all executives informed.

The most influential component of a successful cyber security program to ensure your business maintains regulatory compliance for EU GDPA, NYDFS and HIPAA are effective policies and procedures designed for your business. With our CISOaaS solution, you can rest assured that your cybersecurity situation not only meets, but exceeds expectations.

Was this article helpful?

For more information about how Domain Computer Services can benefit you.

Risky Business: Defining 3rd Party Vendor Risk

Hiring third-party vendors to provide services at an affordable rate has gained traction as a major trend among businesses, and exponentially so for businesses in need of IT support. Here’s the catch: “risk” is a pretty broad umbrella term, with no two vendors or regulators defining risk in the same way. To effectively create assessments for third-party vendors, let’s break “risk” down.

Getting SaaSy with SECaaS

Updated: Nov. 5, 2018Your business is at major risk of cyber-attacks, malware infection, and ransomware. So, why not switch on that old firewall you never configured?An astonishingly large group of people will deactivate their firewall shortly after activation. Why,...