Cyber response planning: Identify framework and controls

window-peopleA cyber-response plan should start with a framework that’s relevant to your business. And depending on the industry your organization belongs to and the type of data you need to protect, your framework could already be set by outside standards. For instance, if you accept credit cards you must comply with PCI. For financial institutions, FFIEC is the ruling standard. If your organization handles medical information, HIPAA standards and oversight will help guide you.

What if you don’t follow a regulatory standard? Choose a general security framework like one these below to guide you:

  • ISO – International set of standards
  • NIST –US federal government agency standards
  • AICPA – Auditing standards for service organizations
  • CSA – A standard directed to cloud service organizations

Understanding regulations related to privacy of information is a special area, and a critical one, as there are a wide variety of privacy laws around the world. All but three of the United States (Alabama, New Mexico and South Dakota) currently have unique privacy laws. Others, like Washington D.C., Guam, Puerto Rico and U.S. Virgin Islands, have their own laws.

If your organization handles international data you need to be aware of General Data Protection Regulation (GDPR), which replaced the EU Data Privacy Directive, as well as the regulations of each international country, as each has its own version. You must also know about Privacy Shield, which replaces Safe Harbor.

Yes, it seems complicated. Know that all these different standards, regulations and provisions mean that if you have a breach of personal data, you will most likely need an attorney who specializes in privacy law.

And if that isn’t enough, how and when you notify those touched by the breach may be legislated as well. Some breach laws state individuals must be alerted as soon as unauthorized access to data is suspected. Other laws state you must wait until you are certain the unauthorized access has occurred. One law states that you include how the incident occurred; another states you must not. Again, it’s wise to have an attorney who specializes in such matters close at hand.