Most people do not regard their cybersecurity and privacy documentation as a proactive security tool.
On the contrary, many view documentation as a passive effort that offers little protection to a company, generally an afterthought that must be addressed to appease compliance efforts.
Where documentation may get some much-needed respect is through Ohio’s recent passing of the Ohio Data Protection Act (ODPA), legislation which supports the premise of properly scoped cybersecurity and privacy documentation being used as a proactive tool to reduce risk. This article covers the real-world, tangible benefit that good cybersecurity and privacy documentation can offer.
The ODPA takes a novel approach to data protection laws in the United States.
In contrast to earlier Oregon and Massachusetts state data protection laws that contain checklists of mandatory requirements, Ohio passed a law that (1) does not prescribe a minimum set of cybersecurity requirements and (2) is optional for businesses to follow.
Yes, you read that correctly. The law is optional, and businesses are given no specific requirements. What Ohio did was allow businesses to be protected from a tort (civil lawsuit) within the state of Ohio that alleges a defendant’s “failure to implement reasonable information security controls resulted in a data breach concerning personal information.” In order to be protected by this safe harbor, businesses must align with a leading cybersecurity framework. Ohio went as far as defining which cybersecurity frameworks are acceptable.
This data protection law is unique since it rests on an affirmative defense, which allows a defendant to introduce evidence that, if found credible, can negate civil liability even if the allegations are true. In practical terms under this law, if a company is sued in the state of Ohio over a legitimate data breach, the lawsuit can be dismissed if the company can prove its cybersecurity program was aligned with a leading cybersecurity framework (e.g., NIST 800-171, NIST 800-53, ISO 27002, CIS CSC, etc.) at the time the incident occurred. Note that the burden of proving that alignment falls on the defendant.
While it applies only to businesses subject to Ohio’s legal jurisdiction, this law may start a national trend that shifts the burden to the business for defining and implementing “what right looks like” for cybersecurity and privacy controls.
There are several reasons this law is appealing to legislators:
- Legislators do not have to contend with managing their own control set as technologies and threats evolve;
- Legislators get to take credit for being tough on cybersecurity and privacy without actually having to do much;
- Businesses have no room to complain about unnecessary government overreach since businesses have the responsibility to define the controls framework that they will use;
- Businesses can avoid extra costs by leveraging existing audits such as ISO 27001, NIST 800-171 and PCI DSS to demonstrate compliance; and
- The court system should see a decrease in civil lawsuits due to cases being dismissed under affirmative defense protections.
There are a few downsides to this law, however. These include the following:
- The injured parties are out of luck for civil damages. The affirmative defense is essentially the state admitting that “sh*t happens,” and injured parties cannot recover damages when reasonable steps were taken. This may create a market for both individual and commercial data protection insurance options for those cases where civil damages are unobtainable.
- While the law identifies acceptable frameworks, it glosses over how an entity can be considered compliant based on the “scale and scope” of the entity’s cybersecurity program. The vagueness of the phrase “reasonably conforms to an industry recognized cybersecurity framework” leaves significant room for interpretation.
For businesses that operate in Ohio, it would be advisable to comply with the ODPA. You should start by identifying the correct cybersecurity framework with which to align. Towards that end, you should take into account not only the legal and regulatory obligations that you must comply with but also the compliance obligations that flow down from clients and partners. This scoping exercise also has to take into account third-party service requirements and how they will impact your supply chain.
When you look at the elements influencing control adoption, there are a few frameworks that cross industry verticals:
- NIST Cybersecurity Framework
- NIST 800-171
- ISO 27002
- SOC 2
- EU GDPR
- CCPA (the upcoming California privacy law)
If you are at a loss for where to start, you may want to look at this model from the Secure Controls Framework:
- Gather Pre-Requisites
  - Identify applicable statutory, regulatory and contractual requirements.
  - Identify all geographic locations where data is stored, transmitted and processed.
  - Identify all key stakeholders and third-party service providers.
- Define the Scope
  - From the coverage provided by the SCF, select only those requirements that are applicable (based on the pre-requisites gathered in the previous step).
  - Ignore or remove the other requirements since they are not applicable to your current business model.
- Prioritize Controls
  - Using the control weighting built into the SCF, prioritize your controls implementation starting with weight 10 and working towards 1.
  - View this prioritization as a project. You should create a project plan to manage it.
- Assign Controls
  - Use the SCF’s 32 domains to help with the assignment of controls to the correct teams or individuals.
  - Educate control owners to implement controls based on risk (control weighting) so that the most important controls are addressed first.
- Monitor Controls
  - Require control owners to periodically report on the status of assigned controls and track those metrics.
  - Report metrics to management to identify good/bad trends and to gain support to remediate control deficiencies.
About the Author: Tom Cornelius, CISSP, CISA, CIPP/US, CRISC, PCIP, MCITP, MBA is the senior partner at ComplianceForge and founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements. He is a graduate of the United States Military Academy (USMA) and a former military police officer who has worked across multiple industries to help build cybersecurity programs at Fortune 500 companies. ComplianceForge is a specialty cybersecurity firm that focuses on governance, risk, compliance and privacy-related documentation. Their solutions help companies define and document their cybersecurity governance programs to comply with specialized requirements, such as NIST 800-171, FAR and EU GDPR.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.