With the California Consumer Privacy Act (CCPA) set to take effect on January 1, 2020, the need for businesses to implement a comprehensive data security strategy that ensures “reasonable security” is no longer just a good idea — it’s a legal requirement.
What’s the rationale behind the new law? In today’s tech-focused business environment, data breaches aren’t just likely — they’re inevitable. As such, every business is required to have, or to be able to demonstrate that it’s developing, a fully realized strategy to avoid breaches, and to deal with the fallout should those precautions fail. In other words, your business is now required to have a data protection plan that’s both preventive and reactive.
The requirements of the CCPA can be broken down into three main categories. To achieve compliance with the new mandate for “reasonable security,” businesses must be able to demonstrate:
- A formal, fully-documented, company-wide information security program
- A system for training and testing employees, as well as keeping their access points secure
- The ability to handle consumer data requests without compromising security
In the past, cybersecurity has too often been regarded as the responsibility of the IT department alone. But what these new regulations make clear is that compliance with the CCPA — and, likely, with other state-specific and potential federal regulations to follow — is no longer simply an IT issue but a company-wide priority.
9 Steps for Achieving ‘Reasonable Security’
Breaking down these “reasonable security” requirements even further, legal experts have defined nine action items for companies to achieve compliance.
1. Implement an InfoSec Program
This involves creating a formal, fully documented information security management program to protect the confidentiality, integrity and availability of your information and that of your customers and clients. Complete with comprehensive written policies and procedures, this plan should follow established cybersecurity guidelines like NISTIR 7621 Rev. 1 (Small Business Information Security: The Fundamentals) or the NIST Cybersecurity Framework (CSF).
Your InfoSec program should be overseen by an information security manager with senior leadership credentials, such as a C-Suite executive or upper management figure, or a high-level IT professional like your CIO or IT Director. This individual should have the power to leverage company resources and subject matter experts as needed, while directing a cross-functional steering committee. In other words, a mid-level IT team member is NOT sufficient!
After you’ve appointed your information security manager, your next step is an information risk assessment to identify the specific, and sometimes unique, risks threatening you and your clients. From there, you can document the criteria needed to maintain security at all touch-points, both internal and external, and formulate a plan with the help of a subject matter expert (SME).
2. Hire or Consult an SME Security Specialist
Your information security manager, the individual responsible for leading your InfoSec program and all related efforts to meet the “reasonable security” requirement, will lead your company-wide push for compliance with the new cybersecurity laws. That role should be supported by an expert in data security.
This expert should be someone who can optimize data security in a technical sense — someone with a career dedication to information security, such as a Certified Information Systems Security Professional (CISSP). This professional should be either hired specifically for the role, or a consultant who can dedicate the time you need to ensure compliance with the key points of the new security regulations.
3. Hold Regular InfoSec Meetings
On at least a quarterly basis, your information security manager must meet with executive management to review your company’s information security profile, as well as all efforts being made to meet the “reasonable security” regulations.
These meetings keep the entire organization apprised of material cybersecurity events that have occurred since the last report, as well as changes in the threat environment or in your company’s risk exposure. Remember that these elements are in continuous flux and can never be treated as static; they require consistent diligence and regular updates.
4. Formalize Management Processes for Sensitive Data
This involves implementing a formal program to protect the sensitive information of customers, patients and/or any other external parties your company comes into contact with, including (but not limited to) credit card and payment information, personally identifiable information (PII) such as age and address, protected health information (PHI) covered by HIPAA, and information about minors.
In addition, this plan should include a strategy for ensuring that your company’s internal data is protected, including intellectual property, trade secrets, operational reports, proprietary data and other applicable information.
5. Set Up Protection for Your IT Interface
Your data protection strategy must include a plan for protecting externally exposed touch-points, such as network entry points and password and authentication protocols. This includes documenting every instance of access, making sure each access event is attributable to an identifiable individual, and keeping comprehensive audit logs that are recorded and securely retained.
This step also entails eliminating shared accounts and ensuring that all remote network access goes through a virtual private network (VPN) with two-factor authentication. A list of authorized and unauthorized hardware and software must also be maintained, and the use of vetted and approved systems strictly enforced and documented.
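As an added example (not from the original article, and not Omnistruct’s own tooling), the following Python script checks access-log lines for two of the controls in this step: remote access that bypassed two-factor authentication, and accounts that look shared because they are used from more than one source address within a short window. The log format, field names, sample lines and the ten-minute concurrency window are all constructed assumptions; adapt the parser to whatever your VPN or directory actually emits.

```python
"""Audit access-log lines for two of the step-5 controls:
per-person accountability (no shared accounts) and 2FA on remote access.

Added example, not from the original article. The log format is a
constructed, hypothetical one; each line looks like:
  <ISO-8601 timestamp> user=<name> src=<ip> path=<vpn|office> mfa=<yes|no>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). helpdesk is used from two
# addresses 33 seconds apart; msmith comes in over VPN without MFA.
SAMPLE_LOG = """\
2019-12-02T08:01:10Z user=jdoe src=203.0.113.10 path=vpn mfa=yes
2019-12-02T08:03:42Z user=helpdesk src=198.51.100.7 path=office mfa=no
2019-12-02T08:04:15Z user=helpdesk src=198.51.100.9 path=office mfa=no
2019-12-02T08:05:00Z user=msmith src=203.0.113.44 path=vpn mfa=no
2019-12-02T11:30:00Z user=jdoe src=192.0.2.5 path=vpn mfa=yes
2019-12-02T11:31:00Z user=jdoe src=192.0.2.5 path=vpn mfa=yes
"""

# Assumed threshold: two different source addresses for one account within
# this window is treated as a shared-credential indicator. Tune per environment.
CONCURRENCY_WINDOW = timedelta(minutes=10)
REQUIRED_FIELDS = ("user", "src", "path", "mfa")


def parse_line(line):
    """Parse one log line into a dict; reject malformed or incomplete lines
    rather than silently skipping them, so gaps in the audit trail are visible."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r} in {line!r}")
        rec[key] = value
    for key in REQUIRED_FIELDS:
        if key not in rec:
            raise ValueError(f"missing field {key!r} in {line!r}")
    return rec


def parse_log(text):
    """Parse every non-blank line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def remote_logins_without_mfa(records):
    """Remote (VPN) access events that did not complete two-factor auth."""
    return [r for r in records if r["path"] == "vpn" and r["mfa"] != "yes"]


def suspected_shared_accounts(records, window=CONCURRENCY_WINDOW):
    """Map each account used from more than one source address within
    `window` to the sorted list of addresses involved."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        for i, rec in enumerate(recs):
            for prev in recs[:i]:  # earlier events for the same account
                if rec["ts"] - prev["ts"] <= window and prev["src"] != rec["src"]:
                    flagged.setdefault(user, set()).update({prev["src"], rec["src"]})
    return {user: sorted(addrs) for user, addrs in flagged.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in remote_logins_without_mfa(records):
        print(f"VPN login without MFA: {rec['user']} from {rec['src']} at {rec['ts']}")
    for user, addrs in suspected_shared_accounts(records).items():
        print(f"possible shared account: {user} used from {', '.join(addrs)}")
```

Both checks only work if every access event is logged with a real per-person identity, which is the point of the “no shared accounts” rule: a generic `helpdesk` login tells you nothing about who acted, and the concurrency check is just a way to surface such accounts from the logs you already keep.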
6. Ongoing IT Infrastructure Management
From data servers to employee mobile phones, all IT infrastructure must be used in a way that’s consistent with security best practices. This means following formal documented standards, processes and procedures for managing the security in accordance with the Center for Internet Security (CIS) Critical Security Controls.
Again, these are standards that aren’t static but continuously updated, reinforcing the need for your information security manager to hold regular audits and updates to ensure that the procedures used are always in accordance with the latest data security regulations.
7. Security Vendor Management
To comply with the new “reasonable security” regulations, your business must also implement formal and fully documented standards for ensuring that the third parties with whom you share information are equally in accordance with applicable standards.
These third parties can include vendors related to your IT efforts, like data centers, cloud service providers and disaster recovery providers, as well as those who aren’t, like temp agencies or on-demand customer service providers. Their compliance should be reported to your information security manager on a regular basis, and included in your company’s reports and overall assessments.
8. Implement a Business Recovery Plan
Incident response and business continuity plans are an integral part of data security. Essential to ensuring that sensitive data isn’t lost or compromised by natural disasters or hostile action, a business recovery plan involves not just data security but an actual disaster response plan, an increasing necessity in an era of heightened weather events and global unrest.
9. Secure the Human Elements
Creating a system of training and testing, not just for regular employees but temp and peripheral workers, is not only one of the key elements of a data security plan, but also potentially the one that reaches farthest beyond your IT department.
This includes making sure that all staff members receive information security awareness training at the time of hire or assignment commencement, and at least annually thereafter. In addition, all technical staff should receive role-specific continuing education in information security, covering topics such as privacy management, asset controls and secure software development.
And for best results, this training should go above and beyond on-site sessions to include attending off-site educational courses, conferences or seminars, university-level education, volunteer work, and membership to security-oriented organizations like ISSA, ISACA or CompTIA.
We understand that these “reasonable security” requirements can be intimidating, particularly for organizations that haven’t yet created a data security plan that surpasses basic IT best practices to encompass a company-wide strategy. That’s a larger group than you may think, including a share of billion-dollar companies that have yet to confront the realities of truly comprehensive cybersecurity.
To achieve each of these nine factors — or to receive guidance in how to do so — it’s essential to have a partner with the specific expertise to ensure compliance at each and every step of the process.
As California’s premier provider of cybersecurity solutions, Omnistruct is the smart choice to help you assemble all the elements listed above into one comprehensive strategy in a way that not only meets these new requirements, but does so in a way that minimizes your operational expenditures and ensures harmony across all the affected departments. Contact us today or register for our free webinar on this topic!