Top Trends in Third-Party Risk Management for 2019
You’re a CEO. You’re standing in a room with the CEOs of your two top competitors. You look to your left, and you look to your right. Odds are, two of the three of you will suffer a security breach as a result of a third party.
According to recent research from the Ponemon Institute, which surveyed more than 1,000 CISOs and other security and risk leaders in 2018, roughly 61% (about three in five) of U.S. companies have experienced a data breach caused by a third party. More alarming still, that number is growing: it is up 5% over 2017 and up 12% over 2016.
What’s fueling the rise in third-party security and privacy incidents?
Implementing SailPoint’s IdentityIQ for an Industry Leading Gas & Electric Company
An industry-leading energy transmission and distribution company engaged Focal Point for IAM services. The company delivers electricity and natural gas to an expanding customer base, serving approximately 302,000 electric customers and 80,000 natural gas customers across a service area that covers one of the most populated regions of the northeastern United States.
A CCPA Update: Preparing for Public Forums and the Look-Back Requirement
Since the California Consumer Privacy Act (CCPA) was signed in 2018, it has stirred up considerable controversy among tech companies, privacy advocates, and government officials. This regulation has fueled an increase in state privacy laws and ushered in the possibility of a comprehensive federal privacy law. The road to implementation for the CCPA has been a winding one. Although we are still a year away from the deadline, public forums are underway, and many organizations have already begun preparing to meet the CCPA's 12-month "look-back" requirement. This post is an update on the current status of the regulation, the look-back requirement, and what you need to know about the CCPA public forums.
Data Privacy Day 2019: Privacy Trends to Watch in 2019
It's hard to believe it's already Data Privacy Day 2019. At this point last year, the data privacy world was in an all-consuming scramble to prepare for the GDPR. In some ways, we've come a long way since then - the GDPR is here, many companies have adjusted, and new laws and trends are beginning to edge into the spotlight.
But in other ways, much is still the same - organizations are still redesigning key privacy processes (thanks to the CCPA), we're still waiting on federal legislation in the U.S., and breaches and fines are still piling up.
A lot happened in 2018, and we could spend days reflecting on all the changes we saw. But on Data Privacy Day 2019, we'd like to take a few minutes to look ahead at what 2019 has in store for the world of data privacy.
2018 in Review: A Year of Internal Penetration Testing
I had a manager who liked to say, "There are no advanced techniques – only the basics, mastered." While I'm not sure that always applies to this field, I think the core lesson holds a lot of wisdom for information security professionals.
So, in the interest of getting better at the basics, I reviewed our 2018 penetration testing projects and reports to see what issues were at the heart of these engagements. Even though each assessment took place in a different environment, noteworthy trends became apparent as I looked at them side by side.
I focused on internal penetration testing engagements, which are conducted from within a client network and allow our team to identify the security risks posed by an attacker who has bypassed the external defenses (through phishing, vulnerable applications, etc.) or gained physical access to the network as an employee, contractor, or visitor. These assessments give us a unique perspective on an organization's security posture.
During this process, I looked at the exploit chain (the discrete steps taken between gaining network access and achieving the assessment goals) for each engagement and identified the most prominent issues repeated across internal testing engagements. This allowed me to see which attacks have been most successful and which mitigations would have been most effective against them.
In this post, I’ll examine five of the most common issues found in internal environments throughout 2018 that directly contributed to domain, system, and data compromise:
Prevention Is the Best Medicine: A Guide to SAP Security Health Checks
Preventative, ongoing maintenance and monitoring of your users' SAP security access is critical to avoiding significant deficiencies or control weaknesses. A governance, risk, and compliance (GRC) tool (such as SAP GRC, Control Panel, ComplianceNow, or ERP Maestro) is a great start, but there is more to monitor. System parameters and client settings are also part of your audit, yet they fall outside the monitoring scope of most GRC applications.
Regular security health checks are key to (1) identifying these access issues before they spiral out of control, (2) mitigating the risk from control deficiencies, and (3) ensuring your security administrators are following best practices. In an SAP environment, security health checks are periodic assessments of the key application-layer IT general controls (ITGCs) related to user access. They should cover sensitive access monitoring, general access monitoring, and mitigating control assignment, as well as any other ITGC controls your external auditor may assess.
Understanding the Differences between PIAs and the GDPR’s DPIAs
Since May 25, 2018, organizations have been required to perform data protection impact assessments (DPIAs) under the General Data Protection Regulation (GDPR). Organizations use DPIAs to assess whether certain data processing activities pose a risk to the rights and freedoms of individuals. However, because DPIAs are similar in name to the much more familiar privacy impact assessment (PIA), there has been some confusion among privacy and risk management teams, who have mistakenly treated them as the same type of assessment. In fact, DPIAs and PIAs are quite different: they help teams achieve separate goals and assess different areas of privacy. This post focuses on the key differences between these two types of assessments and the roles they each play in a GDPR-compliant privacy program.