
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Differences?

The adoption of laws protecting the data of individuals and consumers is becoming a driving force to push organizations to revisit their security around client and personal data. In addition, with the rise of government legislated personal data protection laws such as GDPR, individuals in other jurisdictions are now looking for better personal data protection. In this presentation, we will examine two US laws as well as the ISO/IEC 27001 standard and we will look at commonalities and differences between these three and how data security is driven from each.

The webinar will cover:
• An overview of the state of data security/privacy today
• Current trends driving adoption of stronger data protection standards/laws
• An overview of data protection in ISO/IEC 27001, CCPA, and the NYC Shield Act
• A comparison of ISO/IEC 27001, CCPA and the NYC Shield Act
• Lessons to be applied

Recorded webinar:

ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Differences?

  1. Agenda: ISO/IEC 27001 vs. CCPA vs. NY SHIELD Act: What are the similarities and differences?
     • Overview of current state of data security/privacy
     • Current trends driving adoption of stronger data protection standards/laws
     • Data Protection in ISO/IEC 27001, CCPA, and NY Shield Act
     • Roundtable: Comparison of ISO/IEC 27001, CCPA and NY Shield Act
     • Roundtable: Lessons to be applied
  2. Current state of data privacy/security
     • Privacy of Personally Identifiable Information (PII) and Patient Health Information (PHI) is becoming a focus of concern for governments, organizations, and individuals around the globe.
     • Cyberattacks are targeting data more than any other resource.
     • Ransomware and data breaches are making headlines globally and on a recurring and frequent basis.
  3. Data Protection Evolutions Underway
     • Blockchain-driven data authenticity, integrity, and protection
     • Protective measures for cloud-hosted data
     • Fake news and deepfake detections are being matured
     • Artificial Intelligence is being used as both a weapon and a defensive measure
  4. Three examples of security guidance for data protection.
  5. ISO/IEC 27001
  6. Overview of Data Protection/Privacy in ISO/IEC 27001
     ISO/IEC 27001 is:
     • An international standard that “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization”
     • Focused on information security overall, from governance of an ISMS to secure development practices and more
     • Not a mandatory/legislated standard with which an organization must comply
     • A standard against which an individual or an organization can be certified
     • A baseline for many other standards, frameworks and even some legislation
     ISO/IEC 27001 specifically references privacy and protection of personally identifiable information in A.18.1.4:
     • “Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable”
     and generally covers the topic in section A.18 Compliance.
  7. Implementing ISO/IEC 27001
     • A.18 Compliance
     • A.18.1 Compliance with legal and contractual requirements
       Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
     • A.18.1.1 Identification of applicable legislation and contractual requirements. Control: All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
     • A.18.1.2 Intellectual property rights. Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
     • A.18.1.3 Protection of records. Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
     • A.18.1.4 Privacy and protection of personally identifiable information. Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
     • A.18.1.5 Regulation of cryptographic controls. Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
  8. Compliance Requirements for ISO/IEC 27001
     • Compliance with ISO/IEC 27001 is typically voluntary unless otherwise required in specific instances (e.g., in state lottery and gaming, compliance with ISO/IEC 27001 is often required).
     • Certification of an organization against ISO/IEC 27001 is possible via a certified and authorized certification and audit entity.
  9. “Gotchas” for ISO/IEC 27001
     • Although only section A.18.1 specifically mentions privacy and protection of PII, the remainder of this standard includes vital security controls for protecting data in its many states. For example, A.17 covers business continuity, A.16 covers information security incident management, etc.
     • Adding ISO/IEC 27701:2019 to ISO/IEC 27001 will add privacy controls to your security compliance toolkit; this is highly recommended given today’s privacy regulation landscape.
     • ISO/IEC 27002:2013 is often confused or conflated with ISO/IEC 27001, but 27002 is a set of best-practice guidance to help an organization implement 27001 and is not a standard against which an organization can achieve certification (that is achieved against 27001).
  10. California Consumer Protection Act (CCPA)
  11. Overview of Data Protection/Privacy in CCPA
     • Inspired by the GDPR as a stronger privacy legislation for residents of California.
     • Emphasis on privacy rights for consumers.
     • Excludes employee data, “publicly available information”, de-identified and aggregate information.
     • Consumers may pursue civil action as “a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
  12. Implementing CCPA
     • Determine what your organization is: are you a business, service provider, or third party?
     • Have a Privacy Notice that includes the categories of PI collected, how it is collected and the purpose of use, and that explains the user’s rights under CCPA, OR have a separate page for California residents.
     • If selling PI, provide a notice to the user about the sale. This must include an option for the user to “opt out” of the sale of their information.
     • Set up at least two methods for users to contact your business if they have privacy concerns. At minimum, have a website or toll-free number.
     • Much of CCPA relies on recognizing “categories” of data. Data classification is therefore your friend.
     • Train staff: how do they direct consumers wishing to exercise their rights?
  13. Compliance Requirements for CCPA
     • Update contracts
       • Specify the organization’s definition under CCPA
       • Service provider contracts: must prohibit retention, use and disclosure of PI outside the specific purposes of providing services.
     • Web page updates:
       • A section on the website (Do Not Sell My Personal Information) that allows users to opt out of information sales. The section should be easy to find from the home page.
     • User rights:
       • The right to request that a business delete information collected on the consumer (exemptions may apply)
       • The right to request what information is collected and processed, why, and when PI is shared or disclosed
       • The right to request, when PI is sold, the categories of PI sold and the categories of parties to whom it was sold
       • The right to request that a business not sell their information (the right to opt out)
       • The right not to be discriminated against for exercising privacy rights
  14. “Gotchas” for CCPA
     • ALWAYS verify requests for data, per the law. Unverified requests are a gold mine for attackers.
     • Very little advice for data protection implementation. However, it makes references to “unencrypted” information as insecure.
     • Exemptions for other laws: if your business is a “covered entity” or “business associate” that deals with protected health information under the Health Insurance Portability and Accountability Act (HIPAA), it may be exempt.
     • Admittedly lots of confusion, even among industry pros, on implementation.
     • CCPA 2.0 is already on the ballot for November, 2020.
     • If passed, CCPA 2.0 will be in force in 2023.
  15. New York (NY) SHIELD Act
  16. Overview of Data Protection/Privacy in NY SHIELD Act
     • "Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)"
     • The SHIELD Act requires "any person or business that owns or licenses computerized data which includes private information of a resident of New York [state]" to implement the Act's Data Security Program.
     • This applies to companies across the entire world, regardless of whether they have any presence in New York or even the United States.
     • This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data.
     • It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security and provides standards tailored to the size of a business.
  17. Implementing NY SHIELD Act
     • Reasonable administrative safeguards, such as a program that:
       • designates one or more employees to coordinate the security program
       • identifies reasonably foreseeable internal and external risks
       • assesses the sufficiency of safeguards in place to control the identified risks
       • trains and manages employees in the security program practices and procedures
       • selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract; and adjusts the security program in light of business changes or new circumstances.
     • Reasonable technical safeguards, such as a program that:
       • assesses risks in network and software design
       • assesses risks in information processing, transmission, and storage
       • detects, prevents, and responds to attacks or system failures
       • regularly tests and monitors the effectiveness of key controls, systems, and procedures.
     • Reasonable physical safeguards, such as a program that:
       • assesses risks of information storage and disposal
       • detects, prevents, and responds to intrusions
       • protects against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
  18. Compliance Requirements for NY SHIELD Act
     • The SHIELD Act requires organizations to adopt “reasonable” security practices, policies and procedures to safeguard sensitive data in three critical ways: administrative safeguards, technical safeguards and physical safeguards.
     • Taking into account the differing sizes and resources of businesses, the SHIELD Act emphasizes that the programs should be reasonable. At a minimum, it requires ongoing monitoring of the implemented policies and procedures, regular risk assessment of the business’s technical infrastructure and physical premises, training of personnel, reasonable vendor due diligence, as well as designating an individual responsible for the required policies, practices, assessment and maintenance.
     • Small-business exemptions do exist; however, they still require a security program that is modifiable and scaled in accordance with the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information collected.
     • You are automatically considered compliant if your business is regulated by and compliant with the Health Information Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach-Bliley Act, New York’s Cybersecurity Requirements for Financial Services Companies, and any other federal or New York cybersecurity legislation.
  19. “Gotchas” for NY SHIELD Act
     • Similar to the CCPA and the GDPR, the SHIELD Act expands liability to any organization that collects private information of New York residents, regardless of where it was collected. This means that an organization does not necessarily have to conduct business in New York in order to come under the purview of the SHIELD Act.
     • New York’s data and privacy laws require that in the event of a breach, the business must notify any and all New York residents whose private information may have been compromised. Now, with the expanded definitions of breach and private information, there is the potential for more events that will trigger New York’s breach notification requirements. Further, with these laws applying to any business that has New York residents’ information regardless of where the business is located, such breach notifications will apply to far more businesses and any breaches they may experience.
     • “Private information” is a subset of personal information. Under the SHIELD Act, private information has been expanded to include any account information, biometric data (like iris scans, fingerprints, voiceprints, images, etc.) used to authenticate someone’s identity, and usernames or emails in combination with passwords, security questions or passcodes.
  20. Round Table
  21. Commonalities
     • Similar to the CCPA and the GDPR, the NY SHIELD Act expands liability to any organization that collects private information of New York residents, regardless of where it was collected. This means that an organization does not necessarily have to conduct business in New York in order to come under the purview of the NY SHIELD Act.
     • At a minimum, the NY SHIELD Act requires ongoing monitoring of the implemented policies and procedures, regular risk assessment of the business’s technical infrastructure and physical premises, training of personnel, reasonable vendor due diligence, as well as designating an individual responsible for the required policies, practices, assessment and maintenance. CCPA is similar in these requirements, and ISO/IEC 27001 would have similar requirements as well.
  22. Differences
     • Whereas CCPA and the NY SHIELD Act require compliance from the entities to which they apply, ISO/IEC 27001 is not a mandatory standard.
     • CCPA and the NY SHIELD Act focus on protecting the data of the person, while ISO/IEC 27001 focuses on protecting all types of critical data, infrastructure, applications and the organization itself.
  23. Takeaways
     • One standard/legislation can be used to support compliance with another.
     • When implementing compliance with a standard or legislation, it is important to maintain evidence of your compliance and to self-audit as well.
     • No one security standard or legislation should ever be relied upon as the only element in your security program.
     • Designate a Privacy Officer or security team to manage your privacy/data protection (note that a Privacy Officer is required in many cases!).
     • Complete an organizational risk assessment and ensure you have also classified your data as part of this exercise prior to implementing any security or privacy controls.
  24. ISO/IEC 27001 Training Courses
     • ISO/IEC 27001 Introduction, 1-day course
     • ISO/IEC 27001 Foundation, 2-day course
     • ISO/IEC 27001 Lead Implementer, 5-day course
     • ISO/IEC 27001 Lead Auditor, 5-day course
     Exam and certification fees are included in the training price.
     https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
     www.pecb.com/events
  25. THANK YOU
     bloom@victoriamcintosh.com
     linkedin.com/in/victoriamcintosh/
     asenglish@hotmail.com
     derekrs@gmail.com
     linkedin.com/in/englishtony
     linkedin.com/in/derek-stephenson-90628b113
