
[unclear] My job is to announce the speakers and keep us on time, so I'd like to introduce Joshua. Joshua Widener currently works in information assurance [unclear] from the 48th state university. I believe you're at Baker now, right, which is my people. He has every security certification there is; here's a list of all of them. I'll turn it over to you.

Thank you. My name is Joshua, but I go by JJ because there are a lot of Joshuas out in the world; my first grade class had three Joshuas, so to set myself apart I go by JJ. I haven't been in the space as long as a lot of other professionals, only about three or four years, but I've been in IT for fourteen years, and it's just been IT and information security, a little bit of everything. Over the past three years I really focused on getting certifications: set the goal, study as hard as I can, take the test, achieve the goal, and then what's the next certification? So I became kind of a certification junkie: the CISSP, the CIPP/E, which is the GDPR certification. I'm going after AWS Security next. I have really enjoyed that. In case you didn't know, my privacy alias is Golden Cheetah, [unclear] was my next choice; "the father Kravitz" doesn't really have a good ring to it.

So my talk follows my progress of getting certification after certification. I wanted to go out and speak first, and then I just kept trying to find more. I really enjoyed the ISACA certification process; (ISC)² was great as well, and then I just naturally progressed into information privacy. There was a great segue in the keynote, and I wanted to thank you, Leslie, [unclear]; thank you for sharing that, because that was a great segue to privacy and what we're seeing from a legislative sense, what we're seeing coming down the pipe. We are ready to embark on one of the most legislated periods of cybersecurity and information privacy in history. This is unprecedented, how many regulations are going to be coming out. So I'm going to share a little bit on the GDPR, the CCPA, the New York cybersecurity law, and the NAIC insurance data security law.

Also, my biggest thing is that security doesn't equal privacy, but we can't have privacy without security. Most of us understand that and know that, but I'll make the case that even though we secure things, that doesn't necessarily mean they're private. Whenever we're oversharing: how is this data going to be managed, who's going to own it, who has control, is it being resold? Who knows? Even though the data might be secure, what are the policies and procedures that we're implementing as an organization to make sure the data is being processed in accordance with the law and in accordance with what's best for the end user, the user of our services?

Great quote. I've read that in preparation for a presentation you need to have a quote in your presentation, so here's my quote: "When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else." So I want privacy, but I don't want people to be accountable for it.

New privacy: everybody has probably heard of the GDPR. Is anybody in here a data privacy officer, or works solely in privacy? Part of my second half, my hat [unclear]. If anybody was in the session prior about adding more stuff to our plate, [unclear] I have a feeling information security professionals are going to have privacy embedded, making sure that we have our privacy principles engrained inside as well. I could be wrong; if your organization is large, you might be able to have someone solely focused on privacy.

CCPA: I'm sure if you've been reading up on any privacy regulations, the CCPA is coming down the pipe. It's actually going to be in force January 2020, and for any cloud provider or anybody using cloud services that means our data is going through California; most of them are located in California. Again, I don't know how that's going to play out, but I believe a lot of us are going to be affected, I believe over 500,000 businesses across the United States.

And a US federal privacy law: there's not a whole bunch of information on this, but it is coming. I don't think we as US citizens are going to allow a huge law that we have to abide by if we're not going to hold ourselves accountable to a certain degree for the private information that we have. There are a lot of senators, a lot of bills in the House and Congress, trying to get more privacy regulation put out there. The Government Accountability Office, which provides auditing, evaluation and investigative services for the United States Congress, just released a report in February, a 56-page report about the need for more privacy legislation. So there's going to be something coming out; I don't know when.

So in building this presentation I wanted to provide something that might be helpful. I don't know how helpful it is; after writing up the description of what I was going to talk about and then doing the research, I don't know if it's actually going to be a beautiful picture of how this is going to look. I don't think it's going to be very beautiful. I think there's going to be a lot more legislation, a lot more figuring out what we're going to do with this.

But the GDPR, for its citizens: transparency, being transparent with their policies; what is the data, who has control over the data; assessments performed, on and on and on; where is the data going; who's governing it; who's accountable for it; your board, are they going to be on the hook if there's a breach or if there's an issue with private data? Those are the types of things we need to understand, and that I believe we as consumers need to make a push for, if we're not already. Purpose limitation: how long we're going to keep the data, and actually stick to that and not say we're going to have a retention of seven years and keep it forever. [unclear] Pseudonymization versus anonymization: you're trying to remove any of the personally identifiable pieces of the data, but the data is still intact; you've just taken away the personal element. But if you were to infer from other data sources you could still make an identification of who that person might be, or maybe what gender or race they are. So it is interesting.

On the rights of Californians, it's very similar to what the CCPA and GDPR are trying to do. Those privacy principles are going to be the same across a lot of these regulations. I think the CCPA, with the sale of personal information, took it a little bit further to actually base it on "what are you selling my information for?" The GDPR also has that, but the way the CCPA calls that out is very interesting.

So then, each one of these privacy regulations has a security element; each one of them has a section on acceptable or reasonable security, but there's no prescription of what reasonable is. What's reasonable to a small business or SME versus a corporation? What's reasonable for the controls we have to have in place? Is there reasonable security that we need to have? Yes, of course, but there's no prescription to say, hey, you need to follow this cybersecurity framework, you need to be COBIT 2019. I was at a lunch two months ago and there was a speaker there who was actually going to Israel, and they want to be COBIT 2019 compliant for the whole banking industry in Israel. For those of us that know Israel, they're like the number two cyber powerhouse in the world, and their country is the size of Missouri. So it's very interesting that they want to be COBIT 2019 compliant; if anybody's looked at COBIT, that is unbelievable. [unclear]

So the GDPR is not prescriptive; it says appropriate security for the personal data. They mention encryption in there multiple times, but there's no real prescription, so what is reasonable to one might not be reasonable to another. The CCPA has a little bit more in there: the California Office of the Attorney General said the CIS Top 20 are reasonable. So is that reasonable to all entities, all organizations, to get every CIS control implemented? It might be. That's the law that we're going to have to figure out a way to meet, and that might be what some of us need to make sure we have the power to go to our board, to our cabinet, and say, hey, this is the law, we've got to have funding to be able to get to the CIS Top 20. [unclear] If we get the top six, I've read somewhere that with the top six we can reduce up to 85%. I don't know what organizations are looking at; I find that very interesting.

All right, so the security laws. I was looking at the NYDFS. So the GDPR and CCPA: has anybody read those top to bottom? Yeah, they're fun; they're a fun challenge to read through, with great information actually. I have an app on my phone, and whenever I was studying for the certification test I'd just go through the app on my phone and look over all the articles, read all the articles, read all the comments; there are a lot of comments. Has anybody in the house read the New York DFS cybersecurity regulations? I haven't read them all, [unclear] but I may go through multiple and take notes on all of them. I did look at some commonalities on what the prescription was for security, but still, it was semi-prescriptive: okay, you need to do [unclear]; they had control groups we need to have. So what are those controls we need to have? The auditing, making sure we have proper processes and technology. I don't want to get into all the controls; there's the NIST framework, we go to NIST 800-53 and look at all the controls that we need to do there.

And this I found very interesting: there's the Cybersecurity Disclosure Act; that was kind of a one-off. I was just researching new bills or new regulations that are being submitted, and that one is a new one. And then this: in 2018 there were more than 265 bills or resolutions related to cybersecurity in the House or Congress. So that's a lot. I believe each state is submitting; I don't know whether counties and local municipalities are submitting. So it's really interesting, the landscape of how we're going to see regulations come down and how many of them there are going to be. So as I was saying, it's a little bit more prescriptive for the New York cybersecurity law, and you can read those: governance, asset inventory, access controls. I bet if we look at a lot of these there's [unclear].

So in the NAIC insurance data security law, it's semi-prescriptive: it's saying let's implement these controls based on a risk assessment. Who would agree that you would want to make sure controls are based on a risk assessment? Yeah, it makes sense. But most of them, if they're not in the field, some would say risk assessments might cost too much. I welcome comments or questions.

Why can't you do your own internal assessment? [unclear] It was really written for small businesses and doctors' offices more, but you can; in the body, yeah, I don't think it says it needs to be a third-party risk assessment.

So if we're doing our own internal risk assessment, what model will we be using? Is that the best practice model that we use? Yes, that's great information, you're right; we can internally assess. How often should we get a third-party assessment? I was listening to the speakers' talk last night, and I'm not as deeply technical as you sitting around the tables, but they were talking about why we spend all this money to do full-blown risk assessments and just have pen testing done on our application. I don't know if that was the conversation you were having, but there are different ways that we can go about assessing the risk for applications, assessing the risk for [unclear]. So what is the correct prescription? I don't know. I didn't know what to put up here, something funny, and I don't want this to be a negative connotation: we have legislators; hopefully they're reaching out to professionals. I believe they are.

So what is the prescription? There's none. If anybody was to answer this, it's going to depend on what your business is, what your risk element is, what you want to spend the money on, when you have resources. Does anybody here think that we will see a prescription from regulations saying you need to implement NIST [unclear], you need to implement this? I know FedRAMP and some of the federal rules need NIST 800-53, so some of them are doing that, but do you think at a federal level, for all businesses, that'll be possible?

[unclear] Everything, and then some of the financials are going to be tied because of [unclear].

So each business is different. So privacy, and I believe we all should believe this: privacy is an inalienable right and is something that we should take ownership of. [unclear] This is my data. If we're not taking ownership of that and advocating for our own consumer rights, then what's going to stop anybody from selling it and making money off of it, or somebody criminally acting on that data, whatever they want to do? So will these regulations, and this is something I read in a blog post or article, I don't know how much weight it has, but will some of these, GDPR, CCPA, other regulations, prevail? Because let's say we prescribe a whole bunch of controls and a whole bunch of security; that's going to forbid small businesses from ever coming to market. I think big business wants regulation because it prohibits competition: how would you be able to come to market if you have to not only develop and deploy an application but also have a full-blown security staff? Of course we want security embedded, but...

You're right; I mean, if you have all those prescriptive things you have to do before you release the application, the risk, trying to build a company, and you look at, if you're measuring how much can I possibly make in this field and what is the risk associated with holding the data in my systems...

Yeah, we need to touch on holding board members or executives accountable, them going to jail for negligence.

Yeah, that's a bigger risk.

It's huge, especially if you're mining data, reselling data. So I think this is the answer: I don't think there's a prescriptive model that would hit all small businesses and the Fortune 500. [unclear] Should there be a big leap, putting the appropriate safeguards in place to protect our data? I believe so, but who are they?

So, is anybody here right now tracking a lot of GRC documentation in a system? I'm sure there's a lot. If we're starting to comply with these regulations through documentation, policies, procedures, training mechanisms, all this documentation, and you're tracking it for the New York security law and tracking it for GDPR and tracking it for the CCPA, and on and on, each one of these regulations might need different pieces of documentation. So I currently don't have a system, but I do believe there's a big market for it right now. I think [unclear] NIST SP 800-37 r2; those are two. So 800-37 r2, just last year, included privacy in the Risk Management Framework. So if you haven't reread 800-37 in the revision, adjusted at least I believe in 2018, it actually included privacy inside the Risk Management Framework, so there are controls in there. Then COBIT 2019: it's the framework to manage all the frameworks, so however you want to manage all the documentation and what maps to what. So I know this compliance regulation says I need to have the CSF, and I have this compliance, I need to have the New York cybersecurity law, and it will actually have those mappings. I don't know if the cybersecurity law is in there yet, but it'll have all those mappings for the COBIT framework, so you can say, well, I have this control objective in place for my business, and it maps to all these different frameworks. Those are pretty [unclear]. Anybody here using COBIT 2019? It's a thing; it's a sunk cost, kind of a gorilla, it's huge. I mean, there are a lot of controls in there, but it's not prescriptive; you make it for your business. So that's all I have; I'm way over time. Thank you for the feedback. Any questions? I'll be up here for a little bit. I'm not an expert, but yeah, you can find a link to an email address. I appreciate your attention.

Do you feel like, so you obviously read through the whole regulation, and a lot of it, as you said, is very broad, lots of generalizations; do you think that we've gained any clarity from some of the examples of enforcement that have happened most recently, like Facebook's?

Yes, yeah. I think we're going to see, it's legislation, so it's going to be litigated; there's not [unclear], but there's a lot.

So they say if you're going to try to comply with GDPR, get a lawyer.

Yeah.

No, I mean, I think it's just, I'm just trying to get your feel on it, because it is so wide open; it's like, okay, let's try and do what we can with our own interpretation of this, and then hopefully, as more cases of enforcement come in and the information is released to the public, we'll get more clarity.

Yeah, it's how they enforce it, on a case-by-case basis, but there's an authority in the EU that will take the request from anybody that might be a consumer of the state. Oh yeah, I don't remember; I know we were talking about it.

The only other thing I was going to say is that, yes, there's a platform, and I don't specifically condone or deny it or whatever, but it's an online [unclear], and they've come up with what I thought was a pretty intuitive way, for mostly medium to small companies that want some help stepping through GDPR; it basically asks you information about the company and helps you build out the forms, like the data processing agreements and everything, and kind of builds them for you with information that you can easily put in that you know about the company, and helps you start to work towards compliance. And it's really inexpensive. I think I have the referral link somewhere, but...