The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).
Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:
Demonstrate an understanding of privacy and cybersecurity law concepts, and basis of national/state jurisdiction 
Define terms used in the CCPA/CPRA and contrast to the GDPR 
Articulate the rights of consumers, and determine the duties of a business 
The associated risk management programs are also constantly evolving, and that’s likely due to outside influences such as client contract requirements, board requests and/or specific security incidents that require security teams to rethink and strengthen their strategy. Not surprisingly, CISO’s today face several dilemmas: How do I define the business impact of a cyber event? How much will it cost to protect our company’s most valuable assets? Which investments will make the business most secure? How do we avoid getting sidetracked by the latest cyber breach headline?
A mature risk analysis program can be thought of as a pyramid. Customer-driven framework compliance forms the base (PCI/ISO frameworks required for revenue generation); then incident-driven infrastructure security in the middle (system-focused security based on known common threats and vulnerabilities); with analysis-driven comprehensive coverage at the pinnacle (identification of assets, valuations, and assessment of threat/vulnerability risk).
How do you kickstart that program? Here are five steps that I’ve found effective for getting risk analysis off the ground.
Determine enterprise-specific assets
The first step is determining what is critical to protect. Unlike accounting assets (e.g., servers, laptops, etc.), in cybersecurity terms this would include things that are typically of broader business value. Often the quickest path is to talk with the leads for different departments. You need to understand what data is critical to the functioning of each group, what information they hold that would be valuable to competitors (pricing, customers, etc.) and what information disclosures would hurt customer relationships (contract data, for instance).
Also assess whether each department handles trade secrets, or holds patents, trademarks, and copyrights. Finally, assess who handles personally identifiable information (PII) and whether the group and its data are subject to regulatory requirements such as GDPR, PCI DSS, CCPA, Sarbanes Oxley, etc.
When making these assessments, keep three factors in mind: what needs to be safe and can’t be stolen, what must remain accessible for continued function of a given department or the organization, and what data/information must be reliable (i.e., that which can’t be altered without your knowledge) for people to do their jobs.
Value the assets
Once you’ve identified these assets, the next step is to attach a value. Again, I make three recommendations: keep it simple, make (informed) assumptions, and err on the side of overestimating. The reason for these recommendations is that completing a full asset valuation for an enterprise would take years and wouldn’t ever be finished (because assets constantly change).
Efficient risk analysis requires a more practical approach that uses broad categories, which can then be prioritized to understand where deeper analysis is needed. For instance, you might use the following categories, and assign values based on informed assumptions:
Competitive advantage – the items/processes/data that are unique to your company and based on experience. These are items that would be of value to a competitor to build on. To determine value, consider the cost of growing a legitimate competitor in your dominant market from scratch, including technology and overhead.
Client relationships – what directly impacts customer relationships, and therefore revenue. This includes “availability” impacts from outages, SLAs, etc. Value determination will likely be your annual EBIT goal, and impact could be adjusted by a Single Loss Exposure.
Third-party partnerships – relating to your ability to initiate, maintain or grow partner networks, such as contractors, ISPs or other providers. When valuing, consider the employee labor cost needed to recruit and maintain those partners.
Financial performance – items that impact your company’s ability to achieve financial goals. Again, valuation might equate to annual EBIT.
Employee relations – the assets that impact your ability to recruit and retain employees. Valuation should consider the volume of potential losses and associated backfill needs, including base salaries, bonuses, benefit equivalencies, etc.
Determine relevant threats, assess vulnerability, and identify exposures
When it comes to analyzing risk from threats, vulnerabilities and exposures, start with the common security triad model for information security. The three pillars – Confidentiality, Integrity and Availability (CIA) – help guide and focus security teams as they assess the different ways to address each concern.
Confidentiality touches on data security and privacy; it entails not only keeping data safe, but also making sure only those who need access, have it.
Integrity reflects the need to make sure data is trustworthy and tamper-free. While data accuracy can be compromised by simple mistakes, what the security team is more concerned with is intentional compromise that’s designed to harm the organization.
Availability is just what it sounds like – making sure that information can be accessed where and when needed. Availability is an aspect of the triad where security teams need to coordinate closely with IT on backup, redundancy, failover, etc. That said, it also involves everything from secure remote access to timely patches and updates to preventing acts of sabotage like denial of service or ransomware attacks.
In undertaking this part of the risk assessment, you’re using this security triad to determine threats, and then identifying exposure and assessing vulnerability to better estimate both the potential impact and probability of occurrence. Once these determinations are made, you’re ready for the next step.
Define risk
AV = assigned Asset Value (quantitative/qualitative) as identified above. EF = the Exposure Factor, a subjective assessment of the potential percentage loss to the asset if a specific threat is realized. For example, an asset may be degraded by half, giving an EF of 0.50.
From this we can calculate the Single Loss Expectancy (SLE) – the monetary value from one-time risk to an asset – by multiplying AV and EF. As an example, if the asset value is $1M, and the exposure factor from a threat is a 50% loss (0.50) then the SLE will be $500,000.
Risk definition also takes this one step further by using this SLE and multiplying it by a potential Annualized Rate of Occurrence (ARO) to come up with the Annualized Loss Expectancy (ALE). This helps us understand the potential risk over time.
When working through these figures, it’s important to recognize that potential loss and probability of occurrence are hard to define, and thus the potential for error is high. That’s why I encourage keeping it simple and overestimating when valuing assets – the goal is to broadly assess the likelihood and impact of risk so that we can better focus resources, not to get the equations themselves perfectly accurate.
Implement and monitor safeguards (controls)
Now that we have a better handle on the organizational risks, the final steps are more familiar territory for many security teams: implementing and monitoring the necessary and appropriate controls.
You’re likely already very familiar with these controls. They are the countermeasures – policies, procedures, plans, devices, etc. – to mitigate risk.
Controls fall into three categories: preventative (before an event), detective (during) and corrective (after). The goal is to try to stop an event before it happens, quickly react once it does, and efficiently get the organization back on its feet afterward.
Implementing and monitoring controls are where the rubber hits the road from a security standpoint. And that’s the whole point of the risk analysis, so that security professionals can best focus efforts where and how appropriate to mitigate overall organizational risk.
Cybersecurity experts would have you believe that your organization’s employees have a crucial role in bolstering or damaging your company’s security initiatives.
While you may disagree, data breach studies show that employees and negligence are the most typical causes of security breaches, yet these prevalent issues are least discussed.
According to a recent industry report from Shred-It, an information security provider, 47% of top business executives believe that employee error, such as the inadvertent loss of a device or document, has resulted in a data breach within their company. According to another study by CybSafe, human errors have been responsible for over 90% of data breaches in 2020.
It’s no secret that companies of all sizes increasingly feel the sting of cybercriminals exploiting vulnerabilities in remote and hybrid working environments. However, little to no effort is made toward strengthening defenses. Now is the moment to train your personnel on security best practices, if you haven’t already.
As a result of inadequate security measures, customers have long suffered the most. However, the stakes for employees and their businesses are higher than ever this year. Experian predicts 2022 will be a hangover from the “cyberdemic” of 2021, making it crucial to stay ahead by designing a cybersecurity training program for employees and strengthening defenses.
Developing a cybersecurity training program requires knowing where the blind spots are. While there are numerous approaches to promoting a more cyber secure workplace, here are the most common and effective ways:
Trick Employees via a Phishing Campaign
You can test your employees’ ability to distinguish authentic email content from fraudulent attachments by mass spear-phishing them. Employees who fall for the phishing email are the ones you need to be extra careful about.
They might be the ones that eventually end up disclosing a company’s valuable digital assets. Once you have the data, you may measure the entire risk to your network and build remedies from there using custom reporting metrics.
Customize Your Security Training
All employees, irrespective of their designation or job role, should be a part of the security training. However, employees who fell for the spear-phishing campaign are the ones you need to observe and invest your security training into.
When delivering cybersecurity training, stress the importance of the training as an exercise that can also be applied elsewhere. Employees will be more inclined to utilize secure procedures at work if they do so at home on their computers and phones.
Incentivize the Security Training
Nothing motivates an employee more than being rewarded for their performance. Set up metrics and determine the level of participation, enthusiasm, and cybersecurity knowledge an employee obtains via quizzes or cross-questions. Employees who follow best practices should be rewarded, and others should be encouraged to improve their cybersecurity habits.
Cover Cybersecurity Topics
Engage your employees by introducing cybersecurity topics and certifications. Employees new to the cybersecurity realm would greatly benefit from relevant courses and learnings that might augment their skills and shine bright on their resumes.
Social media platforms are riddled with short instructional videos, which can be a great source of learning for those struggling to complete cybersecurity courses and manage work simultaneously.
Introduce Data Privacy Laws
Data privacy laws have been here for a while. However, they have recently received recognition after the EU introduced the General Data Protection Regulation (GDPR) in 2016, which came into force in 2018.
Most employees don’t know much about data protection laws or don’t know them altogether. It’s crucial to educate employees regarding existing and upcoming data protection laws and how they impact the business. According to MediaPro, a multimedia communications group, 62% of employees were unsure if their company must comply with the California Consumer Privacy Act (CCPA).
Integrating data privacy laws and regulations within cybersecurity training is crucial. While employees do not need to be compliance specialists, they should have a fundamental understanding of their company’s privacy policies, data handling procedures, and the impact of data privacy laws on their organization.
Address Security Misconceptions
Massive data breaches and ingenious hackers have muddied the waters of what is and isn’t possible when carrying out a cyberattack, making it challenging for novice security personnel to tell the difference between facts and made-up security misunderstandings.
Lack of understanding and misconceptions make matters worse as employees tend to become too concerned about non-existent or misunderstood risks while being less concerned about real ones. That begs the question: Are employees taking cybersecurity seriously, or will they be a liability rather than an asset?
To move forward, begin by designing a survey that starts with the basic cybersecurity knowledge and distributing it across the organization. The survey could contain questions such as:
What is cybersecurity,
Why is cybersecurity important,
Do employees lock their devices and keep strong alphanumeric passwords for online accounts,
Do employees connect to a secure WIFI network provided by the company, etc.
The results will demonstrate the current knowledge base within the organization and whether the employees take cybersecurity seriously.
While discovering the loopholes within your organization is one thing, developing a cybersecurity training program specifically tailored to patch those vulnerabilities might not be enough. Not only this, keep a strategy that focuses on zero-day attacks to avoid any damages. As an individual entrusted with developing a training program, you should know that you need a long-term solution to the existing problem.
Humans have always been the weakest link in the cybersecurity chain, and human errors will only escalate despite the depth of training given. That leaves organizations in a tough spot and struggling to meet compliance requirements.
Understand the Consequences of Inadequate Security Training
Training just for the sake of training will not benefit anyone. Employees need to dedicate their hearts and minds to the training, and continuous sessions should take place so that employees always stay current with the latest happenings and privacy frameworks. Poor training may further confuse employees, which may also draw additional dangers.
With Securiti data privacy automation tools, you can reduce or eliminate reliance on employees and move towards a more modern and error-free framework.
With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – Securiti.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.
A user’s personal data can be anything from their user name and email address to their telephone name and physical address. Less obvious forms of sensitive data include IP addresses, log data and any information gathered through cookies, as well as users’ biometric data.
Any business whose mobile app collects personal information from users is required to have a Privacy Policy. Regardless of app geography or business domain, there are mandatory regulations such as the GDPR, the CCPA, and the PDPA, as well as Apple, Google and Android guidelines that ensure accountability and user data privacy. Some apps do not directly collect personal data but instead use a third-party tool like Google Analytics – they, too, need a Privacy Policy.
Looking for affordable ways to keep your data secure? Sometimes the simplest solutions are the best – and nothing beats the simplicity of a book.
With books, you get expert advice at your fingertips. You can study whenever is convenient and the information is always there for you to reference.
So, which books are right for you? That depends on what you want to know. Fortunately, IT Governance has a selection of titles covering everything you need to know, including the GDPR, Cloud security and the CCPA.
Let’s take a look at some of our most popular titles. Below are the four best books on Data Privacy.
This bestselling guide is the ideal companion for those trying to understand how the GDPR affects their organisation.
It explains the Regulation’s requirements in terms you can understand and helps you understand data subjects’ rights and the way consent requests have changed.
You’ll also gain a deeper understanding of the GDPR’s technical requirements, such as the appointment of a DPO (data protection officer), international data transfers and the obligations of data controllers and processors.
Written by Alan Calder, IT Governance’s founder and executive chairman, this book is an essential introduction to the GDPR.
It’s ideal for anybody who is new to the Regulation or needs a refresher, explaining the legal terminology and compliance in simple terms.
It also provides invaluable advice on how you can meet the GDPR’s requirements.
This includes broad measures that your organisation should implement as well as tips on things you should and shouldn’t do when processing personal data.
If your organisation collects California residents’ personal data, you must comply with the CCPA (California Consumer Privacy Act).
The law, which took effect on 1 January 2020, applies to certain companies depending on their annual turnover, how much personal data they collect and whether they sell the information for profit.
Written by data protection expert and consultant Preston Bukaty, this handbook provides a comprehensive explanation of the law’s scope and how to achieve compliance.
ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ ISO 27002 #ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a #PIMS (privacy information management system).
Develop a privacy information management system as an extension to your ISO 27001-conformant ISMS with ISO/IEC 27701. Supports GDPR compliance.
SECURITY TECHNIQUES — EXTENSION TO ISO/IEC 27001 AND ISO/IEC 27002 FOR PRIVACY INFORMATION MANAGEMENT SYSTEM #PIMS
Key features:
* The Standard includes mapping to the GDPR, ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151
* Integrates with other management system standards, including the information security standard, ISO/IEC 27001
* Provides PIMS-specific guidance for ISO/IEC 27002
* Specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a PIMS
* Supports compliance with the GDPR and DPA 2018
* Provides guidance for data controllers and processors responsible for processing personal data
ISO 27701 Gap Analysis Tool
Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).
It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.
What does the tool do?
Contains a set of sample audit questions
Lists all ISO 27701:2019 requirements, identifying where documentation is mandatory for compliance
Provides a clear, colour-coded report on the state of compliance
The executive summary displays the results of compliance in a clear table so that you can report on your results and measure the closure of gaps.
The tool is designed to work in any Microsoft environment. It does not need to be installed like software, and it does not depend on complex databases; it relies on human involvement.
ISO 27701 The New Privacy Extension for ISO 27001
httpv://www.youtube.com/watch?v=-NUfTDXlv30
Quick Guide to ISO/IEC 27701 – The Newest Privacy Information Standard
httpv://www.youtube.com/watch?v=ilw4UmMSlU4
Big news is coming when NIST takes the wraps off a new privacy framework. Thanks to the General Data Privacy Regulation (GDPR) of the European Union, which took full effect in May 2018, privacy is at center stage worldwide. Penalties are being meted out for violations, and organizations of all kinds need to understand and comply with the law. In addition, the California Consumer Privacy Act (CCPA) was enacted in June 2018, with many other states working on similar bills.
Another day, another data breach. Lately, it seems like we can’t go more than a few days without hearing about another cyber attack. Data breaches have recently occurred at health insurance providers like Anthem, banks like Capital One, and even the Equifax credit bureau. If there’s anything these recent hacks have shown us, it’s that no industry is safe.
Social Security numbers, credit cards, and passwords are just some of the types of compromised data. Given the number of recent attacks, Bloomberg reports that some cybersecurity professionals now make millions of dollars per year.
Massive amounts of information have been stolen. According to The Week, “virtually everyone in the U.S. has been affected by a data breach in some way — even those who never go online.” If you’re worried a hacker might have your data, here’s how you can protect yourself and your family:
Malware and Viruses
Malware and computer viruses are common ways that scammers get sensitive information. Contrary to popular belief, Macs (and smartphones and tablets) can get viruses. Whether you use Mac, Windows, Linux, or an iPad, protecting your computer against viruses also protects your information.
According to Secure Data Recovery, proactive actions can help keep hackers and viruses from accessing your data. Use strong passwords that are hard to guess. A sentence or phrase is stronger than a single word, for example. You should also install a firewall and antivirus software. Save backups of your files to a device like an external hard drive. Alternatively, you could also save data to the cloud using Google Drive or similar.
Security and Compliance
Cyber threats are continually evolving. By having an information security (InfoSec) plan in place, you can protect data from falling into the wrong hands. InfoSec helps organizations maintain confidentiality while complying with industry regulations. DISC help the organization to succeed in infosec and Privacy program by building and assessing Information Security Management System (ISMS) and Privacy Information Management System (PIMS) based on various standards and regulations.
For instance, Deura Information Security Consulting (DISC) can perform a risk assessment to identify the security risks. Based on those gaps, they’ll help you create a “safe, secure, and resilient cyber environment.” Additionally, they’ll help your organization comply with regional cyber laws. Those laws include Europe’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
Â
Protect Your TeensÂ
Nobody is safe from online attacks. Unfortunately, that includes children and teenagers. Some scams specifically target teens and young adults. One example is phishing, which tricks teens into revealing their social media passwords. Teens are also susceptible to phishing scams that include “urgent” subject lines. These scams often trick people into clicking a link to avoid missing a once-in-a-lifetime opportunity.
To protect your children, the InfoSec Institute advises telling them to keep their login information private and to never click on social media links via email. Teach them red flags, like email scams claiming they’ve won money or website URLs that have misspellings or extra letters. Your whole family can learn what to look for by practicing with a phishing simulator.
Â
Credit Freezes and Monitoring
Many people believe cybercriminals only steal money. The reality is that many of them are interested in stealing data, identities, or intellectual property. In the event that you do experience data loss, whether due to a virus, malware, or online scam, it’s essential to take action.
According to the IRS, you should report identity theft to the FTC, your bank, and each of the credit bureaus. You might want to freeze your credit and place a one-year alert on your credit report. Credit monitoring companies can help you protect your credit score by alerting you of any fraudulent activity. If you follow the tips listed above, you can recover your data and protect yourself from future attacks.
DISC helps business owners in California to meet the new 2018 requirements of the CCPA and how to implement the National Institute of Standards and Technology’s (NIST) 800-171 cybersecurity framework. The roadmap is provided specifically to the CCPA either for a business, agency or organization that is required to meet this new State Law and describes both technical and administrative measures that will attain an acceptable level of compliance for State certifying officials. Assessment will include but not limited to compliance with policies and procedures, security strategy/plan, and plan of actions & milestones. The initial assessment will determine the as-is state of your data privacy program business, legal and regulatory requirements. DISC will provide a target state (to-be) which will include tech controls, mgmt. control, and ops control to build your data privacy program based on NIST 800-171. So basically the transition plan (roadmap) will enumerate the details of how to get from as-is state to to-be state.
DISC Cybersecurity consultant support business and agencies effectively to meet the 110 security controls in NIST 800-171 which has become the de facto standard for cybersecurity compliance. It ensures that security policies and practices of the framework meet the intent of CCPA. Adequate security is defined by ”compliance” with the 110 NIST 800-171 security controls.
  ⚖️ California is bringing law and order to big data ⚖️
California Expands Consumer Privacy Protections | The California Consumer Privacy Act, or CCPA, gives residents of California the ability to request the data that businesses collect on them, demand that it be deleted, and opt out of having that data sold to third parties, among other things.
The state’s attorney general wants to avoid a troubled rollout, à la Obamacare, when the far-reaching restrictions on user data go into effect on Jan. 1.
