Response Planning and the Year of Data Privacy

By Sean Atkinson, Chief Information Security Officer, CIS

Spectre, Meltdown, and response planning

As I start my third week here at CIS, we find multiple attack vectors at play (Spectre, Meltdown) and chip manufacturers recognizing a need to respond. Patches for Spectre and Meltdown are currently being deployed in environments around the world. Emergency management communication has also been a central focus of response planning. From stories of the mismanagement of an entire organization’s “distribution list” to public photos of passwords written on Post-it® notes, cases of bad cyber hygiene abound. Nevertheless, these cases make great examples for new employee security training and annual cybersecurity training refreshers.

2018: The Year of Data Privacy

As we look ahead, 2018 will be a year of “data privacy.” The EU General Data Protection Regulation (GDPR), which comes into force at the end of May, provides us with an opportunity to improve our data handling processes. As we progress through and complete the impact analysis and measurement of risk, we need to understand how data flows through our respective organizations. This opens up opportunities to audit and assess:

  1. Data classification
    1. Personal, organizational, “special”, etc.
  2. Records management
  3. Asset management
  4. Breach identification
  5. Incident response
  6. Breach notification

These are some of the areas around data handling which every organization will need to review and fine-tune. Some questions to start your investigation: “What data do we have?” “How do we use it?” and “Where is it stored and processed?” The answers to these questions will form a reference point for your organization to gain a controlled foothold over its data and information management processes. Given your specific industry and the type of data you have (payment information, customer data, health records, etc.), the answers will obviously differ – but still, the questions need to be asked, understood and documented in a Data Protection Plan (DPP). If you don’t have a DPP in place yet, now’s the time to start developing one.

Getting ready for the year ahead

No matter what 2018 holds, you can improve your cyber defenses by implementing critical patches (such as those for Spectre and Meltdown) immediately and ensuring systems are up-to-date. Developing a DPP is another great step to take since this plan can help with the day-to-day management of information as well as help prepare your organization for any future breach or incident which may occur.

For more on incident response and data management, check out these resources: