Tag Archives: compliance

California Consumer Privacy Act (CCPA)


Compliance Management toolkit addresses California Consumer Privacy Act (CaCPA) and GDPR

CaCPA goes into effect January 1, 2020 and places new burdens on companies that do business with California residents. This includes both domestic and international organizations. Who must comply with CaCPA?

  • Companies that serve California residents and have at least $25 million in annual revenue
  • Companies of any size that have personal data on at least 50,000 people
  • Companies that collect more than half of their revenues from the sale of personal data

Once California regulators notify a company that it is in violation of CaCPA, the company has 30 days to comply. If the issue isn’t resolved, there’s a fine of up to $7,500 per record. In addition, the law allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

What companies must do to comply

One of the first things they must do is add a clearly visible footer on their websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. One shortcut available to companies that do not share data is to state in a common footnote that data is not shared.

Data covered by CaCPA

The law originally covered employee data in addition to consumer data. That was amended to exclude employee data. Companies must allow consumers to choose not to have their data shared with third parties. That means companies must be able to separate the data they collect according to each user’s privacy choices. A California consumer has the right to find out what information a company collects about them.

After the access request, a company has 45 days to provide the consumer a comprehensive report describing what type of information it holds, whether it was sold, and to whom. If the data was sold to third parties over the past 12 months, the report must give the names and addresses of those third parties.

The data covered by the law includes:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.


Depending on Google Is Risky


Independence is a core requirement for IT Governance and Infrastructure definition.

Depending on Google is risky. Depending on Internet, hardware, and software companies is a mistake. Enterprises are impacted when those companies drop product support, are purchased by other companies, and/or have security breaches and system failures of their own.

For example, Google: customers who installed Haiku ceiling fans, which were supported with the Nest thermostat device via the “Works with Nest” program, were left out in the cold. This was driven by Google’s decision to end the program and go with the “Google Net”. Google said this was to focus on supporting its own hardware business. As a result, support was lost for any device on that program. Not a good omen for people who installed them in their homes.

A similar situation occurred for Comcast email users. Users who had comcast.net email accounts were not made aware of the limitation of service that Comcast’s spam protection process imposed. When an email is sent to a Comcast user’s email account and the email has multiple recipients, the email is placed on hold (based on the Comcast user’s usage). The user is NOT notified that the email was held and not delivered. It is up to the sender to contact the user and re-send it with the email going to a single recipient.

The less that you depend on Internet companies for proprietary offerings, the more you can be assured that you can continue to operate when they change their corporate strategy.

How long will it be before a company like Google decides to charge for its free email services? Wait a minute, they already do that with their G Suite offering.


NETFLIX Breach

NETFLIX Breach – user account ID changed

NETFLIX Breach on the user-id has occurred twice in one week. I have had an account with Netflix for several years. On Friday when I tried to log in to my account I could not. I got a message that my account e-mail address had been CHANGED. Since that is the only way that I can access my account, I had no user ID to get in. I had to call and wait to be connected to an account rep. Once there, I asked how that could happen, and the answer I got was that someone had BREACHED my account and re-assigned my user-id (which was my account ID) with theirs.

Linked with that information was my credit card payment information. After the recent Citicorp breach, there is no assurance that my credit card information was not breached. The solution the account rep gave was to CANCEL my account. Which I did and created a new account with a DIFFERENT email address. I also added my mobile number for account verification.

That worked for a day and on Saturday evening someone else logged in to my NEW account, turned on the service for their account and changed the user-id again. The only thing that I got were two emails from Netflix. One saying that someone accessed my account and the second that told me my user id had been changed.


Poor design for changing the user ID. They only ask for a password, NO 2nd level verification with the mobile phone number.

When I talked to the agent at Netflix on the SECOND breach there was no sense of urgency. I have my credit card associated with the account and now have a concern that the credit card information has been hacked.

NETFLIX Breach – Do they even care that they have a security issue?

In both cases with both email addresses, they were unique and the passwords were over 8 characters in length. In addition, they had one upper case letter, two numbers, and a special character. Somehow they were able to get into the account and change key information. They also have the capability to change the secondary security mobile phone number.

The fact that the only concern they had was to get my account back on-line so I would pay is troubling. Netflix did not address the issue of managing the changing of my user-id. Nor did they address the core issue of how the account got breached, and they did not provide me with a solution. For example, a solution could be having a DOUBLE verification before they change key security and personal information, or making it so the user-id could not be changed. Either solution would work.

I forecast that Netflix will be the next major corporation that will have the public embarrassment of a major security breach.


HIPAA changes

HIPAA changes for 2019

Compliance Kit – a head start on meeting all mandated requirements. Everything from an industry-standard White Paper to a detailed audit program.

HIPAA changes proposed for 2019 are getting closer. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has favored issuing HIPAA guidelines to clear up misunderstandings about HIPAA compliance requirements, but we are now at a point where changes to the HIPAA Rules are about to be made.

OCR asked 54 different questions in its RFI. Some of the main aspects being considered are in relation to:

  • Patients’ right to access and obtain copies of their protected health information and the timeframe for responding to those requests (Currently 30 days)
  • Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
  • Promotion of parent and caregiver roles in care
  • Easing of restrictions on disclosures of PHI without authorization
  • Possible exceptions to the minimum necessary standard for disclosures of PHI
  • Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment and healthcare operations
  • Encouragement of information sharing for treatment and care coordination
  • Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible.
  • Expansion of healthcare clearinghouses’ access to PHI
  • Addressing the opioid crisis and serious mental illness

All of these are addressed in Janco’s Compliance Management toolkit.


Backup Policy Updated


The Backup Policy includes everything that is needed to be in full compliance with all mandated security requirements.

The Backup Policy has been updated, as has the CIO IT Infrastructure Policy Bundle. The policy now takes into account everything from GDPR to cloud storage and its security implications.

The Backup Policy addresses the issues that you struggle with including:

  • How safe are your information assets in transit and at rest?
  • What protections are in place to prevent hacker access?
  • Does your backup and retention process meet all of your compliance requirements?
  • Who can gain access to your data?
  • What KPI metrics do you have in place?
  • Will the use of the data ensure successful recovery?

Managing backup and recovery in today’s environment is a multi-dimensional challenge with both near and long term business requirements. Recent technological developments in disk backup have had a positive impact on short term data retention requirements (see also BYOD policy). But these improvements do not replace the need to execute and deliver on a long term data retention strategy which includes:

  • Business and Regulatory Requirements Demand a Long-term Plan
  • Manage and Contain Your Total Cost of Ownership (TCO)
  • Encrypt Your Data for Secure Long-term Retention
  • Weigh the Environmental Impacts and Minimize Power and Cooling Costs
  • Simplify Management of the Entire Solution

Best of Breed solution

A “Best of Breed” backup policy and strategy considers how to:

  • Back up critical application data – across mixed operating systems and storage configurations
  • Restore desktops and mobile users quickly
  • Restore systems to dissimilar hardware or virtual systems
  • Back up data and system information to off site locations, so that you can quickly recover your business even from a total loss of your facility
  • Leverage new cloud based backup offerings to properly secure, back up, and archive critical data.


Chief Experience Officer (CXO) Job Description


The CXO is one of the hottest jobs on the market

Chief Experience Officer (CXO) Job Description. The Chief Experience Officer (CXO) drives the enterprise’s growth in the user experience arena. They oversee operations in all user experience sectors such as marketing, image setting, mobile applications, social media, related technologies, and virtual goods, as well as web-based management and marketing.

The CXO is not only a user experience expert but also a seasoned marketing, brand, and product manager. As the role is transformational, the CXO is responsible for the adoption of consistent user interfaces across the entire business. As with most senior executive titles, the responsibilities are set by the organization’s board of directors or other authority, depending on the organization’s legal structure.


C-Level Job Description Bundle


The C-Level job description bundle contains the top eight (8) IT job descriptions. Each is between 5 and 8 pages long and is at a level of detail at which KPI performance metrics can be defined and related directly to both employment contracts and compensation/bonus levels.

  • Chief Information Officer (CIO)
  • Chief Information Officer (CIO) – Small Enterprise
  • Chief Experience Officer (CXO)
  • Chief Security Officer (CSO)
  • Chief Compliance Officer (CCO)
  • Chief Mobility Officer
  • Chief Technology Officer (CTO)
  • Chief Digital Officer (CDO)


What is Blockchain and why is it such a hot topic?

What is Blockchain?


Blockchain job description critical to making the right staffing decisions

Why and what is blockchain? Blockchain technology is the application of Internet transaction processing and database technology in a way that stores data and verifies its integrity. It is, primarily, a technology that uses cryptocurrency. With that, it enhances the trustworthiness of the transactions. Transactions become unchangeable once they are entered in the blockchain database. This holds for all the data that the users use and share.

Typically, the blockchain application works with the most popular cryptocurrency, known as Bitcoin. It is a virtual currency that the application uses to keep track of all the transactions that take place on the blockchain network. The applications of a reliable database like this can be many, and they are not limited or restricted to finance only. Information Technology architects are actively engaged in working with blockchain technology. In addition, these professionals are optimistic about finding new products or applications with blockchain. For example, after the successful implementation of a blockchain system, in all likelihood the application can be extended to suppliers and customers alike.

Blockchain challenges

The Blockchain developer is responsible for developing innovative solutions to challenging problems, including command and control and high integrity solutions. The developer performs complex analysis, design, development, testing, and debugging of computer software for distinct product hardware or technical service lines of business; performs software design, operating architecture integration, and computer system selection; and operates on multiple systems, applying knowledge of one or more platforms and programming languages.

The Blockchain developer is challenged by legacy infrastructure, which will be the main obstacle to successful implementations. This is coupled with the challenge of technical understanding: the practicality of implementing decentralized cryptosystems falls outside the traditional IT development skill-set.


Chief Compliance Officer Job Description

Chief Compliance Officer Job Description Just Updated

The Chief Compliance Officer Job Description is critical in the recruiting process for an effective CCO. The individual must have a broad vision and perspective. Additional skills enable him/her to function in the ‘global’ regulatory environment. This requires that they consider many key factors to ensure the success of the compliance management processes.

C-Level executives are continuously looking for help in preventing fraud and protecting sensitive information. The fact that key corporate executives carry personal liability in the event of non-compliance virtually ensures that compliance is a key initiative in any large organization.

Role of CCO

The Chief Compliance Officer oversees the Corporate Compliance Program, functioning as an independent and objective body that reviews and evaluates compliance issues/concerns within the organization. The position ensures the Board of Directors, management and employees are in compliance with the rules and regulations of regulatory agencies, that company policies and procedures are being followed, and that behavior in the organization meets the company’s Standards of Conduct.

Janco’s detailed CCO job description provides a focus on these key factors. It offers a strategic and top-down view of this important new function. It defines how the CCO can materially assist the enterprise in establishing a function with an aggregate view of Governance, Risk Management and Compliance. That function needs to replace the highly fractionated structure that was typical of previous risk and compliance functions, which operated mainly at the tactical and operational level.

The job description is 2,000 words in length and takes up six packed pages of job requirements.


Compliance Management Team

The Compliance Management Team serves as the focal point for compliance activities. The team typically is composed of persons of high integrity, having other duties that are not in conflict with the compliance goals.

Coordination and communication are the key functions of the Compliance Management Team with regard to planning, implementing, and monitoring the compliance program.


Top 10 Reputation Management Rules


Top 10 Security Management rules

The Top 10 Security Management rules are defined in detail in Janco’s Security Manual Template.

Without constant vigilance, your company is vulnerable to attack. The first step to take is to assess your current security stance, then make a plan to increase security with proper best practices and technologies.

Top ten commandments of security management for CSOs, CIOs, and IT Managers

  1. Limit access to information to those who need to have it. People can’t misuse information that they don’t have.
  2. Conduct frequent and deep security audits. Identify who has access to what – and how their actions could weaken the protection of valuable data/information.
  3. Set limits to information access. Do not exclude all information from access; blanket exclusion simply locks everything down. Limits set authorizations so that specific people can do specific things under specific circumstances.
  4. Limit administrative rights to as few individuals as possible. Very few individuals need them to do their jobs.
  5. Ignore organizational hierarchy when setting access capabilities. Access and authorization should be based upon responsibilities, not position.
  6. Make Security Invisible. Minimize extra commands, screens, pop-ups for employees; if an action is allowed, just let it happen.
  7. Analyze security and close back doors. Compliance logs reveal threat patterns, and show how security steps are hurting productivity.
  8. Monitor information access and updates. User-initiated application information updates can invite vulnerabilities.
  9. Educate everyone on security policies and procedures. The more that people know about the rules, the better.
  10. Make security best practices the watch word for everyone. IT and the general workforce must address the constantly changing nature of security breaches.

Security Manual Template

The Security Policies and Procedures Manual for the Internet and Information Technology is over 230 pages in length. All versions of the Security Manual template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both were redesigned to address GDPR, CaCPA, ISO, Sarbanes Oxley and CobiT compliance).


GDPR Compliance

GDPR Compliance is at risk with 3rd Party providers


GDPR Compliance Management is more complex with the increased use of 3rd Party providers

Security and GDPR Compliance risks from third parties are on the rise. A security compliance study found that 56 percent of companies admitted to a security incident caused by a third party.

With GDPR now in place, security of third-party vendors and consultants is more important than ever. Their security failure will impact your company and could result in a breach of your data.

So how do you approach third-party security in a GDPR world? The first step is to know who your vendors are, and who the other outsiders with access to your network are. Group them into tiers based on the level and volume of data they have access to, so that you can determine which are the most critical. Companies need to know who has any access to their data and get an accurate understanding of exactly what information they can access, why, and how often. With this information in hand, you can then develop an accurate response plan.

GDPR compliance plans should also take all of your third-party vendors into consideration. Thus, when establishing a dedicated Data Privacy Officer (DPO), that person will help the company meet GDPR requirements and should keep tabs on third-party practices and data systems as they affect your business. Lunetta added:

To support the DPO with additional expertise on making decisions such as, “We need X solution to address Y compliance/security requirement,” it’s imperative for IT security teams to conduct regular self-assessments for uncovering gaps and determining options for remediating them.

GDPR Tips

Some tips for ensuring that your third parties are staying in GDPR compliance:

  • Address cybersecurity governance: it’s one thing to invest in security solutions that help address personal data protection, and another to use them in a manner that is also GDPR-compliant.
  • Access Policy Governance – Having robust access controls isn’t good enough to comply with GDPR. You also need a set of policies that can be defined, implemented and enforced around how your enterprise controls access to personal data.
  • Pay attention to privileged users. Users such as systems administrators can circumvent standard controls inside of an application or a database. Identify those users, establish governance controls, and implement enforcement mechanisms through technology solutions such as network access control.
