If your organization has a presence in California or does business with California residents, then it probably needs to comply with the California Consumer Privacy Act (CCPA). CCPA compliance is no easy task but never fear: Using this checklist and our CCPA audit guide can help smooth the way.
The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use. HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework.
For decision making, “reactive” tends to be frowned upon in the business world. “Proactive” is the preferred mode and has been pretty much since the word was coined (in 1933).
When it comes to building a security program, one of the most frequently overlooked areas is that of vendor management. Organizations focus significant resources on internal security, such as vulnerability scans, centralized log management, or user training, while not extending the same diligence towards their third-parties. Organizations end up trusting the security of their network and data to an unknown and untested third-party. As we all know, a chain is only as strong as its weakest link.
A formal, written vendor or third-party risk management policy is the first step in developing your vendor risk management program, and essential to that program’s success. Vendor risk management encompasses third-party risks as well as that of your vendors’ vendors — fourth-party risks — and is an important component of any cybersecurity program.
A change is coming for privacy protection. Are you ready? For the past twenty years, most financial services businesses fell under the requirements of the Gramm-Leach-Bliley Act (GLB Act or GLBA). This law federally governed the collection and disclosure of customers’ personal financial information. However, on January 1st, 2020, a new privacy rule—the California Consumer Privacy Act (CCPA)—wentis going into effect.
Engaging with third-party vendors for the provision of goods and services isn't new. The level of digital transformation, paired with the number of third-party relationships and business partners the average organization has is. Third-party risk management programs need to evolve the manage this ever evolving type of risk exposure. Enterprise-wide organizations rely on third and fourth-party vendors. And many of them have access to sensitive data.
Cyber supply chain risk management touches all aspects of a business. Supply chain risk management (SCRM) is not solely the responsibility of cybersecurity, but instead a partnership between sourcing, vendor management, cybersecurity, and transportation. The National Institute of Standards and Technology (NIST) released a set of best practices for cyber supply chain risk management in 2016.
Strategic risk and operational risk are both valuable to organizations and are critical in managing an organization’s overall risk management program. Organizations are finding that strategic risk management is something that can’t be done the same old way and requires new creative thinking in order to execute successfully. Operational Risk Management is important to make sure there are plans in place to remove roadblocks in order for organizations to execute against their strategic plans.
