Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On May 11, 2017, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The intention was to reduce cybersecurity risks to national security by improving federal agencies’ cybersecurity and information technology (IT) systems. The executive order holds the heads of federal agencies accountable for their agencies’ risk management practices.

On July 7, 2021, Colorado became the third U.S. state to establish regional data privacy legislation. Colorado included the legislation in Senate Bill 21-190, which was signed into action by Governor Polis. The Colorado Privacy Act (CPA), also called the Colorado Privacy Law, became effective on July 1, 2023.

On July 10th, the EU Commission adopted an adequacy decision for the proposed EU-U.S. Data Privacy Framework. This is exciting news for organizations, as many have been stuck in privacy "limbo" since the annulment of the previous EU-U.S. Data transfer mechanism, Privacy Shield, which was annulled due to challenges in court by privacy activist Max Schrems.

Have you heard of the NIS Directive? The full name is quite a mouthful, "DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union". The informal name has been shortened to the Network and Information Security (NIS) Directive. The aim of the directive was to develop a common level of cybersecurity across the Member States that could be applied to entities of critical national importance.

Australia officially launched their National Anti-Scam Centre this week. With more than AUD $3.1 billion lost each year, Australians need support. With representatives from the banks, telecommunications industries and digital platforms, the intent of the center is to identify methods to disrupt all kinds of scams and reduce scam losses. While I completely support this initiative, it would be remiss of me not to highlight that the prevention of scams is perhaps as important as the cure.

In 2019, the UK Government (NSCS) conducted The UK Telecoms Supply Chain Review, to assess and address potential risks associated with the supply chain of telecommunications infrastructure in the country. The review highlighted the risks associated with reliance on certain vendors, particularly those with high-risk profiles. It also recommended increased oversight and regulation to mitigate security risks and protect critical national infrastructure.

The Cyber Intelligence Sharing and Protection Act (CISPA) was first introduced in 2011 by Representative Mike Rogers, the chairman of the House Select Committee on Intelligence Committee), and 111 co-sponsors. Although the House of Representatives originally passed the bill on April 25, 2012, it was later rejected by the US Senate. Since then, it has been reintroduced several times, but Congress has not passed the bill despite amendments made in good faith following criticism of some propositions.

Often regarded as the Californian version of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) aims to protect the personal information rights of Californian-based employees, contractors, customers, and vendors. The inclusion of third-party vendors means your Vendor Risk Management program needs to be updated to include CCPA compliance tracking, not only during due diligence but through the entire vendor security posture management process.

The Gramm-Leach Bliley Act (GLBA or GLB Act), or financial modernization act, is a bi-partisan federal regulation passed in 1999 to modernize the financial industry. It repealed vast swathes of the Glass-Steagall Act of 1933 and the Bank Holding Act of 1956, allowing commercial banks to offer financial services such as investments or insurance. It also controls how financial institutions deal with their customer's private information.

At the turn of the most recent century, the financial world was in a moment of unregulated growth, which lead to some serious corporate misdeeds in the United States. This presented the opportunity for two senators to enact a new law to ensure accurate and reliable financial reporting for public companies in the US. The result was the Sarbanes-Oxley Act (SOX) of 2002. But what does financial reporting have to do with cybersecurity and IT compliance?