It’s 8 p.m., and you suspect your corporate system has been hacked. Do you know what to do?
“That’s the nightmare scenario for the company that doesn’t have a policy in place,” said IT World Canada (ITWC) CIO Jim Love at a recent webinar. Indeed, a recent survey by Canada’s Privacy Commissioner found that four in 10 companies don’t have policies to deal with a security breach.
That’s a problem given the new regulations coming into effect in Canada. As of November 1st, the Personal Information Protection and Electronic Documents Act (PIPEDA) will require companies to report breaches involving personal information that might cause significant harm. They will also have to keep records of all breaches.
“You need to show you’ve done due diligence, that you know where your information is and that you took steps to mitigate the breach,” said Michael Ball, a virtual Chief Information Security Officer who works with Performance Advantage. “If you can’t do that, heads will roll.”
Hiring a virtual Chief Information Security Officer (vCISO) may be the answer, especially for small to mid-sized companies that can’t afford to hire a full-time expert, said Ball.
What your security plan needs to cover
To comply with the regulations, the first thing a company needs to do is to find and classify all of the personal data it keeps. The company must also have mechanisms in place to detect and record breaches.
The most fundamental requirement is to ensure that there are policies and procedures in place to spell out the steps to be taken if a breach occurs, said Love. That should include a plan on how to handle the initial discovery and reporting of the breach, the evaluation as to whether the breach affects personal information, steps to contain and eradicate the threat, plans for recovery and a post-mortem to learn from the situation. A detailed communications plan is another vital component.
Finally, companies need to test and update their plans on a regular basis, as well as provide continuous training for employees. “If you think you can skate on these policies, think again,” said Love. “You’re going to be in big trouble if you can’t show them to the Privacy Commissioner.”
How a virtual CISO can help
Companies are realizing that they need a governance role along with privacy expertise, said Ball, noting that a CIO or IT manager may not have this skill set. A virtual CISO can work with a company to put all of these required elements of an incident response plan in place, or simply handle it for you. What’s more, “a virtual CISO consists of a team of highly trained and experienced specialists with skills that can be difficult to find,” said Ball.
What can you expect from a virtual CISO? In the first 30 days, they should conduct an assessment and interview people to see what procedures you have in place and how they’re working, said Ball. They will identify gaps and measures to address them. They will also develop a long-term plan for your organization.
Within 60 days, the virtual CISO will build an information security policy framework for you, Ball said. They will work with you to implement new security measures, access management and incident response procedures. Quarterly metrics will also be established to evaluate ongoing progress.
“The new privacy rules will affect all companies regardless of size or industry,” said Ball. “All companies need a competent CISO and an incident response plan.”