NIST Cybersecurity Requirements for Government Contractors (Unanet)
What is Controlled Unclassified Information (CUI)? What is NIST SP 800-171? How is my project management and accounting system impacted?
Navigating your way through these complex topics can be difficult for any government contractor, but protecting CUI in a non-federal environment is critical. Compliance is required by December 31, 2017.
Join us for this webinar to learn more about:
• What it means to be compliant with NIST SP 800-171
• Documenting your compliance status
• Preparing for audits and/or requests for compliance attestation/reports
• Key CUI requirements
• Suggested NIST processes
• How having the right system and team in place can help you remain compliant
Learn more at: https://www.unanet.com/news/demand-webinars
The Cybersecurity Whistleblower Protections guide provides a description of the major legal claims and federal whistleblower rewards programs that may be available to employees who report cybersecurity deficiencies. It also offers specific suggestions to help you blow the whistle in a manner that best protects you.
Presentation to (ISC)2 Omaha-Lincoln Chapter meeting on March 15th, 2017. This presentation looks at managing compliance with multiple cybersecurity laws and regulations across different industries using the NIST Risk Management Framework.
We are optimistic that the United States can strengthen critical infrastructure cybersecurity through a government-industry partnership that builds a robust Cybersecurity Framework, shares threat data, and collaborates on achieving national cyber goals. Although we don’t discount the challenges of bringing together such large and diverse groups of stakeholders, we believe that emerging cyber technologies and capabilities have created opportunities for success that did not exist 15 years ago when government first initiated "whole of government" efforts similar to the Executive Order.
This course provides an overview of whistleblower protections for employees who blow the whistle on cybersecurity or data privacy concerns. And it offers practical tips and insights for practitioners on how to evaluate potential cybersecurity whistleblower claims and overlapping remedies to maximize damages. In addition, the course addresses the challenging issues that arise when a whistleblower simultaneously prosecutes both whistleblower retaliation and whistleblower rewards claims.
Strengthening the Great Cyber-Wall of China — An Effort in Protecting the Mas... (Terrance Tong)
China’s recent cybersecurity laws have been cited by the government as internet and personal data protection milestones, while being viewed with suspicion by foreign multinationals as potentially increasing compliance costs. The one certain thing is that the Chinese government is succeeding in exercising more control and oversight over cyberspace.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
Is Ukraine safe for software development outsourcing? (N-iX)
Many companies that are looking for a software development outsourcing company in Ukraine wonder if the destination is safe in terms of politics, economy, business climate, and information security.
We’ve completed the guide that covers all these aspects and will hopefully help you make well-weighed conclusions.
Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to "advance the use of health information technology" -- in large part so the U.S. will be able to move to e-health records by President Obama's 2014 deadline.
The Evolution of Data Privacy: 3 things you didn’t know (Symantec)
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation has been designed to update the current directive which was drafted in a time that was in technology terms, prehistoric. It’s time to evolve.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Privacy and Information Security: What Every New Business Needs to Know (The Capital Network)
Reports of data security breaches conjure up images of anonymous computer hackers sitting in a darkened room, fingers flying over a keyboard in an effort to hack into a computer system to find valuable information to exploit. Not long ago, most of us considered these breaches to be infrequent and likely targeted at information much more commercially unique than the average consumer data stored by most businesses.
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Bootcamp) (Financial Poise)
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2019/
For today’s digital businesses, being prepared to meet new compliance requirements when storing and managing consumer data will not only minimize risk, but also enable more valued and trusted customer experiences that drive increased loyalty, engagement and revenue. To gain better perspective on this important issue, it’s important to understand:
- The trends driving governmental regulatory shifts and the basic tenets of these new laws
- The challenges faced by executives across the enterprise when managing privacy compliance for consumer data
- The emergence of cloud-based solutions that help businesses manage privacy compliance by acting as end-to-end customer data storage and management solutions that are far more scalable and flexible than legacy systems
Issues with respect to the proper ownership and jurisdiction of information contained on the internet have set the stage for an ongoing legal debate over Cyber-Law and its impact on Cyber-Crime.
Enhanced Global Cyber-Security and proposed governing regulations are not a luxury, but a necessity, for today’s business and government entities which operate in real time environments.
What Financial Institution Cyber Regs Tell the Infrastructure Sector (CBIZ, Inc.)
Information security is a threat for every business, but it’s particularly disruptive to the nation’s infrastructure systems. Infrastructure companies should monitor how mandatory rules play out for financial institutions. If the regulatory efforts are successful in reducing the number of financial institution cyber incidents, state and federal regulators may turn their attention to other industries.
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
Statement of Michelle Richardson, Director, Privacy & Data
Center for Democracy & Technology
before the
United States Senate Committee on the Judiciary
GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation
March 12, 2019
On behalf of the Center for Democracy & Technology (CDT), thank you for the opportunity to testify about the importance of crafting a federal consumer privacy law that provides meaningful protections for Americans and clarity for entities of all sizes and sectors. CDT is a nonpartisan, nonprofit 501(c)(3) charitable organization dedicated to advancing the rights of the individual in the digital world. CDT is committed to protecting privacy as a fundamental human and civil right and as a necessity for securing other rights such as access to justice, equal protection, and freedom of expression. CDT has offices in Washington, D.C., and Brussels, and has a diverse funding portfolio from foundation grants, corporate donations, and individual donations.[1]
The United States should be leading the way in protecting digital civil rights. This hearing is an opportunity to learn how Congress can improve upon the privacy frameworks offered in the European Union via the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to craft a comprehensive privacy law that works for the U.S. Our digital future should be one in which technology supports human rights and human dignity. This future cannot be realized if people are forced to choose between protecting their personal information and using the technologies and services that enhance our lives. This future depends on clear and meaningful rules governing data processing; rules that do not simply provide people with notices and check boxes but actually protect them from privacy and security abuses and data-driven discrimination; protections that cannot be signed away.
[1] All donations over $1,000 are disclosed in our annual report and are available online at: https://cdt.org/financials/.
Congress should resist the narratives that innovative technologies and strong privacy protections are fundamentally at odds, and that a privacy law would necessarily cement the market dominance of a few large companies. Clear and focused privacy rules can help companies of all sizes gain certainty with respect to appropriate and inappropriate uses of data. Clear rules will also empower engineers and product managers to design for privacy on the front end, rather than having to wait for a public privacy scandal to force the rollback of a product or data practice.
We understand that drafting comprehensive privacy legislation is a complex endeavor. Over the past year we have worked with partners in civil societ.
Rarely does a week go by without the announcement of another major data breach that has put thousands, or even millions, of consumers at risk of fraud. From malicious use of compromised credit and debit cards, to increased identity theft risk, to drained bank accounts, the threats are real and impact millions of consumers. A key challenge for the incoming 114th Congress will be to implement long-needed reforms that will protect American consumers' personal data from malicious use by criminal hackers.
Project 2020
Scenarios for the Future of Cybercrime -
White Paper for Decision Makers
Contents
1. About Project 2020 3
2. Implications for Cybersecurity Stakeholders 3
3. Cybercriminal Threats 6
4. The View from 2012 8
5. Scenario Narratives for 2020 10
a. Citizen - Kinuko 10
b. Business - Xinesys Enterprises and Lakoocha 14
c. Government - South Sylvania 19
6. Beyond 2020 24
Appendix – Scenario Method 25
1. About Project 2020
Project 2020 is an initiative of the International Cyber Security Protection Alliance (ICSPA). Its aim is to anticipate the future of cybercrime, enabling governments, businesses and citizens to prepare themselves for the challenges and opportunities of the coming decade. It comprises a range of activities, including common threat reporting, scenario exercises, policy guidance and capacity building.
The scenarios in this document are not predictions of a single future. Rather, they are descriptions of a possible future, which focuses on the impact of cybercrime from the perspectives of an ordinary Internet user, a manufacturer, a communications service provider and a government. The events and developments described are designed to be plausible in some parts of the world, as opposed to inevitable in all. They take their inspiration from analysis of the current threat landscape, the expert opinion of ICSPA members and extensive horizon scanning, particularly of emerging technologies.
The European Cybercrime Centre (EC3) at Europol and the ICSPA would like to express their heartfelt thanks to the Global Review Panel of experts from governments, international organisations, industry and academia who took the time to validate the scenarios. This document is undoubtedly the better for it.
2. Implications for Cybersecurity Stakeholders
The scenarios presented in Section 5 raise a number of questions to be answered by today’s stakeholders and decision makers. These include:
• Who owns the data in networked systems, and for how long?
• Who will distinguish between data misuse and legitimate use, and will we achieve consistency? What data will the authorities be able to access and use for the purposes of preventing and disrupting criminal activity?
• Who covers (and recovers) the losses, both financial and in terms of data recovery?
• Who secures the joins between services, applications and networks? And how can objects that use different technologies operate safely in the same environment?
• Do we want local or global governance and security solutions?
• Will we be able to transit to new governance and business models without causing global shocks, schisms and significant financial damage?
If these questions remain unanswered, or the responses are uncoordinated, we risk imposing significant barriers to the technological advantages prom.
The growing awareness of the need of protecting personal information, as well as the necessity for companies to be more accountable for their data collecting and use policies, is driving the trend towards more transparency in data privacy.
A1 - Cybersecurity - Raising the Bar for Cybersecurity (Spark Security)
In the past few years, a new approach to cybersecurity has emerged, based on the analysis of data on successful attacks. In this approach, continuous diagnostics and mitigation replace the reactive network security methods used in the past. The approach combines continuous monitoring of network health with relatively straightforward mitigation strategies. The strategies used in this approach reduce the opportunities for attack and force attackers to develop more sophisticated (and expensive) techniques or to give up on the target. In combination, continuous monitoring and mitigation strategies provide the basis for better cybersecurity.
Pending legislation in Congress would protect whistleblowing about cybersecurity and data privacy. In the interim, some existing federal and state whistleblower protection laws provide limited protection for cybersecurity and data privacy whistleblowing.
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017 (Wendy Knox Everette)
What sort of legal and policy choices would lead to more secure and safer software and computing-enabled devices? The patchwork of existing legal regimes in the US is based on regulations imposed on a few verticals (finance, healthcare, and education in particular), and a complex web of compliance frameworks, contractual provisions, and consumer lawsuits. As we think about making software safer and more secure for users, the policy choices we preference now may have long reaching effects. This talk will explore the implications of relying on software liability or other ex-post options vs. regulations or similar ex-ante choices.
SECURITY AND SAFETY OF THE POWER GRID AND ITS RELATED COMPUTER INF.docx (bagotjesusa)
Security and safety of the power grid and its related computer information systems
Name of the student:
Name of the institution:
There has been increased use and application of information and communication technologies in most critical infrastructures and departments of the government. They have proved to be fundamentally significant in helping the various departments carry out their daily activities with a great deal of ease and proficiency. However, these systems have also opened up considerable unforeseen opportunities, both positive and negative. The infrastructures have become highly efficient and flexible, and this has been very beneficial to the people. On the other hand, there have been persistent problems with cybercrimes and hackers who have outsmarted the government and the established security protocols every now and then. This has made the state lose billions of dollars through the theft of its secrets and high-level information. In this case, it is right to analyze all the general measures that can be put in place to prevent cybercrimes as well as threats. It is hence important to validate all the necessary measures that need to be put in place in every organization. The paper will hence give recommendations that can help the named organization solve the issues mentioned.
To address this issue, proper precautions need to be put in place. The government has to demonstrate preparedness in combating this crime, both in terms of the systems put in place and also the legal jurisprudence (Higgins, 2016). The US power grid system is an interconnected system made up of power generation, transmission software, and distribution, with the capacity to bring down the whole economy if not well protected. The nation's Department of Defense (DoD) is one of the most critical and sensitive institutions and can paralyze the state if tampered with by unscrupulous individuals. The situation is even worse if there is an advanced persistent threat (APT) against the computers and software that operate the Western Interconnection power grid. This needs an urgent measure to remove the threat immediately and avoid its recurrence. We recommend that the concerned departments take the following measures for the security and safety of the power grid and its related computer information systems:
a. Creation of a special branch that is specifically dedicated to cyber security
It is high time for the government to come up with a special branch of military personnel that will be dedicated to fighting cybercrimes (Higgins, 2016). Its main function will be to detect cybercrime activities, to develop mechanisms to prevent cybercrimes, and to apprehend, arrest and arraign cyber criminals in a court of law.
b. Creation of special court to determine cybercrime cases
Security and safety of the power grid and its related computer information systems and those crimes associated w.
Similar to Forecast cybersecurity regulation v3 (20)
The Strategic Value of offloading non core functions as a cost saver and empowering the business to better focus on you core competence is rarely questioned - WHEN DONE WELL.
You don't own your Brand....your customers define it for you. What you do - how you do it - how consistent are you - online - in person - customer support ?
The Team Member and Guest Experience - Lead and Take Care of your restaurant team. They are the people closest to and delivering Hospitality to your paying Guests!
Make the call, and we can assist you.
408-784-7371
Foodservice Consulting + Design
Artificial intelligence (AI) offers new opportunities to radically reinvent the way we do business. This study explores how CEOs and top decision makers around the world are responding to the transformative potential of AI.
Specific ServPoints should be tailored for restaurants in all food service segments. Your ServPoints should be the centerpiece of brand delivery training (guest service) and align with your brand position and marketing initiatives, especially in high-labor-cost conditions.
408-784-7371
Foodservice Consulting + Design
The case study discusses the potential of drone delivery and the challenges that need to be addressed before it becomes widespread.
Key takeaways:
Drone delivery is in its early stages: Amazon's trial in the UK demonstrates the potential for faster deliveries, but it's still limited by regulations and technology.
Regulations are a major hurdle: Safety concerns around drone collisions with airplanes and people have led to restrictions on flight height and location.
Other challenges exist: Who will use drone delivery the most? Is it cost-effective compared to traditional delivery trucks?
Discussion questions:
Managerial challenges: Integrating drones requires planning for new infrastructure, training staff, and navigating regulations. There are also marketing and recruitment considerations specific to this technology.
External forces vary by country: Regulations, consumer acceptance, and infrastructure all differ between countries.
Demographics matter: Younger generations might be more receptive to drone delivery, while older populations might have concerns.
Stakeholders for Amazon: Customers, regulators, aviation authorities, and competitors are all stakeholders. Regulators likely hold the greatest influence as they determine the feasibility of drone delivery.
Senior Project and Engineering Leader Jim Smith.pdfJim Smith
I am a Project and Engineering Leader with extensive experience as a Business Operations Leader, Technical Project Manager, Engineering Manager and Operations Experience for Domestic and International companies such as Electrolux, Carrier, and Deutz. I have developed new products using Stage Gate development/MS Project/JIRA, for the pro-duction of Medical Equipment, Large Commercial Refrigeration Systems, Appliances, HVAC, and Diesel engines.
My experience includes:
Managed customized engineered refrigeration system projects with high voltage power panels from quote to ship, coordinating actions between electrical engineering, mechanical design and application engineering, purchasing, production, test, quality assurance and field installation. Managed projects $25k to $1M per project; 4-8 per month. (Hussmann refrigeration)
Successfully developed the $15-20M yearly corporate capital strategy for manufacturing, with the Executive Team and key stakeholders. Created project scope and specifications, business case, ROI, managed project plans with key personnel for nine consumer product manufacturing and distribution sites; to support the company’s strategic sales plan.
Over 15 years of experience managing and developing cost improvement projects with key Stakeholders, site Manufacturing Engineers, Mechanical Engineers, Maintenance, and facility support personnel to optimize pro-duction operations, safety, EHS, and new product development. (BioLab, Deutz, Caire)
Experience working as a Technical Manager developing new products with chemical engineers and packaging engineers to enhance and reduce the cost of retail products. I have led the activities of multiple engineering groups with diverse backgrounds.
Great experience managing the product development of products which utilize complex electrical controls, high voltage power panels, product testing, and commissioning.
Created project scope, business case, ROI for multiple capital projects to support electrotechnical assembly and CPG goods. Identified project cost, risk, success criteria, and performed equipment qualifications. (Carrier, Electrolux, Biolab, Price, Hussmann)
Created detailed projects plans using MS Project, Gant charts in excel, and updated new product development in Jira for stakeholders and project team members including critical path.
Great knowledge of ISO9001, NFPA, OSHA regulations.
User level knowledge of MRP/SAP, MS Project, Powerpoint, Visio, Mastercontrol, JIRA, Power BI and Tableau.
I appreciate your consideration and look forward to discussing this role with you, and how I can lead your company’s growth and profitability. I can be contacted via LinkedIn, by phone or by e-mail.
Jim Smith
678-993-7195
jimsmith30024@gmail.com
Forecast cybersecurity regulation v3
Summary
Due to the volatility, force and pace with which technological innovation is moving through the
global economy, cyber risk has become the biggest contemporary threat to all actors, especially
private enterprise.
Taking a regulatory perspective must be a key part of any successful overall strategy. However, as regulations grow increasingly complex, doing the minimum in compliance is no longer enough. It is increasingly evident that governments and customers will view a provider’s security posture less from a compliance perspective and more as a competitive differentiator. A provider of products and services will have to consider compliance simply as the ante to earn the right to compete in the marketplace.
Drivers for regulations are most abundant in Financial Services; Healthcare;
Telecommunications; Critical Infrastructure and Government systems.
Despite high profile breaches — from Target to Yahoo — legislation to toughen data protection
standards hasn't gained traction, but it's not for lack of an effort.
A search for "cyber security" yields 141 pieces of legislation — including bills and amendments
— that have gone before the 115th Congress with those words in the title or body and cover a
variety of areas.
Given the current focus of the Administration to “deregulate” and a partisan Congress, it is less likely that sweeping new national regulation will be realized over the next two years. This means that the States (as we are seeing from California, Maryland and New York) will be driving a great deal of the regulatory changes. It is more than fair to say that regulation alone does not make any system more secure. Coming to terms on consistent metrics will be key. One cannot manage what one cannot measure.
The Challenge in Cybersecurity Regulation
Cybersecurity is a fast-morphing mix of adapting new behaviors in people to new ways of doing things, with even newer technologies. This means that making any assumptions about what regulations will be needed six days, six weeks, and six months from now is more than problematic. Most legislation is initiated well after the fact and driven by a wave of litigation and special interest lobbying. Meaningful cyberwarfare requires a more expeditious approach.
CYBERSECURITY REGULATIONS ORLANDO, JOE [US-US]
To regulate something, you must know all the players; the expected and desired actions of each
of the players and the mutually agreed upon desired outcome. To leverage the sports
metaphor, we know the right number of players in the game; their positions relative to one
another and what it means to score a point.
In the cyber world, we can’t know all the players; we cannot predict “how” they will arrive to
play; whether they come to “score points” or to simply disrupt the game; and the rules, as
outlined, are merely guideposts for what to avoid. And, currently, only one team plays offense
and the other defense, throughout the competition. This game never ends.
In order for citizens, governments, and industries to be able to begin to effectively regulate
cybersecurity, we must find a common definition of terms; a comprehensive series of
meaningful metrics; a consensus on approach; a consistent application across geographies; a
constructive incentive scheme and a crushing global deterrent.
The current internet infrastructure and regulatory frameworks are poorly tailored to keep pace with the evolution of the internet and the digital realm in general. A very significant number of NIST publications are in the process of being revised, rewritten and/or retired based on the introduction of new technologies and the obsolescence of others, and most of these publications were written in this millennium. NIST Special Publication 800-53 Rev. 1 was published in 2008.
Therefore, a majority severely lag behind present technology and threat level awareness. This is
because the internet infrastructure was not designed to cope with present data quantities and
the myriad of actors challenging the very scope and content of it.
Cyber security legislation and compliance – if it comes into force – is ever-shifting. Consequently, it is crucially important that companies anticipate tomorrow’s regulatory environment. In particular, when they are active in multiple jurisdictions, it is fundamental to systematically track evolving laws and regulations in order to be able to respond to legal and political challenges on time.
Which Laws Kick Started Cyber Regulations?
There are three main federal cybersecurity regulations:
• 1996 Health Insurance Portability and Accountability Act (HIPAA)
• 1999 Gramm-Leach-Bliley Act
• 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA)
These three regulations mandate that healthcare organizations, financial institutions, and
federal agencies should protect their systems and information. However, these rules are not
foolproof in securing the data and require only a “reasonable” level of security.
For example, FISMA, which applies to every government agency, “requires the development
and implementation of mandatory policies, principles, standards, and guidelines on information
security”.
But, these regulations do not address numerous computer-related industries, such as Internet
Service Providers (ISPs) and software companies. Furthermore, the vague language of these
regulations leaves much room for interpretation.
More Recent Federal Cybersecurity Laws
In a recent effort to strengthen its cyber security laws, the federal government is introducing several new cyber security laws as well as amending the older ones for a better security ecosystem. Amendments and expansion of these existing laws could happen well before any new regulation is passed. Below are a few of them:
• Cybersecurity Information Sharing Act (CISA): Its objective is to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate on October 27, 2015.
• Cybersecurity Enhancement Act of 2014: It was signed into law December 18, 2014. It provides an ongoing, voluntary public-private partnership to improve cybersecurity and strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
• Federal Exchange Data Breach Notification Act of 2015: This bill requires a health insurance exchange to notify each individual whose personal information is known to have been acquired or accessed as a result of a breach of security of any system maintained by the exchange as soon as possible, but not later than 60 days after discovery of the breach.
• National Cybersecurity Protection Advancement Act of 2015: This law amends the Homeland Security Act of 2002 to allow the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC) to include tribal governments, information sharing and analysis centers, and private entities among its non-federal representatives. There have been very recent moves to create centers for cybersecurity expertise and focus driven out of the DHS.
Since most regulation results from a great deal of litigation and a well documented history of cyber security losses, sustainable regulation has to be driven by collaborative efforts on both sides of the aisle in Congress. In the current session of Congress, over 141 pieces of cyber-related legislation have been introduced.
Working against rapid adoption of many of these efforts are aggressive efforts by the current Administration to deregulate; lobbying by industries resisting regulation; partisan politics; lack of consistent interpretation of terms, outcomes, approaches, metrics and enforcement entities; jurisdictional conflicts; geographic dispersion; and the absence of a genuine economic incentive.
Note: To explore the Acts (and Amendments) in Congress in this session regarding Cybersecurity:
https://www.congress.gov/search?q=%7B%22congress%22%3A%22115%22%2C%22source%22%3A%22legislation%22%2C%22search%22%3A%22cybersecurity%22%7D&searchResultViewType=expanded
In the Absence of Federal Laws We Will See More from State Laws
State governments also have taken sincere measures to improve cyber security by increasing
public visibility of firms with weak security.
Cybersecurity Laws of California
In 2003, California passed the Notice of Security Breach Act, which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. The security breach regulations punish firms for their cyber security failures while giving them the freedom to choose how to secure their systems.
This regulation creates an incentive for companies to proactively invest in cyber security to avoid potential loss of reputation and economic loss. This worked well for California, and several other states have since implemented similar security breach notification regulations.
Cyber Security Laws of New York
The financial services industry is a significant target of cyber security threats. Over the
past few years, the New York State Department of Financial Services (“DFS”) has been
closely monitoring the ever growing threat posed to information and financial systems
by nation-states, terrorist organizations, and independent criminal actors.
Given the seriousness of the issue and the risk to all regulated entities, certain
regulatory minimum standards are warranted, while not being overly prescriptive so
that cyber security programs can match the relevant risks and keep pace with
technological advances.
Accordingly, this regulation is designed to promote the protection of customer
information as well as the information technology systems of regulated entities. This
regulation requires each company to assess its specific risk profile and design a program
that addresses its risks in a robust fashion.
The New York Cyber Security regulation has been effective since March 1, 2017.
Covered Entities will be required to annually prepare and submit to the superintendent
a Certification of Compliance with New York State Department of Financial Services
Cybersecurity Regulations commencing February 15, 2018.
More State Regulations to Come
Cybersecurity continues to be a concern for government and the private sector. It has
enormous implications for government security, economic prosperity and public safety.
States are addressing cybersecurity through various initiatives, such as providing more funding
for improved security measures, requiring government agencies or businesses to implement
specific types of security practices, increasing penalties for computer crimes, addressing threats
to critical infrastructure and more.
At least 35 states, D.C. and Puerto Rico introduced/considered more than 265 bills or
resolutions related to cybersecurity. Some of the key areas of legislative activity include:
• Improving government security practices.
• Providing funding for cybersecurity programs and initiatives.
• Restricting public disclosure of sensitive government cybersecurity information.
• Promoting workforce, training, economic development.
At least 22 states have enacted 52 bills so far in 2018. Every day, more regions introduce new privacy and data protection bills on their way to becoming law.
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx
A Glimpse into a Globalized Regulatory Future
Nothing in recent history has had a global impact on industry as much as the General Data
Protection Regulation (GDPR). The expected departure of the UK from the EU (Brexit) will most
certainly be a catalyst for additional regulation.
By mid-2019, forced compliance with the NIS Directive by the EU member states will take place. Therefore it is important to know whether our business is affected by the NIS, what it requires us to do, and what this might mean in the years to come.
https://www.ncsc.gov.uk/guidance/introduction-nis-directive
The premise behind the NIS Directive is a need to improve the security of network and
information systems across the UK, with a particular focus on essential services which if
disrupted, could potentially cause significant damage to the economy, society and individuals’
welfare.
The technical requirements for the NIS Directive are limited. In order to enforce compliance with local regulation, a government must designate Competent Authorities (CAs) having the power to judge whether operators of critical infrastructure are complying with the regulation. CAs are part of existing government agencies, although their structure can be different in each country. For example, in the UK there is a CA for each sector, such as railroads and energy, whereas Germany relies on a single CA, the BSI (Bundesamt für Sicherheit in der Informationstechnik).
Since the implementation of the NIS in local regulation is very recent, it still has to be shown how these CAs will take on their new responsibilities.
A Small Sample of New Global Requirements
Cyber standards are being raised throughout Europe and Asia as well, with national
governments encouraging tighter security measures when working with the private sector.
European Union: The new Network and Information Security (NIS) Directive calls for additional security protocols specific to government agencies when utilizing digital service providers and considers extending these measures to contractors and suppliers.
United Kingdom: In order to qualify for government awards, private sector government contractors must comply with the Cyber Essentials Scheme, involving protection of citizens’ personal information or government data classified at the “Official” level and above. From 1 October 2014, Government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme (base cost of about £300).
https://www.cyberessentials.ncsc.gov.uk
Australia: Government contractors and suppliers must comply with Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) requirements; the Department of Finance requires suppliers to include data protection plans using industry-accepted standards with their proposals/contracts, and suppliers are required to report breaches.
Australia’s Notifiable Data Breaches scheme
The NDB scheme applies from 22 February 2018 to all agencies and
organizations with existing personal information security obligations under the
Privacy Act. It was established by the passage of the Privacy Amendment
(Notifiable Data Breaches) Act 2017.
The scheme includes an obligation to notify individuals whose personal
information is involved in a data breach that is likely to result in serious harm.
The notification must include recommendations about the steps individuals
should take in response to the breach. The Australian Information Commissioner
(Commissioner) must also be notified of eligible data breaches.
Who must comply with the NDB scheme?
The NDB scheme applies to agencies and organizations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organizations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
Breach Notification Form:
https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB
Japan: Contractors are required to abide by security policies aligned with government
procurement guidelines.
To Anticipate What Will Need Regulating
Regulations become dated the moment they are placed into effect. Trying to anticipate where
regulation will be needed can be driven by what trends in technologies we can forecast.
These trends bring together technologies with the potential to initiate lasting transformation in
the digital ecosystem, which we define as all of the infrastructure, software applications,
content, and the social practices that determine how the ecosystem is used. The largest trends
are as follows:
1. Cloud computing
2. Big data
3. The Internet of things
4. Mobile Internet
5. Brain-computer interfaces
6. Near-field communication (NFC) payments
7. Mobile robots
8. Quantum computing
9. Internet militarization/weaponization
10. Blockchain and open journaling technologies
11. Cryptocurrencies
A Consensus on Predictions that will Impact Cybersecurity
1. While governments and private enterprise slowly invest in artificial intelligence to support cyber security, attackers will aggressively invest in AI to aid in their attacks.
2. Growing 5G Deployment will open up a new dimension in cyber-attack surfaces
A number of 5G network infrastructure deployments kicked off this year, and 2019 is
shaping up to be a year of accelerating 5G activity. While it will take time for 5G
networks and 5G-capable phones and other devices to become broadly deployed,
growth will occur rapidly. IDG, for example, calls 2019 “a seminal year” on the 5G front,
and predicts that the market for 5G and 5G-related network infrastructure will grow
from approximately $528 million in 2018 to $26 billion in 2022, exhibiting a compound
annual growth rate of 118 percent.
Over time, more 5G IoT devices will connect directly to the 5G network rather than via a
Wi-Fi router. This trend will make those devices more vulnerable to direct attack. For
home users, it will also make it more difficult to monitor all IoT devices since they
bypass a central router. More broadly, the ability to back-up or transmit massive
volumes of data easily to cloud-based storage will give attackers rich new targets to
breach.
3. IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous
Forms of Attack
4. Attackers will increasingly Capture Data in Transit
In 2019 and beyond, we can expect increasing attempts to gain access to home routers
and other IoT hubs to capture some of the data passing through them. Malware
inserted into such a router could, for example, steal banking credentials, capture credit
card numbers, or display spoofed, malicious web pages to the user to compromise
confidential information.
5. The Supply Chain will Become (more than it already has) an Attack Target
An increasingly common target of attackers is the software supply chain, with attackers
implanting malware into otherwise legitimate software packages at its usual distribution
location. Such attacks could occur during production at the software vendor or at a
third-party supplier. The typical attack scenario involves the attacker replacing a
legitimate software update with a malicious version in order to distribute it quickly and
surreptitiously to intended targets. Any user receiving the software update will
automatically have their computer infected, giving the attacker a foothold in their
environment.
These types of attacks are increasing in volume and sophistication and we could see
attempts to infect the hardware supply chain in the future. For example, an attacker
could compromise or alter a chip or add source code to the firmware of the UEFI/BIOS
before such components are shipped out to millions of computers. Such threats would
be very difficult to remove, likely persisting even after an impacted computer is
rebooted or the hard disk is reformatted.
6. Growing Security and Privacy Concerns Will Drive Increased Legislative and Regulatory
Activity
The European Union’s mid-2018 implementation of the General Data Protection
Regulation (GDPR) will likely prove to be just a precursor to various security and privacy
initiatives in countries outside the European Union. Canada has already enforced GDPR-
like legislation, and Brazil recently passed new privacy legislation similar to GDPR, due to
enter into force in 2020. Singapore and India are consulting to adopt breach notification
regimes, while Australia has already adopted different notification timelines compared
to GDPR. Multiple other countries across the globe have adequacy or are negotiating
GDPR adequacy. In the U.S., soon after GDPR arrived, California passed a privacy law
considered to be the toughest in the United States to date. We anticipate the full impact
of GDPR to become clearer across the globe during the coming year.
At the U.S. federal level, Congress is already wading deeper into security and privacy waters.
Such legislation is likely to gain more traction and may materialize in the coming year.
Inevitably, there will be a continued and increased focus on election system security as the U.S.
2020 presidential campaign gets underway.
While we’re almost certain to see upticks in legislative and regulatory actions to address
security and privacy needs, there is a potential for some requirements to prove more
counterproductive than helpful. For example, overly broad regulations might prohibit security
companies from sharing even generic information in their efforts to identify and counter
attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities
even as they close others.
How Can Regulators Narrow the Gap?
Rather than concede defeat, Regulators can do more to stay abreast of the challenges
presented by emerging technologies if they were to:
1. Develop and deploy permanent monitoring procedures and tools, the purpose of
which will be to monitor the development of the digital ecosystem by surveying the
various actors and interactions, and to assess the effects of these transformations on
cyber security.
2. Align the regulatory regimes applicable to the various infrastructures, applications
and content with the resources and strategies implemented by a growing number of
government actors, as well as their private partners, in order to quickly detect emerging
digital risks and limit their impact on a constantly evolving ecosystem.
3. Initiate an in-depth consultation and reflection exercise to formulate proposals on
how to restructure existing government institutions or create new ones to adapt the
government’s intervention and coordination abilities to the new needs.
4. Intensify empirical research on the transformations of risks, standards and practices
associated with privacy protection in the digital ecosystem.
5. Accentuate coordination and knowledge-transfer initiatives of national and state
authorities in order to accelerate and standardize the development of local capabilities.
This will require a near complete collaboration of efforts at the local, national and international levels.
One recognized and recommended approach is for the Federal Government to establish a
single Agency with a consolidating charter and authority to drive advancements in
cybersecurity.
To succeed, the national cybersecurity agency should have appropriate statutory powers. Currently, most national cybersecurity agencies are established not by statute but by the delegation of existing powers by other parts of government. We anticipate that this approach will need to change with the passage of comprehensive cybersecurity laws. The delegation of existing powers, which may be subject to multiple underlying regulations, may not be sufficient to provide the national cybersecurity agency with all of the powers it requires to effectively carry out its new functions.
Currently, the Department of Justice has both the FBI and the National Cyber Investigative Joint Task Force (NCIJTF). The Department of Homeland Security and the Office of the Director of National Intelligence (DNI) apply themselves to the Cyber Threat Intelligence Integration Center. Meanwhile, the Federal Trade Commission (FTC), the Secret Service and the National Institute of Standards and Technology (NIST) make occasional joint efforts to bolster the nation’s cybersecurity readiness. In February 2018, the Department of Energy (DOE) announced the establishment of the Office of Cybersecurity, Energy Security and Emergency Response (CESER). The DOE’s program is intended to focus on the country’s energy infrastructure.
COMPLIANCE as a Leader and Not Simply a Monitor
Cyber security risk usually extends to all business units, operational units, employees and key third parties. That is why the compliance function is growing as a critical role. Whenever organizations need to do something in an ongoing and systematic way, where people are to be held accountable, Compliance is front and center. Here are five ways Compliance can play a pivotal role in a cross-functional approach to cyber security.
1. Own or Implement a Cyber Risk Assessment
Compliance regularly operates in the world of risk assessments and understands how to
identify an organization’s greatest risk by developing a comprehensive risk profile. With a full
understanding of a company’s risks and threats, Compliance can guide an organization’s
approach and control environment to effectively manage and mitigate risks while at the same
time deploying scarce resources toward the most significant among them.
2. Embed Regulatory Requirements into Business Operations
As with other enterprise-wide risks, cyber security is a regulatory compliance challenge for an
increasing number of companies. As mentioned above, there is a growing number of fairly
nuanced regulations addressing cyber security that apply to private and public sectors, specific
industries, and specific data sensitivities. The compliance function has the competence to
design and implement policies, procedures and controls that meet these requirements.
3. Connect the Functional Dots Across the Organization
Cyber security is an enterprise-wide risk and requires a cross-functional approach for
management. Compliance is skilled in building a systematic approach across an enterprise. It
has the regular contact and seniority to engage effectively with the C-suite, Legal, HR and other
functional and operational teams. Compliance can connect the dots across an organization.
4. Address the “People & Processes” of Cyber Security
Cyber security involves an integrated approach to “people, processes and technology.” The
compliance function has deep insights into how to engage broadly with employees and how to
collect and analyze data through the monitoring and audit processes needed to manage risks.
This proficiency in influencing employee behavior and organizational culture is a necessary skill that complements the protection efforts deployed by the technology function.
5. Developing & Tracking Program KPIs
As another aspect of monitoring, Compliance has expertise in developing key performance
indicators (KPIs) and specific metrics to track progress and ROI, as well as developing a rhythm
for board reporting, and reporting externally, as appropriate. Consistent application of KPIs will
help cyber security programs mature over time with a cadence toward continuous
improvement. Being on a trajectory of maturing practices not only builds stronger resilience but
also demonstrates to customers, partners and regulators, as needed, a commitment to risk
management, compliance and best practices.
Now, more than ever, Compliance must play an integral part in any organization’s cross-
functional cyber security program to make sure such efforts are enterprise-wide, consistent
with regulatory requirements and embedded in how the company operates and its people
conduct their work. As with other compliance issues, organizations will need to be in a position
to tell their story of continuous improvement through KPIs, metrics and demonstration of using
best practices.
CONCLUSION
There are cries to regulate the disruptive tech giants to include Google, Amazon, Twitter and
Facebook. Not only are their business models being scrutinized but the pervasiveness of their
emerging connected environments (auto driving vehicles; artificial intelligence; Internet of
Things; telecommunications and more!) challenges the idea of effective self-regulation.
Not to make a political statement, but in the next two years under an administration bent on deregulation (as we have seen with many consumer protection laws, environmental and financial services regulation) and with partisan divisions, we are less likely to see any major sweeping national regulations get through Congress. This will mean that the individual States (as we are seeing with California, New York and Maryland) will drive more regulating strategies.
Final thoughts
Perhaps redundantly, it has to be stressed that cybersecurity should not and cannot be driven
by regulation. Regulatory relief comes too late. The drivers of innovation and inventiveness
come from business drivers and the strong desire to “be first!” in a competitive society.