Today, we’re pleased to announce availability of RSA Exchange Release R7, which introduces 10 new and two updated offerings, as well as new and updated content. We’re thrilled that our RSA Exchange Technology Partners continue to develop and deliver innovation for RSA Archer customers via the RSA Exchange, and look forward to much more in future releases.
For additional documentation and downloads, check out the RSA Exchange for RSA Archer on RSA Link. Stay tuned for more new RSA Exchange offerings next quarter!
The California Consumer Privacy Act is the latest addition to the privacy regulatory world and it is stirring the conversation about protecting personal data even more. I’ve been a huge fan of Saturday Night Live since the first time I saw it on TV. One of its iconic reoccurring skits was “The Californians”, whose primary theme was explaining how to get from one place to another by using different California roads and highways. As of last week, real Californians have a new topic to discuss that’s a lot more serious: Information Privacy! And the route by which organizations may need to proceed could have as many twists and turns as those classic SNL Californian skits.
What is the California Consumer Privacy Act?
On June 28, “The California Consumer Privacy Act of 2018” was signed into law, extending Californians’ right to privacy. This law strengthens rights of California residents already in place. In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. According to the California Consumer Privacy Act, “fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”
The law provides for:
What does the new California Privacy Law mean to businesses?
The first step, as with all new regulatory changes, is to engage with legal counsel to see how the law may affect your business. According to the law, businesses that do not comply are subject to litigation and sanctions. Any consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
In assessing damages, the court shall consider any one or more of the relevant circumstances, including, but not limited to, the nature and seriousness of the misconduct; the number of violations; the persistence of the misconduct; the length of time over which the misconduct occurred; the willfulness of the defendant’s misconduct; and the defendant’s assets, liabilities, and net worth.
In addition, any person, business, or service provider that intentionally violates the Act may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.
While the amounts involved may appear relatively immaterial, they will certainly be impactful in aggregate as the size of a breach grows. Further, the ill will and reputation risk associated with breaches will be magnified due to press coverage around violating this Act.
The concept that consumers own their information and have the right to control it is the central tenet of the California Consumer Privacy Act. Businesses subject to this regulation have much work to do to ready themselves to accommodate consumer rights to receive notice; to inquire about the information; to refuse sharing; and to delete information. At the same time, businesses handling consumer information must establish a program designed to ensure that reasonable security procedures and practices are implemented and maintained, appropriate to the nature of the information, to protect it from unauthorized disclosure. As with most privacy-related regulations, the California Consumer Privacy Act will prompt businesses to adopt an ongoing, risk-based information security program across their extended enterprise.
No, this Act isn’t funny like SNL’s “The Californians” but it is already being touted as groundbreaking, and the most sweeping privacy legislation passed in the U.S. to date.
Check out RSA Archer’s use cases that are designed to help organizations with privacy challenges: Data Governance and Privacy Program Management in the RSA Archer Regulatory and Corporate Compliance solution
The Labor Shortage
If you haven’t noticed yet, the U.S. economy is booming! The U.S. unemployment rate reported for May stood at 3.8%. Not too many years ago, 5% unemployment was considered by most economists to be full employment. For information security teams, this translates into a huge labor shortage. The Wall Street Journal recently reported that the “…demand for cybersecurity workers is outpacing supply by so much that by 2022, North America will have 265,000 more data-security jobs than skilled workers.” And it’s not just in North America. The Australian press has reported a serious talent war over the shallow pool of risk managers in Australia, while in the EU and U.K. the rise of the data protection officer is the hottest tech ticket in town as a result of the EU General Data Protection Regulation.
Going up: Data Breaches and Vulnerabilities
All of this demand for information security professionals coincides with a massive information security workload.
(1) The Breach Level Index indicates that breaches are continuing to grow nearly 100% per year:
(2) According to the NIST National Vulnerability Database statistics, vulnerabilities continue to increase dramatically in number and severity.
Executive leadership is eager to go digital fast, and information security teams have to figure out how to keep up in order to protect the organization. According to the KPMG 2018 Global CEO Outlook Survey
Information Security Governance Changing
The information tech talent shortage coupled with increasing breaches, increasing vulnerabilities and accelerated change have largely undermined the confidence CEOs have in their organization’s information security programs.
These forces have led to greater scrutiny of information security by Executives and Boards of Directors, who are now mostly requiring that IT Security budgets be approved by them directly, while CTOs, CIOs, and CISOs appear to no longer have much autonomy over their budgets.
Not only is budget approval of information security programs being escalated higher in the organization, but leaders and boards want to know that the money they are allocating is having a positive impact. A recent Deloitte poll of more than 1,130 C-suite and other executives indicated that 62.7% believe Boards of Directors will expect better reporting on the effectiveness of their cybersecurity program.
Where are all of the Security Professionals?
All of these factors are congealing into what I would call a mega trend for information security professionals. The technical and human resource challenges of information security must be countered with smarter and more efficient risk management. Risk management teams must adopt business context-based information security risk management to prioritize initiatives and communicate with the C-Suite and Board (RSA calls this Business Driven Security); and they must implement tools across all aspects of information security risk management and governance that efficiently recapture precious time from each team member so that it can be reallocated to more important problems. Only in this way do information security leaders stand a chance of surviving this mega trend.
With data breaches increasing at a record pace, an Information Security Management System (ISMS) has transformed from an IT buzzword into a necessity for most organizations. According to a report recently released by the Identity Theft Resource Center, there were nearly 1,600 data breaches reported in the United States in 2017. This represents an increase of 44% from figures reported in 2016. More alarming is the average cost of a breach, estimated to be roughly $3.6 million per incident, according to a report conducted by the Ponemon Institute. These numbers are only expected to increase in 2018, necessitating a proactive approach to cybersecurity.
To address the increasing occurrence of data breaches, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published an updated version of ISO 27001 in 2013. Part of the ISO 27000 family of standards, ISO 27001 outlines the policies, processes, and procedures required to implement an ISMS. Regardless of organizational size or type, an ISMS can be applied to secure information assets and manage information in all its forms. Organizations that meet these standards may pursue ISO 27001 certification following a successful audit. Not only is certification useful for protecting valuable data and information assets, but ISO 27001 covers many of the requirements necessary to adhere to the new General Data Protection Regulation (GDPR), which will be in effect May 25, 2018.
To account for updates to ISO 27001, we have released an enhancement to our Information Security Management System offering in version 6.4, released last week. Features new to the release include:
ISMS General Information Section
There are three components crucial to managing an ISMS:
As an organization’s ISMS continues to evolve, these components must be regularly evaluated and refined to ensure that risks facing crucial assets are properly mitigated. The RSA Archer ISMS use case sits at the convergence of these components, allowing users to seamlessly scope assets and stakeholders, manage inherent risk, and apply mitigating controls from a library of ISO 27002 content.
With RSA Archer ISMS users can:
Interested in learning more? Join us for our Free Friday Tech Huddle this Friday, April 27 to hear more about the offering and see a live demo. The Free Friday Tech Huddles are available to existing RSA Archer customers. If you are not yet a customer but interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.
One of the top concerns for IT operations today is ensuring the proper security measures are in place for storage systems. At Dell EMC, we take these requirements seriously, and have invested in industry certifications, dedicated security engineering resources and labs to address security compliance across a variety of government and private sector entities. We know your business depends on protecting your data, and it’s important for our customers to know that their investments in Dell EMC storage systems can help them address their own security requirements. Research firm Enterprise Strategy Group (ESG) validates the importance of cybersecurity, as shown in the following technology spending report:
Source: ESG Research Report, 2018 IT Spending Intentions Survey, Dec 2018
We are proud to announce our security achievements to date for the Dell EMC Unity midrange storage platform, including the completion of the Authorized Products List (APL) listing from DISA (Defense Information Systems Agency). Dell EMC Unity is one of just a handful of midrange storage systems that has been engineered to meet 10 major security compliance requirements, thereby helping to secure sensitive data.
Many of these security compliance objectives are driven by the United States Federal Government and these strict security requirements apply to a variety of public sector environments.
Other industries, including but not limited to banking and retail, directly benefit from these security capabilities designed to meet the stringent Payment Card Industry (PCI) requirements for securing financial transactions. These security features can offer added peace of mind when deploying the full Dell EMC Unity portfolio. In addition, all of our security features are provided at no charge, with no additional licenses required. The following is a list of Dell EMC Unity security capabilities available in the product family today, some of which have achieved specific industry or government security compliance certification for data storage systems.
Dell EMC Unity Security Compliance Features
Customer Spotlight – Defense Health Agency
Meeting the needs of government and federal customers that require compliance with regulations is very important to Dell EMC. One of our federal customers is the Defense Health Agency (DHA), which provides Department of Defense and Department of Veterans Affairs health care providers with global visibility and access to artifacts and images generated during the health care delivery process.
When a vendor changes or upgrades their hardware or software, DHA undergoes intense security vulnerability hardening, systems testing, scanning, and remediation to determine its IA (Information Assurance) compliance with the Department of Defense (DoD) Risk Management Framework (RMF) security controls and security requirements. Currently, DHA is pursuing STIG (Security Technical Implementation Guide) compliance for the new Dell EMC hardware it purchased as part of an overall refresh of its enterprise-wide storage footprint.
“With some vendors, the deployment, installation, and hardening of a SAN can be a complex project,” said Brian Reese, DHA Project Lead, SPAWAR Systems Center Atlantic. “We value our partnership with Dell EMC as we deploy the Dell EMC hardware together. Dell EMC has been critical in supporting the IA compliancy efforts required to get the systems and hardware ready. With the Common Criteria Certification, user-enabled STIG mode now available on the Dell EMC Unity series and many other product improvements that are ideal for federal customers, the deployment process is much shorter and easier.”
Quite simply, Dell EMC has done the hard work for our customers to help them better protect their most critical data assets that reside on Dell EMC Unity storage systems. This work helps facilitate compliance with strict IA requirements while ensuring data and the applications that depend on that data can operate seamlessly with world-class security in place.
For additional security details on Dell EMC Unity, please visit the following links: