Posts Tagged ‘due diligence’
Saturday, October 3rd, 2015
Businesses must be aware of risks with outsourcing to other countries activities involving personal information. Over the past couple of months I’ve heard over a dozen organizations express their opinion that if they hire organizations outside the U.S. to do work for them, then those organizations are not bound by U.S. laws. Most were from small to midsized organizations and startups. But it was somewhat surprising to hear also hear this sentiment from an organization with multiple locations and thousands of employees. This has been an incorrect belief of far too many organizations for decades.
I’ve also had clients in other countries ask about the need to comply with U.S. laws, such as for HIPAA compliance, when they provide services for U.S individuals and/or businesses. Many believe they do not need to. (more…)
Tags:BA management, data protection, data protection law, Dell, due diligence, Information Security, IT compliance, policies and procedures, power more, powermore, privacy, privacy professor, privacyprof, Rebecca Herold, risk management, vendor management, vendor risks
Posted in BA and Vendor Management, Information Security, Privacy and Compliance | No Comments »
Tuesday, February 25th, 2014
Recently I’ve heard in various discussion venues the argument that information security controls are an impediment to technology use, and that instead we should look at demotivating the hackers. With specific regard to medical devices, one commenter stated that generally, the best “bet in defending medical devices (as well as financial systems) is making the information useless/pointless for the attackers.” This is a dangerous attitude, and minimizes the true value of data on the devices.
Considering data on any type of computing device is considered (more…)
Tags:audit, awareness, compliance, data protection, due diligence, hack, hacker, hacking, IBM, Information Security, information security policy, infosec, laws, medical device, midmarket, mobile device, non-compliance, outsourcing, penalties, personal information identifier, personal information item, policies, privacy, privacy policy, privacy professor, privacyprof, punishment, Rebecca Herold, risk assessment, risk management, sanctions, security, security procedure, training, vendor
Posted in Information Security, privacy | No Comments »
Saturday, February 1st, 2014
I first started working on truly easily mobile computing device (not counting the first programmable pocket calculator, or the luggable computers that could not be hidden in your pocket) security in the workplace when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993. They presented some serious information security risks to the company. If the information security risks were considered to be significant 20 years ago, now the new additional information security and privacy risks are comparatively staggering.
Where is it?
Probably the number one risk back then was the tendency to lose or misplace the device. It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, compliance, covered entity, data protection, disclosure, due diligence, Google Glass, IBM, incidental, Information Security, information security policy, infosec, iWatch, midmarket, mobile device, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, third party, training, vendor, vendor contract, vendor oversight, wearable device, wireless
Posted in Information Security, mobile computing | No Comments »
Friday, December 27th, 2013
Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.
“We’ve outsourced that IT activity, so we don’t we don’t need a policy for it.”
The one word reply to this statement is, (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, due diligence, HIPAA, HITECH, IBM, incidental, Information Security, information security policy, infosec, midmarket, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, training, vendor, vendor contract, vendor oversight
Posted in BA and Vendor Management, Information Security | No Comments »
Wednesday, February 20th, 2013
Are you a covered entity (CE) or business associate (BA) as defined by HIPAA? There are literally millions of organizations in the U.S. that fall under these definitions, and possibly additional millions of BAs outside of the U.S. providing services to U.S.-based CEs. The impact is significant, and truly world-wide. If you are a CE or BA, did you know that your information security and privacy activities, or lack thereof, could cause physical harm to patients and insureds, and that you can receive significant penalties under the new HIPAA rules based upon those impacts? (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, breach harm, breach response, business associate, compliance, contracted workers, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, liability, Mega Rule, messaging, midmarket, non-compliance, Obmnibus, outsource, oversight, patients, personal information, personally identifiable information, personnel, physical harm, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in BA, CE, HIPAA, HITECH | No Comments »
Sunday, February 3rd, 2013
Over the years when working with a wide range of organizations, helping them to identify where all forms of their business information (including customer, client, patient and employee information) is located. One of the key activities is identifying and documenting all business associates, service providers, business partners, and all other types of outsourced entities that possess or have other types of access to this information. (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, contracted workers, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, liability, Mega Rule, messaging, midmarket, non-compliance, Obmnibus, outsource, oversight, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in BA | No Comments »
Thursday, January 24th, 2013
A Tale of Two Viewpoints
When I was responsible for information security and privacy at a large financial and healthcare organization throughout the 1990’s I had literally hundreds of business partner organizations to which we outsourced various types of activities that required some type of access to our client and customer information. Add to that several hundred agents and, scarier still because they were not exclusively selling our products, brokers, and you can probably imagine the angst I felt when thinking about the ways in which all those other organizations were putting our information at risk. The contracts with them had a very brief requirement to “provide appropriate security controls” for the information, but that did not alleviate my worries. But, since at that time there were no data protection regulations in effect, the lawyers said this simple clause was enough. And then one of the outsourced entities had an incident resulting from lack of controls which allowed a hacker to enter our network. (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, Mega Rule, messaging, midmarket, non-compliance, Obmnibus, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in Information Security, Laws & Regulations | No Comments »
Sunday, July 22nd, 2007
Here’s another example of the insider threat similar to situations that I’ve heard of happening many times throughout the years through conversations with folks at conferences and other professional meetings.
(more…)
Tags:awareness and training, due diligence, ethics, extortion, Information Security, insider threat, IT compliance, Metropolitan Sewer District, PII, policies and procedures, privacy
Posted in Information Security, Privacy and Compliance, Privacy Incidents | 2 Comments »
Sunday, March 26th, 2006
In this episode I briefly discuss the current privacy concerns and business activities regarding the safeguarding of personal information and the types of impact incidents have upon business; the challenges associated with protecting personal information (both consumer and employee), and ways to address these challenges to avoid ending up in the newspaper as the next privacy incident headline; and the need to address privacy issues within business processes, not only to meet regulatory requirements but also to demonstrate due diligence, support business goals and build business value.
Tags:data protection, due diligence, personal information protection, Podcast, privacy, privacy incident, privacy issues, regulatory requirements
Posted in Podcast | No Comments »
