DIY CISO

Where does a CISO start? There are many approaches. NIST and ISO 27001 are the big ones, and they are often used as the foundation of other cyber security frameworks. The standards often run 250-500 pages (NIST SP 800-53A Rev. 4 is 487 pages long) because they cover security in depth; a large chunk of that material only really applies to US Government entities.

You must go to this depth if you wish to determine your organizational risk. The job of a CISO is to work with the organization's IT team through the framework, prioritizing cost, time, and risk for the organization, and then to begin the process of continuous improvement. NIST refers to the stages of this process as maturity levels.

All organizations will ultimately need to meet some sort of security standard, even if self-imposed; healthcare in Ontario for example is responsible for up to $500,000 in damages per breach. Starting the process now will enable the cost and time to be spread across multiple budget years.

This process is similar to an accounting audit. An independent third party verifies, and then your organization can work at resolving the issues discovered in the process.

SANS Policy Templates

As covered in an earlier blog post, SANS provides free policy templates that you can use and modify to your own needs.

There’s no excuse for not having policies; remember to include your legal representative and get their input after customizing the policies to your organization.

Some excellent starting policies to look at:

Government Publications

The Canadian government

Some quality ones to look at first:

The CSA group standards

NIST Computer Security Resources

NIST self-assessment - To be superseded in Summer 2019. 487 pages of awesome depth.

NIST is a very popular standard that is often the basis for new frameworks or industry frameworks. It is an excellent starting point if you do not yet know which framework you will need to comply with, or whether you will require certification.

ISO 27001

CIS 20 Critical Controls

Standards Publications

We are not lawyers; you really should engage your own lawyers. The material below illustrates why.

Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;

  • opinions, evaluations, comments, social status, or disciplinary actions; and

  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

PIPEDA does not generally apply to:

PIPEDA’s 10 principles:

  1. Accountability

  2. Identifying Purposes

  3. Consent

  4. Limited Collection

  5. Limited Use, Disclosure, and Retention

  6. Accuracy

  7. Safeguards

  8. Openness

  9. Individual Access

  10. Challenging Compliance

Requirement to report breaches:

Knowingly failing to report or record a breach will be an offence punishable by fines of up to C$100,000.

Ontario Privacy Act

Substantially similar to PIPEDA above. The organization must have security safeguards in place to protect the personal information. Information may be collected only with consent. All breaches must be reported to the affected persons.

Ontario provides for $5,000 in damages for these violations.

Intrusion upon seclusion

"One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person."    

Ontario has a tort with damages of up to $10,000 for breaching a person's privacy.

The federal government announced late December 2017 that it will pay at least $17.5 million to settle the Condon v. Canada class action lawsuit.

Ontario Health Privacy Act

PHIPA damages are up to $100,000 for individuals and up to $500,000 for organizations.

A healthcare worker had accessed and leaked private health information, distributing the records to third parties. The affected people were alerted as required under PHIPA. This adds the possibility of tort damages on top of the statutory damages above.

Privacy at work in Canada

For example, browsing history recorded by web filters cannot be leaked or used to punish the employee.

Canadian Communications privacy

The common understanding is that Canada is a one-party-consent jurisdiction for recording communications. Typically this is understood to cover telegraphs or phone calls: you can record your own phone calls, but you cannot record other people's. However, this also applies to computer networks, because all communications are covered.

Unauthorized use of computer

Canada’s antispam laws

You must have the consent of the other party before you email them. Some exceptions apply.

Canadian financial institutions

The above is enormously complicated and a major minefield for organizations to navigate without a lawyer.

Canadian Laws

Incident Response