Managing risk is important across an organization in order to stay in compliance with laws and regulations and also to maintain the trust of your customers. Understanding the risks your organization faces or may face allows you to make the necessary decisions to secure your business.
Defining Risk Management
Risk Management Teams work within the organization with key stakeholders to identify, assess, and build mitigation strategies for risks or impactful uncertainties the organization identifies. These risks can stem from a variety of sources, like financial uncertainty, management or employee errors, cybersecurity threats, regulatory changes, or natural disasters.
The goal of a risk management plan is not only to manage risks so that negative outcomes are prevented or reduced, but also to inform and direct strategic decision making. While each risk should be evaluated individually, it’s also important to consider how individual risks relate to each other, and whether a single treatment plan could address a group of related risks.
By enabling a Risk Management Team to operate appropriately, companies can implement operational and budgetary strategies and demonstrate compliance with industry standards and regulations.
Mitigating risks and managing compliance when collecting behavioral data isn’t vastly different from many risks that an organization faces, and can typically be addressed in similar manners.
Conduct a risk assessment
Working with your risk management team to perform a risk assessment can help you identify whether collecting and using the behavioral data aligns with your internal risk strategies. An internal risk assessment allows you to examine the threats and vulnerabilities your organization faces that may lie outside the questions external auditors ask.
Effective risk assessment, management, and mitigation strategies are complex and challenging, especially as both the threat and legal landscape evolve, but they’re a vital part of any organization, especially those collecting personal information.
Adopt a cybersecurity framework
Most modern security frameworks, such as SOC 2 (built on the AICPA Trust Services Criteria) or ISO 27001 (security) with its ISO 27701 privacy extension, include controls for risk assessment and treatment and allow your security and privacy programs to be audited by an external firm to confirm that the relevant controls are in place and operating. If risk management is the only control set your organization needs to implement, ISO 31000 provides principles and a process for managing risk in any organization. Regardless of the framework chosen.
Understand regulatory requirements for data collection
If you collect data that is protected under one or more data protection laws or regulations, that should be considered prior to collection. There are valid reasons to collect personal data, but it brings with it a need to protect that data appropriately based on what data points are collected. Understanding the regulatory requirements for the data that you collect is vital.
Understand the expectations of your organization vs those of the contracted third party collecting the data
It’s important to know which party is responsible for the different aspects of the data collection process, including processing, storing, and securing the data. This is often managed during the contract negotiation phase of the process, and both parties should clearly understand their responsibilities as well as the responsibilities of the second and potentially third parties.
It’s also important to know if the contracted party intends to use the collected data for any purposes other than the contracted services offered. If this is allowed by your organization, it would be a risk that should be accounted for.
Mitigation measures
Ensure data is encrypted in transit and at rest
Modern browsers attempt HTTPS by default and show warning pages for sites with invalid or missing TLS certificates, so the browser-to-server leg of encryption in transit is largely handled for you. Two things remain your responsibility: confirming that every other hop (vendor to your systems, API exports, backups) also uses TLS, and encrypting the data at rest with a current standard such as AES-256, with the keys held in a key management service separate from the data store so that a copied disk or storage bucket is useless without them.
Use SSO with MFA
SSO (typically SAML or OpenID Connect) centralizes authentication at your identity provider, so your own password policy and MFA requirement apply to every connected SaaS application, even one whose built-in authentication doesn’t meet your security standards. Password security advice has changed over time; NIST SP 800-63B is the current recommendation and our guiding standard. SSO also reduces password fatigue, since staff no longer have to remember a separate password for every application. One caveat: confirm with the vendor that local username/password login is disabled once SSO is enabled, otherwise the vendor’s weaker login path remains available alongside yours.
Know who has access to your data
Periodic access reviews give you visibility into which employees have access to collected data and record when access is granted or revoked. According to Verizon’s Data Breach Investigations Report, 74% of all breaches involved a human element (privilege misuse, use of stolen credentials, social engineering, or other human error), making it critical that organizations know which employees have access to which tools and data sets.
Review configuration settings
As well as reviewing who has access to collected data, it’s vitally important to regularly review the configuration settings of the application(s) that are collecting data, comparing them against the baseline that was approved for the project, to confirm they haven’t been changed and still meet the requirements of the collection project.
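Both of the reviews above come down to the same check: compare an approved baseline (who should have access, and how the collection tool should be configured) against what the tool actually reports today, and write down every difference. The script below is an added example, not code from the original article or from any particular vendor; the baseline, the observed snapshot, the e-mail addresses and the setting names are all constructed for illustration. In practice the observed snapshot would be pulled from the vendor’s admin API or an access export, and the findings list would go into the review record.

```python
"""Periodic access and configuration review: diff an approved baseline
against the state the data-collection tool currently reports.

Added example; all data below is constructed for illustration."""

from typing import Any

# Constructed sample: the state signed off when the collection project was approved.
APPROVED_BASELINE = {
    "access": {
        "alice@example.com": "admin",
        "bob@example.com": "analyst",
        "carol@example.com": "viewer",
    },
    "settings": {
        "data_retention_days": 90,
        "ip_anonymization": True,
        "export": {"allowed_domains": ["example.com"], "require_approval": True},
    },
}

# Constructed sample: what the tool reports at review time.
OBSERVED_SNAPSHOT = {
    "access": {
        "alice@example.com": "admin",
        "bob@example.com": "admin",        # role raised since approval
        "dave@example.com": "viewer",      # account added without approval
        # carol@example.com no longer present
    },
    "settings": {
        "data_retention_days": 365,        # retention extended
        "ip_anonymization": True,
        "export": {"allowed_domains": ["example.com", "partner.test"], "require_approval": True},
    },
}

# Hypothetical role ordering used to tell a privilege increase from any other change.
ROLE_RANK = {"viewer": 0, "analyst": 1, "admin": 2}


def _flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Turn nested dicts into dotted keys (settings.export.allowed_domains) so that
    a change deep inside a settings block is reported at the exact key. Lists are
    treated as leaf values and compared whole."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    out: dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        out.update(_flatten(value, path))
    return out


def diff_state(baseline: dict, observed: dict) -> dict[str, dict]:
    """Report drift in three buckets: keys only in the observed state (added),
    keys only in the baseline (removed), and keys in both whose values differ (changed)."""
    b, o = _flatten(baseline), _flatten(observed)
    return {
        "added": {k: o[k] for k in o.keys() - b.keys()},
        "removed": {k: b[k] for k in b.keys() - o.keys()},
        "changed": {k: (b[k], o[k]) for k in b.keys() & o.keys() if b[k] != o[k]},
    }


def review_findings(baseline: dict, observed: dict) -> list[str]:
    """Turn the diff into review findings. Access grants that were never approved and
    role increases are called out separately, because those are the cases that most
    often need an owner to act rather than simply re-approve."""
    drift = diff_state(baseline, observed)
    findings: list[str] = []
    for key, value in sorted(drift["added"].items()):
        findings.append(f"UNAPPROVED: {key} present with value {value!r} (not in baseline)")
    for key, value in sorted(drift["removed"].items()):
        findings.append(f"MISSING: {key} (baseline had {value!r})")
    for key, (old, new) in sorted(drift["changed"].items()):
        if key.startswith("access.") and ROLE_RANK.get(new, 0) > ROLE_RANK.get(old, 0):
            findings.append(f"ESCALATION: {key} {old} -> {new}")
        else:
            findings.append(f"CHANGED: {key} {old!r} -> {new!r}")
    return findings


if __name__ == "__main__":
    for line in review_findings(APPROVED_BASELINE, OBSERVED_SNAPSHOT):
        print(line)
```

An empty findings list is the evidence that the review was performed and nothing drifted; a non-empty one is the list of items that need either a documented re-approval (update the baseline) or a rollback (remove the access, restore the setting). Keeping the baseline in version control gives you the history of who approved each change.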
Train staff on data protection expectations
As important as any of the previous recommendations, training staff on proper data protection expectations and procedures helps to ensure that collected data is kept secure throughout its lifecycle. Training provides several benefits: keeping employees informed of current threats and incidents, both external and internal; empowering staff to bring suspicious activity to the attention of the security team(s) (“See something, say something!”); and building your internal and external culture of cybersecurity.
Build out a suite of policies and procedures in line with internal data practices and external regulatory requirements (GDPR, CCPA, LGPD, etc.)
Lastly, it is crucial to ensure your policy and procedure library is actively managed. This management should involve a dedicated team responsible for keeping the library current with your internal data practices and in line with external regulations. Such proactive maintenance positions your organization well to remain compliant with both existing and potential future regulations that affect your business.