Dear Advisor: How do I know if my company is compliant with security and privacy regulations?

With the log4j vulnerability and the AWS outage this month, I’m getting many requests for advice around security. Since security also goes hand-in-hand with CCPA (for customers in California), GDPR (AKA “right to be forgotten”) and other privacy regulations, such as for healthcare and finance, I’ll share advice that applies to both security and privacy here.

Disclaimer: This is not legal advice, but a framework to help you do this assessment of your company yourself.

My framework for how you can evaluate your company’s security and privacy practices touches on people, process and technology. Once you diagram/answer these questions, you should be able to cross-reference your work against regulations, to see for yourself where the security gaps are in your current process.

Technology

• Data collection: 

  • 1. What data do you collect about all (internal and external) aspects of your customer journeys and business?

    2. Do you need all of the data now – or in the future – to help you make better decisions?

    3. What (potential) PII do you really, really need? And what PII should you consider not even collecting?

    4. Do you have data lineage (such as through dbt) that shows you how all the data sources connect and depend on each other?

• Data storage: 

  • 1. What does the data architecture look like? What are the data sources? 

    2. Is the storage system compliant with your industry’s regulations, such as AWS for HIPAA, HITECH, and HITRUST?

    3. How is it stored and refreshed? 

    4. How long is it stored for? 

    5. Where is the data stored? What zone and specific geo locations is the data stored in?

• Software: Among many things, the log4j vulnerability taught us that we need to know our package dependency graphs, to make sure we’re using only the packages we need. 

Process

• "Request to be forgotten": 

  • 1. What is the deletion process on the company’s side, for handling a “right to be forgotten” request?

    2. How will historical metrics be reconciled following requests to be forgotten? What will you be anonymizing and how?

    3. How will flagging of fraudulent transactions change following requests to be forgotten? 

• Access: 

  • 1. Limit access to identifiable customer data. Does anyone outside of Sales need to know people’s names and emails?

    2. Does everyone need the most granular level of data access? Or are week-over-week trends enough for most teams? 

• Deployment to production: is there a process :) – and is it as automated as possible? With alerts in place when things go wrong? (I've given many talks with advice on deployment of Machine Learning to production here.)

• SOC2 Starting Seven, by Latacora, recommended by Roy Breidi: 7 things to do now to improve security and prepare you for SOC2.

People

• 10 cybersecurity best practices that every employee should know, by Norton

• How can a customer submit the request to be forgotten? What do they need to share with the company to trigger the process?

I’ll admit, this looks deceptively simple, but will take some time to complete. One way to get started is to pick a business question you'll try to answer, and as you work on answering that question, document the answers to the questions here -- to see for yourself where the security gaps are in your current process..

Good luck! Do you need help figuring out what business question to start with, please reach out!

You may also like:

• Column: Your Business Has Lots of Ideas on What To Work On. Here’s How To Decide on What’s Next 

• (Step 2) Dear Advisor: I’d like to make data-driven decisions. Where do I start?

• SOC 2 Checklist by SANS

• National Association of Corporate Directors (NACD)'s 2023 Directors Handbook on Cyber Risk Oversight