Dear Advisor: How do I know if my company is compliant with security and privacy regulations?
December 2021, updated February 2022
With the log4j vulnerability and the AWS outage this month, I’m getting many requests for advice around security. Since security also goes hand-in-hand with CCPA (for customers in California), GDPR (with its “right to be forgotten”) and other privacy regulations, such as those for healthcare and finance, I’ll share advice here that applies to both security and privacy.
Disclaimer: This is not legal advice, but a framework to help you do this assessment of your company yourself.
My framework for how you can evaluate your company’s security and privacy practices touches on people, process and technology. Once you diagram/answer these questions, you should be able to cross-reference your work against regulations, to see for yourself where the security gaps are in your current process.
What data do you collect about all (internal and external) aspects of your customer journeys and business?
Do you need all of the data now – or in the future – to help you make better decisions?
What (potential) PII do you really, really need? And what PII should you consider not even collecting?
What does the data architecture look like? What are the data sources?
Is the storage system compliant with your industry’s regulations? For example, if you store data on AWS, is your setup configured to meet HIPAA, HITECH, and HITRUST requirements?
How is it stored and refreshed?
How long is it stored for?
Where is the data stored? Which zones and specific geographic locations is the data stored in?
What is the deletion process on the company’s side, for handling a “right to be forgotten” request?
How will historical metrics be reconciled following requests to be forgotten? What will you be anonymizing and how?
How will flagging of fraudulent transactions change following requests to be forgotten?
Limit access to identifiable customer data. Does anyone outside of Sales need to know people’s names and emails?
Does everyone need the most granular level of data access? Or are week-over-week trends enough for most teams?
Deployment to production: is there a process :) and is it as automated as possible, with alerts in place when things go wrong? (I've given many talks with advice on deployment of Machine Learning to production here.)
How can a customer submit the request to be forgotten? What do they need to share with the company to trigger the process?
I’ll admit this looks deceptively simple, but it will take some time to complete. One way to get started is to pick a business question you'll try to answer and, as you work on answering it, document the answers to the questions above, so you can see for yourself where the security gaps are in your current process.
Good luck! If you need help figuring out which business question to start with, please reach out!