Benchmarking GDPR Privacy Operations: New IAPP / TrustArc research report reveals how companies are managing compliance
<code>In partnership with the IAPP, TrustArc recently completed a Survey on Privacy Program Metrics, which set out to establish baseline metrics against which privacy programs around the world can benchmark themselves. The survey contained 27 questions, including demographic questions, and 496 people took it.</code>
<code>Some of the questions we set out to answer with the survey were: How many business processes are organizations mapping? How many reports are they creating in order to comply with Article 30 of the EU's General Data Protection Regulation? How many privacy or data protection impact assessments are necessary? How many incidents rise to the level of breach reporting? Are people being overwhelmed by subject access requests?</code>
<code>The largest group of respondents works in the U.S. (39 percent), followed by the European Union excluding the U.K. (32 percent), the U.K. (12 percent), and Canada (8 percent). Respondents were evenly distributed across company sizes: organizations with 25,001 or more employees made up 25 percent of respondents, followed by organizations with 1-250 employees (23 percent).</code>
<code>In this four-part blog post series we will share highlights on the following key takeaways from the report:</code>
<code>Data inventory is becoming a standard privacy management practice</code>
<code>DPIAs are the most common type of privacy assessment</code>
<code>Individual rights / data subject access rights (DSAR) requests are impacting most organizations</code>
<code>Data breach notification requirements are impacting larger companies</code>
<code>Key Takeaway #1: Data inventories are becoming a standard privacy management practice crucial to privacy compliance</code>
<code>One of the most important steps in designing and building a data privacy program is to create an inventory of all of the business processes within a company. If a company does not know what types of data it collects and how that data is shared, processed and stored, or what its data inflows and outflows are, it is difficult to know whether it meets the requirements of the privacy frameworks that apply to its business. It is also difficult to know where data resides in order to respond efficiently to data subject access requests.</code>
<code>As privacy regulations become broader in scope and require companies to demonstrate how they reduce and manage risk, the importance of building and maintaining a data inventory is increasing. The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of regulations that rely heavily on a comprehensive data inventory to support risk management, compliance reporting, and responding to individual rights and data subject access requests.</code>
<code>Our survey results showed that 83% of respondents have created a data inventory of their business processing activities, a significant increase from the 43% of respondents who reported engaging in routine inventory and mapping exercises two years ago. We also found that 20% of respondents are using specialized data inventory and mapping software, up from 10% two years ago.</code>
<code>TrustArc Data Flow Manager</code>
<code>Data Flow Manager, part of the TrustArc Privacy Platform, is a dedicated privacy data mapping system which can help build and manage a data inventory, data flow maps, and compliance reporting such as GDPR Article 30 records of processing.</code>
<code>Data Flow Manager is based on the business process approach that TrustArc recommends, drawing on extensive experience developing and building GDPR and CCPA compliance programs for companies of all sizes around the world.</code>
<code>Data Flow Manager provides a three-step…</code>
Symantec Intros USB Scanning Tool for ICS Operators
via "Dark Reading".
ICSP Neural is designed to address USB-borne malware threats.
Only 29% of EU organizations are GDPR compliant
via "Security on TechRepublic".
Despite the May 2018 deadline, most companies have not implemented all necessary GDPR changes, according to an IT Governance report.
Chrome 71 stomps on abusive advertising
via "Naked Security".
Google shipped version 71 of its Chrome browser yesterday, alongside fixes for 43 security issues. The latest Chrome version also introduces several new security measures.
Google's private browsing doesn't keep your searches anonymous
via "Naked Security" (Sophos News).
DuckDuckGo says you can go right ahead and log out of Google, then enter private browsing mode, but you'll still see tailored search results.
Patch now (if you can!): Latest Android update fixes clutch of RCE flaws
via "Naked Security".
Android's December security bulletin arrived this week with another decent crop of vulnerabilities to add to the patching list for devices running version 7.0 Nougat to version 9.0 Pie, including Pixel users.
Facebook staff's private emails published by fake news inquiry
via "Naked Security".
The cache of seized Facebook documents shows how Facebook whitelists certain companies so they can keep lapping up user data.
Facebook Defends Data Policies On Heels of Incriminating Internal Docs
via "Threatpost".
The company allegedly tried to hide away new policy changes that would collect Android app users' call and message logs.
Android Security Bulletin December 2018: What you need to know
via "Security on TechRepublic".
Another month where Android finds itself with a mixture of Critical and High vulnerabilities. Jack Wallen offers highlights.
Marriott, Kubernetes and PewDiePie [PODCAST]
via "Naked Security".
Here's the latest Naked Security Podcast - enjoy!
Evidence in Starwood/Marriott Breach May Point to China
via "Dark Reading".
Attackers used methods and tools previously used by known Chinese hackers.
7 Common Breach Disclosure Mistakes
via "Dark Reading".
How you report a data breach can have a big impact on its fallout.
Apple Issues 13 Security Fixes
via "Dark Reading".
Software updates for Mac and iOS bring patches to Safari, iCloud, iTunes on Windows, and tvOS.
Infected WordPress Sites Are Attacking Other WordPress Sites
via "Threatpost".
Researchers identified a widespread campaign of brute force attacks against WordPress websites.
55% of Companies Don't Offer Mandatory Security Awareness Training
via "Dark Reading".
Even those that provide employee training do so sparingly, a new study finds.
Workday and Envestnet | Yodlee Demonstrating Best Privacy Practices for Processors through APEC PRP Certification
<code>Global companies are increasingly concerned with ensuring the privacy and security of the information they hold. Complying with international privacy regulations and frameworks is important not only to avoid fines, but also to build trust with customers, mitigate risk, and protect the company's reputation. One way companies can demonstrate compliance is by adhering to a recognized international privacy framework, such as the Asia-Pacific Economic Cooperation (APEC) privacy framework, as demonstrated by the APEC Privacy Recognition for Processors (PRP) certification.</code>
<code>Like the APEC Cross Border Privacy Rules (CBPR) system, which applies to data controllers, the APEC PRP system is a voluntary, enforceable program designed to ensure the continued free flow of personal information while maintaining meaningful protection for the privacy and security of personal information handled by data processors. The U.S. became the first formal participant in the PRP system, with the Federal Trade Commission (FTC) serving as the first enforcement authority in 2018; more participants are expected to follow.</code>
<code>A significant portion of the world's economy is based in the region represented by APEC. Companies acting as data processors in the Asia-Pacific region can comply with the PRP program requirements in order to process personal data efficiently, securely and safely while respecting data privacy. In addition, the PRP system enables businesses that operate as data processors to demonstrate their commitment to global privacy standards.</code>
<code>Two examples of companies that have achieved this certification are Workday and Envestnet | Yodlee. Both worked with TrustArc to demonstrate compliance with the APEC PRP certification standards.</code>
<code>Barbara Cosgrove, Chief Privacy Officer at Workday, said: "Maintaining the privacy and security of customers' data in compliance with privacy laws is of critical importance to our business. By partnering with TrustArc to achieve the APEC CBPR and APEC PRP certifications, we've been able to further demonstrate our commitment to privacy and qualifications to process data in compliance with the APEC privacy framework."</code>
<code>"Envestnet | Yodlee wanted a way to demonstrate the rigor of our privacy programs to our clients, prospects and the market. Security-focused certifications, like the APEC PRP, provide objective reliable evidence that Envestnet | Yodlee adheres to applicable privacy standards," said Brian Costello, Chief Information Security Officer at Envestnet | Yodlee. "TrustArc is a trusted advisor for our entire global privacy program; we leverage their expertise for general certification as well as the APEC certifications."</code>
<code>TrustArc Solution</code>
<code>To prepare companies for an APEC PRP (and/or CBPR) certification, TrustArc works in partnership with clients following a three-phase process that combines in-house privacy experts with a proven assessment methodology powered by the TrustArc Privacy Platform, which accelerates and assists in documenting compliance.</code>
<code>Phase I: A review of the company's privacy practices against the APEC requirements and creation of a detailed privacy findings report.</code>
<code>Phase II: A collaborative review of the findings, implementation of remediation recommendations, and documentation of action item resolution.</code>
<code>Phase III: Certification activation of the TRUSTe APEC PRP (and/or CBPR) Privacy Seal and Dispute Resolution Services.</code>
<code>For more information about TrustArc privacy tools and solutions, click here.</code>
<code>The post Workday and Envestnet | Yodlee Demonstrating Best Privacy Practices for Processors through APEC PRP…</code>
Boosting SOC IQ Levels with Knowledge Transfer
via "Dark Reading".
Despite shortages of skills and staff, these six best practices can improve analysts' performance in a security operations center.
Bringing Compliance into the SecDevOps Process
via "Dark Reading".
Application security should be guided by its responsibility to maintain the confidentiality, integrity, and availability of systems and data. But often, compliance clouds the picture.
Adobe Flash Zero-Day Spreads via Office Docs
via "Dark Reading".
Adobe has patched a zero-day in its Flash player after attackers leveraged the exploit in an active campaign.