GDPR Compliance Best Practices for Today and Tomorrow

Are you looking for a high-level overview of the General Data Protection Regulation (GDPR)? Do you want to determine your role for processing personal data under the law? Do you want to find out how GDPR applies to the speech analytics and call center industries? In this webinar, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, partners with CallMiner to answer these questions.

GDPR Best Practices

Ensuring that your organization is GDPR compliant is paramount if your call center collects, stores, processes, or transmits the personal data of EU data subjects. Because of this, we suggest following these GDPR best practices:

  1. Data Mapping: Organizations need to identify where their data is coming from and where it goes. A call center associate might collect a name, date of birth, and email address, but a payment collection associate might collect just payment card information. If a data subject requests that data is erased, you must be able to identify where each piece of information lives and which channels it goes through.
  2. Identify and Document Each Legal Basis for Processing: Organizations may have multiple processing activities occurring at the same time. For example, if your call center associate is an EU data subject, then you must establish a legal basis not only for processing the consumer's data, but also for processing the personal data of your employee, and you must document each of those legal bases.
  3. Create a Flow Chart for Data Subject Rights: Organizations must understand each right that GDPR gives EU data subjects. For example, if a data subject submits a request for erasure based on a withdrawal of consent, your organization must be able to identify if it can refute that request for erasure because it has a legal requirement to keep that data, if it’s in the public interest, or if the data is being used for litigation purposes.
  4. Establish and Monitor Security Standards: Organizations must identify appropriate technical and organizational measures to ensure security based on the risk of processing. If your organization, for example, processes special categories of data such as genetic data, healthcare data, biometric data, or racial data, you’re going to have greater risk and thus will need greater security measures.

Following these four GDPR best practices will help your organization demonstrate your commitment to GDPR compliance, but it’s just the tip of the iceberg. To learn more about how organizations in the speech analytics and call center industries can ensure GDPR compliance, watch the full webinar now. For more information about GDPR compliance or to learn about our GDPR services, contact us today.

About CallMiner

CallMiner helps businesses and organizations improve contact center performance and gather key business intelligence by automating their ability to listen to every customer interaction. CallMiner’s market leading cloud-based voice of the customer analytics platform automatically analyzes contacts across all communication channels: calls, chats, emails, SMS, surveys, and social.

How to Prepare for Phase 2 HIPAA Compliance Audits

The U.S. Department of Health and Human Services Office for Civil Rights announced on March 21, 2016 that Phase 2 of the HIPAA audits has officially begun. Now, more than a year later, 200 desk audits have occurred, but covered entities and business associates are still struggling to know what to focus on and in which areas they are lacking safeguards. In this webinar hosted by LockPath, Joseph Kirkpatrick shares his insights on trends from Phase 1 and 2 HIPAA audits and where we’re headed in 2018.

In Phase 1, we learned that 65% of findings were from the Security Rule. 42.7% of issues from the Security Rule were from Administrative Safeguards, 40.54% were from Technical Safeguards, and 16.76% were from Physical Safeguards. 81% of findings were from healthcare providers, and 66% of findings were from Level 4 entities.

In this presentation, we discuss a few different settlement and enforcement examples. Obviously, the Equifax breach gives us a lot to talk about, but we also take a look at Anchorage Community Mental Health Services. They were fined $150,000 for failure to follow Security Rule policies and procedures and failure to identify and address risk. Next, we discuss the $4.3 million Civil Money Penalty on Cignet for violations of the Privacy Rule, failure to provide patients with medical records, and failure to cooperate with the Federal Government. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) was fined $650,000 for failure to perform a thorough Risk Analysis and failure to implement appropriate security measures.

For covered entities, Phase 2 audits focused on Notice of Privacy Practices Content Requirements, Provision of Privacy Notices – Electronic Notice, Right to Access, Timeliness of Breach Notification, and Content of Breach Notification. For business associates, Phase 2 audits focused on Risk Analysis, Risk Management, and Breach Reporting to the Covered Entity. We recommend going over the detailed audit protocol information provided by the U.S. Department of Health and Human Services.

About LockPath

LockPath is a leader in integrated risk management solutions. Their suite of applications empowers companies to manage risk, demonstrate compliance, monitor information security, and achieve audit-ready status. Companies ranging from 10-person offices to Fortune 10 enterprises in over 15 industries address the Gartner IRM use cases with LockPath solutions. In 2017, they are expanding their application portfolio to provide more efficient and effective programs. Learn more at lockpath.com.

How to Accurately Define the Scope of an Information Security Assessment

In this session of Duo’s webinar series, A Comprehensive Security Roadmap for MSPs, Joseph Kirkpatrick presents best practices for defining and reducing the scope of an information security assessment.

Scoping involves the identification of people, processes, and technologies that interact with, or could otherwise impact, the security of the information to be protected. Scoping is the first step for any assessment and also one of the most important elements of an information security assessment because ignoring any of the relevant people, processes, or technologies could severely impact the quality and reliability of the entire assessment.

When considering people that could be in scope, you must ask: Who connects to the environment? Executives, IT staff, third parties, programmers? These people must abide by policies and adhere to requirements. When determining processes that could impact the security of protected information, you must ask: Is there a process that involves someone performing a daily backup for you? A cloud provider or company coming onsite to pick up backup media? A remote data center with a remote-hands service performing a process for you? Finally, what technologies are in scope? You must identify all systems in scope, such as web and database servers, firewalls, switches, authentication services, log servers, and so on.

Managed Service Providers are often hesitant to consider themselves as in-scope. To be considered out of scope, a system component must not have access to any system within the network containing sensitive data. Questions we commonly ask MSPs are:

  • Could the MSP impact the security of the systems that do access sensitive information?
  • Does the MSP install new patches and review logs produced by the system?
  • Does the MSP’s access to the systems require administrative-level privileges?
  • Even if there are firewalls between one system and the next, what ports are available for the MSP to connect to in order to manage the network?
  • Even if the MSP connects over a VPN and all traffic is encrypted, doesn’t the MSP become part of the client’s network?
  • If a user is now connected to the network and is considered in scope, what else is in scope?

The key to accurately defining the scope of an information security assessment is to be thorough in assessing the people, processes, and technologies that interact with, or could impact the security of, the information to be protected. Listen to the full webinar to hear case studies and more details from Joseph Kirkpatrick.

About Duo Security

Duo Security is a cloud-based Trusted Access provider protecting thousands of the world’s largest and fastest-growing organizations, including Dresser-Rand Group, Etsy, Facebook, K-Swiss, Paramount Pictures, Random House, SuddenLink, Toyota, Yelp, Zillow, and more. Duo Security’s innovative and easy-to-use technology can be quickly deployed to protect users, data, and applications from breaches, credential theft, and account takeover. The Ann Arbor, Michigan-based company also has offices in San Mateo, California; Austin, Texas; and London. Duo Security is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures, and True Ventures. Try it for free at www.duo.com.

Turning Audit Into Enablement

When Does an Audit Become a Benefit?

Audits strengthen business operations, yet many organizations are fearful of the process, rather than seeing the benefits of information security audits. In this webinar hosted by LockPath, Joseph Kirkpatrick shares his insights on the auditing process, how your organization can leverage audits to gain a competitive advantage, and the benefits of information security audits and compliance.

We view the audit lifecycle in three stages. During the first year, you probably begin the auditing process for a reason: a major client may require some type of compliance, or you may be looking to distinguish your business from the competition. Your organization is probably asking, “Do we have to do this? Do we have to go through this audit? How can compliance help our business?” You’re almost in denial, questioning if this audit is really necessary. You may get stuck in the checkbox mentality, rather than reaping the benefits of information security audits. In the second year, though, your mindset probably switches to, “We are doing this audit.” Your organization should have a little more confidence knowing that you completed the audit and reached compliance last year. You may have already seen some of the benefits of audits. You know the process, you know what you need to do, and you’re going to get it done. The third year brings the mindset we hope to get your organization to. We want you to say, “I’m glad we’re doing this audit. This is important for our business.” In this phase, you’ve moved on from the checkbox mentality and you recognize the value and benefits of audits.

So, when does an audit become a benefit?

  • When it helps your organization maintain customers and attract new ones
  • When it helps your organization operate more efficiently
  • When it helps your organization’s processes and controls mature
  • When it helps distinguish your business from the rest, giving you a competitive advantage
  • When it helps you avoid fines for non-compliance or breaches
  • When it creates the Safe Harbor Effect for your business
  • When it prevents a data breach
  • When you need to answer to any sort of regulatory body
  • When you can give a vendor evidence from an auditor who has seen the controls in place operating effectively
  • When you realize that your organization is constantly strengthening its processes and controls

Topics like application development, business continuity, data retention, disaster recovery, incident response testing, risk assessment, and audit trends are also discussed in this webinar. By listening to the full session, you’ll also hear from Sam Abadir, Director of Product Management at LockPath. In his position, Sam helps companies automate compliance and policy management for better performance and productivity. In this webinar, he discusses the beneficial aspects of LockPath’s Keylight Platform.


Incident Response Planning: 6 Steps to Prepare your Organization

In this webinar hosted by LockPath, Jeff Wilder discusses the importance of incident response and the steps your organization can take to create an Incident Response Plan. Wondering what incident response is? Incident response is a predetermined approach for identifying and addressing a security incident; it dictates the procedures to follow after detection in order to minimize the impact. Incident response planning is vital to your organization. Incidents that are not handled properly can cause catastrophic damage, while a tested Incident Response Plan helps prevent business interruption, revenue loss, and loss of customer trust.

There are several aspects you need to consider when developing your Incident Response Plan. Policies and procedures are the starting point; these documents should dictate the immediate steps to take following detection of an incident. Your organization also needs to put together an Incident Response Team, and your plan should be known and tested by all management and personnel. Incident Response Plans involve your organization’s legal team, human resources department, public relations team, customer service representatives, security team, IT department, and executive staff. Each of these team members has a role in responding to an incident.

The Six Steps of an Incident Response Plan:

  1. Preparation – How are we currently preparing for a security incident? What are we doing to prevent an incident? How are we limiting the impact of an incident? Have we tested our policies and procedures?
  2. Detection & Identification – How would we identify an incident? How do we report an incident? How do we detect malicious activity? Do we have a dedicated Incident Response Team?
  3. Containment – Have the appropriate personnel been notified? What evidence should be collected? Have we fully assessed the scope of the damage? How can we prevent further damage?
  4. Remediation – Do we have backups in place? Has a complete forensic analysis been performed to determine the origin? Have we cleaned the system? Can we make changes to prevent a repeat incident? How can we test those changes?
  5. Recovery – Have we securely restored the system? Do we have continuous monitoring to ensure the problem is resolved? Have we replaced any lost files from backups?
  6. Lessons Learned – What happened? What gaps can we now identify? Have we regained our customers’ confidence? Have we reviewed our policies and procedures to prevent future attacks?
