Privacy Policies Built for CCPA Compliance

Updating Your Privacy Policy for CCPA Compliance

If 2018 was the year spent anticipating the GDPR enforcement deadline, 2019 will be the year US states begin enforcing their own data privacy laws. While the California Consumer Privacy Act (CCPA) isn’t the first US data privacy law to go into effect, it has gained far more attention than the others, partly because of its similarities to GDPR and partly because it is the strictest US data privacy law to date. And though the CCPA doesn’t go into effect until January 1, 2020, it gives consumers the right to request the personal information a business collected about them during the 12 months preceding the request, so data collected throughout 2019 falls within its scope and organizations must begin their CCPA compliance efforts now. If you do business in California or collect personal information from California residents, you’ll need to update your privacy policy to ensure compliance with CCPA. Check out these 10 ways that you can accomplish this.

What Should a CCPA-Compliant Privacy Policy Include?

Many of the best practices that organizations use to comply with GDPR will carry over to CCPA, but the CCPA’s privacy policy requirements differ in a few details. Section 1798.130(b) of the CCPA lists the information that must be disclosed to California consumers (the CCPA’s term for data subjects) about the personal information collected from them, which includes, but is not limited to:

  • A description of consumers’ rights under CCPA
  • A description of the purposes of processing personal information
  • A description of the categories of personal information to be collected
  • A definition of the process for requesting the personal information collected about individuals
  • A description of the right to deletion
  • A description of the right to disclosure


What Type of Compliance is Right for You? 10 Common Information Security Frameworks

Deciding to undergo an information security audit can be daunting for the simple reason that there are so many frameworks and regulations to learn about. SOC 1, SOC 2, SOC for Cybersecurity, PCI DSS, HIPAA/HITECH, HITRUST CSF, ISO 27001, GDPR, FISMA, and FERPA – what do they all mean? Which framework or regulation does your organization need to comply with? Which one best suits your organization’s needs? In this guide, you’ll learn about the 10 most common information security frameworks, who they apply to, and how they can benefit your organization.

Commonly Used Frameworks

Of the 10 commonly used information security frameworks included in this guide, the top three frameworks are SOC 1, SOC 2, and PCI DSS. So, what are they?

SOC 1: A SOC 1 audit is performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). SOC 1 reports describe the controls at a service organization that could affect its clients’ (user entities’) financial reporting. A SOC 1 audit is not a review of the service organization’s own financial statements, but rather a review of the controls relevant to its clients’ internal control over financial reporting.

SOC 2: As a service provider, how do you validate the security of your services? A SOC 2 audit evaluates internal controls, policies, and procedures as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. These five categories, known as the AICPA’s Trust Services Criteria, address questions like: How are your policies and procedures documented relative to the criteria? How do you communicate them to all interested parties? How do you monitor that those controls are being performed effectively?

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a robust information security standard that encourages and enhances cardholder data security by providing industry-recognized data security measures. In other words, a PCI audit is an information security audit focused on the protection of payment card data. A formal PCI DSS assessment that produces a Report on Compliance is performed by a PCI Qualified Security Assessor (QSA) (some organizations may instead use a PCI-certified Internal Security Assessor, and smaller merchants may be allowed to complete a Self-Assessment Questionnaire). The assessment tests whether an organization meets the 12 technical and operational requirements established to protect cardholder data.


ISO 27001 FAQs – Information Security Management for Your Organization

What is an ISO 27001 Audit?

ISO/IEC 27001 is the internationally recognized standard for an organization’s information security management system (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO is an independent, non-governmental international organization with a membership of 161 national standards bodies. It brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.

The ISO 27001 standard specifies the requirements for establishing, operating, and continually improving an ISMS: the policies and procedures, and the associated legal, physical, and technical controls, that support an organization’s information risk management process. An ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives interested parties confidence that risks are adequately managed. It’s vital that an ISMS is integrated with the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls.

How Can ISO 27001 Compliance Benefit Your Organization?

Do you want to give clients and prospects a reason to trust your services? Do you want to demonstrate your commitment to security to global business partners? ISO 27001 certification provides organizations with an evolving ISMS that can adapt to new challenges and validates your commitment to security. It’s the gold standard for information security management and can be used in any vertical. Implementation is customized for each organization to treat their particular risks.

ISO 27001 certification brings value to organizations through:

  • Demonstrating to your business partners that you have a mature and risk-based information security program in place.
  • Helping you prioritize your information security budget and resources based on risk, because ISO 27001 is customized for your environment and based on your specific risks.
  • Giving you a single, repeatable framework under which to manage the overlapping requirements of standards like PCI DSS, HIPAA, HITRUST CSF, and FISMA.
  • Demonstrating that you follow internationally recognized best practices.

Undergoing an ISO 27001 audit is also a way to be proactive in your information security and compliance efforts, which could be just what you need to stay ahead in your industry.


Risk Assessment Checklist – 5 Steps You Need to Know

What is a Risk Assessment?

A risk assessment is the process by which an organization identifies its assets, the threats to them, and the vulnerabilities those threats could exploit, and then estimates the likelihood and impact of each resulting risk to its security posture and IT systems. Performing a risk assessment is a critical component of any information security program. Because it’s mandated by several frameworks (SOC 1, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA), organizations wanting to comply with these frameworks must conduct risk assessments on a regular basis. By doing so, organizations will be able to stay on top of mitigating vulnerabilities in their security posture and demonstrate to their current and potential clients that they are performing their due diligence in keeping sensitive assets secure.

How Do You Conduct a Risk Assessment?

We believe that the risk assessment process can be broken down into five steps. The first step is to gather the information the assessment depends on. To do this, an internal or third-party assessor interviews staff, reviews policies and procedures, observes tasks as they are performed, and conducts a physical inspection, covering your organization’s hardware, software, system interfaces, data, and IT personnel.

The next step is to identify risks. Once you have inventoried your organization’s assets, identify the threats to each one. Threats can be man-made (intentional or accidental) or natural events (floods, power outages, earthquakes, etc.) that could exploit a vulnerability in an asset and result in a loss of its confidentiality, integrity, or availability.

After you have identified risks, assess each one’s impact (importance) and likelihood. How severe would the consequences be if the risk materialized? How likely is it to actually occur? Rating both lets your organization prioritize risks strategically and decide where to spend its time and effort. Likelihood and impact can each be expressed qualitatively (high, medium, low) or on a numeric scale (1 to 5), and the two ratings are commonly combined (for example, by multiplying them) into a single score used to rank the risks.
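The prioritization step above is easier to see on a concrete register. The following is an added example, not part of the original page or the firm’s own methodology: it takes a constructed list of asset/threat pairs with qualitative likelihood and impact labels, maps them onto a 1–5 scale, scores each risk as likelihood × impact, assigns a rating band, and orders the register so the highest-scoring risks come first. The sample assets and threats, the 1–5 mapping, and the band thresholds are all assumptions chosen for illustration.

```python
"""Score and prioritize a risk register using likelihood x impact.

Added illustration, not code from the original page. The register,
the five-level scale and the band thresholds are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Qualitative labels mapped onto the 1-5 numeric scale (assumed mapping).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Rating bands on the product likelihood x impact (range 1..25).
# Assumed thresholds: checked from highest to lowest, first match wins.
BANDS = [(15, "critical"), (10, "high"), (5, "medium"), (1, "low")]


def level(label: str) -> int:
    """Translate a qualitative label into its numeric level, rejecting typos
    so a misspelled rating cannot silently score as zero or be skipped."""
    try:
        return LEVELS[label.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown rating {label!r}; expected one of {sorted(LEVELS)}")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str  # qualitative label, see LEVELS
    impact: str      # qualitative label, see LEVELS

    def score(self) -> int:
        """Inherent risk score: likelihood level times impact level."""
        return level(self.likelihood) * level(self.impact)

    def band(self) -> str:
        """Rating band for the score, using the assumed BANDS thresholds."""
        s = self.score()
        for threshold, name in BANDS:
            if s >= threshold:
                return name
        return "low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register highest score first; ties broken by asset name so
    the output is stable between runs of the assessment."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))


def band_counts(register: list[Risk]) -> dict[str, int]:
    """How many risks fall into each band (all bands present, zero-filled)."""
    counts = Counter(r.band() for r in register)
    return {name: counts.get(name, 0) for _, name in BANDS}


# Constructed sample register: assets and threats are illustrative only.
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection via web application", "high", "very high"),
    Risk("office file server", "ransomware delivered by phishing", "high", "high"),
    Risk("data center", "flood", "very low", "very high"),
    Risk("backup tapes", "theft during transport", "low", "high"),
    Risk("HR laptop", "accidental disclosure by staff", "medium", "medium"),
    Risk("public website", "power outage at hosting provider", "medium", "low"),
    Risk("guest Wi-Fi", "unauthorized network access", "medium", "very low"),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():>2} {r.band():<8} {r.asset:<18} {r.threat}")
    print(band_counts(SAMPLE_REGISTER))
```

Multiplying the two ratings is the simplest common scheme; many programs instead use a lookup matrix so that, for instance, a "very low" likelihood paired with a "very high" impact (the flood above, scoring 5) can be bumped up rather than ranked alongside routine medium risks. Whichever scheme you choose, document it in the assessment so the auditor can trace each rating to the prioritization decision.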


FERPA FAQ – What You Need to Know About FERPA Compliance

Does your organization process, store, transmit, or use educational records? Are you responsible for ensuring that the information of students remains secure? FERPA is one of the most significant federal regulations in the education sector, aimed at protecting the privacy of students and their parents. Undergoing a FERPA audit is one way that educational institutions can identify and mitigate vulnerabilities in their security infrastructure and confirm that they are doing what is needed to protect students’ information. In this guide, you’ll learn the rights FERPA gives students and their parents, the controls used to assess an organization’s FERPA compliance, how a FERPA audit could benefit your organization, and ways that you can prepare for a FERPA audit. Let’s start with the basics first.

What is a FERPA Audit?

The Family Educational Rights and Privacy Act (FERPA) governs the access to and privacy of educational information and records, such as enrollment information, GPAs, billing information, student course schedules, and student financial records. The educational records that an educational agency or institution, or a service provider acting on its behalf, creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. FERPA compliance protects the confidentiality, integrity, and availability of educational records.

Who Needs a FERPA Audit?

Are you a service provider to educational institutions? Are you an educational institution or agency that receives federal funding? If your organization is an educational institution or agency that receives funding under a program administered by the US Department of Education, or a service provider that creates, receives, maintains, or transmits educational records on behalf of such an institution, you must comply with FERPA.

What are the Benefits of Receiving a FERPA Audit Report?

FERPA compliance affirms the security of your services and gives your organization the ability to provide clients and regulators with evidence from an auditor who has actually seen your internal controls in place and operating. FERPA compliance can help your organization maintain loyal clients and attract new ones, operate more efficiently, avoid the loss of federal funding that non-compliance can bring, and most importantly: assure clients and regulators that students’ personal data is protected.
