A PRACTICAL CYBERSECURITY PROGRAM – ADMINISTRATIVE CONTROLS

Perhaps the least appreciated part of a cybersecurity program is the use of administrative controls. These safeguards are more “process-oriented” than the more tangible controls that we’ve discussed in previous posts like physical and technical protections. As a result, administrative controls are often put on the back burner. But they are fundamentally important and, in fact,…

A PRACTICAL CYBERSECURITY PROGRAM – TECHNICAL CONTROLS

Technical controls are what most people think of when the word “cybersecurity” comes to mind: encryption, multi-factor authentication, anti-virus software and other slick tools to protect information. While sound cybersecurity extends well beyond these kinds of safeguards, having strong technology in play to protect data is important. What most small insurance businesses fail to realize is…

What is Training & Monitoring?

Section 14 of 23 NYCRR 500 is broken into two seemingly unrelated sections – training and monitoring. Section 14(a) focuses on monitoring requirements and Section 14(b) focuses on training requirements. Section 14(a) is anything but prescriptive and essentially requires Covered Entities to implement policies, procedures and controls to monitor their network activity to detect unauthorized access…

What is Data Retention?

The company I worked for previously is a world leader in data retention. The cornerstone of their business is helping companies conduct thorough data inventories to identify what sensitive and regulated data they process. From there, they help clients determine what information needs to be deleted, destroyed or purged – they help companies stand up…