NZCyberResearchCenter

Security and Privacy Controls


Digital security is part of business and IT risk management and helps protect business assets. Security controls matter to organisations that want to protect those assets, grow beyond their current boundaries, and meet regulatory compliance and certification requirements such as GDPR, CCPA, NZISM, ISO 27001, and PCI DSS.

Regulatory compliance and certifications open up ongoing business opportunities for organisations to grow.

Security controls: a set of procedures that protect the confidentiality, integrity, and availability (CIA) of information.

Importance: organisations need to follow the regulations that apply in the geographies where they operate, both for business as usual (BAU) and for how they use the data they collect from persons and other organisations, such as Personally Identifiable Information (PII), health records, and financial data.

Ask yourself:

Why and where are we collecting data?

Where do we use it, and have we obtained consent for that use?

Where do we store the data?

Who has access to the data, and for what purpose? (e.g. excessive access for contractors or ex-employees)

How do we secure the collected data?

Do we have a data lifecycle? Do we dispose of data, and how do we dispose of it? (e.g. historic PII, health records, card details, employee data / CVs, etc.)

What do we do if data is compromised? (e.g. report to the regulator / stakeholders)

Do we have a data recovery plan? (business continuity)

You might already have defined answers to the questions above. If not, it is worth exploring them and finding solutions aligned with the business. In recent years, SaaS-based businesses have grown rapidly and aggressively, so it is reasonable to know your data flows and who has access in order to protect your digital assets.

From the 1980s to now, cyber threats have grown vastly, and today we are experiencing modern and sophisticated threats to digital assets that need to be addressed in a structured way. That is where regulations and certifications play a significant role, and having certifications and compliance in place is essential if you want to expand beyond your current zone. You might need to consider what is required to adopt the relevant certifications and compliance regimes, such as CCPA, GDPR, SOC 2, PCI DSS, and ISO 27001.

The risk management framework is set out in NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5, Security and Privacy Controls for Info Systems and Organizations | CSRC (nist.gov)). This publication has a well-defined security and privacy structure: the controls are organised into 20 families, and each family groups the controls for its specific area.