Cost-Effective Data Security Prevents Breaches
RESULTS
Avoiding Costly Breaches Protects:
- Most Valuable Asset - Customers
- Company Brand/Reputation
- Investors and Company Officers
- Company Value and Bottom Line
SOLUTIONS
Establish Information Security Program
- Governance and Roles/Responsibilities
- Policies and Procedures; Training
- ISO 27002, HIPAA, NIST, HITRUST
- Workplace Privacy
- Risk Assessment and Mitigation
- Privacy Breach Response Plan
- Risk and Controls Assessment
- M&A, Partner, and Vendor Due Diligence and Monitoring
ACTION
Keep a Breach from Derailing Your Company
Privacy Breach Prevention Programs
Vulnerabilities in an Information Security Program Create Privacy Breach Risk
A comprehensive data protection program:
- is required by state privacy and security laws and industry-specific regulations
- can provide a “safe harbor” against willful and negligent liability claims
The success of this program depends upon your people. Yet personnel are typically the weakest link in privacy prevention. Surveys continuously find a majority of workers regularly subvert security policies due to lack of training. Additionally, industry experts find too many organizations leave information security in IT’s hands and as a result have gaping holes in their programs. Technology alone cannot protect an organization.
Are your information security practices embedded in your organization with clear roles and responsibilities to assure sustainability?
Is your organization’s information security program sufficiently comprehensive to address all material threats?
Our Services
We can help you develop a customized, pragmatic program that employs and integrates people, process and technology. The program will be comprehensive, yet not overwrought, to fit your organization’s goals, risk profile and risk tolerance. We will educate your management and staff about the reasons behind policies to help ensure the program's success. Well-designed and implemented policies and processes dramatically increase the effectiveness of your people and technology. More importantly, our unique approach to establishing clear roles and responsibilities provides assurance of program sustainability.
Our proactive breach planning will allow your organization to act quickly and effectively to minimize the impacts of a breach should one occur in the future. For more information, please contact us.
Risk and/or Controls Assessment
Independent Assessment of Your Program’s Vulnerability to Privacy Breaches
Periodic independent assessment of your privacy practices provides assurance of compliance with your online privacy policy (a contract with your customers) to mitigate the risk of deceptive or unfair trade practice lawsuits and enforcement actions.
Are you confident that business development, sales, marketing, product development/management, IT and others are adhering to your organization's privacy policy? Regular independent information security audits provide assurance of the effectiveness of your data protection program to mitigate the risk of privacy breaches. However, many non-publicly traded companies do not have appropriate expertise and experience on staff and find that Big Four information security audits are very expensive. Many laws and regulations require risk assessments periodically and after material organizational risk profile changes. If you have customers who are Massachusetts residents, a periodic controls assessment is required.
Has your organization's risk profile changed since your last risk and controls assessment? Considerations include new products, systems, partners, service providers, outsourcing, personnel growth, etc. Does your organization’s information security program leave you vulnerable for a breach?
Our Service
We can provide an independent, cost-effective assessment of your privacy and/or information security program. Based on policy reviews and interviews, our firm will help you identify and prioritize material gaps and provide recommendations on a pre-breach or pre-audit basis. We can also help you close some or all of the gaps. On a pre-audit basis, we help you prepare for the audit and mitigate the likelihood of an unsatisfactory audit, which would be discoverable during regulator inquiry or litigation.
For more information, please contact us.
Due Diligence
Regulators Hold Organizations Responsible for Qualifying Their Third Party’s Information Security Program before Granting Access to Personal Information
A newly acquired organization can introduce significant risks into your organization. If such an organization suffers a privacy breach before integration is complete, your organization could be liable, and the breach could threaten the economics of the merger. Likewise, a new business partner, vendor, or service provider can introduce significant risks to your organization. The Ponemon Institute's 2007 annual breach study indicates that 40% of respondents reported breaches by third parties, such as outsourcers, contractors, consultants, vendors, and business partners. Verizon Business' 2008 four-year study of 500 forensic cases finds that the overall risk (probability of occurrence × number of compromised records) is higher for third parties than for external or internal threats. The Ponemon study also reported that third-party breaches were on average 35% more costly than breaches by the enterprise itself. Regulations require organizations to:
- assess a third party’s controls prior to allowing access to customer or employee data
- properly contract with third parties to mitigate privacy and security risks prior to granting such access
- oversee and periodically monitor third parties to ensure continued compliance
In November 2008, the FTC held a company’s officer personally liable for failing to assess and monitor a third party who suffered a breach. Does your organization have the expertise and staff to conduct due diligence to avoid third party breach liability?
Our Service
Our firm can conduct due diligence assessments based on phone or on-site interviews and issue a confidential report:
- identifying material risks and recommendations
- helping you qualify or disqualify M&A candidates or prospective business partners, vendors, or service providers
By conducting periodic / annual third party assessments, we can help you ensure continued compliance by your third parties. Our firm can also help you identify and implement privacy information security integration opportunities for the merged enterprise.