SERVICES
STANDARDS AND CONTROLS
We use standards and controls applicable to your privacy and security posture, including:
- California Consumer Privacy Act of 2018, Amendments and Rulemaking
- HIPAA/HITECH Security, Privacy and Breach Notification Rules
- Generally Accepted Privacy Principles (GAPP)
- EU's General Data Protection Regulation (GDPR)
- ISO/IEC 27001-2:2013
- CIS Top 20 Critical Security Controls (CA AG requires)
- SEC OCIE Cybersecurity Initiative
- NIST Cybersecurity Framework
- U.S. Sentencing/DOJ/OIG Guidelines for Effective Compliance (program foundation)
- Applying Risk Management Program Management and Principles
We work with our clients to develop a common-sense approach that meets your needs.
PRIVACY OR SECURITY PROGRAM
PHASE I
Risk/Gap Assessment Detail
- Data mapping
- Controls evaluation against standards
- Risk assessment
- Policies and procedures review (optional, depending upon readiness)
- Findings and recommendations report
- Gap and risk register to actively manage recommendations
PHASE II
Program Establishment
- Design governance infrastructure, roles and responsibilities
- Establish risk management/controls framework for sustainability
- Requested documents review
- Develop policies/procedures
- Develop/deliver training
- Design role-based access control (RBAC) rights
- Design program oversight/monitoring
- Obtain executive/board commitment and empower the privacy/security official
PRIVACY/SECURITY-BY-DESIGN
- Privacy engineering (SDLC) program/policy/training
- Privacy impact assessment (PIA/DPIA) during product design (scope includes security), e.g. big data, mobile apps, IoT, websites, robotics/AI
THIRD-PARTY DUE DILIGENCE AND MANAGEMENT
- Pre-contract due diligence and contract requirements
- Cloud services (use cases) policy/guidance
- Managed security services: build vs. buy guidance/assessment
- Third-party management program/policy
CONSULTING SERVICES
À LA CARTE
- Obtain executive commitment
- Mobile app/website privacy policy for counsel review
- Cross-border transfer rules guidance
- Workplace privacy/social media privacy guidance
MONTHLY RETAINER
- Provide guidance and advice as requested, as Subject Matter Experts in Privacy and/or Security