Security Compliance & Risk Management
An information security program is more than a compliance requirement. Assessing risk and establishing effective, measurable security controls are essential elements for protecting your information assets. We work with you to:
- Conduct data security risk assessments and compliance gap reviews;
- Establish compliant data security policies and procedures;
- Review data security agreements with service providers and advise on compliance oversight;
- Provide data security compliance training;
- Analyze data security risk allocation and cyber liability insurance coverage; and
- Enable defensible disposition of unnecessary information, to lessen risk.
Breach Response Readiness
It’s a when – not if – world for data breaches. Your IT security team may have an incident response plan in place, but that plan will not prepare you for everything that must be handled. Also, only a fraction of data breaches are first detected by your IT InfoSec team.
Handling a data breach means running many channels of activity in sync, such as Security, Legal, Forensics, Law Enforcement, Regulators, Insurance Coverage, Public Relations/Communications, Stakeholders, Notifications, and Personnel Management. Effective readiness requires understanding what may be needed in each of these activity channels, and how to manage them simultaneously to avoid unnecessary delay, cost, and risk.
We help organizations lay the groundwork in advance for these response activities, so that structure, direction, and resources for dealing with critical data security incidents are ready when needed.
Critical Security Incident Response
When protected information is compromised or lost, we help you determine your legal responsibilities and next steps. We can guide you through the requirements and options for compliant incident response:
- Incident investigation, including use of forensics experts;
- Analysis of whether and how breach notification requirements apply to the incident;
- Breach notifications, including use of notification service providers;
- Legal holds for the security incident;
- Coordination with law enforcement agencies;
- Collaboration with public relations and crisis communications providers;
- Assessment of liabilities of service providers and other responsible parties; and
- Analysis of cyber liability and incident response insurance coverage.