Training for Everybody
While it is essential to cover privacy and security best practices with all new hires during their orientation, there should also be a plan for periodic retraining of all employees to keep them up to date on changes in privacy and security protocols.
Caerleon Security can help you plan this training, or can even implement it if requested.
Preparation of the IT Security Team
The average company has a small security team inside the IT department. While there are some exceptions, the average company:
- Does not have a robust operating manual for its SOC (Security Operations Center), if it has a SOC at all.
- Probably does not have a complete list of all:
  - Servers – location, IP address, and who is running each one.
  - Logs – location and what each of those files contains.
- Logs only a small fraction of the data that the IT system could generate, and
- Retains those logs for only a very short period.
- Does not have up-to-speed IT forensics experts on the security team itself.
Most companies compound the problem by waiting until a breach happens before facing how they will deal with the many challenges of:
- Who is going to figure out what happened?
- How did it happen?
- What records were compromised?
- Were they encrypted?
- If malware is involved, has it been removed?
- Who is going to be the outside “expert” – with wide experience in IT security – who will testify in the regulatory inquiries or litigation that follow an event? That is the person who opines on whether each move and decision made by the team was appropriate. This credible testimony will be your strongest defense against negligence claims.
Preparation by legal department/General Counsel
The contracts that are signed with all contractors (and in the healthcare world, all the Business Affiliates) must make it clear what happens if the contractor is the cause of a breach:
- What are the contractor’s obligations when that happens?
- Do they have their own insurance?
- Are you named as an “additional insured” on that policy? Why not?
- Who is going to manage the breach? Do you, the client, want the defense of your data to be handled by your vendor, the one that caused the breach?
- If they are going to be managing any part of a breach, how do you know they will do a good job?