- Legislators do not have to contend with managing their control set as technologies and threats evolve;
- Legislators get to take credit for being tough on cybersecurity and privacy without actually having to do much;
- Businesses have no room to complain about unnecessary controls since businesses have the responsibility to define the controls framework that they will use;
- Businesses can eliminate extra costs by leveraging existing audits such as ISO 27001, NIST 800-171 and PCI DSS to demonstrate compliance; and
- The court system should see a decrease in civil lawsuits through cases being dismissed by affirmative defense protections.
- The injured parties are out of luck for civil damages. The affirmative defense is essentially the state admitting that “sh*t happens,” and injured parties cannot sue when reasonable steps were taken. This may spawn both individual and commercial data protection insurance options for cases where civil damages are unobtainable.
- While the law identifies acceptable frameworks, it glosses over how an entity can be considered compliant based on “scale and scope” of an entity’s cybersecurity program. The vagueness of the phrase “reasonably conforms to an industry recognized cybersecurity framework” leaves significant room for interpretation.
- NIST Cybersecurity Framework
- NIST 800-171
- ISO 27002
- SOC 2
- EU GDPR
- CCPA (pending CA privacy law)
- Gather Pre-Requisites
  - Identify applicable statutory, regulatory and contractual requirements.
  - Identify all geographic locations where data is stored, transmitted and processed.
  - Identify all key stakeholders and third-party service providers.
- Narrow the Scope
  - From the coverage provided by the SCF, select only those requirements that are applicable (based on the Gather Pre-Requisites step).
  - Ignore or delete the other requirements, since they are not applicable to your current business model.
- Prioritize Controls
  - Using the control weighting built into the SCF, prioritize your control implementation starting with weight 10 and working toward weight 1.
  - Treat this prioritization as a project, with a project plan to manage it.
- Assign Controls
  - Use the SCF's 32 domains to help assign controls to the correct teams or individuals.
  - Educate control owners to implement controls based on risk (control weighting), so that the most important controls are addressed first.
- Monitor Controls
  - Require control owners to periodically report on the status of their assigned controls, and track those metrics.
  - Report the metrics to management to identify good and bad trends and to gain support for remediating control deficiencies.