Data Security for Business
Businesses handle and store intellectual property and personal information. Often there are multiple entry and exit points where this data can be accessed by unscrupulous people. And with more costly data laws being introduced by governments, securing data has become an absolute requirement for a company's longevity.
Insider Threat Mitigation Program
Company employees, contractors, and other insiders pose a significant threat to your data security. If not managed properly, the risk of an intentional or unintentional data breach increases significantly. An insider threat mitigation program ensures the continuous evaluation of operations, employee involvement, and safekeeping of your critical data.
Intellectual Property Use and Protection
Intellectual Property (IP) is highly valuable, and is often considered the crown jewel of a company. It's what separates you from competitors. Others may attempt to steal, copy, or destroy your intellectual capital. Protecting these logical assets usually requires a multi-pronged proactive strategy. IP governance provides a structured approach to identify, develop, protect, defend, exploit, and manage the asset.
Industrial Control Systems Security
Equipment used in manufacturing processes has special controls and system requirements. Physical danger to employees and even surrounding areas is possible if access to these Industrial Control Systems (ICS) is breached. Because of unique requirements, ICS is segregated from a company's IT network and systems. Adherence to these controls will reduce the risk of exposure to criminal elements.
Cyber Security Training
Employees and contractors are an asset to maintaining security around your systems. But they can also be a huge liability if uneducated on cyber security. A cyber security training program ensures everyone in your business stays current and aware of the cyber pitfalls.
IoT Device Usage Controls
Internet of Things (IoT) devices are found in nearly every aspect of business and life. Historically, security on IoT devices has been lacking, either through design or lack of security updates. Cyber criminals are increasing their attacks against such vulnerabilities. IoT usage controls can greatly shrink the security gaps.
IoT Device Development Controls
Internet of Things (IoT) devices can be physically or virtually connected to computers or other systems. And when a device contains sensitive customer or business information, it becomes a big target for the criminal element. Proper IoT development controls will reduce the security risk to customers using your devices.
Bring Your Own Device (BYOD) is prevalent in the workplace, especially when using contractors and freelancers. When you allow employees to use their personal devices, such as laptops, smartphones, and tablets, to access your system or data, whatever is on that device can infect your system. Managing BYOD reduces the cyber security risk.
Data Security Policies and Procedures
Data security policies are a starting point for identifying the security issues most important to a business, in addition to providing employees and contractors a guide for how to properly act while on your systems or using the information. Key vulnerabilities include internet usage on a company network, password requirements, email usage, social media postings, and USB usage.
P2P File Sharing Controls
Employees, contractors, vendors, partners, or anyone else sharing and transmitting your valuable data is a potential point for data corruption or loss. Peer-to-peer (P2P) file sharing is a method to easily swap data between different parties. P2P controls reduce the risk of systems being infected at critical interfaces in the process.
Data Usage for Business
Companies gather data from many sources, but it often languishes in computers until it becomes obsolete. Using this data can provide new insights into your business, and sometimes be another source of revenue. A business must focus on using existing data, and supplement it with external data if helpful.
Data Management for Business
Companies rely on data for decision making and managing operations. But when this data is not properly obtained, scrubbed and cleansed, and retained, it is costly. Unhappy customers and vendors, poor decisions, and non-compliance are just a few results. Properly managing your data from the beginning to the end will ensure confidence when using your information.
Data Laws and Regulations by Location
There are multiple laws and regulations related to the security and management of customer data. Regions, countries, and states throughout the world have different requirements. A company is responsible for meeting the specific requirements of each location they operate in.
Data Regulation EU GDPR
The primary goal of GDPR is to give control of personal data back to citizens and residents of the EU. This is reflected by requirements that subjects give consent before data is processed, that collected data is anonymized (identifiable information removed) and safely handled when transferred, and that breaches are handled with the utmost urgency and care. The regulation also applies strict rules to the export of personal data to entities outside of the EU and requires certain types of companies to appoint data protection officers for overseeing GDPR compliance within their organizations.
Data Regulation US CA Shine the Light
California Civil Code 1798.83 to .84 requires all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation. Under the California law, businesses may post a privacy statement that gives customers the opportunity to choose not to share information at no cost.
Data Regulation PCI DSS
PCI DSS compliance is essential for any company handling credit card information. It entails maintaining a secure data network, regularly monitoring networks, and implementing security controls, among other rules. Most small-to-medium sized businesses fall into Level 4 (<20,000 transactions per year) and are required to submit the relevant Self-Assessment Questionnaire (SAQ) report.
Data Regulation US HIPAA
HIPAA sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Regulations focus on the handling of medical information, including privacy and security. The regulation requires that any company handling healthcare data, from hospitals to insurance companies, must comply with HIPAA security standards when transmitting and storing electronic protected health information (ePHI).
Data Regulation US HBNR
The Federal Trade Commission (FTC), the nation’s consumer protection agency, has issued the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there’s a breach of unsecured, individually identifiable electronic health information. This FTC rule does not apply if you are a HIPAA covered entity or to the extent you are acting as a HIPAA business associate.
Data Regulation US Red Flags Rule
Identity Theft Red Flags Rule requires financial institutions to implement a program to detect, prevent, and mitigate identity theft.
Data Regulation US SOX 404
The goal of SOX 404 is to implement accounting and disclosure requirements that increase transparency in corporate governance and financial reporting. Focus is on a company's formal system of internal checks and balances. Information technology (IT) controls are specific activities performed by persons or systems to ensure that business objectives are met. IT control objectives relate to the confidentiality, integrity, and availability of data.
Data Regulation US CCPA
The new California data privacy act SB1386 or AB-375 was effective Jan 1, 2020. The CCPA focuses exclusively on data collection and privacy. Citizens have the right to bring a civil action against companies that violate the law.
Data Regulation CAN CASL
The Canadian law sets clear requirements for all commercial emails. The Canadian Radio-television and Telecommunications Commission (CRTC) works hand in hand with its international counterparts—including agencies in the U.S., U.K., and Australia—to investigate and enforce violations of CASL by international senders.
Data Regulation US Privacy Shield
The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the United States from the European Union (EU) in a way that is consistent with EU law. To join the Privacy Shield Framework, a company must self-certify to the Department of Commerce that it complies with the Privacy Shield Principles. Requirements of the EU-U.S. and Swiss-U.S. Privacy Shield are the same.
Data Regulation US COPPA
Data Regulation US GLBA
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
Data Regulation US Disposal Rule
Any large or small business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The Rule requires the proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” The Disposal Rule requires disposal practices that are reasonable and appropriate.
Data Regulation US CAN-SPAM
The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.”
Data Regulation US OH Data Protection Act
Provides organizations with a legal incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with any one of the approved industry-recommended frameworks. Companies in compliance with any of the frameworks are entitled to a “legal safe harbor” as a defense against legal claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures.
Data Regulation US CT Gen Statute 42-471
Conn. Gen. Stat. § 42-471 requires any company who collects Social Security numbers in the course of business to create a privacy protection policy. The policy must be "publicly displayed" by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.
Data Regulation US DE Code 6-205C
Data Regulation US NV NRS 603A
Nevada Revised Statutes, Chapter 603A, focuses on the security of personal information.
Data Regulation US UT Code 13-37-201
Utah law 13-37-201 to -203, although not specifically targeted to online businesses, requires all non-financial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation.
Risk Assessment and Management
Taking risks is part of doing business. Addressing up front the risks that most affect a particular company and industry helps reduce the negative impact if they occur. Results from not addressing risks range from inconvenient to devastating. But managing risks can soften the financial blow and enable long-term success.
Vendor Management for Business
Materials, products, services and other items consumed by your business ultimately reflect in YOUR product or service. What comes into your company directly affects what your immediate stakeholders and customers see. A vendor relationship starts before the contract is signed. Select the best vendor for your needs, then nurture the often-neglected relationship.
Inventory Management for Business
The end result of inventory management is to have the right product at the right amount at the right place at the right time. Inventory problems can have a huge negative effect on your business, especially cash flow. But there are several controls and processes that can help ensure your customer gets the product to their satisfaction.
Strategic warehouse planning, efficient processes, performance measurements, worker health and safety, and plant layout all contribute to effective supply chain fulfillment. Implementing process controls and an optimal floor layout in a warehouse operation is critical to ensuring a customer's order is filled and delivered as promised. In addition, it is absolutely necessary to provide workers a safe environment. Having a sound warehouse management governance program in place will enable you to effectively and efficiently meet order requirements.
Change Control Governance
Physical and digital changes are constantly made in business operations. But connected to each change is often a chain of other actions to consider, both before and after the change. Changes to processes, products, or services have serious ramifications for your success and reputation if done incorrectly. Change control is meant to reduce the chances of a key item being missed or not communicated.
Machinery Controls for Business
Proper maintenance and training on your machinery is critical for maximizing its value, whether the equipment is used for producing widgets, doing calibrations, or producing lab results. Great maintenance is preventive and not reactive.
Incident Response Plan
Cyber security events can be small and occur over an extended period or be large and immediately impact your business viability. An incident response (IR) plan focuses on how to identify, respond, and recover from such events. Events hit businesses without warning, and a thoughtful plan provides guidance in chaotic moments.
Disaster Recovery Plan
Like life insurance, a disaster recovery plan (DRP) is something you hope never to use but it definitely helps if something disastrous happens. A DRP addresses the possible risks to all your key systems, without which your business would have difficulty functioning. Whether a disaster caused by employees, criminal elements, or nature, preparedness is critical to returning your business back to full functionality.
Data Breach Notification
Companies that manage or possess customer or employee personal information are responsible for reporting theft or disclosure of that data. Each state and country has its own requirements for reporting a security breach of personal data. A data breach plan is designed to address the technical and administrative requirements before a data breach occurs so that the focus can stay on breach remediation.
User Access Management
Weak or missing user access controls are a leading reason cyber criminals can access business data. System and application access controls focus on keeping your user access list current and clean. This requires a focus on terminations, special privileges (admin rights), contractors, and regular reviews.
Privileged Access Management
Unwanted access into systems to abuse or steal valuable company data is usually accomplished using privileged accounts. Privileged accounts provide almost unlimited access to critical business systems and information. Actively managing privileged system access (PAM) is undoubtedly a key component of stopping cyber theft, ransomware, and other system attacks.
Cyber Security Plan
Securing your systems and applications from criminal cyber elements requires a structure that ensures key areas are consistently addressed. A cyber security plan focuses on risks, policies and procedures, training, and strategy planning.
Application Development Controls
Security holes in applications are sought by cyber criminal elements. Whether internal or external applications, security controls are needed to safeguard valuable information. Consistently adhering to basic application development controls reduces the possible vulnerabilities in your systems.
A policy is a documented management statement that identifies an important company issue and states why it needs to be done. Clear and concise policies provide all stakeholders with a good understanding of how your business wants to operate. Policy Development defines the guidelines for creating these solid policies. The lack of a comprehensive policy can sway a legal opinion and ruling. So it's critical to get the policy right from the beginning.
A successful policy clearly states the requirements for everyone operating within a business. Policy management defines how to maintain existing policies as circumstances change. A policy that does not match what is actually happening in your company is confusing to internal and external stakeholders. In some cases, inaccurate policies may have serious legal ramifications.
Enterprise IT Governance
Regardless of company size and products provided, information technology (IT) is the backbone that keeps it running. But often an IT function is not aligned with company goals. This results in mistrust, frustration, wasted money, and failed projects. IT enterprise governance focuses on aligning and blending IT requirements to keep the lights on and simultaneously work with the business to grow its value.
Worker Health and Safety
One of the most important actions and demonstrations of concern a company can make is to ensure every worker returns home in the same condition as when they left. The well-being of workers and the monetary loss from non-compliance demand focused attention on health and safety (H&S). Developing and maintaining a culture of safety in the workplace absolutely necessitates a structured approach that ensures H&S requirements are understood and lived by all workers.
Every company has areas critical to their success. Any function which keeps the business successful, for example data, processes, or security management, should receive the highest level of scrutiny. To satisfy both internal and external demands, these success factors should be periodically audited and reviewed. This means implementing a simple but effective audit program.
Software License Management
Every company has software to support operations or systems. A software license is the legal right to use this software according to the vendor's terms and conditions. Not adhering to a license agreement has compliance and monetary ramifications. A software license management or governance plan greatly reduces the chance of an expensive compliance issue and helps save money by purchasing and using only licenses that are necessary.
Environmental Sustainability for Business
Many countries are tightening requirements for adding waste to landfills, cleaning the air and water, and in general improving the environment. At the same time, more consumers want to buy more environmentally friendly products. An environmental sustainability program provides a focus on improving your operations and product.
Business Ethics Practices
Practical steps are necessary to ensure ethical people are hired and employees know how to make sound ethical decisions on a day-to-day basis. Employees, including managers, need to be educated, trained, and engaged. A company must seek to improve the community around them. Creating an ethical organization requires effort to establish and maintain.
Business Ethics Management
Good ethical behavior leads to trusting employees, customers, partners, and vendors, which leads to better company performance. Poor ethics leads to negative feelings about the company, lost opportunities, and even criminal charges. Organizational integrity is created through an ethics program that emphasizes a code of ethics, leadership, self-assessment, confidential reporting, and continuous training.
Every community in which a company operates or employees live has needs. The right thing to do in any society is to provide help and give something back. Develop a community outreach program that will ensure that your company stays focused on being a good corporate citizen.
Artificial Intelligence Governance
Artificial Intelligence (AI) is integrating into nearly everything we interact with, and the pace of development is accelerating. But AI brings with it certain unique concerns around privacy, built-in human bias, ethical and cultural bias, and unintended consequences. The developing and evolving focus on AI governance will help you address these concerns and provide guidance in an area affecting both small and large businesses in nearly all industries.
Robotic Process Automation
Automating processes to manage high volumes of transactions using virtual robotic systems requires adjusting how employees interact with these non-human entities. Robotic process automation (RPA) is not just another system or database tool. There are implications to your workforce, systems, processes, procedures, security, risk, access, and change control. Understand how to properly manage the technical and process changes that a robotic ('bot') system brings to a company.
Focus should be on what differentiates your business from others. Your strength is where a difference is made, not in performing non-core work that many others can accomplish. Whether someone else does the task, job, service, or operation locally, on premise, offshore, or nearshore, proper controls will help ensure a successful outsourcing relationship.
First 100 Days for Leaders
Many leaders/managers are promoted or hired into a new role and expected to establish themselves immediately. This is rarely realistic. But when a company follows a structured approach during the first 100 days and provides guidance for each person moving into a leadership position, stress is reduced and productivity leaps. Most important, the chances of retaining a new leader are greatly increased.
The task of attracting and keeping talented employees is becoming more difficult as it becomes easier to move between companies. Workers are looking for something more meaningful. Focusing on employee participation, or participative management, provides strong motivation to employees. By giving employees more input into decision making, a company becomes more attractive, and an employee sees more opportunities for personal and professional growth. The openness of workplace democracy builds trust and dedication, leading to increased performance.
Systems and software applications are often purchased and implemented without knowing the life cycle costs. Replacing or keeping an existing business application only makes financial sense if you know the true costs and risks to support and maintain an application. The true total cost of ownership (TCO) via technology business management (TBM) will guide your decision making and strategic planning.
Prepare a Business to be Sold
There are many reasons an owner may want to sell a company, such as retirement, illness, moving on to something else, financial difficulties, divorce, or a hot market. To maximize a company's value, an owner should start preparing a business for sale at least two years before approaching potential buyers. Be prepared to provide buyers with what they want to see before they ever ask. You can attract more buyers by demonstrating how well run your company is and why it would be a good investment.
Getting Started in Governance
New to governance, compliance, and process controls? Looking for a more structured method to manage your business operations? Let us help you build a roadmap. This topic will quickly determine where to begin based on your particular needs. Once you have the basics, expand to other topics that will benefit your business.
Data Security for Yourself
Private and confidential data abounds in multiple devices used by individuals and families. Unfortunately, there are many bad elements around the world and in your neighborhood that want to get hold of it. Fortunately, there are some basic steps that can greatly reduce the risk of your information being stolen or misused because of something you do.
Often your digital information is valuable financially or emotionally to family and friends. Be prepared for someone to manage your data in the event you become incapacitated or die.
Data Theft Protection
Someone stealing your information and subsequently your financial resources can be devastating. Do everything possible to prevent identity theft and fraud from happening.
Making Your Home Safer
We often don't see the unsafe areas inside and outside the home because we get so used to it being that way. There are many ways to improve the home environment safety and security, most at little or no cost. For those with elderly persons or children living at home, safety is especially important.
Home Remodeling - General Requirements
General remodeling or doing major repairs is best done when you have considered and prepared for issues BEFORE the project starts. Key general remodeling issues include costs and budgets, rooms and key areas to cover, designing, permits and approvals, project scheduling, and tools and materials.
Home Remodeling - Do It Yourself
Remodeling or doing major repairs by Doing It Yourself (DIY) is best done when you have prepared for issues BEFORE the project starts. Key DIY issues include safety, tools, rentals, permits, equipment, videos, use of subcontractors, and planning.
Home Remodeling - Using a Contractor
Using a contractor for remodeling or doing major repairs at your home means selecting and managing the contractor and contract to limit the issues and ensure mutual satisfaction.