Surety Bond Quarterly - Fall 2017 - 19

managing that risk and don't know where to start. Some companies are still not addressing these risks, as they feel overwhelmed and don't know how to manage them.
Assumptions are a critical detriment to any cybersecurity program. The most secure companies we work with aren't the largest companies or the ones that spend the biggest budget. They are the companies brave enough to continuously question their assumptions about their own cybersecurity. They question, and re-question, where their high-risk data is and how to protect it. Time is spent reviewing their security tools and systems. Resources regularly validate that systems are functioning as desired instead of assuming that they are. They inspect and look for exceptions to the systems and rules, eliminating those that create the greatest risks.
With the rise of automated attacks and bots, one thing is for certain: everyone, regardless of size or industry, is now a potential target. The point of this article is to provide a basic road map for how to start and continue a data privacy and cybersecurity risk management program, no matter where you are in the process.

Here are the basic components of a risk-based data privacy and cybersecurity program. They should be tweaked and enhanced depending on the specific legal requirements of certain industries and on the size and scope of your organization.
Map and Classify High-Risk Data (Both Paper and Digital)

You must know where your high-risk data is in order to protect it.

* Start with Social Security numbers, drivers' license numbers, health insurance information and financial information.
* Encourage your IT department to actively go hunting for high-risk data. Often a hunt for data will reveal vast areas of risk that the business didn't anticipate during mapping and classification. It is important to look everywhere and at everything, not just where the team assumes high-risk data may be located.
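As an added example (not from the article), the data hunt above can be started with a small scanner that looks for two of the identifier types the article names, Social Security numbers and payment card numbers, validates each candidate so the report is not drowned in false positives, and records counts per file rather than the values themselves. The SAMPLE text, the file suffix list and all function names are assumptions made for this illustration.

```python
import re
from collections import Counter
from pathlib import Path

# Candidate patterns are deliberately broad; every hit is validated below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count validated high-risk identifiers in a string without retaining the values."""
    hits = Counter()
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits["ssn"] += 1
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"] += 1
    return hits


def hunt(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk a directory tree and return per-file counts so findings can be triaged by location."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = classify_text(path.read_text(errors="ignore"))
            if hits:
                report[str(path)] = dict(hits)
    return report


# Constructed sample: one plausible SSN, one unissued SSN (area 000), one Luhn-valid
# test card number and one 16-digit number that fails the Luhn check.
SAMPLE = """employee 123-45-6789, bogus 000-12-3456
card 4111 1111 1111 1111 ; not a card 1234 5678 9012 3456"""

if __name__ == "__main__":
    print(classify_text(SAMPLE))
```

Run `hunt(Path("/path/to/share"))` against a file share or export directory to get a per-file map of where validated identifiers actually live.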

Don't Overlook the Foundations of Cybersecurity

For any risk-based program to be effective, you must have a functional cybersecurity platform to rely on.

* Whether you adopt the Cloud or not, multi-factor authentication is a must for Cloud, SaaS, and remote access or functionality.
* Pay attention to your firewalls' controls and restrict both incoming and outgoing traffic.
* Reverse the concept of rank having privileges. High-ranking personnel should be the most secured employees. They generally have access to the most sensitive and largest amount of data. Too often we see exceptions to security policies for those that are at the highest risk of being targeted.
* View security as a work in progress. The threat landscape is constantly changing; your security systems, processes, and policies need the flexibility to change with it.
Complete a Security Risk Assessment

Complete a security risk assessment to prioritize where resources should be applied on a rolling basis, and assess the highest risks to the organization's data.

* Using an outside information technology firm provides an independent evaluation of your physical and electronic status and can assist with identifying gaps and priorities for budgeting.
* Consider using outside counsel in any processes that are identifying vulnerabilities, for protection under the attorney-client privilege and work product doctrine.
* Don't treat your security team as the enemy. Success requires open and honest communication of gaps and risks between the IT security team and the executive team.
Implement Appropriate Safeguards

Implement appropriate physical, technical, and administrative safeguards for the data based on the size and scope of the organization.

* Processes are not one-size-fits-all, so protecting the highest-risk data is the most efficient place to start, particularly with budgeting constraints.
* Technical safeguards must be implemented from the point of view of what could happen, not what should happen. Overreliance on safeguards based on people doing the right thing or following the right processes may cause you to easily fall victim to basic human error. Worse yet, such safeguards ignore what could be done if credentials are lost or a system is hacked.
Develop and Implement Procedures and Processes for the Protection of Data

Develop and implement procedures and processes for the protection of data, including any policies that are legally required.

* Processes and procedures any business should consider are data classification, acceptable use, mobile assets, encryption, incident response, data backup plan, disaster recovery, bring your own device, social media, a Written Information Security Program, and, if applicable, a HIPAA compliance program.
* A word of caution: although it is important to document the processes and procedures used by the company in protecting data, be careful about calling each process, procedure, or program a "policy." There are some policies that are legally required, but many are not, and from a risk management and litigation perspective, proper labeling of the processes is extremely important.
* Include analysis of whether data is being processed outside of the United States, as other laws may apply, including Europe's General Data Protection Regulation.
* Prioritize efforts so that training on the policies is a constantly recurring effort. Training is the most valuable security safeguard.

Develop and Implement a Vendor Management Program

Develop and implement a vendor management program, including processes.
