Reasonable Compliance and Information Risk Management

Why "Reasonable"?

"Reasonable". The word appears more and more in information privacy legislation. In fact, there is a judicial burden of proof to do what is “reasonable”.

Businesses are facing an increasingly legislated and litigious operating environment. Highly regulated enterprises, particularly those in “high risk” vertical markets such as finance and healthcare, face even more daunting challenges across several governmental, industry and market compliance obligations. It is difficult to know where to focus current resources and how best to budget and plan for the future in the face of unidentified existing vulnerabilities, changing threat environment complexities and compliance requirements.

The burden of decision-making, planning and responding to the demands of legislation and regulations such as GDPR, HIPAA, PCI, CCPA, and the rising tide of breach notification and privacy laws in the US and abroad is significant. Faced with many risk and security management framework choices such as NIST, ISO and COBIT, the process for setting priorities according to business-drivers and existing risks can be daunting and, sometimes, difficult to justify with reason. Some will seek to align with “best practices” frameworks and some will aim to achieve broadly recognized risk and security management systems certification. Some will seek to pass the next audit while hoping not to fall victim to the latest threat.

Because external threat actors exploit vulnerabilities in enterprise IT architecture and human behavior within your organization, you need a trustworthy partner, with both business and technical skills, who employs a reasonable approach to reduce risk without disruption. Agillect is your trusted partner and your bright light through the Fog of More to help you plot a course and arrive at a confident, risk-based and defensible “reasonable” for your organization.

Assessments & Recommendations

Many organizations are overwhelmed by regulatory compliance and expansive frameworks which neither directly map to organizational priorities nor rapidly yield useful performance metrics. Agillect is able to recommend Key Risk Indicators (KRIs) and supporting measurable Key Performance Indicators (KPIs) which communicate meaningful risk posture information to stakeholders. Assessments establish the foundation for this work while also creating possible roadmaps for a rationalized information risk management program.

Minimally, assessment of controls and demonstrated methodical gap remediation for alignment with a prevailing reference framework generally provides a foundation for meeting the judicial standard of “reasonable” due care and due diligence necessary to establish a legally defensible information security posture.

  • Application, Vendor, Service Provider, Supply Chain and Third-Party: Write me

  • Risk and Control Self-Assessment: Write me

  • Audit & Discovery Readiness: Breach of consumer or jurisdictional resident non-public personal information, and subsequent proof of failure to comply with statutes such as California’s CCPA/CPRA, New York State's Department of Financial Services (DFS) privacy mandate, other state and federal legislation such as GLBA and SOX, and the European Union General Data Protection Regulation (GDPR) can result in business-crippling punitive public fines, private judicial damages awards, and irrecoverable loss of reputation value.

  • Compliance: write me

  • Certification: write me... Obtaining independent auditor certification of

  • Best Practices: write me….

With an acquired understanding of mission, stakeholder risk appetite and risks, Agillect applies the appropriate reference frameworks and standards to conduct assessments of readiness to avoid, prevent and respond to risks and threats, and to mitigate incidents. Agillect also assists in budgetary prioritization for rationally mapped controls that produce performance data.

Because average time to detection is 200 days from initial successful exploit, and litigation outcomes make no allowance for detection delays, it is essential to achieve and demonstrate “reasonable due care and due diligence” in the conduct of information risk and security management, which increases the probability of a favorable judgment.

Engagement & Delivery

Agillect serves medium-sized corporate clients in financial services/technologies, health services/technologies, legal services and other significantly at-risk sectors with head-offices in the United States.

Through collaboratively integrated risk assessments, we provide vital foundation services to address the difficult challenges of compliance, information privacy and security risk management. We facilitate risk-prioritized budgetary planning and assist in taking business-driven risk-mitigating actions which consistently produce meaningful Key Risk Indicator and Key Performance Indicator data for stakeholders.

Please contact us to set up a consultation to discuss how Agillect services meet your needs to best manage information privacy and security risk.

Qualifications

In addition to more than 20 years of cross-sector information risk and security controls management experience, our team members hold the internationally recognized credentials Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC).

Contact

infosec@agillect.com

(408) 475-4077