By Jamal Hartenstein, JD, CISSP, CGEIT, PMP

(ISC)², a leading cybersecurity and IT security professional organization, is holding their annual Security Congress event in Orlando in a few months. At the conference, I will be presenting a panel called “Behind the Text: Laws on Data Privacy, Consumer Rights and Cybersecurity, Deconstructed.” Today I am sharing a little bit of insight into what I will delve further into at the (ISC)² event.

Data privacy and cybersecurity laws shape many aspects of an organization, from influencing the operational decisions an organization makes to the way IT security professionals do their jobs.

The purpose of data privacy laws is to provide regulatory compliance measures to protect personal data—depending on the industry, this could be the data of consumers, customers, private citizens, or others. Typically, the laws align with IT security frameworks (often created by academics or other experts) and companies write their data privacy policies to comply with laws and adhere to frameworks.

But, what’s missing? When you deconstruct the text of the laws that govern an organization’s industry—think private sector financial, health insurance, banking, etc.—you may find loopholes or obligations you didn’t know existed. Organizations can save themselves a lot of time and money by understanding the scope of their legal obligations.

Legislation is increasingly shaping the IT security professional’s field. Some laws that currently govern IT security have been on the books for 100+ years, but only recently have been interpreted to cover data privacy and cybersecurity violations. These changing legal interpretations, along with the new laws being put on the books, means that there’s a level of legal understanding that can be daunting for organizations and the security professionals they employ. Collectively, we need to dissect the wording used in the popular data privacy and cybersecurity laws and break it down so IT professionals can truly understand what we’re working with.

As an IT Security professional, I understand the threats, technology, and strategies to mitigate threats. Having a legal background makes it easier for me to understand laws that determine exposure to compliance obligations and laws that influence how I develop strategies. For example, when organizations comply with a deletion request, or “the right to be forgotten” (aka: of your own personal data records held with an organization), this can be an expensive process, especially if the data is on offsite backups and housed with third party data processors. But the law is particularly tricky with explanations on why, how, and when an organization must process a deletion request, or even if the request must be performed at all. Consequently, a lot of time and money can be saved if IT Security professionals understand the text of the laws.

Interested in learning more? During my discussion at the (ISC)² Security Congress, we’ll cover the following:

• Identifying loopholes in laws. For example, whether you must comply with a consumer’s request to be “forgotten”/deleted.
• Identifying widely unknown obligations. For example, the requirement to appoint an EU Representative under GDPR, distinguished from the DPO.
• Understanding the rights of the consumers regarding data privacy provisions and IT security obligations.
• Understanding factors used to determine whether you must comply with data privacy and cybersecurity laws…and to what extent.

Want to find out how to deconstruct and understand security law? Attend my panel at the (ISC)² Security Congress in October—I hope you see you there!

About the Author: IT Security Program Manager at KAI Partners, Jamal Hartenstein is a cybersecurity legal expert who has helped some of the country’s largest financial institutions, healthcare companies, and federal agencies develop their IT Security Roadmap programs. In his current role, Jamal provides guidance to executive staff and security professionals on laws, frameworks, and policies that help shape their strategic plan, and helps organizations innovate safely and securely. Prior to working for KAI Partners, Jamal served as an Electronic Warfare Sergeant in the U.S. Army Military Intelligence Corps, where he was a steward for Defense Information Systems Agency (DISA) framework. He earned his undergraduate degree from Georgia Military College and his Juris Doctorate from University of the Pacific, McGeorge School of Law in California.

By Jamal Hartenstein, JD, CISSP, CGEIT, PMP

I recently had the opportunity to speak to a group of civil servants through the organization, NxtGov. NxtGov is a professional network for people working in California public service, and those who are interested in public service. According to NxtGov, “We want to develop this network into a platform for collaboration across government and other sectors to develop innovative ideas to improve government service and restore trust and pride in public service.”

To achieve their mission, NxtGov promotes training and advancement of current government workers and actively recruits new talent. NxtGov adds value with opportunities on how to find and apply to government positions and training on how to sharpen skills to promote within.

My discussion focused on improving understanding of the Information Technology workforce within the public sector, including information on the different certifications and skills-building that might be beneficial. With so many public sector agencies undertaking large system replacements and other innovation projects, skilled IT professionals are needed now more than ever. And, IT professionals with different backgrounds—like project management and change management—are just as much in demand.

Interested in learning more? Here are some Q&A on IT certifications and professional development:

1. Do I need an IT certification? Considering all the letters behind my name, I definitely think certifications are valuable! Plus, certifications are often mandatory checkboxes when applying for government positions. Even if it’s not mandatory, a certification can indicate to employers your interest in and dedication to a particular industry. A certification can also validate years of experience and capability.
2. Which certification do I need? First you need to determine which certification is most valuable to you and your goals. A certification is only as strong as the certificate authority and how you use your credential. Remember that earning a certification often allows you to gain access to and participate in a new online community with membership by the certification authority. Resources will become available that otherwise were not offered, which only aids in your continued development.
3. Is a PMP® an IT certification? Short answer: Yes! Many of us have been involved in IT project management, but just didn’t know it. A PMP® credential is a valuable IT certification and as of July 2019, there are nearly 900 open project management jobs in the Sacramento region. (Bonus: The average IT Project Manager position pays upwards of $95K annually).

The future of IT in the public sector is great and growing. Whether it’s through cloud migrations, third party software replacements, or an innovation we haven’t even thought of yet, now is the time to start taking your professional development up a notch. For a sustainable IT career, you should keep up with new certification and training and make sure you don’t stay stagnant in a position that isn’t growing along with the speed of technology.

How are you navigating the IT changes in the public sector? Be sure to check out NxtGov to learn more about the important work they’re doing to help improve government services.

About the Author: IT Security Program Manager at KAI Partners, Jamal Hartenstein is a cybersecurity legal expert who has helped some of the country’s largest financial institutions, healthcare companies, and federal agencies develop their IT Security Roadmap programs. In his current role, Jamal provides guidance to executive staff and security professionals on laws, frameworks, and policies that help shape their strategic plan, and helps organizations innovate safely and securely. Prior to working for KAI Partners, Jamal served as an Electronic Warfare Sergeant in the U.S. Army Military Intelligence Corps, where he was a steward for Defense Information Systems Agency (DISA) framework. He earned his undergraduate degree from Georgia Military College and his Juris Doctorate from University of the Pacific, McGeorge School of Law in California.

By Jamal Hartenstein, JD, CISSP, CGEIT, PMP

The Greater Sacramento Capitol Chapter of ARMA recently held its annual Records Knowledge Conference, which brought together records managers from city, county, and state clerk offices.

According to our local ARMA chapter, ARMA is dedicated to providing education and resources to those in the Records Management and Information Governance fields. They are committed to enhancing Records Management and Information Governance professionals through training, networking, leadership, and outreach.

The conference attendees brought a sense of eagerness to learn and share—ARMA chapter leadership gave event attendees a special opportunity to hear from world-class speakers—including and a lead researcher on the IBM Watson project, Dr. Ashish Kundu—on some of the most important and cutting-edge topics.

Along with a formidable group CEOs, I was honored to be asked to speak about Cybersecurity Threats to Information Governance. Highlights of the event and major takeaways included:

• Understanding what data you have, who accesses it, and where it goes is paramount.
• Conflicts among document retention policies, industry best practices, and laws suggest that we seek out and use the highest common denominator.
• Trending topics and buzzwords the government sector include players like Smart Communities, Artificial Intelligence (AI), Digital ID, Blockchain, NIST, and the KAI Partners approach to security assessments.
• Data Migrations are underway. Records Managers who respond to Freedom of Information Act (FOIA) requests for public records or subpoena must deliver records formats adhering to general business practices, which may be legacy.
• Regarding Third Party Risk Management (TPRM), cloud services, and Business Associate Agreements, liability points back to the data controller regardless of contracts with data processors or third parties.
• Mobile device management and data/device ownership remain a point of contention and confusion during public record requests.
• Innovation is forcing a cultural shift in workforce demands and understandings of emerging technologies.
• Artificial Intelligence (AI) solutions can be used to categorize and classify data, performing some of the tasks of current Data Custodians and Data Owners.
• While AI may not replace Records Managers, Records Managers who understand and embrace AI will inevitably replace those who do not.

Public sector IT innovation and modernization means systems and processes change rapidly. One example of this is California Assembly Bill 2658, recently signed into law by the governor. This new law updates the definition of an Electronic Record to include blockchain and smart contracts as legally recognized records. It sends a clear signal that digital records management, particularly blockchain technology and smart contracts, are priorities for a more innovative and dynamic public sector.

This new law impacts public records requests because entries logged in public agency-owned private blockchains are electronic records. These records are susceptible to the Freedom of Information Act (FOIA). Records Managers may benefit from technology that makes the identification and delivery of public records to requestors easier. It may also create convenience for those exercising Public Records Act (PRA) requests. It’s a double-edged sword; it streamlines the processes but increases PRA volume at the same time.

The discussion of the California blockchain law was one most important topics discussed at the ARMA event. Another popular topic was IT Security Assessments.

The urgency in public sector data governance and records management is an incredible opportunity to embed IT security controls for the public sector personnel working at the heart of the ever-expanding challenges.

KAI Partners performs security assessments to address the multitude of challenges facing the public sector. Our assessments help ensure secure and efficient delivery systems where the organizational objectives align with the development of strategic plans and programs. In addition, KAI Partners’ training division—KAIP Academy—works to address technical skills gaps. Our training courses include ITIL, Project Management, Agile/Scrum, and more.

Were you at the ARMA Conference? What were your biggest takeaways about public sector innovation?

About the Author: IT Security Program Manager at KAI Partners, Jamal Hartenstein is a cybersecurity legal expert who has helped some of the country’s largest financial institutions, healthcare companies, and federal agencies develop their IT Security Roadmap programs. In his current role, Jamal provides guidance to executive staff and security professionals on laws, frameworks, and policies that help shape their strategic plan, and helps organizations innovate safely and securely. Prior to working for KAI Partners, Jamal served as an Electronic Warfare Sergeant in the U.S. Army Military Intelligence Corps, where he was a steward for Defense Information Systems Agency (DISA) framework. He earned his undergraduate degree from Georgia Military College and his Juris Doctorate from University of the Pacific, McGeorge School of Law in California.

By Jamal Hartenstein, JD, CISSP, CGEIT, PMP

If organizations don’t have IT Security governance, risk management, and compliance measures in place, they are susceptible to breach, dissemination of data, or regulatory violations that can cripple the organization.

Case in point: The California Attorney General’s office filed a legal claim against an airline company for not having a privacy policy for their smart-phone app.

A regulatory violation (i.e., if an organization does not meet deadlines for disclosures) can mean legal penalties. Enterprises without an IT Security Strategic Plan are poorly suited to assess and manage IT related risks, in alignment with business objectives.

In any of these events, consequences include brand/reputational damages, increased cybersecurity insurance premiums, legal fees, and injunctions.

In addition to those risks, there’s a regulatory component to IT Security—the state of California mandates periodic risk assessments for public sector groups at the state, county, and city levels. To keep up with ever-changing mandates and to successfully meet regulatory mandates, you might need Strategic Risk Management Planning.

So, where do you begin to start this planning and make sure your organization is protected?

KAI Partners is your one-stop shop for IT Security services.

Whether public sector, private sector, non-profit, or small business, KAI Partners can offer IT Security services that allow your organization to operate and innovate safely.

Our IT Security services help ensure that the software, hardware, and policies you implement not only protect your organization, but also mitigate the threat of catastrophic litigation.

Members of the KAI Partners IT Security team hold credentials in Certified Information System Security Professional (CISSP), Project Management Professional (PMP)®, Certified ScrumMaster®, Certified in the Governance of Enterprise Information Technology (CGEIT), CompTIA Security+, Network+, Project+, A+, Microsoft Certified Professional (MCP), and more.

KAI Partners works together with Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT Security Managers, vendors, and other strategic partners to help your organization create and implement a comprehensive IT Security plan.

Some of KAI Partners’ IT Security services include:

1. Strategic Planning Development, aligned with IT Security Roadmap Program planning
2. Security Operations and Subject Matter Expert Staff Augmentation
3. Independent Security Assessments
4. IT Security Governance, Risk Management, and Compliance (GRC)

Legislation, regulations, and policy shape the way organizations conduct business today. The laws have a hard time keeping up with technology—and technology has a hard time keeping up with threats. KAI Partners can help you create and implement IT Security practices that are unique to your business objectives and help protect the privacy of your organization.

Interested in learning more about how KAI Partners’ IT Security services can help your organization stay safe and compliant? Contact us today!

About the Author: IT Security Director at KAI Partners, Jamal Hartenstein is a cybersecurity legal expert who has helped some of the country’s largest financial institutions, healthcare companies, and federal agencies develop their IT Security Roadmap programs. In his current role, Jamal provides guidance to executive staff and security professionals on laws, frameworks, and policies that help shape their strategic plan, and helps organizations innovate safely and securely. Prior to working for KAI Partners, Jamal served as an Electronic Warfare Sergeant in the U.S. Army Military Intelligence Corps, where he was a steward for Defense Information Systems Agency (DISA) framework. He earned his undergraduate degree from Georgia Military College and his Juris Doctorate from University of the Pacific, McGeorge School of Law in California.

By Julie Kendall

Last time we discussed in more detail the ISO 27001 standard for ISMS. As we wrap up our four-part series today, we’ll discuss what is needed to implement a successful ISMS framework.

What does it take to implement an effective ISMS framework?

First and foremost an Information Security Management System framework such as ISO 27001 can only be effective if executive level management support is unwavering, consistent and ongoing. Without top management buy in and commitment to support a ISMS framework you cannot expect your ISMS to be fully effective.

A centralized direction for all, clearly defined organizational responsibilities related to information security, and resource commitments in staffing and funding is required to ensure the approach to protecting sensitive information assets will be consistent and predictable. Trying to manage such sensitive assets by only relying on personal initiative is asking for trouble.

Information security should also be an integral part of an organization’s overall risk management process. Just as assessing the impact competitors is important for your company’s potential sales, assessing the impact on revenues if customers believe their sensitive data is not well protected is just as important to an organization’s success. Information security objectives must be related to business objectives and the control choices made by management must be based on a cost/benefit analysis so as to ensure the right resourcing and focus is going to the most vulnerable areas associated with sensitive information.

An information security management system must also enable people to do what they need to in a controlled and predictably safe manner. An ISMS is not effective if its implementation stops people from meeting their business objectives or does not provide management any assurance the activities done by staff are predictably safe.

An effective ISMS must also account for continuous improvement and ongoing evaluation.  Business, like life, is ever changing and what works today may not be good enough for tomorrow. The ISMS framework should allow management a formal and regular means to determine if change in the control environment protecting sensitive information is necessary. This assumes regular control evaluations related to information security must be performed and the results analyzed by management so decisions and resources needed to affect change can be done expeditiously. Changes in business objectives and directions, economies, competition, customer satisfaction all contribute to the need to re-evaluate the ISMS for your organization and adjust as needed. New technologies, changes in trading partner needs, previously unknown vulnerabilities all require an organization to re-assess their risk profile as it relates to information security and business overall.

If your digital information is considered a valuable asset to your organization, you need to implement an Information Security Management System to safeguard those assets. Adoption and implementation of an effective, efficient information security management system framework like the ISO 27001 ISMS framework is cost effective and a ‘dollar worth spending,” before your data is lost or damaged.

For assistance in identifying gaps in your information security efforts and what steps you should consider implementing to become compliant with ISO’s 27001 standards, please contact KAI Partners by email info@kaipartners.com. We can help you address the risks associated with information security risks and train your staff to minimize your IS risks.

 About the Author: Co-owner of KAI Partners, Inc., Julie Kendall is an IT Audit Manager with over 40 years’ experience working in project management, IT risk analysis, IT audit testing, Sarbanes-Oxley IT control testing, SAS 70 vendor reviews, and IT audit/control teaching. Julie’s work has focused on IT audit department development consulting, IT risk analysis, IT infrastructure support and application audits, vendor information security testing, IT control identification, IT SOX and ISO 27001 Information Security control compliance consulting/testing, and IT audit software development consulting/project management. Julie has provided training consultation for CISA exam reviews related to IT auditors and management training on a variety of technology controls based on different information security standards, including COSO, SOX, PCI-DCSS, HIPAA, and ISO27001. Her primary focus in the last 10 years has been with the financial services industries, high technology manufacturing, state governments, and digital content production companies.