October 5, 2023
The California Privacy Protection Agency (CPPA) has released draft regulations detailing cybersecurity program audit requirements for businesses that process the personal information of consumers and present a significant risk to consumers’ security. Whether an entity presents a “significant risk” is determined by thresholds for revenue, the volume of consumers and the known age of the consumer. If adopted, this would represent a significant step forward in providing uniform requirements on how a cybersecurity program must be assessed, documented and measured.
The CPPA was formed in 2020 with the objective of adopting regulations for businesses that handle the personal data of consumers. The agency is governed by a five-member board and is responsible for the implementation and enforcement of the privacy protection laws introduced under the California Privacy Rights Act (CPRA).
If enacted, the CPPA’s draft regulations would impose major cybersecurity requirements on covered businesses. They would require an annual audit to assess, document and detail each applicable component of a business’s cybersecurity program, including the identification of any gaps and weaknesses that must be addressed before the next audit cycle.
If adopted, several areas across the cybersecurity landscape would be in scope. These areas are not vastly different from what is covered in other industry-wide control frameworks. However, the specificity of the components on which a cybersecurity program will be audited establishes a clear picture of what every entity’s program must include. The following cyber elements are specifically listed for assessment and documentation:
The security measures detailed by the CPPA are defined in a uniform manner. This means that an increased burden would be placed on covered entities to explain the remediation plan for any gaps found during an audit. Covered entities might also have to explain how their current process provides security equivalent to what is outlined if they don’t believe that a control is applicable to them.
Another unique topic that the CPPA includes for consideration is how a business might map “reduction in harm” information to each control. This aims to define whether or not a program component actually reduces the chance of a negative event taking place.
While the CPPA has not yet begun the formal rulemaking process, it has provided these draft regulations to facilitate discussions between the board of directors and the public. Many phases of review, feedback and change are necessary before the adoption of the final regulations. Regardless of the final outcome, this is a compelling start to providing uniform guidance on which components must be covered in a cybersecurity program and what covered entities will need to have in place to ensure the privacy of consumer data.