A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
CPPA Releases Draft Cybersecurity Regulations Breadcrumb Home Insights Blog CPPA Releases Draft Cybersecurity Regulations October 5, 2023 The California Privacy Protection Agency (CPPA) has released draft regulations detailing cybersecurity program audit requirements for businesses that process the personal information of consumers and present a significant risk to consumers’ security. Whether or not an entity presents a “significant risk” is defined by the thresholds of revenue, the volume of consumers and the known age of the consumer. If adopted, this would represent a significant step forward in providing uniform requirements on how a cybersecurity program must be assessed, documented and measured. Background The CPPA was formed in 2020 with the objective of adopting regulations for businesses that handle the personal data of consumers. The agency is governed by a five-member board and is responsible for the implementation and enforcement of the privacy protection laws introduced under the California Privacy Rights Act (CPRA). What do these regulations do? If enacted, the CPPA’s draft regulations would impose major cybersecurity requirements on covered businesses. It would require an annual audit to assess, document and detail each applicable component of a business’s cybersecurity program, including the identification of any gaps and weaknesses that must be addressed before the next audit cycle. What components do these regulations cover? If adopted, several areas across the cybersecurity landscape would be in scope. These areas are not vastly different than what is covered in other industry-wide control frameworks. However, the specificity of components that a cybersecurity program will be audited on establishes a clear picture of what every entity’s program must include. The following cyber elements are specifically listed for assessment and documentation: Cybersecurity Components Covered: Authentication Antivirus Protections Encryption Network Segmentation Zero Trust Architecture Ports, Services and Protocols Access Controls Cybersecurity Awareness and Training Personal Data Inventory Secure Coding Secure Configuration Third-Party Oversight Vulnerability Scanning Data Retention and Destruction Log Management Incident Response Network Monitoring and Defense Business Continuity Planning What is unique about these draft regulations? The security measures detailed by the CPPA are defined in a uniform manner. This means that an increased burden would be placed on covered entities to explain the remediation plan for any gaps found during an audit. Covered entities might also have to explain how the current process provides equivalent security to what is outlined if a business doesn’t believe that the control is applicable to them. Another unique topic that the CPPA includes for consideration is how a business might map “reduction in harm” information to each control. This aims to define whether or not a program component actually reduces the chance of a negative event taking place. Conclusion While the CPPA has not yet begun the formal rulemaking process, it has provided these draft regulations to facilitate discussions between the board of directors and the public. Many phases of review, feedback and change are necessary before the adoption of the final regulations. Regardless of the final outcome, this is a compelling start to providing uniform guidance on which components must be covered in a cybersecurity program and what covered entities will need to have in place to ensure the privacy of consumer data. If you have questions about compliance with state privacy laws and how they affect your organization, click here to learn more about our offerings, or drop us a line. By: TJ Carsten SENIOR CONSULTANT - DATA GOVERNANCE, PRIVACY AND PROTECTION | OPTIV TJ Carsten has over 16 years’ experience in both consulting and corporate enterprise data management. He has experience working with medium sized businesses as well as Fortune 500 corporations to build and enhance their data privacy and governance programs. Share: Privacy Secure Configuration CPRA CCPA CPPA California privacy rights data subject rights Cybersecurity Authentication Encryption Zero Trust Access Controls Personal Data Vulnerability Scanning Centralized Log Management Network Monitoring Antivirus Protections Network Segmentation Cybersecurity Awareness Cybersecurity Training Secure Coding Third Party Oversight Data Retention Data Destruction Incident Response Business Continuity Planning BCR Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.