Cybersecurity Risk Management – Part III

Cybersecurity risk management has become a more challenging endeavor recently. It was never an easy task for commercial enterprises, but now that we’re facing a global pandemic and economic recession, there are additional challenges. At this point, most of our personal information is being transmitted and stored on the internet. Third-party cloud service providers have become a useful variable in the equation but they can also become a liability if there is a cybersecurity incident. Therefore, cybersecurity risk management has become more difficult especially since commercial enterprises share personal or confidential information with third parties.

The fact that our personal information is no longer in our possession or control makes cybersecurity risk management more challenging. Now, if, our personal information was stored in one location, and as such, was in one company’s possession, life would have been easier. However, multiple vendors, and third-party service providers gain access to our confidential information. So, the level of liability rises to a different stage since there is additional potential responsibilities that must be managed. In addition, some companies have allowed their employees to work from home and this business model makes it more difficult to manage cybersecurity risks. In other words, remote employees can become the proverbial “weakest link” which can be quite dangerous for the commercial enterprise.

A problem in the cybersecurity risk management formula is that change is never ending. The constant change in technology and law makes it more difficult for companies and their information technology managers to keep up. Our law firm’s cybersecurity lawyers generally recommend working with computer technology experts on a regular basis. This way, they can develop the necessary policies on their networks. They should identify the risks by understanding the cybersecurity rules and regulations. An information technology manager should implement internal and external policies to secure the network which usually holds confidential information. For example, the network should have a secure software or hardware firewall, encryption algorithm, and multi-factor authentication system. The information technology manager should develop and implement regular training sessions for employees.

The National Institute of Standards has published a special guide for the federal information system’s risk assessment. This guide, that is labeled as the NIST Special Publication 800-30, is designed to provide instructions on how to implement security and privacy controls on the government’s information systems by helping to assess risks. The guide focuses on several major principles which should be followed by the public and private sectors. First, they must identify the cybersecurity risks. Second, they must assess the cybersecurity risks. Third, they must identify risk mitigation measures. Fourth, they must engage in ongoing monitoring of the computer network. Accordingly, risk assessment is a major component of the risk management process which can be used to identify, estimate, and prioritize business operation risks.

The E-Government Act is a federal statute designed to enhance the management and promotion of electronic government services and procedures by establishing a federal Chief Information Officer. It’s designed to establish a broad framework of measures that require using internet-based information technology to enhance access to government information and services. Its purposes are as follows: (1) to provide effective leadership of federal government’s efforts to develop and promote electronic government services; (2) to promote use of the Internet and other information technologies to provide increased opportunities for citizen participation in government; (3) to promote interagency collaboration in providing electronic government services, where this collaboration would improve the service to citizens by integrating related functions, and in the use of internal electronic government processes, where this collaboration would improve the efficiency and effectiveness of the processes; (4) to improve the ability of the government to achieve agency missions and program performance goals; (5) to promote the use of the Internet and emerging technologies within and across government agencies to provide citizen-centric government information and services; (6) to reduce costs and burdens for businesses and other government entities; (7) to promote better informed decision-making by policy makers; (8) to promote access to high quality government information and services across multiple channels; (9) to make the federal government more transparent and accountable; (10) to transform agency operations by utilizing, where appropriate, best practices from public and private sector organizations; and (11) to provide enhanced access to government information and services in a manner consistent with laws regarding protection of personal privacy, national security, records retention, and access for disabled persons.

The Federal Information Security Management Act (“FISMA”) was passed under Title III of the E-Government Act, and is a federal statute that recognizes the importance of information security to the government’s economic and national security interests. This act introduced a data security risk reduction method which focuses cost effectiveness. It requires federal agencies to develop and implement information security programs.

Our law firm assists clients in matters related to cybersecurity risk management rules and regulations. Please contact our law firm to speak with an internet attorney at your earliest convenience.