Category Archives: legal

What is the “new” value proposition for Enterprise Agreements?

Does your company have legacy systems, or systems with unsupported operating systems? Of course, you understand the compliance and cyber risk of having systems with unsupported operating systems in your environment. For example, you are probably aware of the $150,000 2014 HHS settlement with Anchorage Community Mental Health Services (ACMHS). The resolution agreement states:

From January 1, 2008, until March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network (See 45 C.F.R. § 164.312(e)) by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.

The WannaCry malware is a good example of a real threat that exploits systems running unsupported operating systems.

So, why not replace these archaic and “thorn-in-your-side” systems? Here are some of the reasons:

  1. Cost. In some instances, the vendor will not allow you to update just the operating system; you have to buy an entirely new solution. This can result in a price tag into the six figures.
  2. Lack of expertise on the system. Technical expertise on the unsupported OS, or potentially on the application that runs on top of it, may be absent or sparse.

So, what are some of your options or “Take Aways” in the short term?

  1. Define your risk tolerance.
  2. Ensure your asset inventory includes systems with unsupported operating systems. This inventory needs to name the IT and business owners of the assets. The asset inventory should be dynamic and proactively discover new systems with unsupported operating systems or software.
  3. Understand and document what compensating controls can be applied to these systems.
  4. Involve the IT and business owners of these systems in the exemption process. Ensure that the risks are explained in their language.
  5. Ensure there is a policy and legal/contract language that addresses systems with unsupported software. Ensure that this policy and legal language is known and understood throughout the organization.
  6. Potentially revise your thinking about leveraging Enterprise Agreements.
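The inventory steps above (flag unsupported operating systems, record IT and business owners, document compensating controls and exemptions, and keep discovering new hosts) can be checked mechanically against an inventory export. The script below is an added example, not code from the original post or from any vendor: it assumes the inventory is a CSV export with the columns shown, and the end-of-life table, the inventory rows and the discovery-scan host list are all constructed sample data to be replaced with your own sources.

```python
"""Added example: flag inventory entries whose OS is past end-of-life and
report the governance gaps the take-aways call for. All data below is
constructed for illustration; EOL dates should be sourced from the vendor's
own lifecycle pages before relying on them."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed end-of-life table: (os family, version) -> date vendor support ended.
EOL_TABLE = {
    ("windows", "xp"): date(2014, 4, 8),
    ("windows", "server 2003"): date(2015, 7, 14),
    ("windows", "7"): date(2020, 1, 14),
}

# Constructed inventory export, in the CSV shape this example assumes.
INVENTORY_CSV = """hostname,os_family,os_version,it_owner,business_owner,compensating_controls,exemption_approved
lab-ctrl-01,Windows,XP,jdoe,radiology,"network segmentation;host firewall",yes
hr-legacy-02,Windows,Server 2003,,payroll,,no
ws-0457,Windows,10,itops,finance,,no
"""

# Constructed output of a fresh discovery scan (hostnames only).
SCAN_HOSTS = ["lab-ctrl-01", "hr-legacy-02", "ws-0457", "ultrasound-03"]


@dataclass
class Asset:
    hostname: str
    os_family: str
    os_version: str
    it_owner: str
    business_owner: str
    compensating_controls: list[str]
    exemption_approved: bool


@dataclass
class Finding:
    hostname: str
    eol_date: date
    gaps: list[str]   # empty list means the asset is unsupported but fully governed


def load_inventory(csv_text: str) -> list[Asset]:
    """Parse the CSV export into Asset records; controls are ';'-separated."""
    assets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        controls = [c.strip() for c in row["compensating_controls"].split(";") if c.strip()]
        assets.append(Asset(
            hostname=row["hostname"].strip(),
            os_family=row["os_family"].strip(),
            os_version=row["os_version"].strip(),
            it_owner=row["it_owner"].strip(),
            business_owner=row["business_owner"].strip(),
            compensating_controls=controls,
            exemption_approved=row["exemption_approved"].strip().lower() == "yes",
        ))
    return assets


def eol_date_for(asset: Asset, eol_table=EOL_TABLE):
    """Return the vendor end-of-support date, or None if the OS is not in the table."""
    return eol_table.get((asset.os_family.lower(), asset.os_version.lower()))


def assess(assets: list[Asset], today: date, eol_table=EOL_TABLE) -> list[Finding]:
    """One Finding per unsupported asset, listing missing owners, controls or exemption."""
    findings = []
    for a in assets:
        eol = eol_date_for(a, eol_table)
        if eol is None or eol > today:
            continue  # still supported, or not known to be end-of-life
        gaps = []
        if not a.it_owner:
            gaps.append("no IT owner")
        if not a.business_owner:
            gaps.append("no business owner")
        if not a.compensating_controls:
            gaps.append("no documented compensating controls")
        if not a.exemption_approved:
            gaps.append("no approved exemption")
        findings.append(Finding(a.hostname, eol, gaps))
    return findings


def undiscovered_hosts(assets: list[Asset], scan_hosts: list[str]) -> list[str]:
    """Hosts seen by the discovery scan but absent from the inventory (the 'dynamic' step)."""
    known = {a.hostname for a in assets}
    return sorted(h for h in scan_hosts if h not in known)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for f in assess(inventory, date.today()):
        status = "governed" if not f.gaps else "; ".join(f.gaps)
        print(f"{f.hostname}: unsupported since {f.eol_date} -> {status}")
    for h in undiscovered_hosts(inventory, SCAN_HOSTS):
        print(f"{h}: found by scan but missing from inventory")
```

Run against a real export, the report gives the exemption process its input: every unsupported host with its named owners, and a list of the ones that have no owner, no documented compensating control or no approved exemption, plus any host the scan found that the inventory does not yet know about.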


Ben Boswel, at SC Magazine, wrote the following on EAs:

One way to tackle this problem is to change the relationship between organisations and the software and hardware providers they buy from. Many rely on Enterprise Agreements (EAs) whereby vendors agree to sell a specified amount of software and hardware over a certain timeframe. But EAs have been evolving in recent years to offer more support to customers. Many EAs have expanded to include security and software updates.

Large and complex organisations need EAs with a Software as a Service Offering, a contract between customer and supplier whereby hardware and software are fully supported on a rolling basis.

Instead of companies simply buying IT infrastructure from a provider and then having to update, maintain and replace it themselves, under an evolved EA this is largely the vendor’s responsibility. To ensure the best user experience and encourage users to renew, it is always in a vendor’s interests to ensure that their customers are making use of the most up-to-date versions of their software. Vendors can then manage the continued maintenance of these systems. This takes away the burden of domestically maintaining systems over a vast and sprawling business network of different systems.

Although used in many areas, in recent years EAs have evolved to better accommodate the changing needs of businesses, who are looking for increasing flexibility. Many EAs now include security, network and other hardware support in the same package as well as being available on a pay-by-usage policy. This means firms can accelerate innovation into their IT systems through just one agreement.

I shared this view of EAs with a VP over IT Infrastructure and Operations. The VP’s response:

Didn’t that used to be called a “Managed Service”? Lots of pro(s) and con(s)…

Very true.

The Take Aways:

  1. Review and act on the short-term take aways above.
  2. Contemplate how to leverage and update the use of EAs.

Do you know your data breach notification requirements?

This is a difficult question. Snell & Wilmer have launched an interactive data breach notification site to help organizations answer it. No doubt the site is a marketing tool, but this law firm is contributing to the community.

Here is an excerpt from S&W:

By clicking on a state, you will see a summary of the key features of its notification statute; highlights include PII and breach definitions, respectively, along with notification requirements, including the circumstances in which the state Attorney General’s Office or a similar consumer protection agency is required to be notified as well as timing requirements for the notifications to individuals. We’ve also included links to both the data breach statutes themselves and relevant state agency websites.  Additionally, the second tab on the Data Breach Map provides a visual summary for those states that require notification when PII has merely been accessed as compared to those states that only require notification when PII has been acquired.

The Take Aways

  • Ensure and invest in your relationship with peers in the compliance and privacy departments.
  • Ensure that your cyber incident management team is aware of data breach notification requirements and has incorporated these timelines into their playbooks.
  • Ensure that you socialize data breach notification requirements and timelines with your IT peers.

How can we improve IoT security?

I read an interesting article on securityweek.com by Lance Cottrell. I think that the following comment is spot on:

It is easy to vilify the IoT makers, but they are simply responding to the constraints and market realities in front of them. Moral persuasion will not meaningfully change their behavior. To get better IoT security, that needs to actually be a priority for the business, and that means changing the regulatory and liability landscape to make it so.


This not only applies to IoT makers. What about biomedical makers? What about manufacturers of computer software in general?

Take Aways

  • In the absence of regulation, you need to collaborate with your Legal, Risk Management and IT teams to encode your standards into the terms of legal contracts. These terms can be negotiated, and exceptions granted (and monitored).