Co-authored by Ross Hosman from Drata and Alfredo Hickman from Obsidian Security.
With the expansion of privacy regulations around the world, the pandemic, and the immense amount of data organizations collect daily, it’s safe to say that even full-fledged security and compliance teams have had a busy past few years.
Building a comprehensive privacy program—from proper data classification to quick turnaround processes for data subject requests—can be an intimidating task for teams of any size. However, if you want to stay compliant with recent laws and ensure customers and partners that you care about protecting their data, you have to start somewhere.
To help, we’ve gathered seven best practices and recommendations from two industry leaders—Alfredo Hickman from Obsidian Security and Ross Hosman from Drata. Below, read a little about their experience and dive into their top advice for small teams looking to prioritize data privacy.
Alfredo Hickman, Director of Information Security at Obsidian Security
Alfredo Hickman is Director of Information Security at Obsidian Security, the first truly comprehensive security and compliance solution built for SaaS.
Alfredo has a wide range of experience as a security leader and practitioner. Prior to Obsidian, Alfredo led security product engineering at Rackspace, where he helped build a successful global managed security services business. Earlier in his career, Alfredo held roles at a major Washington D.C. think tank focused on national cybersecurity policy, worked in the U.S. Defense Department, founded a cybersecurity consultancy, and served in uniform in the United States Marine Corps.
Ross Hosman, Chief Information Security Officer at Drata
Ross Hosman serves as Drata’s Chief Information Security Officer. As CISO of the most advanced security and compliance automation platform, he enjoys playing a key role in building software that will facilitate the lives of his fellow infosec professionals.
Ross has built and led enterprise-level security teams from the ground up at companies like Sigma Computing, Recurly, J.P. Morgan, and Cisco. He also has extensive experience enabling and automating new compliance initiatives like SOC 2, HIPAA, and FedRAMP.
Saying, “Let’s secure all of the things!” is easy. But as any security professional will tell you, actually doing this isn’t possible all of the time–even if your team is well-funded and fully staffed.
As the volume of sensitive data entrusted to SaaS applications continues to grow, it’s important to take a holistic approach to secure your environment.
To be more efficient and effective, spend some time with leaders throughout your organization and really dig these questions:
In the same way that understanding your network is critical to securing your network, knowing the content and location of your organization’s sensitive data is imperative to ensuring its security and privacy.
In other words, you should know:
This is especially important in SaaS companies. Security teams often lack adequate visibility and control over what applications are deployed, how they’re configured, and the data those systems contain.
In this case, we suggest prioritizing your approach by organizational risk tolerances and identifying and securing the “crown jewels.” Take an inventory of your critical systems, as well as your data and knowledge stores. Figure out what data they contain, where it comes from, and where it goes. This is fundamental to helping you keep that information secure and private.
Understanding your company’s risk tolerances, data privacy and security requirements, and where your sensitive data resides is a solid first step.
Next, you’ll want to determine who can access the data and how that data is or could be accessed. Ensuring data privacy from either malicious or accidental exposure starts with continuous monitoring of access to your sensitive data and hardening the security posture of the systems that contain it. Don’t forget to monitor for session hijacking of SaaS tokens or OAuth abuse by third-party applications.
It can be tremendously helpful to step back and take a critical external perspective on your organization’s security. From inside, you’re able to ensure that information security and privacy policies are being followed, check for settings that are conducive to data privacy, and monitor for suspicious or risky activities.
But until you take an outside look at your organization, you may be overlooking significant external vulnerabilities.These data risks can come in various forms, including publicly shared documents, infrastructure with overly permissive access policies, DNS subdomains that leak customer names, and publicly listed job descriptions that might reveal sensitive information.
Continuously verifying both internal and external requests to access information can help you ensure tighter data privacy across your organization.
New legislation is constantly being proposed and implemented at state, federal, and regional levels. You’ll need to stay on top of these to determine whether they’re applicable to your business.
If they are, pinpoint any added business obligations you don’t currently comply with, and work on key policy and operational changes that will help maintain compliance. Not being compliant with these regulations can have a big impact on your business—including fines of up to 4% of your revenue.
Instead of trying to figure out if the data subject falls under CCPA, GDPR, or other regulatory regimes, follow the most stringent regulations and allow individuals to remove their data if so requested. This makes it easier for your team to build a process and doesn’t require extensive identity verification requirements.
For example, if a data subject makes a request to have an email deleted, verify their identity by asking them to send you an email from that address. This will help you avoid asking for more sensitive documentation such as a national ID or passport.
You don’t need to start from scratch. Many companies have done extensive work around their privacy programs and are even willing to share their best practices. Gather some tribal knowledge by reaching out to privacy and compliance teams with robust programs in place—ideally from companies similar to your organization in terms of size and industry.
Lastly, and if you’re not already, be sure to to follow infosec and compliance professionals on LinkedIn for important privacy-related issues, updates, and trends.