Good Enough IT Risk Management

Why You Should Be Carrying Out a Risk Assessment

[fa icon="calendar'] Saturday, 08 July 2017 / by Jakob Holm Hansen under Risk management, ISO 27001

[fa icon="comment"] 0 comments

Most organisations know that performing a risk assessment is good practice. However, not all organisation actually do risk assessments, and those who do, often approach them in the wrong way. All too often, risk assessments are treated as a project that can be finished and that will be that, whereas the reality is that risk assessment and risk treatment are an ongoing process.

Risk Assessment And Risk Treatment Are a Process

Risk assessment is a process, not a one-off project. The reasons for this can be boiled down to these three points:

More [fa icon="long-arrow-right"]

GDPR Compliance: You do not need to carry out an exhaustive dataflow analysis

[fa icon="calendar'] Wednesday, 28 June 2017 / by Jakob Holm Hansen under GDPR, eu general data protection regulation

[fa icon="comment"] 0 comments

- Registering your data processing activities is enough.

Are you busy preparing for the GDPR, but getting stuck carrying out a dataflow analysis? Then you need to read this: When it comes to complying with the GDPR, a comprehensive and detailed dataflow analysis is not necessary or mandatory!

It is uncertain where the speculation started, but at some point, people started talking about the necessity of performing lengthy dataflow analyses to be compliant with the GPDR. 

Likely, this resulted from an embellishment of the regulation requirements, and somehow it seems to have stuck around. The fact is - the Data Protection Regulation does not explicitly mention nor require you to carry out a dataflow analysis! It does however state that you need to “maintain a record” of your relevant “processing activities”. One could argue semantics here, but it is easy to see where exaggerations and embellishments can be easily introduced. 

More [fa icon="long-arrow-right"]

The EU GDPR: Three tips that will save you time, money, and worrying.

[fa icon="calendar'] Thursday, 08 June 2017 / by Jakob Holm Hansen under GDPR, eu general data protection regulation, compliance

[fa icon="comment"] 2 comments

In less than a year, the EU Data Protection Regulation comes into force. That’s ample time – if you manage it wisely, that is. Here are three useful tips that will help you prioritise your tasks and effectively make sure your organisation is prepared come 25th of May, 2018.

The EU data protection regulation is about getting those who process personal data used to the right processes. However, when it comes to compliance, the GDPR is very much about getting used to doing what is necessary. No more, no less.

At Neupart we have identified three areas in which you can save time, money, and worrying:

More [fa icon="long-arrow-right"]

Continuous Compliance with the GDPR

[fa icon="calendar'] Tuesday, 25 April 2017 / by Jakob Holm Hansen under eu gdpr, compliance, eu general data protection regulation

[fa icon="comment"] 0 comments

Climbing that mountain of compliance, over and over again.

The GDPR has been with us for a year, and everyone is (still) panicking. Becoming compliant and staying compliant are two very different things. In this blogpost, I will highlight the difference between the two and how to tackle the challenges that may arise along the way.

For the better part of a year, we have all been told that the EU GDPR is here, and that we will need to live up to a host of new requirements. The fear mongers have also told us about the huge fines we will be subject to, and just how far away from being compliant we all are.

So, there has been a lot of talk about what the requirements we will be hit with are, but there has not been as much talk about how to actually run an implementation project. And a lot of that talk is based on interpretations of the regulation and - in many cases - an unfounded over-implementation of the regulation.

More [fa icon="long-arrow-right"]

Data Protection Officers - Who Needs Them?

[fa icon="calendar'] Monday, 13 March 2017 / by Jakob Holm Hansen under eu gdpr, eu general data protection regulation, compliance, DPO

[fa icon="comment"] 0 comments

Data Protection Officers. It’s a topic that seems to be on everyone’s mind now that we actively start to prepare for the implementation of the GDPR, but who really needs them?

Anyone working with information security management is by this stage well aware of the upcoming EU General Data Protection Regulation. Come to think of it, even those not working with information security management have probably heard of it too, considering the amount of coverage it has gotten. It’s no wonder, really, given that the new regulation will be the biggest data protection regulation to date. Even though it is being set by the European Union, it will affect companies worldwide. This is because together, the 28 EU member states not only represent the world’s largest economy, but are the top trading partner for 80 countries. Effectively, this means that any country dealing with personal data from citizens of the European Union will need to comply with the GDPR.

 

Download our 7-step guide to implenting the EU GDPR

 

Soon after the news about the GDPR broke, another abbreviation started popping up everywhere: DPO. Of course, a Data Protection Officer is not a new role per se, but with sudden focus on the legality of data protection, it only makes sense that we start focusing more on the their role. In fact, the International Association of Privacy Professionals originally estimated that the new data protection regulation would require 28,000 DPOs in Europe and the United States. They have now increased that number up to 75,000 new DPO positions, worldwide. 75,000 is a lot of positions to fill, which leads to the question: who needs a Data Protection Officer?

More [fa icon="long-arrow-right"]

Personal Data Protection - How Hard Can It Be?

[fa icon="calendar'] Monday, 05 December 2016 / by Lars Neupart under eu gdpr, ISO Standards, eu general data protection regulation, Compliance and task management

[fa icon="comment"] 0 comments

Haven’t we had enough? It feels like there’s been an endless stream of GDPR offers lately. Courses and certificates, as well as attorneys and consultancies which offer an array of services. Services which are then presented as absolute necessities in order not to be hit by enormous fines as soon as May 2018 hits us.

Of course proper protection of our personal data is vital, and it’s important for companies to comply with the law, so perhaps this barrage of offers is justifiable. But then again, just how difficult can it be to comply with the EU’s new general data protection regulation?

More [fa icon="long-arrow-right"]

How to comply with the EU GDPR

[fa icon="calendar'] Wednesday, 28 September 2016 / by Lars Neupart under eu gdpr, eu general data protection regulation

[fa icon="comment"] 0 comments

The new EU GDPR is one of the most substantial security initiatives in many years. This is on the one hand due to the scope of the regulatory work in the EU has been comprehensive and a long time coming. On the other hand, this is also due to the consequences of the EU GDPR having important implications for both the private and public sectors in Europe.

More [fa icon="long-arrow-right"]

Risk Assessments - What are they for?

[fa icon="calendar'] Monday, 27 June 2016 / by Jakob Holm Hansen under Risk management, Risk assessments, risk treatment

[fa icon="comment"] 0 comments

It is now considered good practice to perform risk assessments - or at very least to acknowledge that they should be done.

Unfortunately, far too often we see that businesses only conduct risk assessments in order to satisfy some sort of compliance requirement or other types of requirements (audit, contract, statute etc.). If you are lucky, you might have the resources to conduct them once per year. 

Typically, you will conduct your risk assessment, speak with your organisation and then finally you submit a fancy report. And then your "project" is done. However, it would be wrong to consider the risk assessment as a project. Risk assessments should be a process. It is a process that involves feedback and continual adjustments.

More [fa icon="long-arrow-right"]

EU Data Protection Regulation - How Hard Can It Be?

[fa icon="calendar'] Tuesday, 12 April 2016 / by Lars Neupart under Best practice, Information Security Management, ISMS

[fa icon="comment"] 0 comments

Granted, the wording of the new Data Protection Regulation we have just received
is complex. The new act entails many requirements as to how companies must process and protect personal data, and not least which processes must function within the companies. The Neupart team is experienced in finding practical solutions in simplifying compliance with information security requirements. We would like to present Neupart’s approach employed in the development of this application.

 

Download our 7-step guide to implenting the EU GDPR

 

The EU regulation requirements are incorporated into the SecureAware ISMS application. Using our latest addition you can conduct your first gap analysis of the EU directive.

In the below SecureAware window, the regulations are shown on the left-hand side, while on the right-hand side you will see a series of links to your information security manual. 

If your information security manual is in SecureAware ISMS, a large part of your
manual is already mapped to the new personal data requirements.

 

The reason why you can do the gap analysis so easily is that we have placed the EU regulations into the requirements library in SecureAware along with the other requirements already within.

The EU Data Protection Regulation is located in the SecureAware ISMS requirement library. 

 

However, there is even more good news. Once you know where the "holes" are in relation to the new regulations, we have made it possible to connect an efficient task management to your gap analysis. The task management allows you automatically to monitor and easily to report on your compliance status.

Efficient task management: Tasks are connected to the particular requirements. A task
can be anything from a simple "execute" task to a recurring process.

 

You can also use the task management to control ongoing, recurring tasks. Tasks related to your ongoing compliance with the new regulations.

Large companies supervise by means of periodically conducting an internal audit; this is also an area that is supported by the task management function within the application. 

It is easy to verify, inspect and conduct an internal audit. 
There is a history of who-what-when on the red-yellow-green progress.

 

This way, the processes that will run in each company that handles personal data can be facilitated. 

PS! We have an added benefit for those companies having their IT manuals in SecureAware: We have mapped a large part of your manual onto the new personal data requirements in advance.

At the present moment, the most recent revision of the regulation is placed in SecureAware ISMS. Now the final text is complete, SecureAware will soon be updated with that.

 

Learn more

Take part in our webinar and receive a number of shortcuts to how your company can more easily follow the new rules for personal data protection.

Learn more and register

 

Learn about SecureAware ISMS

More [fa icon="long-arrow-right"]

Hacking online meetings

[fa icon="calendar'] Monday, 09 November 2015 / by Lars Neupart under Information risk management, Risk assessments, Risk management

[fa icon="comment"] 0 comments

By Gaffri Johnson, Neupart

Why risks related to information sharing via calendars and online meeting tools should be included in your annual it risk assessment.

More [fa icon="long-arrow-right"]

Good enough IT risk management

The Neupart blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts