InfoSecSherpa Newsletter — 24 June 2021
- Amid cyberattacks, Alaska’s top cybersecurity official quietly left his job
(Alaska Public Media, 24 June 2021)
Alaska’s top cybersecurity official quietly left his job last month, as the state was grappling with a pair of cyberattacks that forced systems operated by the court system and the Department of Health and Social Services offline.
- Updating Your “Reasonable Security” During the “Ransomware Outbreak”
(JD Supra, 23 June 2021)
“Reasonable Security” is a term that is becoming more important due to the continued increase in ransomware incidents over the past few years, which the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) has described as the “ransomware outbreak.”
- Thinking Beyond the Law: If Our Organization Adopts the ISO 27701 Privacy Framework, How Many Controls Do We Need to Address?
(The National Law Review, 23 June 2021)
The requirements and controls of the ISO 27701 framework are divided into four sections. The first two sections identify which of the ISO 27701 and ISO 27002 security controls are adopted (either directly or with slight modification or additional guidance) for purposes of the privacy framework.
- Rethinking Research Security
(Lawfare, 24 June 2021)
As part of these efforts, the department should establish a dedicated research security initiative distinct from the China Initiative, and the Federal Bureau of Investigation (FBI) should reestablish its National Security Higher Education Advisory Board (NSHEAB).
- The Department of Labor Issues its First Cybersecurity Guidance for Plan Sponsors, Fiduciaries and Service Providers
(JD Supra, 23 June 2021)
Employers with operations outside the United States are already subject to more stringent regulatory data privacy and security requirements (e.g., the European Union’s General Data Protection Regulation) and these more stringent data privacy and security requirements often already impact U.S. retirement plans with participants residing outside the United States.
- Medicaid Contractor Data Breach Affected 334,000 Providers
(Gov Info Security, 23 June 2021)
Maximus Corp., a global provider of government health data services, says a data breach exposed the personal information of more than 334,000 Medicaid healthcare providers nationwide.
- SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls
(JD Supra, 23 June 2021)
With cyberattacks ever present and constantly evolving, it is only a matter of time that a company’s cybersecurity risk management efforts and related controls, as well as corporate governance, will be exposed to regulatory scrutiny.
- Pentagon Cybersecurity Maturity Model Certification review aims to address small biz cost concerns, ‘restore trust’ in assessment processes
(Federal News Network, 24 June 2021)
The Pentagon’s high-level review of the Cybersecurity Maturity Model Certification remains ongoing, but officials are intent on addressing small business concerns about compliance costs among other changes to the much-debated program.
- FBI Investigates Georgia Health System Ransomware Attack
(Government Technology, 24 June 2021)
Nearly a week after a ransomware attack was first detected at St. Joseph’s/Candler, the Savannah, Ga., area’s largest health-care system is still not yet back to normal as officials work with the FBI on the incident.
- Japan police take page from FBI with national cybercrime team
(Nikkei Asia, 25 June 2021)
Japan will establish a centralized police unit as early as fiscal 2022 to investigate serious cybercrimes, following the lead of countries taking a national-first approach to serious threats.