IT Risk Blog | The official blog of risk3sixty


Articles, Posts, and Insights into IT Audit, Cyber Risk, IT Compliance, and Information Security

Executive Summary of the California Consumer Privacy Act (CCPA)

On June 28, 2018, California signed into law Assembly Bill 375, the California Consumer Privacy Act (“CCPA”).  Scheduled to be effective January 1, 2020, the CCPA is based on the principles that, “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against[…]

GDPR: Understanding the Impact of Automated Decision Making and Profiling (Whitepaper)

Profiling and automated decision-making are not prohibited under GDPR.  However, both of these activities are subject to detailed requirements on when they can legitimately be performed and what must be communicated to data subjects. Key Questions: 1| How are automated decision-making and profiling defined under GDPR? 2| How do the general rules of GDPR apply[…]

GDPR: Understanding the Roles and Responsibilities of Cloud Service Providers (Whitepaper)

Whether it is software or infrastructure as a service (SaaS/IaaS), almost everyone is relying on the cloud. Have you considered how this impacts your GDPR strategy? In this whitepaper we set out to clarify the role of cloud service providers as well as users of cloud services.  Key Questions: 1) What is your role(s)[…]

New Guidance Clarifies GDPR’s Data Protection Impact Assessment (DPIA) Requirements

The Data Protection Impact Assessment (DPIA) is a significant new burden on data controllers under GDPR.  As many have noted, GDPR does not clearly outline when a DPIA is required, instead referring to processing “likely to result in a high risk to the rights and freedoms of natural persons.” Article 35(4) charges supervisory authorities with[…]

Build a Security Program and Run It Like a Business

I recently finished the book “Traction” by Gino Wickman. Next to Scaling-Up by Verne Harnish, I think it is one of the most actionable business books I’ve ever read. Our team has informally adopted both books as part of the risk3sixty canon. While the book is largely about building a great running business – I[…]

How to Turn the Risk Committee Meeting into the Most Valuable Meeting on Your Calendar

Mention “Risk Committee” or “Enterprise Risk” to upper management and you will probably get an eye roll. If you suggest a standing meeting about risk – it might get you fired. BUT – I believe the risk committee meeting can be the most valuable meeting on your calendar. Here’s how: Why Risk Committee Meetings Are[…]

Security Researchers Identify Critical Vulnerabilities in AMD Chips: Chimera, Ryzenfall, Masterkey and Fallout

Critical Vulnerabilities in AMD Chips: Security researchers at CTS-Labs, based in Israel, disclosed 13 critical vulnerabilities and backdoors in certain AMD chips used in workstations, laptops and servers. Successful exploitation of these vulnerabilities could grant attackers deep system access from which they could launch malware attacks undetected. The vulnerabilities fall under four names:[…]

Navigating the CMS Enhanced Direct Enrollment Audit (Whitepaper)

Beginning with the 2019 enrollment period, every qualified health plan issuer or web-broker in the Federally-facilitated Exchange must follow the Direct Enrollment rules and obtain a CMS audit from an independent auditor in order to host application and enrollment services on its website. What is in the Whitepaper: 1 | CMS Requirements including business requirements audit, the security and[…]