Related Posts
Can someone refer me to CITI ?
Additional Posts in Privacy Law
Can you incorporate SCCs by reference in a DPA?
Any associate privacy roles open in Austin, TX?
Anyone else dying this week 😅
New to Fishbowl?
Download the Fishbowl app to
unlock all discussions on Fishbowl.
unlock all discussions on Fishbowl.



Enthusiast
Focus on privacy applied to data governance.
It’s way more important than chasing the latest.
Research a bit of GRC approach to data controls and interplay with privacy.
Thinking and action about privacy by design at SDLC lv.
Take the CIPT.
These are just buzzwords.
Recommend focusing on laying out the framework and how clients can engage tech vendors to advise on best practices. These things are a matter if if, not when. All you can do is try to stay ahead of them but it’s more about taking reasonable steps toward risk mitigation and maintenance of that than trying to advise on a silver bullet, especially depending on the client’s business model and exposure.
What are the control objectives? Are they using a framework already? Unless you are a security engineer or qualified to be one, I’d work directly with those folks. Think enterprise architects, or security architects.
Check out OWASP top 10. A01:2017-Injection and A03:2021-Injection. MORE new controls make no difference for orgs that refuse to do the basic house keeping… SQL injection also comes up in just about any and every security cert or training or lab. also, if you are an azure shop, do you actually have sufficient full time staffing to utilize Azure compliance and security modules?
Further a quick search online shows a HISTORY of SQLi vulnerabilities going back to September 2019 looks like.
So to me, any control gap means they have chosen to opt out of even the most BASIC system hygiene.
Yes. That’s exactly what I’m saying. quick search, and goes back to 2019, and then in 2020. The post was regarding what controls, as if that would affect anything. But the post was assuming that suggesting more controls was the route to go. I’m suggesting there are other questions to ask, and other route to go, because of an org was impacted by the breach, more controls will do nothing to mitigate the risk if orgs are doing basic security hygiene. suggest all the controls, or new controls, but that means nothing, and is too generic given the circumstances. if they haven’t adopted NIST already and don’t have a good grasp now, there’s no way they would be competent or mature enough as an org to implement anything else. hope that help. :)
You could also advise them to have a form of a right to audit clause for any vendors.
What’s up with the snark? You posted jumping right into controls, when those means nothing if they aren’t sufficiently designed or functioning already. All I’m suggesting is that orgs may not need MORE controls, any maybe should focus on sufficient design and implementation of what they already have. hope this is helpful.