In light of the MOVEit breach, what additional controls are you advising for your clients? Should they try to move to an API (where possible)? What about zipping and password protecting files before sending them via SFTP? I would like to think MOVEit is an outlier but we had a similar issue with Accellion FTA issue in 2021.

like
Posting as :
works at
You are currently posting as works at

Focus on privacy applied to data governance.

It’s way more important than chasing the latest.

Research a bit of GRC approach to data controls and interplay with privacy.

Thinking and action about privacy by design at SDLC lv.

Take the CIPT.

like

These are just buzzwords.

like

Recommend focusing on laying out the framework and how clients can engage tech vendors to advise on best practices. These things are a matter if if, not when. All you can do is try to stay ahead of them but it’s more about taking reasonable steps toward risk mitigation and maintenance of that than trying to advise on a silver bullet, especially depending on the client’s business model and exposure.

What are the control objectives? Are they using a framework already? Unless you are a security engineer or qualified to be one, I’d work directly with those folks. Think enterprise architects, or security architects.

Check out OWASP top 10. A01:2017-Injection and A03:2021-Injection. MORE new controls make no difference for orgs that refuse to do the basic house keeping… SQL injection also comes up in just about any and every security cert or training or lab. also, if you are an azure shop, do you actually have sufficient full time staffing to utilize Azure compliance and security modules?

Further a quick search online shows a HISTORY of SQLi vulnerabilities going back to September 2019 looks like.

So to me, any control gap means they have chosen to opt out of even the most BASIC system hygiene.

Yes. That’s exactly what I’m saying. quick search, and goes back to 2019, and then in 2020. The post was regarding what controls, as if that would affect anything. But the post was assuming that suggesting more controls was the route to go. I’m suggesting there are other questions to ask, and other route to go, because of an org was impacted by the breach, more controls will do nothing to mitigate the risk if orgs are doing basic security hygiene. suggest all the controls, or new controls, but that means nothing, and is too generic given the circumstances. if they haven’t adopted NIST already and don’t have a good grasp now, there’s no way they would be competent or mature enough as an org to implement anything else. hope that help. :)

You could also advise them to have a form of a right to audit clause for any vendors.

What’s up with the snark? You posted jumping right into controls, when those means nothing if they aren’t sufficiently designed or functioning already. All I’m suggesting is that orgs may not need MORE controls, any maybe should focus on sufficient design and implementation of what they already have. hope this is helpful.

Related Posts

Why did you decide to leave your first firm job? If you had a chance to jump ship but stayed, why did you stay?

like

How many days Servicenow usually takes to release the offer letter?

like

Where are good companies to apply for to get into data science? My offer right now for data science in the big4 is only 66k and I definitely can’t go that low. Industrial engineering background with experience in analytics.

like

Does anyone have any insight into the Layoffs from a SCNO perspective? (Numbers, duration, etc.)

like

Hello! I’d like to share an experience and hopefully receive guidance.

I spent two years as an executive, and while I was providing what I believe was impactful work, and receiving praises across the board, I got fired from one day to the other without any explanation.

After a few weeks, some managers (who were under me) shared that there had been a while campaign raised against me for a couple of months by others VPs and shareholders. 1/2

like

My 2023 media budget was just rejected and I was told I need to cut 20-30%...but our growth goals are 10-15% next year...not sure how upper management thinks we are going to do that without advertising...

like

Hi fishes,
I am currently working as a Data Science Analyst in Amex and would like to make a switch to Fraud detection/Credit risk modelling in future.(not in a hurry but would like to start preparing for the same)
How should I go about preparing for it? Is MBA the only course?
My current tech stack is Python, Pyspark, Hive, SQL, ML, DL(specifically NLP based). I have already done MS in CS from IIT Kgp.
I am confused mainly cause the tech stack requirement is similar to my role in the company.

like

Any online services that diagnose adhd ? Based in the uk and the wait it weeks if not months.

Running my first half-marathon mid-October, How many weeks should I give myself to train? I was thinking 14. Not trying to PR, and can run 4/5 miles comfortably right now. Any advice or training plans you recommend?

like

How do I deal with a parent who has become bitter and shrewd as they age? It’s exhausting and disheartening to be around because they used to be positive and happy. I’d like to help them be positive again but also want to give them space to feel how they feel. I just want them old version of my parent back 😞

like

Can someone refer me to CITI ?

like

Is it worth the rent to stay in west village socially? Or just stay in exchange place in jersey and commute to midtown?

like

Best Marriott in Boston? Ideally cat 5 or 6. Headed up there for a weekend to be touristy with the gf.

helpful

I have a boneheaded question I’m pretty sure I know the answer to. My partner can’t use my Hilton Honors account for an upcoming stay he is going to book, right? He doesn’t need my discount or anything - was just hoping that he could get my diamond benefits.

like

Hi,

If we survive the notice period in BNP are we allowed to take block leaves?

like

Any one here based out in the Middle East? If so, what's your experience. Would you recommend it. I am 32F - African Descent planning to relocate to the UAE.

like

I doubt this will ever happen, but after seeing the Aston Martin launch. I’d love to see a day where the likes of Porsche, Audi, Maserati, Lamborghini entered F1.

like

I will be traveling with my 15 lb dog. He is a smidge too big to be under seat. Anyone know the requirements for bringing a pet onboard? Does he need to be a certified support animal? What about as checked luggage. Is it as stressful as I’ve heard? This is for LA to a small airport in Europe so there will be at least one unavoidable connection

like

Additional Posts in Privacy Law

Mid/big law privacy associates- how much do you bill a month on average? is your workload predictable?

like

Govt attorney here. Trying to jump into privacy now. In house or big law ? Pros and cons in the world of privacy ?

like

Can anyone share a salary range for a Privacy Manager role in the private sector for someone with a JD and several years of experience?

Can you incorporate SCCs by reference in a DPA?

like

In terms of taking the next step to elevate your career- what items are you heavily focusing on? I have speciality in data governance as well as product counseling, but curious to know what others find most helpful in their practice areas.

likehelpful

Any associate privacy roles open in Austin, TX?

like

Anyone here work at Meta? Looking for a referral for a privacy role

like

Best law firms in NYC for privacy law, especially if you’re a judicial law clerk with no experience but studying for the CIPP/US?

like

Hi all! I’m inclined on taking up the CIPM training and certification exam. I’m already a certified Data Protection Officer in the Philippines. I intend on skipping CIPP as it applies to the US and EU.

How difficult was the exam? Can you share your experience studying for the CIPM exam? Is it advisable to skip CIPP?

Many thanks in advance.

like

How Much Can You Sue an
Employer for Not Paying You?

like

What industry in Atlanta offers the best prospects (most demand) for privacy law/compliance exits?

like

Has anyone been successful negotiating a “breach notification costs” provision in contracts with vendors? What are some good args to include it? I feel like vendors generally flat out say “no”, but I have seen some contracts where vendors were willing to include it and I’m wondering how that happened 😁

like

Low billable, low pressure work in privacy law? Slowly realizing that as my boys get older, the money isn’t worth what I’m missing out on. Currently a tech litigation associate with lots of hearing, depo and trial experience (I’ve appeared on my own at hearings/depos) at a well respected firm. I have limited privacy experience despite being hired for that reason… Have my CIPM and CIPP/US /E and /C. Remote preferred; hubs is pilot with cool intl transfer opportunities. Money isn’t issue.

funnylike

I feel like a mega nerd saying this but I just got staffed on my first data breach response and I'm having so much fun! 🥸😅

likeuplifting

What circumstances under the Gramm Leach Bliley Act would trigger reporting to the FTC, if at all?

like

Is it normal for a California employer to include a very detailed notice in the employee handbook about employee monitoring practices and the company’s right to search your stuff? Or do I need to look for a new job immediately….. 🚩

like

Firms hiring in Texas, Iowa or remote? Junior associate with CIPP (US +E), CIPM, and a post-grad fellowship in cybersecurity.

like

Planning to take the CIPP and CIPM. Will be doing self-study. What is the “book” everyone refers to for studying? Is it just the “study guide” the IAPP sells? Does anyone know if the study guides and sample questions you can buy on amazon are sufficient to use for passing? Appreciate any and all advice.

like

Anyone else dying this week 😅

like
like

New to Fishbowl?

Download the Fishbowl app to
unlock all discussions on Fishbowl.
That was just a preview…
Sign Up to see all discussions
  • Discover what it’s like to work at companies from real professionals
  • Get candid advice from people in your field in a safe space
  • Chat and network with other professionals in your field
Sign up in seconds to unlock all discussions on Fishbowl.

Already a user?
Login here

Share

Embed this post

Copy and paste embed code on your site

Preview

Download the
Fishbowl app

See what’s happening in your industry
from the palm of your hand.

A phone with Fishbowl app

Scan your QR code to download
Fishbowl app on your mobile

Download app

Sign up for free to view this conversation on Fishbowl

By continuing you agree to Terms of Use and Privacy Policy

Already have an account? Log in

Sign up for free to continue using Fishbowl

By continuing you agree to Terms of Use(New) and Privacy Policy(New)
Messaging rates may apply

Already have an account? Log in

For account settings, visit Fishbowl on Desktop Browser or

General

Legal