


Actions to Take and Verifying Your Readiness

This is part 2 of a two-part series on CCPA readiness.  Read Part 1.  Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it. 

What action should you take?

The GDPR and now the CCPA seem to be part of a wider trend towards greater individual data privacy and so it would be wise to prepare for further legislation and reassess your strategy with regards to personal data collection.

Begin by fully mapping all the personal data you collect and make sure that you know precisely how it is collected, how it’s used, who it’s shared with, and where it’s stored. Interrogate the reasons behind your data collection. If there’s no clear business benefit, then you may want to reconsider collecting that data in the first place.

Put processes in place so that your systems can securely handle data requests in a timely manner. Remember that you’ll need to provide access to data, delete data when required, and share specific information on the sharing or sale of any personal information. Allowing opt-outs on the sale or sharing of data may also require tweaks to your existing systems and/or end-user agreements.

The law requires that the business provide consumers with two or more designated methods for submitting requests for information. The minimum is a toll-free telephone number and, if the business has a website, a web address. In addition, the business must update its online privacy policy and/or any California-specific description of consumers’ privacy rights, and these updates must be made at least once every 12 months. The business is required to provide a clear and conspicuous link on its Internet homepage titled “Do Not Sell My Personal Information” that allows the consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information for 12 months (Note: the business can require the consumer to opt out again after every 12 months). The law requires that the request be submitted through a password-protected account maintained by the consumer if the consumer maintains an account with the business, or that the business allow information requests through its own authentication of the consumer’s identity.

Businesses and their data service providers will be required to implement technical safeguards and business processes that prohibit reidentification of the consumer to whom the information may pertain.  This will be a major burden to organizations that do not already have these controls in place.

Verify your readiness

Along with redesigning your data handling rules and systems you should update all policies pertaining to data and be prepared to train any employees who might be responsible for data. It’s not enough to ensure compliance internally, you also need to reach out to third parties and partners to ensure they follow suit.

Expect to update your systems and applications to implement additional data controls and/or monitoring of data access.  Implement new technical safeguards and business processes to prohibit reidentification of the consumer who has opted out.

Greater transparency in how personal data is collected and used is a good thing for consumers, but it also presents security challenges, so make sure you factor that in. With new policies, systems, and training in place, it’s advisable to complete a full audit that encompasses internal and external systems. Test for different scenarios and ensure that you’re in compliance with the new rules well before they come into effect.

If the business plans to continue maintaining consumer personal information, it would be best to have all the data encrypted at rest, with the ability to de-identify the data if requested.

Expect to move from a compliance validation framework to a continuous security monitoring approach to establish your CyberPosture that can be reported daily.



California Privacy Act

Does the CCPA Apply to You and Consumer Rights

This is part 1 of a two-part series on CCPA readiness.  Read Part 2.  Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it. 

The dust has barely settled on the GDPR and businesses have new legislation to worry about. The California Consumer Privacy Act (CCPA) stipulates that California residents should have greater access to and control over personal information held by businesses (Note: this excludes financial services, healthcare, and/or other regulated businesses).  The law seems targeted to online social media firms.

Non-compliance carries civil penalty fines of up to $7,500 for each violation for any person, business, or service provider that intentionally violates this law.  Individuals can claim up to $750 per incident in damages (minimum is $100) if the business/service provider transgressor does not rectify any issue after being given 30 days to rectify the issue (the "business" can request additional time to resolve the matter).  Note: All legal actions need to be brought by the California Attorney General and only if there is no action after six months can an "individual" bring their own legal action against the transgressor.

INTERESTING FACT: This law formally places responsibilities and liabilities on the data service processors as well.  This is a major change.  Traditionally, non-regulated data service processors were required to comply based on business contract language, while this law codifies their role.  Note: Financial Services data processors do have FFIEC-defined responsibilities but do not have defined consumer liabilities.

CCPA is due to come into effect on January 1, 2020, so now is the time to assess exposure and start working towards compliance.

Does the CCPA Apply to you?

The new legislation applies to you if you have a for-profit business (sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) that does business in the State of California and that falls into one of these categories:

  • Has annual gross revenue of more than $25 million;
  • Processes the personal information of 50,000 or more California residents, households, or devices every year (Note: a device is defined as any physical object that is capable of connecting to the Internet [directly or indirectly] or to another device – i.e. think of a USB stick, mobile phone, vehicle diagnostic information, etc.);
  • Derives at least 50 percent of gross revenue from selling personal information; or
  • Is any entity that controls or is controlled by a business that has the power to exercise a controlling influence over the management of a company.

It doesn’t matter where your business is located, but there are some exclusions pertaining to information that’s already covered by other Federal laws such as GLBA (mainly Financial Services firms); HIPAA or CMIA for health data; and/or CA Driver Privacy laws.

The definition of personal information for the CCPA is quite broad and covers anything that “could be reasonably linked, directly or indirectly, with a particular consumer,” so it’s best to take a cautious approach and cover as much data as possible.

This law does not require the business to retain any personal information if there is only a single, one-time transaction, and the information is not sold or retained by the business.

Third parties that purchased consumer data are restricted from selling the personal information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.

If a business collects consumer data but is unaware of the consumer’s age, the business is deemed to know the consumer’s age and is required to have the consumer opt in to the use of the data.

New Consumer Rights

The new law enshrines a few fundamental rights for consumers to access the information that companies hold on them and to control what is collected, stored, and shared within the previous 12-months (Note: This can be done twice in any 12-month period at no cost but after that the "company" can charge for additional requests). Consumers can find out exactly what data a business has collected, they can prevent the sale of that data, and they have the right to delete it (Note: There are defined purposes that allow the company to maintain your data even if you request that it be deleted – example: Data Breach investigation).

The law is very specific about the identifiers included: real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, e-mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers.  Other items that may be new to businesses:

  • Products and/or services purchased, obtained, or considered or other purchasing or consuming histories or tendencies;
  • Biometric information, which includes an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used singly or in combination with each other or with other identifying data to establish individual identity. Biometric information also includes imagery of the iris, retina, fingerprint, face, hand, palm, vein pattern, and voice recordings from which an identifier template can be extracted; keystroke patterns or rhythms; gait patterns or rhythms; and sleep, health, or exercise data that contain identifying information;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available personal information per the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

The law also restricts a business from storing a consumer’s personal information while the consumer is in California and then collecting (extracting) that personal information once the consumer and the stored personal information are outside of California.  Examples: mobile phone, tablet, electronic reader, etc.

Businesses will also have to inform consumers when they intend to change data collection processes, share details on which categories of third parties have access to data, and explain the business or commercial reasons for collecting it in the first place.  In addition, this law limits the use of consumer data to the stated purposes.

The legislation also introduces a strict opt-in requirement for minors, so businesses need to obtain parental consent to sell personal information belonging to anyone aged 16 years or under. There’s also protection against businesses trying to get consumers to sign waivers or otherwise discriminating against consumers who decide to opt out of any future sale of their personal data.

Note: The Business can charge the consumer a different price or rate, or provide a different level of quality good or service if the difference is reasonably related to the value provided by using the consumer’s data.

IMPORTANT: Sales of personal information to or from a consumer reporting agency (i.e. Equifax, TransUnion, Experian, etc.) are excluded from this law.  They are covered under Federal law (Fair Credit Reporting Act).


Black Hat 2018

Everything CISO and Cybersecurity During Black Hat 2018

Black Hat celebrated its 21st anniversary this year, bringing together over 15,000 cybersecurity professionals to learn and network in Las Vegas.  At the Cavirin booth, people flooded to get their “Got CyberPosture” t-shirt and learn how the Cavirin CyberPosture Intelligence platform provides “credit like” scoring, with actionable insights, helping enterprises align their security resources to more effectively address pressing threats of cyber attacks in their hybrid environments (multi-cloud, containers, and on-premise). 

Additionally, BrightTALK was at the heart of the action, streaming live panel sessions and engaging in conversations with some of the world's top security leaders. These panels offer a collaborative atmosphere, enhanced by speaker presentations and insights. Cavirin’s CSO, Joe Kucic participated in two of the thought-provoking panels:  Key Factors for CISO Success & Managing Your Cyber Risk!  If you were unable to join us in Vegas, we highly recommend tuning into these two panels available on the BrightTALK website. Here is a little more information about the webinars: 

The Key Factors for CISO Success was Part 1 of 2 CISO panels during Black Hat. This panel was an in-depth focus on the ever-changing role of the CISO and the factors influencing their success. There was also a focus on why identifying your organization’s security culture matters. With the huge shift to cloud services, CISOs need to recruit, develop, and retain strong security talent.  Today’s cyber threats and the introduction of the hybrid cloud are forcing CISOs to build a new arsenal of talent and tools to accommodate its present complexity. Kucic believes that CISOs are beginning to adopt the continuous security model to address the frequency and nature of today’s threats.  CISOs are required to know what their levels of exposure are across different assets. Further, they must be able to prioritize the remediation actions that help improve the overall security posture of an organization.  Taking that data and being able to present it to leadership is key to a CISO’s success.   Lots more great insight from Joe and other members of the panel: Mark Weatherford (vArmour), Azi Cohen (WhiteSource) and Mark Whitehead (Trustwave).

The second panel that Cavirin’s CSO, Joe Kucic, was featured on was Managing Your Cyber Risk, led by ITSPmagazine and based on detecting and responding to threats within your organization. This panel was a Q&A based around managing security risk. The key takeaway was that every company has it whether they want to acknowledge it or not. Kucic says that “risk management has evolved to be a business enabler, a differentiator if they do it right.  It allows companies to move quicker with technologies and go to market faster than their competitors if they look at it the right way and not just as a compliance requirement”. Continuous visibility is important because risks and breaches are ongoing and not just a single occurrence.  Finally, he adds that remediation and mitigation are things that companies continue to struggle with today.  Both webinars are available on BrightTALK for free! Tune in for the full coverage.

Overall, Cavirin’s participation at Black Hat was awesome due to the relationships built, conversations enjoyed, and insights gained this year. To continue the BH momentum, if you want to see a demo of our CyberPosture Intelligence Platform, reach out to us!  We would love to keep the connections going! We might even be able to get you the hot “Got CyberPosture” t-shirt.  See you soon.


vote tampering


Looking ahead to this fall’s elections, I won’t dwell on the ‘who’, be it Russia, China, North Korea, or someone closer to home, but some entity, somewhere, will  ‘meddle’, and the best we can do is to minimize the impact. 

We’ve read that the Russians have moved beyond simple (ok… not so simple) vote tampering, and social networks are old hat.  So what can we control?

The very integrity of the data: an assurance that what is stored within the enterprise or in the cloud is unaltered and has not been tampered with.  Here is where cloud security comes into play.

Over the past few years, we’ve witnessed way too many instances of data stored in the cloud being compromised, including marketing data, political party data, health records, etc.  With the rush to the cloud, pressures from our CFOs, and a bit of groupthink, we’ve become sloppy.  The same precautions we’ve taken for our on-premise data centers – access controls, both internal and external, encryption, and even record keeping – some of us have forgotten, with negative impacts that shouldn’t be a surprise.  But exposing the data across the internet is only the first salvo.  Attackers now have the tools to alter data at rest, and without proper checks in place, the source of truth becomes elusive. But the solution is not difficult, and doesn’t require a string of esoteric certifications.  Just common sense.

The public cloud providers offer a number of services designed to monitor your accounts – your controls, services, and applications – while at the same time providing notifications if something is amiss.  In parallel, software vendors like Cavirin offer powerful security tools that pick up where the cloud provider leaves off.  Cavirin provides real-time visibility and remediation of hybrid infrastructures so that governments can identify gaps in their defenses and take immediate action to more effectively address pressing threats they might/will face.

As part of making your move to the cloud, understand your exposure and the tools available, both CSP and 3rd party, to mitigate.  And put in place and execute a plan before moving any critical workloads or data to AWS, Azure, Google Cloud, etc.  Looking forward to November, this should serve as a call-to-action.

In the same way that GDPR forced the privacy issue, and even in the US had a positive impact such as the CCPA in my home state of California, we can take it upon ourselves to make sure that our clouds are in order… are secure and free from tampering.  We’re at 90 days, so put in place a plan!

Cybersecurity Scoring Blog Series

This is the second in three-part blog series designed to help your organization understand and leverage your own cybersecurity scoring posture.  Over the course of the series, we will present the concept of cybersecurity posture along with a framework and an approach to calculate your overall posture score.  

  1. Introduction to CyberPosture Scoring
  2. Cybersecurity Posture Scoring vs Risk Scoring
  3. Using a Security Framework to Measure Your CyberPosture Score

Comparing Cyber Security Posture Scoring to Cyber Security Risk Scoring

When building a cybersecurity program to defend your digital assets, the plan should be developed by assessing three critical aspects:

  • Step One: What assets are you trying to protect? Identifying the systems, applications, data, business processes and end-users that need to be protected.
  • Step Two: What are the risks? Determining through cyber risk scoring which assets are left open to cyber-attacks, and the impact of each system going offline and/or leaking data.
  • Step Three: How well are you protected? Documenting the controls in place to protect the assets and the strength of those controls by using CyberPosture scoring.

Many security-mature businesses adequately address Step One, identifying the assets to be protected. And a variety of methods and tools have been around a long time for Step Two, determining the risks. But in our discussions with clients, we find that many have not taken that important Step Three, finding out just how well they are protecting the things that matter to the business by using posture scoring. 

An Overview of Risk Scoring

An important part of going through all three steps is gaining an understanding of how CyberPosture scoring compares to cyber risk scoring. When conducting cyber risk scoring, you analyze what could go wrong. You first take an inventory of your systems, applications, data, business process, and end users (Step One) and the role they play in allowing you to run the business. Then you assess their weaknesses and vulnerabilities:

  • What systems can be hacked and taken offline?
  • What data can be stolen, leaked or changed?
  • Can private information or intellectual property be lost or stolen?

Risk scoring combines the extent of the weakness and the value of the asset. The assessment requires an understanding of the CIA triad (confidentiality, integrity, and availability), which measures the business impact of an asset that’s taken down or experiences a data breach. Those that play a critical role in running the business and lack sufficient cybersecurity mechanisms will score as a high risk. Those that aren’t mission-critical, and those with few weaknesses and/or with limited exposure, will score as a low risk.

Using a scoring system for each asset, which may be as simple as Red-Yellow-Green or as granular as a scale of 1-100, allows IT to prioritize which risks to address first. By having a risk scoring method and system, IT can also more easily communicate the overall level of risk for assets to the business leaders. This is particularly important when additional resources need to be purchased to address those risks!

Risk Scoring Leads to Posture Scoring

The risk scoring process then drives the compensating security controls that will be deployed to address the vulnerabilities and weaknesses, to reduce their exposure, and to ultimately mitigate the risks. These may be a combination of hardware and software systems as well as corporate policies that govern end-user activities when utilizing company devices. It could even include end-user awareness training to minimize the impact humans can have on the systems, data, and surrounding processes.

After the compensating policies and controls are in place, the cybersecurity posture scoring then comes into play to determine how strong those controls are in mitigating the risks. It’s essentially a reassessment of the IT environment to see how strong it is in defending against potential threats. As with risk scoring, posture scoring can be based on a three-color scheme or a wide-ranging numbered scale.

The leading cybersecurity posture platforms generate results that are comprehensible to personnel with minimal cybersecurity training. The results represent the strengths of the compensating controls in order to adequately drive prioritized action plans for upgrading or replacing inadequate controls.

The scoring results are based on industry-standard cybersecurity frameworks. In addition, they incorporate all the risk signals that an organization is aware of and then compare those risks to the controls in place to mitigate the risks.

Cybersecurity posture scoring can also be integrated with other security management applications. This makes it possible to incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

An On-Going Scoring Process

As your cybersecurity posture score increases, your cybersecurity risk score will decrease. Ideally, you want to find a balance of controls that justifies the investment in hardware and software and returns the required digital-asset protection value. The two-pronged risk/posture scoring process also needs to be conducted on a recurring basis as new business processes are introduced creating more exposure and new cyber threats emerge, creating new risks that current controls cannot mitigate.
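To make the relationship between the two scores concrete, here is an added example (not Cavirin’s scoring method or any product’s code) that models the three steps above over a constructed asset inventory: inherent risk from CIA impact and extent of weakness, posture from the strength of expected controls, and a residual risk that falls as posture rises. The weights, thresholds, and the linear reduction formula are assumptions chosen for illustration.

```python
"""Illustrative risk-vs-posture scoring (added example; formulas are assumed)."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    confidentiality: int   # business impact 1 (negligible) .. 5 (severe)
    integrity: int
    availability: int
    exposure: float        # 0.0 .. 1.0: extent of known weaknesses (assumed scale)
    controls: dict = field(default_factory=dict)  # control name -> strength 0..1


def business_impact(a: Asset) -> float:
    """Worst-case CIA impact, normalised to 0..1 (assumption: take the maximum)."""
    return max(a.confidentiality, a.integrity, a.availability) / 5.0


def risk_score(a: Asset) -> int:
    """Inherent risk on a 1-100 scale: extent of weakness x value of the asset."""
    return round(100 * business_impact(a) * a.exposure)


def posture_score(a: Asset, expected: tuple) -> int:
    """Posture 0-100: mean strength of the expected controls; a missing control scores 0."""
    if not expected:
        return 100
    total = sum(a.controls.get(c, 0.0) for c in expected)
    return round(100 * total / len(expected))


def residual_risk(a: Asset, expected: tuple) -> int:
    """Residual risk: inherent risk reduced in proportion to posture (assumed linear model)."""
    return round(risk_score(a) * (1 - posture_score(a, expected) / 100))


def band(score: int) -> str:
    """Map a 1-100 score onto the Red-Yellow-Green scheme (thresholds assumed)."""
    if score >= 70:
        return "Red"
    if score >= 40:
        return "Yellow"
    return "Green"


# Controls the program expects on every asset (assumed set).
EXPECTED_CONTROLS = ("encryption_at_rest", "mfa", "patching", "logging")

# Constructed sample inventory: three assets with different impact, exposure and controls.
SAMPLE_ASSETS = [
    Asset("customer-db", 5, 4, 4, 0.8,
          {"encryption_at_rest": 1.0, "mfa": 0.5, "patching": 0.5, "logging": 0.0}),
    Asset("marketing-site", 2, 3, 3, 0.6,
          {"mfa": 1.0, "patching": 1.0, "logging": 1.0}),
    Asset("hr-fileshare", 5, 3, 2, 0.5, {}),   # high-value data, no controls documented
]


def prioritize(assets, expected=EXPECTED_CONTROLS):
    """Rank assets by residual risk, highest first: the action plan Step Three feeds."""
    rows = [(a.name, risk_score(a), posture_score(a, expected), residual_risk(a, expected))
            for a in assets]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for name, inherent, posture, residual in prioritize(SAMPLE_ASSETS):
        print(f"{name:15} risk={inherent:3} ({band(inherent)}) posture={posture:3} "
              f"residual={residual:3} ({band(residual)})")
```

Note how the file share with no documented controls, despite a lower inherent risk than the customer database, ends up first in the remediation order: that is the gap Step Three surfaces that risk scoring alone does not.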

In the final blog, we present the basic elements of a posture scoring framework, how cyber security posture scoring works, and how to get started with scoring your cybersecurity posture - including what you need to do to prepare before you can start scoring. 

Download our whitepaper on the topic: Your CyberPosture Score.



© 2019 Cavirin Systems, Inc. All rights reserved.