Truvantis Data Privacy Consulting

Truvantis - Data Privacy Consulting

Your business faces an array of international, federal, state, and contractual obligations. How can a company maintain multi-compliance in an efficient, cost-effective manner?

The answer is to build a centralized risk-based privacy program that maps to your matrix of laws and contractual requirements in a customized, apply-once and comply-many solution.  Our Compliance == Security & Privacy approach optimizes your investment by building and managing a single program to satisfy compliance, cybersecurity, data privacy and business risk.

To help you secure client data and avoid penalties and fines, Truvantis will examine your privacy policies, protocols and procedures the same way as regulators and class action attorneys.

Understand Your Legal Exposure – Avoid Unnecessary Penalties and Fines

The landscape of privacy regulations is vast and continuously evolving, forcing organizations to select and track the applicable requirements for collecting and managing that valuable data annually. Many organizations are subject to multiple jurisdictions (e.g., GDPR, CCPA, HIPAA, GLBA) requiring a central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations. Truvantis can help you quickly build and implement an adaptable privacy program that maintains compliance with the frequent changes.

Manage the Risk of 3rd Party Vendor Contracts

Your business relies on a growing network of technological products and services to do business. Unfortunately, your system can be put at risk for a cyberattack or data breach by your vendors connecting to your network. It’s your responsibility to screen and continuously monitor the security of third-party products and services. This time-consuming process of regular due diligence can require manpower and expertise that many organizations don’t have on staff.

The Truvantis team provides vendor risk management (VRM) services on behalf of organizations around the world. Our senior-level security experts perform a thorough review of third-party service providers and the business risks they introduce. Our team of consultants has decades of experience across the whole gamut of cybersecurity and business. We have developed a proven methodology for vetting service providers using the industry’s best security risk analysis tools and hands-on techniques.

Simply send us your long list of vendors and walk us through what features and offerings are important to you. Once we receive additional data from the prospective vendors, Open Source Intelligence (OSINT), scanning tools, and informational websites, we analyze it using best-in-class tools and our own techniques for accurate verification.

You’ll receive a full report of our findings and expert recommendations in language that your whole team can understand. For each of our vendor risk management clients, we create custom security questionnaires specific to their security needs and systems. Then, we issue them on behalf of our clients during the consideration of a new service and at regular intervals for consistent monitoring.

Effectively Manage Consumer Requests - Reputation & Trust

CIA, Privacy Risk Assessment and the Consumer

In a privacy risk assessment context, assets relate to one or more of CONFIDENTIALITY, INTEGRITY and AVAILABILITY (CIA). Privacy regulatons assign consumer rights related to the use, collection and management of their personal data.

Following is a typical list of consumer rights for managing data, defined in laws or regulations like the CCPA, HIPAA and GLBA. Essentially, these are security & privacy controls protecting the identified aspects of CIA.

Consumer Rights

C

I

A

Right to Know the data businesses collect and how it’s used or shared.

Right to Delete personal data that has been collected and/or shared with third parties.

Right to Opt-out of data collection and sharing.

Right to Correct inaccurate data.

Right to Portability - Exporting or moving data.

A Privacy Program Built for Long-Term Success

Appropriately done, privacy risk assessments can help set you up for success in the long term. With an adaptable privacy program that combines security and data privacy, you can ensure your business is protected against the changing privacy legal environment, both now and in the future.

“You’re not building a privacy program as a final destination. Instead, you’re building a privacy vehicle that will take you wherever you need to go.”

— Andy Cottrell, CEO and Founder, Truvantis

Compliance == Security

If compliance doesn't achieve security and data privacy, then what's the point?

Here at Truvantis, we have a passion for building, operating and testing security and privacy programs that work, compliance tasks that do not achieve security are pointless at best and possibly an unnecessary burden on the organization. Attacks have become well-thought-out adversarial campaigns with structure innovation and continuous improvement. Defense needs to be the same. We recommend a three-pronged approach:

One: Formal Risk Assessment.

We live in a budget-constrained world, so picking which battles to fight and when to walk away is crucial. Running any organization involves risk. Anybody who tells you to remove all risk to achieve absolute security has a loose grip on reality.

At Truvantis, we want to lead a conversation about balancing budget with risk tolerance to achieve business objectives.

Two: Risk-based Approach to Controls and Oversight Frameworks

We are fortunate to have a rich tapestry of standards that exemplify different perspectives and approaches on how to manage security and privacy risk. It's important to select the right framework or blend of frameworks for your organization and use it wisely.

Without the insight and experience to tie controls back to risk and business objectives. You're just taking shots in the dark. Truvantis believes in helping you to do things that improve your business, not just checking boxes.

Three: Adversarial Testing

The value of a true penetration test and what distinguishes it from a vulnerability assessment is the application of human cunning. If the test does not involve an exceptionally smart human, it's not a penetration test. We normally find corners of risk that the organization was unaware of, forgotten about or thought were decommissioned. This is your real risk surface. The one that your adversaries can see. Once you have found it you can test it for weaknesses. You can feed that information back into your risk assessment and appropriately adjust your controls.

Truvantis can help you with all of these tasks and much more in the field of security and privacy, both on a project basis or as part of our vCISO program.

At Truvantis, we have a real passion for this stuff. So do you. So let's work together.

– Andy Cottrell CEO, Truvantis