CONSULTING

You can have your own “Chief Privacy Officer”

Hiring a Chief Privacy Officer is a best practice for privacy and information security matters across a business enterprise.

Some businesses created a “CPO” because it was required by law. Others lean on their CPO for these needs because it is the best way to effectively handle these arcane or difficult matters. We understand that many businesses either do not need a full time Chief Privacy Officer or do not want to completely “outsource” the function of a privacy office.

Redpoint offers businesses the flexibility of a part-time or co-sourced CPO at a fraction of the cost of a full-time, in-house officer. In addition, we operate the Redpoint CPO program with multiple sets of trained eyes and experiences. While a traditional CPO might have experience in one technical discipline or area of the law, the Redpoint CPO program offers the combined perspective of lawyers, Certified Public Accountants, Certified Information Privacy Professionals, forensic investigators, and a host of other experiences right alongside your existing IT and Security professionals . . . coordinated together to look out for these privacy and data security issues in your organization.

A truly comprehensive Information Security Program

A reasonable yet comprehensive information security program is the centerpiece of data protection and information security. And, it is required by law for many businesses.

A comprehensive, written information security program may very well be required by law. But a WISP is also a clear-cut best practice for privacy & data security. There is no clearer indication of this than the spate of Federal Trade Commission rulings concerning data security incidents. The FTC makes it absolutely unmistakable that the key to data security and protection is a comprehensive, written information security program.

So, what makes Redpoint different? As the FTC advice highlights, there is more to data protection than additional purchases and layers of IT/technical safeguards. Rather, a comprehensive policy incorporates physical, administrative, and technical safeguards from across all functions and departments of an organization. Redpoint devised and implemented a system that showcases our combined expertise and experience from many different disciplines to engage the entire organization in data protection.

Guide your Information Security Assessments

An assessment of your current information security program and the risks or vulnerabilities that you may not see. We see them.

One core aspect of a comprehensive information security program is the “Risk Assessment.” We don’t like that phrase. It is about as appealing as “audit” or “root canal.” But, that is the name that the lawmakers, regulators, examiners, and administrative agencies settled on. Risk Assessment. Whatever the naming convention, a risk assessment is often the first phase of a data protection project. In short, the task is identifying the data that you have and examining the legal, technical, or other risks and liabilities associated with that information. Redpoint is guided by the mantra of “Trust, but Verify.” We have developed plans to examine the risks of information practices for businesses of all kinds and sizes.

Coordinate Data Breach Incident Response Plans

Calm, cool, and collected in crisis management for an information security incident.

Redpoint has a combination of legal, technical, process, strategic communication, and forensic expertise. We have tested these layers of expertise in the chaos of data breaches. Redpoint has been through the fire of data breach crisis and response planning. We have some very first-hand thoughts and experiences to pass on to make compliance with data breach laws as efficient and painless as possible. Redpoint can help you to proactively plan for the inevitable data security incident with a Strategic Response Plan (a “nuclear football”) as well as help you deal with the bombardment of issues if your hair is already on fire.

Strategic Communication Programs

Protection of business and personal information is more than an IT or technical issue. Data protection is a communication issue.

Privacy & Data Security is about communication. You need to effectively communicate your Privacy Practices to your customers. You need to communicate your policies and procedures to your employees. Your employees need to communicate among themselves to maintain information privacy and compliance. Your legal team must communicate with Human Resources and IT. And vice versa. At times, your organization might need to communicate with law enforcement or regulators. Everyone should be able to understand and take action. All of the Redpoint programs are designed to be easily and effectively understood and applied.

Policies & Procedures . . . That People Understand

A good set of company policies and procedures is a powerful weapon in the protection of business and personal information.

Unfortunately, most company policies and procedures are vague, boring, dense, tragically over-lawyered, out of date, or a product of a cut-and-paste project in an attempt to reach some notion of “compliance.” Simply stated, your policies and procedures for protecting business information must be created so that all of your employees can understand and apply your objectives. If your business’s guidance documents are not good, clear, and actionable, you are forfeiting your company’s greatest protection against loss.

Gauge your Defenses with Penetration Testing, Ethical Hacking, and Social Engineering

Test yourselves before someone tests you from the outside.

Our experts in protection and intrusion methods work with you and your teams to duplicate real-world threats and vulnerabilities. But we do not just test and run. Redpoint works with you ahead of the testing programs to gain the benefit of your first-hand insight and understand your goals and fears. Likewise, Redpoint works with you on the back end of a testing program to make sure that your business has the solutions it needs — whether those are purely IT/Network Security or other administrative safeguards that can be applied in other areas of the organization such as HR, Legal, Accounting, Customer Service, or outside service providers.

Leveraged Protection for Business Information

When “information” is your biggest business asset, we help you leverage the protections and experiences that you have within your organization to build cross-functional information security.

What does that mean? Simply stated, too many organizations build independent silos of protection for business assets. For example, there is one silo for “Intellectual Property” or “Trade Secrets” . . . one silo for “Employee Personnel Files” . . . and yet another silo for “Customer Accounts.” Unfortunately, we have found that these silos do not communicate effectively or share their collected knowledge. They fail to use these information protection measures to their highest potential. As a result, they lose an optimized return on the protection investment and leave open holes in the network and its security.

Manage Your Vendors and Service Providers

Under most data protection regulations, you are responsible for the information practices of your vendors.

You may not know it, but you are responsible for oversight of the information practices and data security programs of those that help you run your business. If you give access to your personal or business information to vendors or third-party service providers, you are on the hook for their information practices. If they have an issue, you have an issue. This legal requirement necessitates a trained set of eyes for privacy and data security issues — in your business and those of your service providers. Vendor Management and coordination of Service Provider contracts can be a daunting task for those unaccustomed to identifying the privacy issues and using appropriate risk management measures within those contracts and agreements.