SB 1386 Compliance
The California Breach Disclosure Act (CA 1798.82), also known as SB 1386, requires state agencies and private businesses to report cybersecurity breaches that may have compromised confidential information. Organizations that fail to comply with SB 1386 face civil or class action lawsuits. The law covers not only California-based agencies but all private enterprises doing business in California. It requires that customers be notified if any unauthorized individual has acquired their personal and/or financial information, giving them the opportunity to take proactive steps to avoid becoming victims of identity theft.

SB 1386 Compliance using FFIEC or ISO 17799 frameworks
Many companies use FFIEC (Federal Financial Institutions Examination Council) guidelines or ISO 17799 as a framework for meeting the information security requirements of SB 1386. To comply, companies are taking a top-down, risk-based approach to ensure that all assets that contain consumer information (including hardware, software, physical IT infrastructure, and IT processes) conform to such frameworks. The Agiliance IT-GRC platform enables organizations to comply with SB 1386 using the FFIEC or ISO 17799 frameworks.
Agiliance's Key Capabilities:
- Maintain a repository of all assets (hardware, software, physical IT infrastructure, IT processes) that contain relevant data. Asset information can either be imported from external systems or populated through asset discovery technology. The system supports a comprehensive asset data model to document relationships between assets, organizations, processes and people.
- Enable the organization to evaluate how critical an asset is to maintaining the integrity and confidentiality of relevant information, and then assess its overall risk.
- Maintain a library of controls based on FFIEC or ISO 17799.
- Provide an infrastructure for assessing compliance with controls.
- Automate the distribution and collection of periodic surveys and self-assessments used to evaluate compliance.
- Integrate with monitoring tools and compare asset configurations against controls and policies, so that non-compliance is identified on a continuous basis.
- Report on asset compliance scores, both for status tracking and as evidence of compliance for internal and external auditors.
- Compute an asset's composite risk score from multiple criteria: the business impact of its impairment, its compliance with policies (including security policies), and its vulnerability as reported by external feeds. The risk score lets users prioritize which non-compliant assets should be remediated first.
- Trigger the remediation process.
