MDNews - Cleveland-Akron-Canton

November/December 2018

Issue link: http://viewer.e-digitaledition.com/i/1062971


Documenting and Implementing a Cybersecurity Compliance Program
BY ALLISON E. COLE, ESQ.
LEGAL-EASE

THIS ARTICLE CONCLUDES my series on Cybersecurity, taking what I've discussed over the previous five articles on Cybersecurity and turning it into an effective Cybersecurity Compliance Program. There are seven primary parts to a Program.

1. Understanding the Applicable Laws. You need to understand the laws that apply to your business in order to have a baseline of components for your Program.

2. Conducting a Risk Assessment. A risk assessment gathers and analyzes the existing compliance efforts as well as the gaps or areas for improvement in the Program.

3. Action Plan. Once you have conducted a risk assessment, an effective action plan should prioritize the gaps and risks affecting your ability to comply with applicable laws, as well as best practices that go beyond simply complying with the laws, and turn them into steps and a timeline for implementing improvements to the Program.

4. Document Changes to the Program. As you work through and complete the action plan, documenting the changes made to the Program is key. My advice is not to wait until you have completed the steps in the action plan to begin documenting what has changed. Document as you work through the action plan so that the documentation is less at risk of omitting actions taken.

5. Communicate and Train. Your Program is ineffective if you simply make changes and then throw it into a drawer. The audience (employees, officers, directors and contractors) should be made aware of the changes to the Program. Depending on your business or practice, there may not be one-size-fits-all training. You need to analyze the functions of the business and determine the level and content of the training.

6. Evaluate Effectiveness. Seeking feedback from the target audience of the Program is important to understand whether the changes that the Program has undergone are understandable, and whether the target audience is able to comply with the updated Program.

7. Rinse and Repeat. These steps should be repeated each time a new law is enacted or a change occurs in applicable laws. If there have not been any changes during the previous year, it is advisable to have a regularly scheduled review of applicable laws, followed by a risk assessment and so on, to ensure that the Program is kept relevant and up to date. Even if there have been no changes to the business or the applicable laws, you should plan to reinforce the Program on a regular basis through communication and training.

Be sure to contact your attorney with questions or if you are ready to get started on a new or updated evaluation of your Cybersecurity Compliance Program.

NOTE: This general summary of the law should not be used to solve individual problems, since slight changes in the fact situation may require a material variance in the applicable legal advice.

Allison Cole is an attorney with the law firm of Krugliak, Wilkins, Griffiths & Dougherty Co., LPA, in Canton, Ohio.
