On November 2, Senate Bill 220, known as the Ohio Data Protection Act, came into effect. The Act was signed by Ohio governor John Kasich back in August of this year. The Act is designed to legally incentivize organizations to implement cybersecurity programs.
Organizations must implement a cybersecurity program that protects:
- The security and confidentiality of personal information
- Against potential threats or dangers to the security or integrity of personal information
- Against unauthorized access to, and acquisition of, personal information
The organization’s program must also conform to one of the following frameworks:
- The NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework)
- NIST SP 800-171, or NIST SP 800-53 together with SP 800-53A
- The Federal Risk and Authorization Management Program’s Security Assessment Framework
- The Center for Internet Security’s Critical Security Controls for Effective Cyber Defense
- The ISO 27000 family of standards
Achieving compliance with the Ohio Data Protection Act
The NIST CSF is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risks based on existing standards, guidelines, and practices. However, the Framework has proven to be flexible enough to also be implemented by non-U.S. and non-critical infrastructure organizations.
The ISO standards are set by the International Organization for Standardization, which promotes global industrial and commercial standards. ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for an ISMS (information security management system). Complying with ISO 27001 helps your organization improve its information security practices.
You can discover how to prepare for a data breach by visiting our #BreachReady page. We break the process down into six simple steps and recommend tools and services you can use to complete each task.