8 Tough Questions Every CISO Should Be Ready to Answer


When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.


CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.

Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts’ suggested responses.

We have been investing in cybersecurity for a few years now. Would you say our organization is secure?

Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the “Are we secure?” question is somewhat misguided. The question should be: “Are we managing risk according to our risk profile?” To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.

We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?

Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say “absolutely” to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company’s money and how they are protecting the company and its assets.

The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.

Do you have enough money to do what you need to do?

Tim Youngblood, CISO, McDonald’s: Depending on where the CISO sits, this can be a hairy topic. It can be a difficult conversation to say “I’m not getting enough.” It’s not easy if the CIO is in the room.

The best way to answer that is, “We may have current risks we are really well-funded to address, but there may be future risks we’ll need to fund and we still have some work to figure that piece out.”

A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, “The CISO needs money. You take it out of your budget and make it happen.” There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.

Is this really worth the investment?

Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is have multiple options they can present to the CEO. Explain to them: Here’s the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn’t go away and how much it will be should the vulnerability be exploited.

As an example, we didn’t know where our protected health information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it, and it came out to be about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders’ attention real quick with that approach.

Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.

Read more: http://snip.ly/q0zie#https://www.bankinfosecurity.com/8-tough-questions-every-ciso-should-be-ready-to-answer-a-10357

Gottlieb Targets Drug Development Costs, Clinical Development Efficiencies

Posted 11 September 2017 By Zachary Brennan


FDA commissioner Scott Gottlieb on Monday explained to attendees of RAPS’ Regulatory Convergence conference some steps FDA is taking to make the clinical end of drug development more efficient and effective.

Opening with a discussion of the ways in which the gap of time between the discovery of the science behind new treatments and the adoption of such treatments has been shrinking, Gottlieb outlined a few of the ways in which the agency is modernizing its approach to collecting and evaluating clinical information.

And on a day when the question of how much it costs to develop a new oncology drug is being hotly debated following the release of a new study, Gottlieb also said that the costs of drug development “are also high, and growing.”

“There’s been criticism of the various estimates of how much it costs to develop a new drug,” he said, according to the transcript of his speech. “Moreover, on a relative basis, in many cases the costs of early stage drug development have grown at a proportionally faster rate than the cost of late stage drug development. In other words, inflation in early stage drug trials is rising faster than inflation in late stage development.

“By front-loading the cost of drug discovery, the broader biomedical community is making it harder to advance new ideas. It’s economically harder to capitalize the cost of an early stage drug program, relative to funding a later stage project. So front-loading the costs is a recipe for reducing the amount of new ideas that can be advanced.”


Read more: http://snip.ly/6ude0#http://www.raps.org/Regulatory-Focus/News/2017/09/11/28442/Gottlieb-Targets-Drug-Development-Costs-Clinical-Development-Efficiencies/

Which universities are pushing the boundaries in life sciences?

If you had to name the branch of university research that has the most tangible impact on mankind’s day-to-day activities, it is likely that the life sciences would be near the top of the list: not many days go by without the announcement of a new drug or gene discovery that has the potential to change lives or tackle disease.

Much of the best research in these fields takes place in the ultra-elite universities that excel in subjects across the board.

But analysis by Times Higher Education of the institutions that make up the World University Rankings reveals that there is a cluster of institutions just below this elite that are particularly strong in the life sciences and in driving forward innovation.

The 120 “life science challengers” tend to pitch much higher in the subject rankings related to clinical research and life sciences, as might be expected, with the bulk of them achieving overall scores in the middle to upper ranges (see below).

However, they also perform very strongly in terms of the citation impact of their research, something that can be credited to their excelling in fields where journal article activity is key. Unlike the “technology challengers” (another cluster in the rankings), they also tend to be older universities, with few having been established less than 50 years ago.

Beyond these similarities though, the factors that drive the individual successes of the institutions are varied. In some cases excellent strategic decisions taken by the university are a factor; in others the local or regional ecosystem for research plays a part.

Sweden, which has five institutions in the list (headed by the medical research specialist Karolinska Institute), is one example where the ecosystem for life sciences appears to be a key factor.

Ulf Landegren, professor of molecular medicine at Uppsala University, another of the Swedish institutions in the list, said that the country had historically excelled in many life science fields, but that it was now taking its performance to another level with the help of collaborative programmes. The Science for Life Laboratory is one such programme – government-funded, it is based in Uppsala and also in Stockholm.

The SciLifeLab, as it is known, allows researchers from across Sweden to use cutting-edge and often expensive technology without paying for the privilege (apart from the costs of “disposables” used in lab work). Companies and scientists based outside Sweden can also use the facilities, but must face the full cost of doing so.

Professor Landegren, who was heavily involved in setting up Uppsala’s SciLifeLab site, said the effect of the scheme “has been that Swedish scientists now have ready access to advanced techniques that they may not themselves have the economy or the skills to set up”.

“Increasingly we see that life science is going the way of physics, in that technology is getting a little too expensive and complicated for individuals to have all the resources they need to answer their research questions so you might as well centralise it,” he explained.

He added that as well as making “generic” technology and techniques available to all Swedish scientists, SciLifeLab went a stage further by also identifying emerging “beyond state-of-the-art” approaches to research and capitalising on them before they spread to other countries and universities.

Access to expensive technology and the latest techniques is a theme carried across to other institutions that make the list.

Ross Coppel, director of research in the Faculty of Medicine, Nursing and Health Sciences at Australia’s Monash University, puts its success down to past strategic decisions to invest properly in the best academic staff and equipment, but also to the skilled technicians who operate facilities.

He said universities’ research strategies “are often very similar and it [success] comes down to your capacity to implement and execute your vision. I think we were in the fortunate position of having the financial resource to do it [and] the determination to do it and it’s worked out for us very well”.

On the role of technicians, he said Monash had focused on their field being a career path in its own right, with good job security and benefits. In return, in terms of testing new techniques and advancing research technology, “we look to them also to be pushing the boundaries of what is achievable”, explained Professor Coppel.

Beyond smaller research nations like Sweden and Australia, the life science challengers cluster is dominated by institutions in the US and UK.

With 35 institutions of the 120 (the UK has 24), the US is out in front, with a number of private institutions excelling in research. Here, the unique position that some American universities occupy – having strong ties to hospitals and the general healthcare system – is an obvious explanation for their success.

Emory University in Atlanta, for instance, is behind the state of Georgia’s biggest healthcare system – not-for-profit Emory Healthcare – while the US’ Centers for Disease Control and Prevention has its headquarters adjacent to the university’s campus. This geographic proximity between researchers and the practical application of their findings has obvious collaborative benefits.

But the university is also keen to stress the importance of its global reach through its success in spinning out research into the healthcare market and its academic links overseas.

David Stephens, vice-president for research at Emory, said that the institution had “realised its greatest success in commercialising research discoveries in the field of infectious diseases. For example, nine out of 10 US HIV/Aids patients, and thousands more globally, are on life-saving drugs discovered at Emory”.

Meanwhile, an effect of its international collaborations can be seen in the recent joint set-up with the University of Queensland – another life science challenger institution – of a multimillion-dollar biotech company developing cancer treatments.

simon.baker@timeshighereducation.com

Seminar Calendar of Upcoming Courses – June to July – 2017


GlobalCompliancePanel’s seminars are a wonderful opportunity for professionals in the regulatory compliance areas to understand the latest happenings and updates in those areas and to implement them, something they need in order to advance in their professions. GlobalCompliancePanel brings together a few of the best recognized names in the field of regulatory compliance on its panel of experts. The result: learning that is effective, valuable and helpful.

GlobalCompliancePanel’s experts help you unravel all the knowledge you need in all the areas of regulatory compliance. At these seminars, which are held all over the globe, you get to interact with them in person, so that any doubt or clarification you have is sorted out by the experts themselves. They help professionals like you implement the regulations and stay updated, so that regulatory compliance causes no stress for you.

GlobalCompliancePanel’s experts offer their insightful analysis into the issues that are of consequence to regulatory professionals in their daily work. Their thoughts help you implement the best practices of the industry into your work. They also offer updates on the latest regulatory requirements arising out of a host of the laws and issues related to regulatory compliance, including, but not limited to medical devices, food and beverages, pharmaceuticals, life sciences, biotechnology and pharmaceutical water systems.

Take a look at our upcoming seminars from GlobalCompliancePanel, which will put you on the road to learning about any area that is of importance to your profession. You can plan your learning from GlobalCompliancePanel by looking at our seminars in the next few weeks at locations convenient to you. You can choose from a whole range of topics. See which among these trainings suit you: Design of Experiments (DOE) for process development and validation, writing and implementing effective SOPs, new FSMA rules, risk management and device regulations, data integrity, combination products, and more.

Contact us today!
NetZealous LLC DBA GlobalCompliancePanel
john.robinson@globalcompliancepanel.com
Toll free: +1-800-447-9407
FAX : 302 288 6884
Website: http://bit.ly/Courses-June-to-July-2017

GlobalCompliancePanel announces Seasonal offers for Professionals with Flat 50% OFF on all Seminars


Do celebrations need a cause and a reason? Yes, and GlobalCompliancePanel, a leading provider of professional trainings for the regulatory compliance areas, has a solid cause and reason for one. It is celebrating the many years of its relationship with its customers spread all over the world by offering its trainings at a 50% discount.

Yes, that is right. GlobalCompliancePanel’s seminars will be available at a 50% discount till April 30. Regulatory professionals who want to augment their knowledge of regulatory compliance can now do so by paying just half the price of these trainings from GlobalCompliancePanel. All that is needed to walk away with an offer such as this is to visit https://www.globalcompliancepanel.com/seminar?wordpress_SEO and use the promo code MGCP50.

This offer is valid till April 30, 2017. Regulatory professionals who want to take any of GlobalCompliancePanel’s trainings can book their trainings for an area of their interest by this date. From April 1 onwards, this offer will cease, meaning that the original price will apply from then.

So, why is GlobalCompliancePanel offering this discount? It is for a simple but profound reason: it wants to thank its huge customer base for the support they have extended to the company over the many years it has been in business. During the 10 years GlobalCompliancePanel has been in business, it has trained thousands of regulatory compliance professionals from around the world.

These professionals, from geographies as varied as the US, Japan, India and Canada, have been able to meet their regulatory compliance challenges on account of these trainings. The trainings are relevant, focused and valuable, and are delivered by some of the best known regulatory compliance experts anywhere.

It is these trainings that have been helping professionals in the regulatory compliance arena gain more insight into regulations from the FDA, the EMA and other such bodies around the world. These trainings have been consistently helping them to meet these challenges, as they give them a better and sharper understanding of how to implement these requirements.

These regulatory requirements can pose hurdles to the most experienced and brightest of regulatory compliance professionals in the medical devices, pharmaceutical, life sciences and food and biologicals areas, but not to those who undertake professional trainings from GlobalCompliancePanel. GlobalCompliancePanel’s panel of experts is here to help them overcome these challenges and hurdles.

This trend has been witnessed from the time GlobalCompliancePanel entered the line of professional trainings. Any wonder, then, that no fewer than 50,000 professionals have benefited from these trainings? What could be a better way of thanking such a huge base of customers than with this offer? GlobalCompliancePanel believes that a celebration should also be useful, and that is what this offer is.

Hurry up and enroll today. Happy learning!


Unravelling the DHF, Technical File and Design Dossier


The Design History File (DHF), Technical File and Design Dossier are important regulatory documents for a medical device. Design Control and the Design History File are the FDA’s regulatory requirements for medical devices, while the Technical File and Design Dossier serve the same purpose under the EU’s Medical Device Directive (MDD).

The Design History File

The history of the Design History File is an interesting one. It evolved out of the FDA’s realization, over time and experience, that the major part of a device’s problems arose during the design stage and during design changes, regardless of whether the product was new or modified. This led to the concept of Design Control, aimed at tracking, monitoring and correcting the design elements at every stage from start to finish.

Outstanding characteristics of the Design History File

[Figure: outstanding characteristics of the Design History File]

What should the Design History File contain?

[Figure: contents of the Design History File]


Now, the Technical File and Design Dossier

In short and simple terms, one can understand the Technical File and the Design Dossier as the EU’s version of Design Control and the DHF. In other words, what Design Control and the Design History File are for the FDA, the Technical File and Design Dossier are for the EU’s Medical Device Directive (MDD).

What should the TF and DD contain?

These files should have all the basic sections needed to support the requirements of the Medical Device Directive (MDD), the Essential Requirements applicable to that product, and the company’s “Declaration of Conformity” for that product:

  • General Information/Product Description/EC Authorized Representative
  • Classification Determination
  • Essential Requirements
  • Risk Analysis
  • Labeling
  • Product Specifications
  • Design Control
  • Clinical Evaluation
  • System Test Reports
  • Functional Bench Testing
  • Lab Testing
  • Sterilization validation (or AAMI TIR 28 Analysis)
  • Packaging Qualifications
  • Manufacturing
  • Sterilization
  • Conclusion
  • Declaration of Conformity
  • Appendix

Differences between the Technical File and Design Dossier

At a broad level, in general terms, the Technical File is for MDD Class I, Class IIa and Class IIb devices, while the Design Dossier is for MDD Class III devices.

While Technical Files are retained on the premises of the manufacturer or the Authorized Representative for review by the Competent Authorities and/or the Notified Body, Design Dossiers must be submitted to the Notified Body for review before the product receives its CE marking.


Learn more on this topic by visiting  :  http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900746SEMINAR?wordpress-SEO


Article on FDA 21 CFR Part 11 Compliance

FDA 21 CFR Part 11 sets out the conditions under which electronic records and electronic signatures in FDA-regulated industries are considered authentic. Since 2007, a strong body of opinion has emerged challenging the stringency of these requirements, but nothing major has been diluted from them.

The regulations under FDA 21 CFR Part 11 set out the criteria the Food and Drug Administration (FDA) applies in order to deem electronic signatures authentic. Part 11 covers electronic records, electronic signatures, and handwritten signatures executed to electronic records; it establishes the benchmarks that FDA-regulated industries must meet to show that these records and signatures are trustworthy, reliable and secure. The operative factor is that the FDA has to be able to treat these signatures as equivalent to handwritten signatures executed on paper.

Which industries are included in FDA 21 CFR Part 11 Compliance?

FDA 21 CFR Part 11 applies to nearly all FDA-regulated industries, including but not restricted to:

  • Medical device manufacturers
  • Drug makers
  • CROs
  • Biotech companies, and
  • Biologics developers

The Aim of FDA 21 CFR Part 11 Compliance

The aim of FDA 21 CFR Part 11 is to ensure that the FDA-regulated industries mentioned above (with specific exceptions) implement controls, which could include audits, audit trails, documentation, system validations, and electronic signatures, for software and systems involved in processing electronic data that are:

  • Required to be maintained by FDA predicate rules, or
  • Used to demonstrate compliance with a predicate rule.

The FDA describes a predicate rule as any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11. FDA 21 CFR Part 11 also applies to submissions made to the FDA in electronic format, such as a new drug application.

Which industries are exempt from FDA 21 CFR Part 11 Compliance?

Interestingly, exceptions are allowed within the same industry, based on the format of filing. For example, while FDA 21 CFR Part 11 applies to submissions made to the FDA in electronic format, it does not apply to paper records that are merely transmitted by electronic means, such as a fax.

Also, FDA 21 CFR Part 11 compliance is not required for the record retention food manufacturers keep for trace-backs. Following the same logic as the mode-of-filing distinction above, most food manufacturers are not otherwise explicitly required to keep detailed records; but when an organization keeps electronic documentation for HACCP and similar requirements, that documentation must meet Part 11 requirements.

Learn more on this topic by visiting : http://www.globalcompliancepanel.com/control/globalseminars/~product_id=900774SEMINAR?linkedin-SEO