In the cybersecurity world, most have heard of Incident Response Plans. An Incident Response Plan is basically a documented set of procedures put in place to detect a cyberattack that targets an organization’s information systems, describe how to respond to it and, hopefully, limit its impact. Since no organization is immune to cyberattacks today, all organizations should have an Incident Response Plan in place.
In fact, earlier this year, President Biden signed an executive order to improve the nation’s cybersecurity. This order requires not only government agencies but also those that contract with the government to have a clear incident response plan in place. The intent is to standardize how these organizations report, investigate and mitigate any type of cyberattack, and ensure that they incorporate as many NIST standards as possible.
Another type of plan has more recently entered the discussion: Security Technical and Organizational Measures (TOMs).
What are TOMs?
TOMs are defined as the processes, controls, systems and procedures that an organization should put into place in order to protect and secure personal identifying information (PII) that the organization manages. They play a big part in the regulations set forth by the General Data Protection Regulation (GDPR), a legal framework that defines guidelines on how personal information can be collected and processed for those who live in the European Union (EU).
Unfortunately, the GDPR does not exactly spell out what specific procedures or measures should be contained within these TOMs. But since the regulations require that PII data must be protected, we can assume that, at a minimum, TOMs should include:
- Securing PII data both in transit and at rest
- Preventing breaches
- Recording how PII data is processed every step of the way
Bottom line: securing and protecting PII data should be prioritized.
So what is the difference between an Incident Response Plan and TOMs?
For the most part they are very similar. Both should describe how an organization protects its data from cyberattacks, detects when a cyberattack has occurred and responds in the case of a breach. The main difference is in the definition of what should be protected. TOMs are meant to focus on PII data and require a full understanding of where the PII is stored and how it is processed every step along the way. An Incident Response Plan is designed to focus on all company data, not just consumer personal information.
Most companies put an Incident Response Plan in place to protect themselves from cyberattacks because a breach can mean a loss of time and money. TOMs, on the other hand, are required by the GDPR. Unless a company is concerned about fulfilling the requirements of the GDPR, it might not take the time to fully understand, document and ensure the protection of user PII data within its systems. However, since more government regulations to protect PII are being passed around the world each year, and the sheer volume of customers whose data has been hacked keeps increasing, perhaps the time has come for all of us to be proactive and prioritize the protection of our customer data.