July Update: Making your GRC life easier

July 10, 2018 | Compliance, PCI

We just released a Defensix update and it’s a big one! We’ve always leveraged customer feedback to drive the Defensix roadmap, and this release is no different. Before we dive in, here’s a quick overview of the notable features.

  • Control procedures – Follow control guidance by creating procedures around defined control tasks
  • Global search – Pick up right where you left off by easily finding the procedure, roadmap task, control, policy, etc.
  • Security roadmap – Assign and map control tasks to track progress of security program
  • Added 3 frameworks, 12 controls, and 1 standard – Privacy and GDPR are getting a lot of attention. Now it’s a part of the Defensix framework!

Let’s dig into each one a bit more.

Control Procedures

Many of the controls within Defensix GRC are not one-and-done implementations. They require ongoing maintenance and review. Let’s look at an example. Control AM.02 from Asset and Configuration Management states:

Inventories of hardware and systems, software and applications, and information and data flows are maintained, updated throughout the asset life-cycle, and periodically reviewed.

Note the control requires a “periodic review” of asset inventories. It’s easy to let a procedure like this slip through the cracks, until you’re sitting across the table from an auditor. Defensix helps security programs stay organized, proactive, and ahead of the curve with automated procedures. Let’s take a quick look.

Within each control, you can create one or more procedures. Each procedure has an owner, description, and completion frequency. At the specified interval, Defensix emails the owner the procedure instructions, who then carries out the procedure and marks the task as complete. An audit log is also maintained showing the procedure completion at each recurring interval. This really makes implementing and managing best practice security controls a snap!

Global Search

Your CFO recently went to a conference and listened to a talk on implementing two-factor authentication (2FA) to prevent financial fraud. She returns to the office and asks you what security controls you have in place that use 2FA. You go to Defensix, do a quick search for “multi-factor”, and can instantly see all your procedures that relate to 2FA, roadmap tasks that show 2FA implementation progress, and Defensix controls that require 2FA implementation. Your CFO is impressed!
Security Roadmap

We’ll stick with the CFO scenario, but this time she wants to know what you’re doing about two-factor authentication (2FA). You’re not caught off guard by the question because it’s on your roadmap! In Defensix you can manage the tasks relevant to the security control, assign ownership of the tasks, and track the projected implementation date. You know what your gaps are, and you know what you’re doing about them!

New Frameworks and Controls

We’ve added 4 new frameworks and 12 new controls to the Defensix framework. What does this mean? It means that following the Defensix security control framework will help your organization not only meet the compliance requirements of PCI, HIPAA, GDPR, and FFIEC, but also follow best practice frameworks such as ISO 27001, CSC 20, and NIST CSF. The new frameworks and controls focus specifically on the health industry and on privacy frameworks such as HITRUST and GDPR. Below is a complete list of the 14 frameworks now incorporated into Defensix.

  • CSC 20
  • FedRAMP
  • GDPR
  • ISO 27001
  • NIST 800-53
  • NIST CSF
  • SOC 2
  • FFIEC IT Handbook: Information Security
  • HIPAA Security Rule
  • OECD Privacy Principles
  • PCI DSS 3.2
  • 23 NYCRR Part 500