Meet the Frameworks

By | Compliance

Every organization faces different challenges when it comes to governance, risk, and compliance (GRC). Multiple frameworks can apply to the same organization, making compliance difficult to keep track of. We thought it might be nice to have all of the major frameworks in one convenient platform, called Defensix, to help organizations save time, energy, and resources.

You may know which frameworks are required for your organization, but new information and updates are published every day. This presents a challenge to organizations trying to stay ahead of compliance and best-practice requirements. We thought it might be helpful to have a little insight into the requirements of the various frameworks and how they might apply to your organization now, or at some point in the future. Below you’ll find a bit about each of the frameworks that Defensix streamlines into one unified framework. Here is the breakdown.

23 NYCRR Part 500

As of March 1, 2019, financial, banking, and insurance organizations must be compliant with the New York State Department of Financial Services regulation 23 NYCRR Part 500. NYCRR stands for New York Codes, Rules and Regulations, which is exactly what you think it is, published by the New York State Department of State. 23 NYCRR Part 500 applies to any entity providing financial services.

It contains risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing. The regulatory framework requires financial services organizations to assess risk and create comprehensive plans to recognize and mitigate risk. It also requires:

  • Adequately funded programs that are overseen by a Chief Information Security Officer (CISO), which can include a third-party service provider, and implemented by qualified cybersecurity personnel.
  • Effective incident response plans, including preservation of the data needed to respond to data breaches and notice to the NYDFS within 72 hours of material events.
  • Accountability provided by identification and documentation of deficiencies, remediation plans, and certifications of compliance on an annual basis.
  • Audit trails designed to detect and respond to cybersecurity events.
  • Annual reports covering the risks faced, all material events, and the impact on protected data.

More resources for 23 NYCRR Part 500:

CIS Critical Security Controls (CSC 20)

Spearheaded by the National Security Agency (NSA), the CIS Critical Security Controls are a set of 20 best-practice security controls organized into three categories: basic, foundational, and organizational. CSC 20 is a general guideline for entities across all industries. Here is a little more detail about the control categories:

  • Basic CIS Controls
    • Inventory and Control of Hardware Assets
    • Inventory and Control of Software Assets
    • Continuous Vulnerability Management
    • Controlled Use of Administrative Privileges
    • Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Foundational CIS Controls
    • Email and Web Browser Protections
    • Malware Defenses
    • Limitation and Control of Network Ports, Protocols and Services
    • Data Recovery Capabilities
    • Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
    • Boundary Defense
    • Data Protection
    • Controlled Access Based on the Need to Know
    • Wireless Access Control
    • Account Monitoring and Control
  • Organizational CIS Controls
    • Implement a Security Awareness and Training Program
    • Application Software Security
    • Incident Response and Management
    • Penetration Tests and Red Team Exercises

For more information about CSC 20 visit:

FedRAMP

Federal Risk and Authorization Management Program. Besides being a fun name to say, this framework, developed in collaboration with NIST, GSA, DOD, and DHS, is how the U.S. government standardizes the application of the Federal Information Security Management Act (FISMA) to cloud computing services. Its aim is to “simplify security for the digital age by providing a standardized approach to security assessments, authorization, and continuous monitoring for the cloud products and services.”

FedRAMP is intended to be a “do once, use many times” framework which includes:

  • Standardized security requirements
  • Conformity assessment identifying qualified independent, third-party security assessors
  • Repository of authorization packages for secure clouds that all Agencies can leverage
  • Standardized ongoing assessment and authorization approach for Government clouds
  • Standardized contract language to help Agencies integrate FedRAMP requirements and best practices into acquisitions.

Learn more about FedRAMP here:

FFIEC IT Handbook: Information Security

The Federal Financial Institutions Examination Council publishes and updates its own IT Handbook, which includes a thorough section on information security. It is designed to help implement best-practice solutions for common IT problems.

The FFIEC IT Handbook’s purpose is “to guide examiners on factors to assess information security risks and procedures to evaluate the adequacy of the information security program.”

The FFIEC IT Handbook covers the following:

  • Governance
  • Information Security Program Management
  • Risk Management
  • Risk Mitigation
  • Inventory and Classification of Assets
  • User Security Controls
  • Physical Security
  • Network Controls
  • Change Management within the IT Environment
  • Control of Information
  • Logical Security
  • Customer Remote Access to Financial Services
  • Application Security
  • Database Security
  • Encryption
  • Business Continuity
  • Security Operations
  • Threat Identification and Assessment
  • Incident Identification and Assessment
  • Assurance and Testing

Access more about the FFIEC IT Handbook on Information Security here

GDPR

This famous, or rather infamous, framework has seen a lot of attention as of late. The General Data Protection Regulation (GDPR) is the European Union’s (EU) plan to hold companies more responsible for the handling and protection of personal data privacy. It applies to any and every organization that does business in the EU or with customers in the EU. It went into full effect on May 25, 2018, and major companies have been hit with massive penalties for lack of compliance. Don’t be one of those companies.

Here is a bit of what GDPR entails. Entities within or dealing within the EU must:

  • Establish proper security frameworks
  • Hire a Data Protection Officer (DPO)
  • Receive explicit consent of customers
  • Conduct a data protection impact assessment
  • Outline and implement precise procedures and policies in case of a data breach
  • Report a breach within 72 hours after the event

Organizations that are not compliant with GDPR face severe penalties, including but not limited to a fine of 20 million Euros or 4 percent of a company’s global revenue, whichever is higher.

Read more about GDPR and the EU’s cybersecurity policies at:

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity…requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

This framework applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction and to business associates. Definitions for certain terms can be learned here.

HIPAA is an oldie but a goodie. It went into effect as of April 20, 2005, and April 20, 2006, for small health plans. In cases of dispute between state and federal regulations, HIPAA takes precedence over state regulations.

The HIPAA Security Rule includes:

  • Administrative Safeguards
    • Security management process
    • Security Personnel
    • Information Access Management
    • Workforce Training and Management
    • Evaluation
  • Physical Safeguards
    • Facility Access and Control
    • Workstation and Device Security
  • Technical Safeguards
    • Access Control
    • Audit Controls
    • Integrity Controls
    • Transmission Security

Check out more about HIPAA Security Rule at:

HITRUST CSF

Learn more about the HITRUST CSF at:

ISO 27001

The International Organization for Standardization (ISO) has created a family of standards to keep information assets secure. ISO 27001 is the best-known of the family and covers requirements for information security management systems.

ISO 27001 is built to systematically examine an organization’s information security risks, including but not limited to threats, vulnerabilities, and impacts. It outlines requirements for:

  • Information security in project management
  • Restrictions on software installation
  • Secure development policy
  • Secure system engineering principles
  • Secure development environment
  • System security testing
  • Information security policy for supplier relationships
  • Information and communication technology supply chain
  • Assessment of and decision on information security events
  • Response to information security incidents
  • Availability of information processing facilities

A great, easy to understand overview of ISO 27001 can be found at:

NIST SP 800-171

The National Institute of Standards and Technology, a part of the U.S. Department of Commerce, developed a special publication entitled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, more commonly referred to as NIST 800-171. It was last updated on December 20, 2017, and was designed to provide federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).

It is conditional upon the following:

  • “When the CUI is resident in nonfederal information systems and organizations;
  • When the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.”

Read more here:

NIST SP 800-53

Another important special publication by NIST is entitled Security and Privacy Controls for Federal Information Systems and Organizations, or NIST 800-53. It provides a catalog of security and privacy controls for federal information systems and organizations. It details a process for selecting controls to protect organizations and the Nation in their operations from a variety of threats. These threats include hostile cyber-attacks, natural disasters, structural failures, and human error.

This special publication originated with influence from legislation, Executive Orders, policies, directives, regulations, standards, and mission needs. It addresses security from both a functionality and an assurance perspective to ensure that IT products and information systems are sufficiently trustworthy.

Check out more about NIST SP 800-53 here:

NIST CSF

This ongoing collaborative effort involving industry, academia, and the government was originally released in February 2014. The Cybersecurity Framework (CSF) was developed to offer a flexible way to address cybersecurity, specifically its effect on the physical, cyber, and people dimensions.

According to NIST, it is “applicable to organizations relying on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT).”

It is not one-size-fits-all, but it can help determine which activities and priorities to invest in to get the most out of security spending.

Learn more about the NIST CSF here:

OECD Privacy Principles

Though not an official EU entity, the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data have been influencing privacy policy in Europe since the 1970s. They were officially adopted in 1980. The OECD strives to “provide a setting where governments compare policy experiences, seek answers to common problems, identify good practice and coordinate domestic and international policies.”

The privacy principles derived from the guidelines are as follows:

  • Collection Limitation Principle
  • Data Quality Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Individual Participation Principle
  • Accountability Principle

Find more detail at:

PCI DSS 3.2

The Payment Card Industry (PCI) Security Standards Council created the Data Security Standard (DSS) as a framework to safeguard payment data before, during, and after purchase. It is designed to address growing threats to customer payment information.

Take a quick big-picture overview of PCI DSS 3.2 and see how to:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Read more at:

SOC 2

The American Institute of CPAs (AICPA) developed the System and Organization Controls for Service Organizations: Trust Services Criteria to ensure providers securely manage data. The goal is to protect the interests of an organization and the privacy of its clients.

There are a few different SOCs—but SOC 2 is specifically designed for trust services. It includes controls regarding:

  • Security
    • Network/application firewalls
    • Two-factor authentication
    • Intrusion detection
  • Availability
    • Performance monitoring
    • Disaster recovery
    • Security incident handling
  • Processing integrity
    • Quality assurance
    • Processing monitoring
  • Confidentiality
    • Encryption
    • Access Controls
    • Network/application firewalls
  • Privacy
    • Access control
    • Two-factor authentication
    • Encryption

Read more info at:

Wrap up

If you are reading this, you survived the acronyms. We applaud your determination and stamina. We know it’s a lot of information but we hope it is a helpful overview of which frameworks are included in the Defensix GRC Unified Framework module. New rules and regulations are coming into effect every month or two and we will be adding more frameworks to the GRC module as time goes on.

Questions? Please feel free to reach out here.


*Please note that rules, regulations, and frameworks are updated regularly. Please frequently check with original organizations of each framework to see the most current information available.

Never Fear, Defensix Vendor Management Is Here

By | Compliance, Vendor Management

Evaluating cybersecurity risk and managing relationships with third-party vendors is often a challenge. It doesn’t have to be. Defensix vendor management is now available to minimize frustration and maximize customization in assessing, tracking, and reporting vendors.

Defensix helps simplify what is frequently a complicated process. With the vendor management module you can:

  1. Create. Customize your own vendor questionnaires, or use common best-practice templates provided by Defensix.
  2. Assess. Quickly determine vendor risk through automated due-diligence, risk scoring and reporting, and a helpful dashboard.
  3. Approve. Maintain a standardized process for ongoing vendor risk assessments and approvals, never losing track of anyone.

[Image: visual graph representation of risk score; example of vendor overview dashboard]
Fig. 1 – Example of third-party vendor overview on Defensix vendor management module

Defensix, now combined with the vendor management module, provides outstanding tools to unify organizations’ compliance and manage vendor security. We know your time and resources are valuable. Defensix will streamline compliance and vendor management processes, giving you the time and resources to focus on other important security matters.

Request a demo to see the platform in action. We believe there is always room for improvement. Stay tuned for coming updates.

July Update: Making your GRC life easier

By | Compliance, PCI

We just released a Defensix update and it’s a big one! We’ve always leveraged customer feedback to drive the Defensix roadmap, and this release is no different. Before we dive in, here’s a quick overview of the notable features.

  • Control procedures – Follow control guidance by creating procedures around defined control tasks
  • Global search – Pick up right where you left off by easily finding the procedure, roadmap task, control, policy, etc.
  • Security roadmap – Assign and map control tasks to track progress of security program
  • Added 3 frameworks, 12 controls, and 1 standard – Privacy and GDPR are getting a lot of attention. Now it’s a part of the Defensix framework!

Let’s dig into each one a bit more.

Control Procedures

Many of the controls within Defensix GRC are not one-and-done implementations. They require ongoing maintenance and review. Let’s look at an example. Control AM.02 from Asset and Configuration Management states:

Inventories of hardware and systems, software and applications, and information and data flows are maintained, updated throughout the asset life-cycle, and periodically reviewed.

Note the control requires a “periodic review” of asset inventories. It’s easy to let a procedure like this slip through the cracks, until you’re sitting across the table from an auditor. Defensix helps security programs stay organized, proactive, and ahead of the curve with automated procedures. Let’s take a quick look.

Within each control, you can create one or more procedures. Each procedure has an owner, description, and completion frequency. At the specified interval, Defensix emails the owner the procedure instructions, who then carries out the procedure and marks the task as complete. An audit log is also maintained showing the procedure completion at each recurring interval. This really makes implementing and managing best practice security controls a snap!

Global Search

Your CFO recently went to a conference and listened to a talk on implementing two-factor authentication (2FA) to prevent financial fraud. She returns to the office and asks you what security controls you have in place that use 2FA. You go to Defensix, do a quick search for “multi-factor”, and can instantly see all your procedures that relate to 2FA, roadmap tasks that show 2FA implementation progress, and Defensix controls that require 2FA implementation. Your CFO is impressed!


Security Roadmap

We’ll stick with the CFO scenario…but this time she wants to know what you’re doing about two-factor authentication (2FA). You’re not caught off-guard by the question because it’s on your roadmap! In Defensix you can manage the tasks relevant to the security control, assign ownership of the tasks, and track the projected implementation date. You know what your gaps are, and you know what you’re doing about them!

New Frameworks and Controls

We’ve added 4 new frameworks, and 12 new controls to the Defensix framework. What does this mean? This means that following the Defensix security control framework will help your organization not only meet the compliance requirements of PCI, HIPAA, GDPR, and FFIEC, but also follow best practice frameworks such as ISO 27001, CSC 20, and NIST CSF. The new frameworks and controls focus specifically on the health industry and privacy frameworks such as HITRUST and GDPR. Below is a complete list of the 14 frameworks now incorporated into Defensix.

  • CSC 20
  • FedRAMP
  • GDPR
  • HITRUST CSF
  • ISO 27001
  • NIST 800-53
  • NIST CSF
  • SOC 2
  • FFIEC IT Handbook: Information Security
  • HIPAA Security Rule
  • NIST 800-171
  • OECD Privacy Principles
  • PCI DSS 3.2
  • 23 NYCRR Part 500

PCI 3.2.1 in 60 seconds or less

By | Compliance, PCI

On May 17, 2018, the PCI Security Standards Council (PCI SSC) released the revised version of the PCI Data Security Standard (PCI DSS). “This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in 3.2, as well as the migration dates for SSL/early TLS,” said PCI SSC Chief Technology Officer Troy Leach. Version 3.2.1 replaces 3.2 to account for effective dates and SSL/TLS migration deadlines that have passed. The 3.2.1 update did not affect the Payment Application Data Security Standard (PA-DSS); the effects of v3.2.1 are listed below.

Updates

  • Appendix A2.1-A2.3 was updated to clarify that only Point-of-Sale Point-of-Interaction (POS POI) terminals and their service provider connection points may continue to be secured by SSL/early TLS controls after June 30, 2018.
  • Multi-factor authentication (MFA) is now mandatory for all non-console administrative access. The addition of one-time passwords as an alternative potential control for this scenario is also acceptable.

Removed

  • Removal of notes, within applicable requirements, referring to an effective date of February 1, 2018, as this date has passed.

Requirements

  • There are no new requirements with this update.

Remember that vendors are typically responsible for all outdated POS POI devices. If a device is vulnerable to potential exploitation, the vendor must upgrade the device or provide a compensating control. PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019. Further information regarding the changes from 3.2 to 3.2.1 is available at https://www.pcisecuritystandards.org/document_library.

Be more than compliant!

Defensix helps organizations build and manage an effective information security program. Compliance alone may not be enough to effectively defend against sophisticated cyber attacks. Defensix is built by a team that understands how real-world attackers think and operate.

Learn how Defensix can help your organization become more secure.