July Update: Making your GRC life easier

By | Compliance, PCI

We just released a Defensix update and it’s a big one! We’ve always leveraged customer feedback to drive the Defensix roadmap, and this release is no different. Before we dive in, here’s a quick overview of the notable features.

  • Control procedures – Follow control guidance by creating procedures around defined control tasks
  • Global search – Pick up right where you left off by quickly finding the procedure, roadmap task, control, policy, etc.
  • Security roadmap – Assign and map control tasks to track progress of security program
  • Added 3 frameworks, 12 controls, and 1 standard – Privacy and GDPR are getting a lot of attention. Now it’s a part of the Defensix framework!

Let’s dig into each one a bit more.

Control Procedures

Many of the controls within Defensix GRC are not one-and-done implementations. They require ongoing maintenance and review. Let’s look at an example. Control AM.02 from Asset and Configuration Management states:

Inventories of hardware and systems, software and applications, and information and data flows are maintained, updated throughout the asset life-cycle, and periodically reviewed.

Note the control requires a “periodic review” of asset inventories. It’s easy to let a procedure like this slip through the cracks, until you’re sitting across the table from an auditor. Defensix helps security programs stay organized, proactive, and ahead of the curve with automated procedures. Let’s take a quick look.

Within each control, you can create one or more procedures. Each procedure has an owner, a description, and a completion frequency. At the specified interval, Defensix emails the procedure instructions to the owner, who then carries out the procedure and marks the task as complete. An audit log is also maintained showing the procedure completion at each recurring interval. This really makes implementing and managing best practice security controls a snap!

Global Search

Your CFO recently went to a conference and listened to a talk on implementing two-factor authentication (2FA) to prevent financial fraud. She returns to the office and asks you what security controls you have in place that use 2FA. You go to Defensix, do a quick search for “multi-factor”, and can instantly see all your procedures that relate to 2FA, roadmap tasks that show 2FA implementation progress, and Defensix controls that require 2FA implementation. Your CFO is impressed!

Security Roadmap

We’ll stick with the CFO scenario, but this time she wants to know what you’re doing about two-factor authentication (2FA). You’re not caught off guard by the question because it’s on your roadmap! In Defensix you can manage the tasks relevant to each security control, assign ownership of the tasks, and track the projected implementation date. You know what your gaps are, and you know what you’re doing about them!

New Frameworks and Controls

We’ve added 4 new frameworks, and 12 new controls to the Defensix framework. What does this mean? This means that following the Defensix security control framework will help your organization not only meet the compliance requirements of PCI, HIPAA, GDPR, and FFIEC, but also follow best practice frameworks such as ISO 27001, CSC 20, and NIST CSF. The new frameworks and controls focus specifically on the health industry and privacy frameworks such as HITRUST and GDPR. Below is a complete list of the 14 frameworks now incorporated into Defensix.

  • CSC 20
  • SOC 2
  • FedRAMP
  • FFIEC IT Handbook: Information Security
  • GDPR
  • HIPAA Security Rule
  • ISO 27001
  • OECD Privacy Principles
  • NIST 800-53
  • PCI DSS 3.2
  • NIST CSF
  • 23 NYCRR Part 500

PCI 3.2.1 in 60 seconds or less

By | Compliance, PCI

On May 17, 2018, the PCI Security Standards Council (PCI SSC) released a revised version of the PCI Data Security Standard (PCI DSS). “This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in 3.2, as well as the migration dates for SSL/early TLS,” said PCI SSC Chief Technology Officer Troy Leach. Version 3.2.1 replaces 3.2 to account for effective dates and SSL/TLS migration deadlines that have passed. The 3.2.1 update did not affect the Payment Application Data Security Standard (PA-DSS); the changes introduced in v3.2.1 are listed below.

  • Appendix A2.1–A2.3 was updated to clarify that only Point-of-Sale Point-of-Interaction (POS POI) terminals and their service provider connection points may continue to be secured by SSL/early TLS controls after June 30, 2018.
  • Multi-factor authentication (MFA) is now mandatory for all non-console administrative access. One-time passwords were added as an acceptable alternative control for this scenario.
  • Removal of notes, within applicable requirements, referring to an effective date of February 1, 2018, as this date has passed.
  • There are no new requirements with this update.

Remember that vendors are typically responsible for all outdated POS POI devices. If a device is vulnerable to potential exploitation, the vendor must upgrade the device or provide a compensating control. PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019. Further information regarding the changes from 3.2 to 3.2.1 is available at https://www.pcisecuritystandards.org/document_library.

Be more than compliant!

Defensix helps organizations build and manage an effective information security program. Compliance alone may not be enough to defend effectively against sophisticated cyber attacks. Defensix is built by a team that understands how real-world attackers think and operate.

Learn how Defensix can help your organization become more secure.