Category: Compliance

Categories
Compliance

Understanding CMMC

As cybersecurity threats continue to evolve, the U.S. Department of Defense (DoD) has implemented the Cybersecurity Maturity Model Certification (CMMC) framework to protect sensitive government data throughout the entire Defense Industrial Base (DIB) — an ecosystem of over 300,000 companies, which includes not only the large prime contractors, but also subcontractors, managed service providers (MSPs/MSSPs), cloud vendors, software developers, staffing firms, and other suppliers.  Many of these organizations may not have historically had to implement such stringent cybersecurity measures, so understanding the CMMC is crucial for future contract eligibility. 

In this post, we’ll break down what CMMC is, debunk common myths, and help you understand what it takes to prepare. 

What Is CMMC? 

The Cybersecurity Maturity Model Certification (CMMC) is a compliance standard built primarily on NIST SP 800-171 to assess and enhance the cybersecurity posture of organizations within the DoD supply chain, with the primary focus of protecting Controlled Unclassified Information (CUI) in non-federal systems. 

The CMMC has three compliance tiers: 

  • Level 1 (Foundational): Focuses on 17 basic safeguarding practices for Federal Contract Information (FCI) and requires an annual self-assessment and affirmation by company leadership. 
  • Level 2 (Advanced): Encompasses the 110 controls from NIST 800-171 for protecting CUI.  Some organizations may be eligible to conduct self-assessments; others will require third-party assessments conducted by a C3PAO. 
  • Level 3 (Expert): Adds enhanced requirements based on NIST 800-172, for contractors with highly sensitive DoD work (primarily reserved for select primes) and required government led assessments. 

The required level an organization must meet is dictated based on the type and sensitivity of the information being handled, and their role in the supply chain. 

Common Misconceptions About CMMC 

Even though the CMMC is largely based on NIST 800-171, which has been around for quite some time, there are still several widespread misconceptions about CMMC compliance that can lead to confusion or mislead organizations: 

  1. “The CMMC only applies to large defense contractors.”

Not true.  The CMMC applies to all organizations in the defense supply chain, including small businesses, subcontractors, cloud vendors, and managed services providers, especially those responsible handling, processing, or protecting CUI. 

  1. “The CMMC is just a checklist or paperwork exercise.”

The CMMC is about demonstrating mature, repeatable, and enforceable security practices, and requires technical implementation, governance, and evidence of real-world implementation and ongoing effectiveness.  Documentation is critical but so is demonstrating your controls in practice. 

  1. “I’m NIST 800-171 compliant, so I should be CMMC compliant.”

Although the CMMC is largely based on NIST 800-171, many organizations assume compliance with NIST 800-171, and submit self-assessments, without reviewing the individual assessment objectives.  With the CMMC, an organization must prepare to be audited by a third party and should gather appropriate evidence against each of the 300+ assessment objectives.  

  1. “We can pass with partial implementation or just a plan.”

Wrong.  While Plans of Action and Milestones (POA&Ms) allow organizations to defer some controls, they are temporary, so they must be closed within a defined period.  Additionally, many key controls cannot be deferred, and organizations must meet a minimum score and close all critical gaps before certification. 

  1. “Using Microsoft GCC or AWS GovCloud makes us compliant.”

Using FedRAMP compliant services helps to support compliance, but there are several controls around those services which still need to be implemented, managed, and documented.  CMMC compliance is about your organization’s entire environment, not just your tools. 

How Organizations Can Prepare for CMMC 

Preparing for CMMC isn’t a one-and-done checklist, it is a strategic initiative that requires resources, a clear understanding of what’s in scope, careful planning and execution, and long-term maintenance.  Here’s some tips to get started: 

  1. Understand Your CMMC Scope

Identify where FCI and/or CUI resides, and map out all users, systems, processes, and vendors that interact with or process this data.  This helps to define your assessment boundary. 

  1. Conduct a Gap Assessment

Conduct a self-assessment to compare your current cybersecurity posture against the required controls for your target level.  Most organizations seeking certification will require Level 2 compliance and should use NIST 800-171A to perform a control-by-control assessment (don’t forget to examine each of the control assessment objectives). 

  1. Build Your System Security Plan (SSP)

Your SSP is a living document that outlines your system architecture and should include details on how each control is implemented across your environment, network diagrams, asset inventory, and policies.  The SSP will be required for both self-assessments as well as for the third-party assessment, and it is one of the first things assessors will ask for. 

  1. Submit Your SPRS Score

If you’re pursuing Level 2, you must perform a NIST 800-171 self-assessment and submit your Supplier Performance Risk System (SPRS) score.  A perfect score is 110, and any score less than that should be supported with a POA&M (where allowed). 

  1. Remediate and Harden Your Environment

Fix identified gaps through the implementation of technical controls and/or the development of additional documentation / policy.  Validate that all security protections are operational and monitored, and track remediation in a formal POA&M, and be sure to close out non-negotiable controls before your assessment. 

  1. Engage Expert Help

Consider working with an experienced third party to help guide your compliance efforts, and if a third-party assessment is required, coordinate with a Certified Third-Party Assessment Organization (C3PAO). 

  1. Plan for Continued Compliance

Once you have prepared your environment, documentation, and personnel for review, and selected a Certified Third-Party Assessment Organization (C3PAO) you should be nearly ready for your assessment; however, you should realize that the CMMC is not a one-time audit.  It’s about building sustainable security practices and implementing a continuous monitoring strategy to maintain readiness and maturity over time. 

Final Thoughts 

While the CMMC requirements may seem daunting, they are ultimately a positive shift toward stronger, more resilient systems.  Organizations that act early and invest in robust security will not only meet the CMMC requirements, they’ll be more competitive and more secure in the long run. Contact us for your CMMC requirements inquiry@securit360.com

Categories
Compliance

From Compliance to Competitive Advantage: Leveraging Cybersecurity Standards

Compliance

Cybersecurity compliance is often viewed as a necessary burden—a checklist to avoid penalties and legal ramifications. However, forward-thinking organizations are flipping the script, transforming their compliance efforts into a competitive advantage, and avoiding penalties, sanctions, and embarrassing news headlines. By exceeding basic compliance and embracing cybersecurity standards, businesses can differentiate themselves in the market, build trust with customers, and pave the way for innovation. 

The Compliance Baseline 

Cybersecurity compliance typically involves adhering to regulations and standards such as the General Data Protection Regulation (GDPR) in the EU, the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector, the Family Educational Rights and Privacy (FERPA) for educational institutions, or the Payment Card Industry Data Security Standard (PCI DSS) for businesses that process credit card information. While compliance is critical, it represents the minimum requirement for protecting sensitive data. 

Beyond the Checklist 

To transition from compliance as a mere requirement to a strategic asset, organizations must view cybersecurity standards not as the ceiling but as the floor. By adopting a proactive approach to cybersecurity, businesses can not only meet but exceed regulatory requirements, positioning themselves as leaders in data protection and security. The first step in improving compliance would be to identify all laws, regulations, and standards that apply to the organization. 

Enhancing Trust and Reputation 

In a marketplace where consumers are increasingly aware of and concerned about data privacy and security, demonstrating a commitment to robust cybersecurity measures can significantly enhance trust and loyalty. Organizations that transparently communicate their cybersecurity efforts and achievements, such as certifications or adherence to international standards like ISO 27001, can differentiate themselves from competitors and build a reputation as a trusted partner. 

Enabling Business Innovation 

Far from being a hindrance, a strong cybersecurity framework can enable innovation. With a solid security foundation, organizations can more confidently explore innovative technologies and business models, such as cloud services, Internet of Things (IoT) applications, digital platforms, and Artificial Intelligence. Cybersecurity thus becomes an enabler of digital transformation, supporting the organization’s agility and capacity to innovate. 

Reducing Costs and Risks 

Investing in cybersecurity measures beyond the minimum required for compliance can lead to significant cost savings over time. By preventing cyber incidents and data breaches, organizations can avoid the associated costs, such as fines, legal fees, and remediation expenses. Moreover, a proactive cybersecurity stance can reduce the risk of operational disruptions, maintaining business continuity and safeguarding against reputational damage. 

Strategic Integration 

For cybersecurity to be a competitive advantage, it must be integrated into the organization’s overall business strategy. This involves: 

  • Leadership Commitment: Executive leadership must champion cybersecurity as a strategic imperative, ensuring it receives the necessary resources and attention. 
  • Stakeholder Engagement: Communicating the value of cybersecurity investments to shareholders, customers, and employees is crucial for garnering support and understanding. 
  • Continuous Improvement: Cybersecurity is not a one-time achievement but a continuous process. Organizations must stay abreast of the latest threats and technological advancements, adapting their strategies accordingly. 

Conclusion 

By shifting the perspective on cybersecurity from compliance to competitive advantage, organizations can not only safeguard their assets and reputation but also gain a strategic edge over their competition. This approach requires commitment, investment, and a culture that values security as a cornerstone of business success. In doing so, companies not only protect themselves from cyber threats but also unlock new opportunities for growth and innovation. 

Categories
Compliance

Navigating the Future: Embracing NIST’s AI Risk Management Framework

NIST AI Risk Management Framework

Artificial intelligence (AI) is no longer a futuristic concept but a present-day reality reshaping industries across the board. As a vCISO, I’ve witnessed firsthand the transformative power of AI and the accompanying challenges it brings. One such challenge is effectively managing the risks associated with AI deployment. Enter the National Institute of Standards and Technology’s (NIST) AI Risk Management Framework (AI RMF), a pivotal tool designed to guide organizations in harnessing AI responsibly and securely.

Why AI Risk Management Matters

AI technologies offer unprecedented opportunities—from enhancing cybersecurity defenses to driving operational efficiencies. However, with these opportunities come significant risks, including data privacy concerns, biases in responses, and the potential for unintended consequences. Organizations may face regulatory penalties, reputational damage, and operational disruptions without a structured approach to managing these risks.

NIST’s AI RMF addresses these concerns by providing a comprehensive framework that helps organizations identify, assess, and mitigate AI-related risks. It serves as a roadmap for integrating AI safely into business processes, ensuring that innovation does not come at the expense of security and trust.

Understanding the NIST AI Risk Management Framework

At its core, the NIST AI RMF is designed to be flexible and adaptable, catering to organizations of all sizes and industries. The framework is built around four primary functions: Govern, Map, Measure, and Manage. Let’s delve into each of these components to understand how they contribute to effective AI risk management.

  1. Govern

Governance is the foundation of the AI RMF. It involves establishing policies, procedures, and oversight mechanisms to guide AI development and deployment. Effective governance ensures that AI initiatives align with an organization’s values, ethical standards, and regulatory requirements.

Key Elements:

    • Leadership Commitment: Senior management must champion AI governance, fostering a culture that prioritizes responsible AI use.
    • Policy Development: Clear policies outlining acceptable AI practices, data usage, and accountability measures are essential.
    • Stakeholder Engagement: Users are not the only stakeholders; a diverse group, including legal, compliance, and technical teams, ensures comprehensive oversight.
  2. Map

Mapping involves understanding the AI system’s context, including its intended use, operational environment, and potential impact. This step requires a thorough assessment of where and how AI will be integrated into business processes.

Key Elements:

    • Use Case Identification: Clearly defining the AI applications, the sphere of information, and their objectives helps in assessing relevant risks.
    • Contextual Analysis: Evaluating the environment in which AI will operate, including external factors like market conditions and regulatory landscapes.
    • Stakeholder Mapping: Identifying all parties affected by the AI system, from end-users to third-party vendors.
  2. Measure

Measurement involves evaluating the AI system’s performance and associated risks. This involves technical assessments and ethical considerations to ensure the AI operates as intended without adverse effects and meets organizational goals.

Key Elements:

    • Risk Assessment: AI tools have unique potential threats alongside opportunities requiring vigilance for reducing vulnerabilities and overreliance.
    • Performance Metrics: Establishing benchmarks to monitor AI effectiveness, accuracy, and reliability.
    • Bias and Fairness Evaluation: Ensuring that AI decisions are equitable and do not perpetuate existing biases.
  2. Manage

Managing AI risks involves implementing strategies to mitigate identified risks and continuously monitoring the AI system’s performance. This is an ongoing process that adapts to new threats and evolving business needs.

Key Elements:

    • Mitigation Strategies: Developing and deploying measures to address identified risks, such as access to new data sources or bias correction algorithms.
    • Continuous Monitoring: Regularly reviewing AI performance and risk factors to detect and respond to issues promptly.
    • Incident Response Planning: Prepare for potential AI-related incidents by incorporating them into plans and procedures.

The Benefits of Adopting NIST’s AI RMF

Embracing the NIST AI RMF offers numerous advantages for organizations:

  • Enhanced Security Posture: Organizations can strengthen their security framework by systematically identifying and addressing AI risks.
  • Regulatory Compliance: The framework helps ensure that AI deployments meet current and emerging regulatory standards, reducing the risk of non-compliance penalties.
  • Trust and Transparency: Demonstrating a commitment to responsible AI use fosters trust among customers, partners, and stakeholders.
  • Operational Efficiency: Proactive risk management minimizes disruptions and overreliance, ensuring that AI systems contribute positively to business objectives.
  • Ethical AI Deployment: The framework promotes ethical considerations, helping organizations avoid biases and ensure fair AI outcomes.

Implementing the AI RMF: Practical Steps for Your Organization

Adopting the NIST AI RMF may seem daunting, but breaking it down into manageable steps can facilitate a smooth implementation:

  1. Assess Current AI Initiatives

Begin by evaluating existing AI projects to understand their scope, objectives, and potential risks. This initial assessment provides a baseline for applying the framework.

  1. Establish Governance Structures

Form a dedicated AI governance committee comprising representatives from key departments. Develop policies that outline AI usage guidelines, ethical standards, and accountability measures.

  1. Conduct Comprehensive Risk Assessments

Utilize the framework’s mapping and measurement functions to identify and evaluate risks associated with each AI initiative. This includes technical vulnerabilities and ethical considerations.

  1. Develop Mitigation Strategies

Based on the risk assessments, strategies can be implemented to address identified risks. This may involve technical solutions, process changes, or additional training for staff.

  1. Implement Continuous Monitoring

Set up systems for ongoing monitoring of AI performance and risk factors. Regular reviews and updates ensure that the AI systems remain secure and effective over time.

  1. Foster a Culture of Responsibility

Encourage continuous learning and awareness around AI risks and best practices. Providing training and resources empowers employees to engage with AI responsibly.

Real-World Applications and Success Stories

Many organizations have already begun leveraging the NIST AI RMF to bolster their AI risk management strategies. For instance, a leading financial institution integrated the framework to enhance its fraud detection systems. By systematically identifying potential biases and implementing robust security measures, they not only improved detection accuracy but also ensured compliance with stringent financial regulations.

A Legal industry client we work with has developed assessment tools for the numerous AI tools or existing solutions that are adding AI capabilities.  By leveraging elements of the NIST AI RMF into their processes, the firm has developed methods to integrate AI tools safely maintaining client confidentiality and ethical standards.

Similarly, a healthcare provider employed the AI RMF to manage risks associated with patient data analysis tools. Through rigorous governance and continuous monitoring, they safeguarded sensitive information while enhancing patient care outcomes.

These success stories underscore the framework’s versatility and effectiveness across diverse sectors, demonstrating its value as a cornerstone of responsible AI deployment.

Looking Ahead: The Future of AI Risk Management

As AI technologies continue to advance, so too will the complexity of associated risks, including opportunities. The NIST AI RMF is designed to evolve alongside these changes, providing a dynamic tool that adapts to new challenges and innovations. Organizations that embrace this framework today will be better positioned to navigate the AI-driven future with confidence and resilience.

At SecurIT360, we are committed to guiding our clients through the intricacies of AI risk management. By leveraging the NIST AI RMF, we help organizations not only protect their assets but also unlock the full potential of AI in a secure and ethical manner.

Conclusion

The integration of AI into business operations is inevitable, offering immense benefits alongside significant risks. NIST’s AI Risk Management Framework serves as a crucial guide for organizations striving to balance innovation with security and responsibility. By adopting this framework, businesses can navigate the complexities of AI deployment, ensuring that their AI initiatives are not only effective but also secure, ethical, and compliant.

As we stand on the brink of an AI-driven era, the importance of robust risk management cannot be overstated. Embracing the NIST AI RMF is a proactive step towards building a secure and trustworthy AI ecosystem, fostering a future where technology and security go hand in hand.

At SecurIT360, we are here to support your journey in AI risk management, providing expertise and solutions tailored to your unique needs. Let’s work together to harness the power of AI responsibly and securely, driving your business forward with confidence.

Categories
Compliance

Why SOC 2 Compliance Isn’t The Same As Security

Achieving SOC 2 compliance has become a badge of honor for organizations, signaling they’re dedicated to protecting customer data. However, as valuable as compliance reports like SOC 2 are, they’re not synonymous with actual security. Checking the boxes for compliance doesn’t necessarily mean a company is safe from threats. Security is a moving target that requires vigilance across multiple areas, not just an annual audit.

While compliance frameworks help establish a minimum level of data protection, proper security goes beyond these requirements, addressing risks dynamically as they evolve. Let’s look closer at why compliance is just one piece of the puzzle and what a more holistic approach to security looks like.

SOC 2 Compliance: What It Really Means

A SOC 2 (System and Organization Controls 2) report is a compliance framework focusing on a service provider’s ability to manage data securely. This report evaluates a company’s controls across criteria like security, availability, processing integrity, confidentiality, and privacy. By following these guidelines, an organization can demonstrate to clients and stakeholders that it has protocols in place for data protection.

However, SOC 2 attests to controls at a specific point in time. While the report verifies compliance with certain standards, it doesn’t account for threats and vulnerabilities that may have developed since the audit. In other words, just because a company passed a SOC 2 audit doesn’t mean it’s immune to cyber risks.

Compliance vs. Security: Where the Gaps Exist

Compliance frameworks like SOC 2 focus on specific standards, but security is far more expansive. Cyber threats don’t wait for your next audit—they evolve constantly. Security is about proactively identifying, assessing, and mitigating risks as they emerge. Here are some of the gaps where compliance falls short of true security:

1. Dynamic Threats Aren’t Covered 

Compliance frameworks are typically retrospective. They assess security measures based on past criteria and performance while cyber threats continuously evolve. Real security requires active threat intelligence, continuous monitoring, and real-time responses to address new attack vectors as they emerge.

2. Limited Focus on Incident Response 

SOC 2 may require an organization to have an incident response plan, but it doesn’t necessarily evaluate how effective or current that plan is. Security, conversely, involves having a response plan and regularly testing and updating it to ensure it’s effective in a crisis.

3. Emphasis on Controls, Not Culture 

Compliance is often a “check-the-box” activity, but security requires a culture of awareness and accountability. Employees must be trained regularly on security best practices, and security must be woven into every aspect of the organization, from hiring to daily operations.

4. Lack of Comprehensive Vulnerability Management 

Compliance standards might set requirements for vulnerability scans or regular patches, but true security involves more than just scanning. It includes active vulnerability management, risk prioritization, and immediate remediation. A company that relies solely on compliance guidelines may be unaware of critical vulnerabilities that emerge between audits.

5. Absence of Advanced Threat Detection and Response 

Compliance frameworks may not mandate sophisticated detection systems like intrusion detection/prevention systems (IDPS), endpoint detection and response (EDR), or threat-hunting programs. However, organizations are less equipped to detect and respond to advanced threats without these tools. Real security demands more proactive defenses that go beyond basic controls.

What Real Security Looks Like

So, if compliance isn’t enough, what does a well-rounded security program entail? Security is a holistic, continuous approach that addresses an organization’s technical and human elements. Here are the key pillars of a truly secure organization:

1. Proactive Threat Intelligence and Monitoring 

Staying secure requires constant vigilance. This includes investing in threat intelligence to understand current risks, implementing 24/7 monitoring to catch potential intrusions, and deploying technology that helps identify unusual behavior before it escalates into a full-blown breach.

2. Regular Security Audits and Assessments 

Rather than waiting for a yearly compliance audit, organizations committed to security conduct regular internal and external audits. Penetration tests, red team exercises, and continuous vulnerability assessments help them uncover and address weaknesses before they become threats.

3. Effective Incident Response and Recovery 

Real security means regularly testing an up-to-date incident response plan through simulated exercises. Organizations should practice scenarios to ensure everyone—from executives to IT staff—knows their role during an attack. Additionally, having a disaster recovery plan is crucial to ensure business continuity.

4. Comprehensive Data Protection 

Security-minded organizations go beyond access control and encryption to ensure data privacy and protection. This includes data loss prevention (DLP) strategies, strict access management controls, and data anonymization techniques to protect customer data from multiple angles.

5. Employee Awareness and Training 

A secure organization recognizes that humans are often the weakest link. Regular security awareness training is essential to equip employees to recognize phishing attempts, suspicious links, and other common threats. Security becomes stronger when employees actively participate in the defense.

6. Zero Trust Architecture 

Traditional security models assume that everything inside the organization’s network is safe, but Zero Trust assumes that threats can come from anywhere. A zero-trust model helps limit potential breaches and improve overall security resilience by verifying every user and device at each access point.

7. Comprehensive Risk Management and Continual Improvement 

Proper security involves continual risk assessment and adaptability. A secure organization assesses internal and external risks, adjusting its strategy as threats change. This adaptability is crucial as security landscapes evolve. Routine reviews ensure policies and tools stay current and effective against emerging threats.

Why This Matters More Than Ever

Cyber threats are growing in both frequency and sophistication. Organizations can no longer afford to rely on annual audits as proof of security because these frameworks can’t keep pace with the speed at which threats develop. Relying solely on compliance is like locking the front door but leaving all the windows open—it creates a false sense of security.

When organizations embrace a security-first mentality rather than a compliance-only approach, they’re not just protecting data but building trust with clients, partners, and employees. People care about how organizations handle their information and expect that security is woven into every decision and process, not just checked off on an audit report. In a world where data breaches, ransomware, and supply chain attacks are daily news, organizations prioritizing security beyond compliance set themselves apart, fostering a safer and more resilient digital environment.

Ultimately, SOC 2 compliance is a valuable step, but it’s just the beginning. By adopting a proactive, comprehensive security strategy, organizations can protect against threats, adapt to new risks, and build a foundation of trust that compliance alone can’t achieve. Security isn’t just about passing a test; it’s about vigilance, adaptability, and a commitment to safeguarding what matters most.

Categories
Compliance

Check The Expiration Date

The Payment Card Industry (PCI) Security Standards Council (SSC) develops standards and resources that help protect the people, processes, and technologies across the payment ecosystem to help secure payment transactions worldwide.  The PCI SSC is led by a policy-setting Executive Committee composed of representatives from the Founding Members and Strategic Members which includes American Express, Discover Financial Services, JCB International, Mastercard, UnionPay, and Visa Inc.

The PCI Data Security Standard (DSS) is a global standard that was established to protect payment account data. The PCI DSS is comprised of twelve technical and operational requirements that are spread across six different goals.

If an entity stores, processes, or transmits the payment card Primary Account Number (PAN), then a Cardholder Data Environment (CDE) exists to which PCI DSS requirements will apply.

The current version of the PCI DSS is 4.0.  This version was officially released in 2022 with a transition period of two years.  The previous version, 3.2.1, expires on 3/31/2024.  Some requirements in v4.0 are considered best practices until 3/31/2025, after which they will be required and must be fully considered during a PCI DSS assessment.

Some of the changes incorporated into Version 4.0 of the PCI DSS include:

  • Continue to meet the security needs of the payment industry.
  • Promote security as a continuous process.
  • Increase flexibility for organizations using different methods to achieve security objectives.
  • Enhance validation methods and procedures.

For a comprehensive view of changes in the new version as well as other standards and supporting documentation, please refer to the PCI SSC Document Library

Compliance questions, including questions about whether it is acceptable to submit a PCI DSS v3.2.1 assessment report after the standard is retired on 3/31/2024, should be directed to the organizations that manage the compliance program, such as payment brands and acquirers.

Categories
Compliance

New NY DFS Cyber Regulation Proposed Amendments

New NY DFS Cyber Regulation Amendments

On July 29th, 2022, The New York State Department of Financial Services (NY DFS) published pre-proposal amendments to their landmark Cybersecurity Regulation, 23 NYCRR 500. The “DFS Cyber reg” as it’s often referred to, was a first-in-the-nation when it was published in 2017 and has since been a model that’s been used in countless other regulations.

As much as there’s some disagreeable points in this reg, you can’t argue with the fact that it has and continues to raise the bar of Cybersecurity for the financial services industry. The proposed amendments are clearly designed to do the same, made evident by the fact that nearly every section has new or amended requirements.

Although it’s early on in the process, if only a small portion of the amendments make it to the final version, this updated regulation will no doubt impose significant new requirements on covered entities. This blog post is going to describe each of the changes, new requirements and definitions so you can begin to prepare and plan for what is inevitably to come.

Comment Period

According to the NY DFS, comments will be accepted through the NY DFS website until Monday August 8th. The NY DFS Executive Deputy Superintendent also stated on LinkedIn that, “This will not be the only opportunity to comment, as there will also be a full 60-day notice and comment period before the amendments are final.”

You can read the amendments in all its glory here: https://dfs.ny.gov/system/files/documents/2022/07/pre_proposed_draft_23nycrr500_amd2.pdf. When reading the amendments (linked above) keep in mind that additions are marked with underscores and items that are planned to be removed are marked in brackets.

New Applicability

Due to changes in the definition of “covered entity” there could be organizations that have to comply with the cyber reg that have not previously had to. The part highlighted below is new.

  • Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, including entities that are also regulated by other government agencies.

Limited Exemptions

Covered entities that meet the following are excluded from the requirements of sections: 500.4, 500.5, 500.6, 500.8, 500.10, 500.12, 500.14, 500.15 and 500.16.

  • Fewer than 20 employees (up from 10) and includes employees, employees and independent contractors of the covered entities affiliates whose work is located in New York, and employees and independent contractors of the covered entities affiliates who are responsible for the business of the covered entity regardless of their location

  • Less than $15,000,000 in year-end total assets

Also newly exempt categories of companies are:

  • Reciprocal jurisdiction reinsurer that has been recognized pursuant to 11 NYCRR Part 125

  • Individual insurance agents who are deemed to be inactive under Insurance Law section 2103

  • Individual licensees placed in inactive status under Banking Law section 599-i

Effective Dates

Covered entities have 180 days from the effective date to comply with the new requirements, with several requirements having different transitional periods. Those are:

  • 500.17 – 30 days from the effective date to comply

  • 500.7(b), 500.12(c) and 500.14(b) – 1 year from the effective date to comply

Violations & Penalties

Section 500.20 is essentially all new and it describes what constitutes a violation of the regulation and how penalties for violations will be determined.

  • Violation – The commission of a single act prohibited by the reg or failure to act to satisfy an obligation of the reg. This includes failure to secure or prevent unauthorized access to nonpublic information due to non-compliance, or failure to comply with any section or subsection for any 24-hour period.

  • Penalties – When assessing a penalty for violation, the superintendent may take into account a wide array of information. There are 15 categories of items that may be taken into consideration such as: good faith of the covered entity, cooperation with the superintendent’s investigation, was the violation a result of a failure to remediate previously identified issues, the extent of harm to consumers, and much more.

New Requirements

As I stated above, nearly every section has amendments or new requirements. We’re going to step through each of the requirements and describe what’s new.

500.2 Cybersecurity Program

  • Independent audit – Class A companies (a new definition targeting larger organizations) are required to perform an independent audit of their cybersecurity programs at least annually, which can be done by an internal or external auditor so long as they are NOT influenced by the covered entity.

500.3 Cybersecurity policy

  • Cybersecurity policies – They must now be approved annually by the senior governing body, and they must now also address end of life management, remote access control, and vulnerability and patch management.

    • Senior governing body definition – the covered entity’s board of directors or equivalent governing body or, if neither of those exist, the senior officer of the covered entity responsible for the covered entity’s cybersecurity program.

500.4 Chief information security officer

  • CISO – The CISO must now have adequate independence and authority to ensure cybersecurity risks are appropriately managed.

  • The CISO Report – Must now be a written report and include plans for remediating inadequacies. The CISO must also timely report material cybersecurity issues, such as updates to the risk assessment or cyber events to the senior governing body.

  • Board of Directors – If the covered entity has a board, they (or an appropriate committee) must have knowledge and experience to oversee the cybersecurity program and they must require executive management to develop, implement and maintain the cybersecurity program.

500.5 Penetration Testing and Vulnerability Assessments

  • Annual penetration testing – Must now be performed by a qualified independent party

  • Regular vulnerability assessments – Must now be performed regularly. Class A companies must conduct scans or reviews at least weekly.

  • Reporting – Material gaps found in testing must be documented and reported to the senior governing body and senior management.

500.7 Access privileges and management (amended title)

  • User access – Must be restricted to those necessary to perform the user’s job.

  • Privileged accounts – (which now has a definition) Must be a limited number of them, they must be restricted to only functions needed to perform the user’s job, and they must only be used when elevated functions are required.

    • Privileged account definition – any authorized user or service account that can be used to: perform security-relevant functions that ordinary users are not authorized to perform or affect a material change to the technical or business operations of the covered entity.

  • Access reviews – Periodic review and removal of all unnecessary accounts.

  • Remote control protocols – Protocols that permit remote control of devices must be disabled or securely configured.

  • Strong passwords – The covered entity must ensure strong passwords are used.

  • Monitor privileged access – Class A companies must monitor privileged access activity, implement a password vaulting solution for privileged accounts, and use automated methods to block commonly used passwords.

500.8 Application Security

  • Documentation updates – Procedures, guidelines and standards must now be reviewed, assessed and updated at least annually.

500.9 Risk Assessment

  • Risk assessment – The definition is much more comprehensive than the current version of the reg. Also, the risk assessment must be updated annually or after any material change to the covered entities cyber risk. Class A companies must have a risk assessment performed by external experts at least once every three years. Lastly, the CISO must timely report changes in the risk assessment to the senior governing body (also a new definition).

  • Risk assessment definition – the process of identifying cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. Risk assessments shall take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place.

500.12 Multi-factor authentication

  • Remote access – The wording has been amended to say “Multi-factor authentication must be used for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible.”

  • Multi-factor for priveleged accounts – MFA must now be used by all privileged accounts, except for accounts that prohibit interactive login and where the CISO has approved in writing the implementation of compensating controls that achieve a reasonably equivalent alternative.

500.13 Asset and data retention management (amended title)

  • Policies and procedures – the section requires written policies and procedures designed to ensure a complete, accurate, and documented asset inventory. It has to include all information systems and their components, and should also include infrastructure devices, APIs and cloud services.

    • The policies should at minimum address tracking key information for each asset such as: owner, location, classification or sensitivity, support expiration date, and recovery time requirements. The policies should also address the frequency required to update and validate the asset inventory.

500.14 Monitoring and training (amended title)

  • Email filtering – Emails must be filtered and monitored in order to to block malicious content.

  • Phishing – Cybersecurity awareness programs must include phishing training, exercises and simulations when appropriate.

  • EDR and SIEM – Class A companies must implement endpoint detection and response solution as well as centralized logging and security event alerting.

500.15 Protection of nonpublic information (amended title)

  • Encryption policy – An encryption policy is required that must meet industry standards.

  • Compensation controls – The possibility of using a compensation control has been removed for encryption in transit, however, it’s still an option for encryption at rest. The CISO must approve in writing, and it must be reviewed by the CISO at least annually.

500.16 Incident response plan

  • Incident plans – The incident plans must be written and contain proactive measures to mitigate disruptive events and ensure operational resilience, including but not limited to incident response, business continuity, and disaster recovery plans.

  • Incident Response Plan – The IR plan must now address ransomware incidents, recovering from backups and how the plan will be updated, as necessary.

  • Business Continuity and Disaster Recovery (BCDR) – This is an entirely new subsection and requirement in the proposed amended reg. This requirement is quite verbose, so we will save this for another blog post.

  • Plan dissemination, training and testing – The incident plans must be distributed to those who have responsibilities within the plans, there must be training for all relevant parties on the plans and their responsibilities. Lastly, IR and BCDR plans must be tested, as well as the ability to restore systems from backup.

  • Isolated backups – Covered entities must now have offline backups.

500.17 Notices to superintendent

  • Cybersecurity events – Notices of cybersecurity events must now be done electronically using the departments website. Two new events have been added to the list of reportable cybersecurity events: unauthorized access to a privileged account, or deployment of ransomware within a material part of the covered entity’s information system.

  • Compliance – Notice of compliance (certification) must be submitted electronically by April 15th. Compliance must be based on data and documentation sufficient to accurately determine and demonstrate such compliance.

  • Non-compliance – Notice of non-compliance (acknowledgement) must also be submitted by April 15th. It must include acknowledgement of non-compliance, the provisions that are not fully in compliance and the nature of non-compliance, and all areas, systems and processes that require material improvement, updating, or redesigning.

  • Sign off – The notice of compliance/non-compliance must be signed by the covered entities CEO and CISO or equivalent.

  • Maintenance of records – All documentation and data that supports the compliance/non-compliance notice must be preserved for the same 5 year period. In the case of non-compliance, thorough documentation must be maintained, and it must include remediation plans and a timeline of those plans.

  • Notice of extortion – Covered entities must now report when an extortion payment has been made in connection with a cybersecurity event. It must be reported electronically within 24 hours of the extortion payment. Within 30 days of the extortion payment a written description of the reasons, alternatives and all diligence performed must also be submitted.

Plan For Tomorrow, Today

There’s no doubt that even if a small portion of these amendments were to pass it would impose significant new requirements on covered entities cybersecurity programs. Regardless of what makes it to the final regulation, it pays to be prepared and plan ahead for what could potentially be a new requirement.

Categories
Compliance

NY DFS Cyber Regulation Proposed Amendments Target Ransomware Notification

NY DFS Cyber Regulation Amendments

On July 29th, 2022, The New York State Department of Financial Services (NY DFS) published pre-proposal amendments to their landmark Cybersecurity Regulation, 23 NYCRR 500. The “DFS Cyber reg” as it’s often referred to was a first-in-the-nation when it was published in 2017 and has since been a model that’s been used in countless other regulations. The proposed amendments are clearly designed to do the same, made evident by the fact that nearly every section has new or amended requirements.

In this blog post we’re going to describe one of the most significant proposed amendments to the reg. That is, the NEW requirements related to ransomware, extortion and the reporting of those cybersecurity events.

Notice of Ransomware Event

The proposed amendments to Section 500.17 would incorporate two new definitions of a cybersecurity event, one of which specifically addresses ransomware. Should any of the events described in this section occur, electronic notification to the superintendent, within 72 hours, is required.

  • 500.17 (a)(4) – cybersecurity events that resulted in the deployment of ransomware within a material part of the covered entity’s information system.

Under the current rule, reporting cases of ransomware would be required if: there is a required notice to a government body, self-regulatory agency or any other supervisory body or if there was a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.

Notice & Description of Extortion Payment

The proposed amendments to Section 500.17 would also incorporate a requirement to notify the superintendent of extortion payment, within 24 hours of the payment. A written description sent to the superintendent would also be required within 30 days. This written description would have to include:

  • A written description of the reasons payment was necessary

  • A description of alternatives to payment considered

  • All diligence performed to find alternatives to payment

  • All diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control

Plans are nothing Planning is Everything

There’s no doubt that if these amendments were to pass it would impose significant new requirements on covered entities cybersecurity event reporting policies and procedures. If your Incident Response plan does not specifically address the companies policies and procedures for responding to and reporting ransomware events, then it would be worthwhile to begin that process now. With the impact ransomware has had the last several years, there’s little doubt that some form of ransomware notification will make it to the final regulation. The time to prepare is now.

Categories
Compliance

What IT Managers Need To Know About GLBA Before December 2022

What to know about GLBA

Did you know that the new GLBA Safeguards Rule take effect in just 5 short months? That’s right. As of December 9th, 2022, financial institutions must implement additional Safeguards in order to protect customer data. In this article, we’re taking a look at what’s NEW and what that means for IT Managers.

Related Article: “New Technical Security Assessment Requirements For GLBA”

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. You can read the Act and specifically the Safeguards Rule in all it’s glory here: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314?toc=1. The website even has a neat way to show the differences between the old version and the new version. You can check that out here: https://www.ecfr.gov/compare/current/to/2021-12-31/title-16/chapter-I/subchapter-C/part-314/section-314.4

5 Modifications to the GLBA Safeguards Rule

On January 10th 2022 the Federal Trade Commission (FTC) issued a final rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule). The Final Rule contains five main modifications to the existing Rule, which are:

1. More information security requirements

The rule adds guidance (aka requirements) on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption.

2. Improve information security program accountability

It adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.

3. Exemptions from certain requirements

The following sections of the Rule do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers:

· Written risk assessment – [(b)(1)]

· Annual penetration test and semi-annual vulnerability assessment – [(d)(2)]

· Written incident response plan – [(h)]

· Annual report to your board – [(i)]

4. Expanded “financial institution” definition

It expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule.

5. Added definitions & examples

Finally, it defines several terms and provides related examples in the Rule itself rather than incorporates them from the Privacy of Consumer Financial Information Rule (“Privacy Rule”).

What this means for IT managers

Compliance with GLBA may be a NEW requirement for you

The latest amendments to the Safeguards Rule expands the definition of “financial institution”, therefore, entities such as mortgage brokers, payday lenders, auto dealers, collections agencies, real estate appraisers, professional tax preparers, and many others are now be covered by the law.

You have NEW information security requirements to COMPLY with

The amended Safeguards rule adds several new elements to Section 3.14.3 Standards for safeguarding customer information. These are the new requirements that are mentioned in item #1 above. These are very similar to what NY DFS has required within their Cyber Regulation. They are:

1. Oversight

The individual responsible for overseeing and implementing your information security program no longer needs to be an employee. This can be a 3rd party, so long as there is proper oversight and direction of this individual. Keep in mind responsibility for security still lies with your firm!

2. Risk Assessment

Your information security program now needs to be based on a written Risk Assessment. That Risk Assessment must identify internal and external risks to the security, confidentiality and integrity of customer information and assesses the sufficiency of any safeguards in place to control those risks. The Rule also states that organizations must

periodically perform risk assessments with documented criteria for assessing, prioritizing and treating risks.

3. Security Safeguards

Implementation of additional security controls (safeguards) are also now required. Those are:

o Access control reviews & least privilege access

o Inventory and classification of data and systems

o Encryption of customer information

o Secure development practices for in-house built software

o Multifactor authentication

o Secure disposal of customer information, 2 years after use for most cases!

o Change management

o Monitor and log user activity

4. Technical Assessments

Continuous monitoring or an annual penetration test along with a vulnerability assessment once every six months, or after significant changes to the environment.

5. Ensure people are trained & kept up-to-date

Security awareness training is now a requirement along with maintaining qualified information security professionals as well as keeping them trained and up-to-date on the latest threats.

6. Evaluate service Providers

You must now take steps to periodically assess your service providers based on the risk they present and the continued adequacy of their safeguards.

7. Have a written incident response plan

A written incident response plan (IRP) that’s designed to help you promptly respond to and recover from any security event, that could materially impact your organization or customer data, is also now a requirement. Elements of your IRP must include communications, roles and responsibilities, documentation of incidents and lessons learned.

8. Annual report to your board

The individual responsible for your security program must now report in writing at least annually to your board of directors or equivalent governing body. This report must describe the overall status of the security program including compliance to GLBA as well as identify any material risks and the recommended remediations for such risks.

When this takes effect

If you’re reading this before December of 2022, and you feel like you’re missing the mark on some of these. There’s good news! There is still time to implement these Safeguards, since these do not go into effect until December 9th, 2022.

Effective as of December 9th, 2022:

· Oversight of the security program from a qualified individual – [314.4(a)]

· Written risk assessment – [(b)(1)]

· Security Safeguards – [(c)(1) through (8)]

· Annual penetration test and semi-annual vulnerability assessment – [(d)(2)]

· Ensure people are kept up-to-date, including security awareness training and professional security training – [(e)]

· Periodic assessment of service providers – [(f)(3)]

· Written incident response plan – [(h)]

· Annual report to your board – [(i)]

What you should do now

If you’re not sure where you stand with these requirements and how they fit into your security program, that’s ok. Whether compliance with the new Safeguards Rule is new for you or not you likely already have some of these requirements already in place. Here’s a simple 3 step process you can use to evaluate where you stand with the amended Safeguards Rule.

1. Evaluate – Begin by reviewing each of the elements described in the Safeguards rule and evaluate whether or not your current security program meets the requirement.

2. Identify – Identify and document gaps, which are, places where your current processes do not meet the requirement.

3. Implement – Then develop a plan to implement those missing pieces over the next 5 months. Make sure you’re setting deadlines and tracking key milestones to make sure you stay on track. It’s not an easy task, but a doable one.

Our team of Cybersecurity professionals here at SecurIT360 conduct hundreds of Security and Gap Assessments every year and if at any point you’re unsure where you stand, you want help identifying those gaps, or are looking for advice on how to best implement these requirements, please reach out to us. We would be more than happy to help.

Categories
Compliance

UPDATED GLBA Safeguards Rule Implements NEW Technical Security Assessment Requirements

New Security Assessment Requirements for GLBA

Did you know that the new GLBA Safeguards Rule that takes effect in December 2022 includes new requirements for technical security assessments? If you’re a financial institution that must comply with GLBA, then this article is for you. We’re going to review what those technical security assessments are, what they mean for you, and how to best implement them into your security program. 

Related Article: “What IT Managers Need To Know About GLBA Before December 2022”

What is Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. You can read the Act and specifically the Safeguards Rule in all its glory here: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314?toc=1. The website even has a neat way to show the differences between the old version and the new version. You can check that out here: https://www.ecfr.gov/compare/current/to/2021-12-31/title-16/chapter-I/subchapter-C/part-314/section-314.4

GLBA Safeguards Rule Amendments

On January 10th, 2022 the Federal Trade Commission (FTC) issued a final rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule). The Final Rule contains five main modifications to the existing Rule. In this article, we’re going to take a look at a small subset of the first modification. The Penetration Testing and Vulnerability Assessments requirement.

NEW REQUIREMENT – Penetration Testing and Vulnerability Assessments

The first modification to the existing rule adds additional “guidance”, aka Safeguards or security control requirements. Most notably in the context of this discussion is the requirement to implement either continuous monitoring OR annual penetration testing and semi-annual vulnerability assessments. Most organizations are going to opt for the penetration test and vulnerability assessments, and that is what we’re going to be talking about from here on out.

Annual Penetration Testing

The new Rule states that you must have a penetration test performed once a year.

you shall conduct: (i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment;”

Unlike continuous monitoring, the Rule does include a definition for Penetration Testing. I’ve highlighted the important parts to pay attention to:

a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.

To be honest, that’s quite an interesting definition of a penetration test. It’s not how I would have written it, but nonetheless, that’s what we have to work with. Now let’s focus on the important parts.

According to the Rule, the penetration test must:

  1. Include attempts to circumvent (aka: evade, bypass, etc.) or defeat(aka: disable, impair etc.) security features

  2. Include attempts to penetrate, from inside or outside

Semi-annual Vulnerability Assessments

The new Rule also states that you must perform semi-annual vulnerability assessments.

you shall conduct: (ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program

Unlike penetration testing, the Rule does not include a definition for vulnerability assessment.

According to the Rule, the vulnerability assessment must:

  1. Be performed twice a year, OR after any material (aka: significant) change to the business, network or infrastructure

  2. Be able to identify publicly known security vulnerabilities

When this takes effect

If you have not performed a penetration test or vulnerability assessment yet this year, then, according to only the GLBA Safeguards Rule, you’re ok. The effective date for these assessments is not until December 9th, 2022, which is when the other requirements in the Safeguards Rule take effect.

What does this all mean?

The GLBA Safeguard Rule was constructed in such a way to instruct organizations on the difference between a vulnerability assessment and a penetration test. We’ve written about the differences before in this article, so we won’t go into detail here. However, put simply, a vulnerability assessment is meant to discover any and all vulnerabilities, and a penetration test is meant to discover and validate via “penetrating”(aka exploiting) those vulnerabilities in order to prove the effectiveness, severity, and impact of those vulnerabilities to the organization.

It is likely no surprise that our security recommendations would fall in line with the GLBA Safeguard Rules because annual penetration testing and regular vulnerability assessments are best practices. We recommend clients have an annual internal and external penetration test performed as well as regular vulnerability assessments. Some clients, who have the resources, even opt to perform these vulnerability assessments quarterly. This is something that our cybersecurity professionals assist clients with on a regular basis.

Not only are we seeing regulatory requirements modified to specifically address this, but cyber insurers are also looking for these assessments to be done regularly. As a matter of fact, for some insurers, it could be a determining factor for getting a cyber insurance policy or not.

What to do next?

Again, if you have not performed a penetration test or vulnerability assessment yet this year, then, according to only the GLBA Safeguards Rule, you’re ok. For now. However, in reality, your organization is likely subject to other regulations and/or requirements so there’s a good chance you may have already had or plan to have a penetration test and vulnerability assessment performed this year. That’s great!

If you’ve never had a penetration test or a vulnerability assessment before and the GLBA Safeguards Rule is all new to you, that’s ok too! Start planning those assessments now. Many firms that offer penetration testing services book several months, sometimes 6-8 months out. So, begin planning, budgeting and scheduling of those activities now. If you are planning a penetration test and you’re not sure what to expect, check out our blog post that talks about what to expect during your upcoming external penetration test.

Lastly, our Offensive Security Team here at SecurIT360 conducts hundreds of penetration tests every year and if at any point you’re unsure where you stand, you want help identifying those gaps, or are looking for advice on how to best implement these requirements, please reach out to us. We would be more than happy to help.