Remote Work is Here to Stay: How to Protect Your Business

Though it existed in some capacity before the COVID-19 pandemic, working from home (WFH) exploded overnight as an acute response to worldwide lockdowns that brought society all but to a halt. Three years later, the UN's World Health Organization and other agencies have declared an end to the pandemic and offices have long since reopened, yet the ability to work remotely or in a hybrid model has persisted as more than just a temporary trend. To add some perspective, here are some notable statistics gathered from various sources in this article by Forbes:

  • As of 2023, 12.7% of full-time employees work from home, while 28.2% work a hybrid model.
  • By 2025, 32.6 million Americans will work remotely.
  • 98% of workers want to work remotely at least some of the time.
  • 93% of employers plan to continue conducting job interviews remotely.
  • 16% of companies operate fully remote.

Considering this shifting work structure, it is clear that businesses today need to adapt, oftentimes in ways that previously haven’t even been considered. One major area of importance is the protection of company data and assets. Theoretically, since a remote employee could be working anywhere, on any network in the world, the list of variables this introduces from a security and privacy standpoint is endless. At first, this sounds discouraging. But the good news is that many steps can be taken to reduce or eliminate the risks and better protect your business.

1. Require (and Provide) Ongoing Training for Employees

People are overwhelmingly the #1 cause of security incidents or breaches. There are instances of employees with malicious and deliberate intent. But oftentimes it is a case of unintentional negligence or simply just a lack of knowledge or awareness. The best way to combat this is to educate employees on the risks and importance of security, best practices, and company policies. This shouldn’t be a one-and-done scenario either – ideally, it will become part of the company culture that everyone buys into.

2. Limit and Control Access to Systems and Data

It’s best to follow the zero-trust principle if your organization has employees working from home, whether full-time remote or hybrid. Following this principle ensures that employees are granted only the access and permissions needed to fulfill their job duties. This applies to files, applications, and more. Does an IT administrator need access to the company’s financial operations platform? Should Legal and HR documents be universally accessible in the file storage system? If the answer to questions like these seems obvious, that’s because it should be – but knowing this and enforcing this are not the same thing. Consider actions such as managing users and their group memberships through a directory service like Active Directory and utilizing a cloud-based file storage solution such as Google Drive or Dropbox, where access to each folder can be granted and reviewed per user or group.

3. Establish Policies and Procedures for Secure Network Access

The most surefire way to protect internet traffic and fortify remote access for employees is to mandate the use of a virtual private network (VPN). When used correctly, a VPN will protect against data interception by encrypting traffic, masking location data and online activity, and even monitoring for suspicious files and malware. This is especially important if employees are working on a public Wi-Fi network, such as at a coffee shop or airport. At home, other steps can be taken too, such as keeping the router’s firmware up to date, changing the default administrator and network passwords, enabling network encryption (WPA2 or WPA3), and disabling broadcasting of the network name (SSID).

4. Use a Mobile Device Management (MDM), Remote Monitoring and Management (RMM), or Similar Tool

Managing devices “in the wild” is much different from managing those on-site at a brick-and-mortar office building. Luckily, there is a plethora of MDM, RMM, and other tools available that can provide a solution for your business. While the acronyms and features vary between solutions, at the core is the ability to remotely administer and manage devices wherever they may be in the world. Some of the more common and prominent capabilities that can be leveraged include patch management, asset inventory, antivirus/malware protection, software restrictions, device encryption, remote wipe, and more.

As you can see, remote work doesn’t have to mean poor security. It can’t be denied that working from home does introduce new risks and challenges for businesses. Protecting yourself from cyber threats is an ongoing joint effort. By using these tips as a strong foundation to build upon, you can be confident knowing that the flexibility of remote work AND the security of company data and systems can coexist.

Getting Started with SOC 2

You may have heard of various compliance standards and frameworks, and you may have wondered why you need a certification, or which one is right for your organization. The driver could be that a prospect or customer inquired, or maybe your organization wants to assess and improve its practices. SOC2 Type II is a great place to start. The governing body, the AICPA (American Institute of Certified Public Accountants), does not specify any hard and fast requirements. At its core, this certification is helpful in demonstrating that your organization has implemented the necessary controls to keep data secure. However, it is not prescriptive. Each company must determine and implement suitable controls.

What does it mean to keep data secure? A company’s data must be protected from unauthorized access and use including deletion, misuse, alteration, and disclosure. Additionally, the company must prevent unauthorized use of its systems and assets. Vendors must be properly vetted. Changes must be authorized and managed while risks must be identified and mitigated to minimize potential disruption.

There is value in proving to your customers and partners that you will handle their data responsibly. If you’re ready to get started on the path to SOC2 certification, this article will give you an overview of what to expect.

If you’ve decided to pursue the SOC certification, it’s important to have a plan. You’ll need to determine which type of SOC report, which criteria, and whether to cover the whole company or a subset. SOC2 Type II is the most common report, but there are other types with slightly different objectives. Of the five Trust Services Criteria, Security is required, but you may also have a need for privacy, confidentiality, processing integrity, or availability. Depending on the type of business and your org structure, SOC2 may apply to a limited subset of systems or groups.

Achieving and maintaining certification requires a commitment. Identifying a team of stakeholders who can lead and advocate throughout the process will help ensure success. Participants will likely be members of the technology, infrastructure, security, human resources, and legal teams – as well as a project owner and executive sponsor(s).

You may also want to engage an experienced external consultant or partner who can guide your organization through the preparation and remediation phases. This partner is different from the auditor who will eventually perform the certification. Their unbiased insights can overcome any reservations the team may have about exposing and addressing any shortcomings.

Once the team is mobilized, it’s important to educate your employees on what to expect as they may notice some changes in their day-to-day tasks. While the initial preparation could take 3-6 months, the team will need to follow best practices on an ongoing basis. Two important next steps will be determining which controls to implement and documenting any existing policies and procedures. These actions will help identify any gaps that exist and new tools or processes that might be necessary.

From there, develop a plan to address any missing or deficient areas. Prior to your audit, conducting a readiness assessment is recommended. Your external partner can help so that you will have complete confidence that your audit will have a positive outcome.

Fortifying with Privileged Account Management

In today’s rapidly evolving digital landscape, privileged account management (PAM) has become a cornerstone of organizational cybersecurity. This powerful approach aims to safeguard privileged accounts that carry elevated permission levels and thus pose a greater risk if compromised. Privileged accounts range from administrative accounts and network equipment accounts to service accounts running background processes. Due to their extended capabilities, these accounts are prime targets for malicious entities. Thus, managing them effectively is of paramount importance.

PAM facilitates the centralization and secure handling of privileged accounts. It offers a structured approach to prevent unauthorized access, mitigate risks, and enhance compliance with regulatory standards. In the past, companies often overlooked the threat that privileged accounts posed. However, as the frequency and sophistication of cyber-attacks have increased, so has the understanding that uncontrolled privileged access is a significant security liability. A compromised privileged account can lead to a domino effect, resulting in substantial financial and reputational damage.

PAM revolves around several fundamental principles. These include the principle of least privilege, which recommends granting only the minimum necessary privileges to perform a given task. This approach reduces the potential damage if an account is compromised. Another crucial principle is just-in-time access, where privileged access is granted only when required and is promptly revoked once the task is complete. This method minimizes the window of opportunity for cybercriminals.

Successfully implementing a PAM strategy involves several key steps. The first is conducting an inventory of all privileged accounts; there may be more than expected. Every device, application, or service that needs privileged access for installation, maintenance, or administration should be accounted for. Next, an organization needs to establish a formal policy for privileged access. This policy should outline who can have privileged access, under what conditions, and for how long.

Thirdly, organizations should deploy a PAM solution to automate and streamline the processes related to privileged access. This system should facilitate password management, session recording, and real-time monitoring to promptly detect and respond to any suspicious activity. Lastly, periodic reviews should be conducted to ensure that the PAM strategy is up-to-date and aligned with the changing business environment and threat landscape.
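As an added illustration of the principles and steps above (a written policy for who may hold which privilege and for how long, just-in-time grants that expire or are revoked when the task is done, and an audit trail for monitoring and periodic review), here is a small just-in-time access broker. It is example code written for this page, not code from the original post or from any PAM product; the policy table, user directory and timestamps are constructed sample data.

```python
"""Minimal just-in-time (JIT) privileged access broker (illustrative example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed policy: which role may request which privilege, and the ceiling on
# how long a single grant may live. Anything not listed here is denied.
POLICY: Dict[str, Dict[str, timedelta]] = {
    "dba":      {"prod-db-admin": timedelta(hours=2)},
    "sysadmin": {"server-root": timedelta(hours=1), "prod-db-admin": timedelta(minutes=30)},
    "helpdesk": {"ad-password-reset": timedelta(minutes=15)},
}


@dataclass
class Grant:
    user: str
    privilege: str
    granted_at: datetime
    expires_at: datetime
    justification: str
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.expires_at


@dataclass
class Broker:
    roles: Dict[str, str]                      # user -> role (constructed directory)
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)  # one line per decision, for review

    def _log(self, now: datetime, event: str, user: str, privilege: str, detail: str = "") -> None:
        self.audit.append(f"{now.isoformat()} {event} user={user} privilege={privilege} {detail}".rstrip())

    def request(self, user: str, privilege: str, minutes: int, justification: str,
                now: datetime) -> Optional[Grant]:
        """Grant time-bound access if the policy allows it; every outcome is logged."""
        allowed = POLICY.get(self.roles.get(user, ""), {})
        if privilege not in allowed:
            self._log(now, "DENY", user, privilege, "reason=not-in-policy")
            return None
        if not justification.strip():
            self._log(now, "DENY", user, privilege, "reason=no-justification")
            return None
        if any(g.user == user and g.privilege == privilege and g.active(now) for g in self.grants):
            self._log(now, "DENY", user, privilege, "reason=already-active")
            return None
        # Clamp, never extend: the requested window may not exceed the policy ceiling.
        ttl = min(timedelta(minutes=minutes), allowed[privilege])
        grant = Grant(user, privilege, now, now + ttl, justification)
        self.grants.append(grant)
        self._log(now, "GRANT", user, privilege, f"expires={grant.expires_at.isoformat()}")
        return grant

    def revoke(self, user: str, privilege: str, now: datetime) -> bool:
        """Early revocation once the task is complete."""
        for g in self.grants:
            if g.user == user and g.privilege == privilege and g.active(now):
                g.revoked_at = now
                self._log(now, "REVOKE", user, privilege, "reason=task-complete")
                return True
        return False

    def sweep(self, now: datetime) -> int:
        """Periodic job: close out grants whose window has elapsed. Returns the count."""
        expired = 0
        for g in self.grants:
            if g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = g.expires_at
                self._log(now, "EXPIRE", g.user, g.privilege)
                expired += 1
        return expired

    def active_privileges(self, user: str, now: datetime) -> List[str]:
        return sorted(g.privilege for g in self.grants if g.user == user and g.active(now))


def demo() -> dict:
    """Walk through one day of requests; returns the observations for checking."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    b = Broker(roles={"alice": "dba", "bob": "helpdesk"})  # constructed directory
    denied = b.request("bob", "prod-db-admin", 30, "curious", t0)           # not in policy
    g = b.request("alice", "prod-db-admin", 240, "INC-4411 failover", t0)   # clamped to 2h
    during = b.active_privileges("alice", t0 + timedelta(hours=1))
    expired = b.sweep(t0 + timedelta(hours=3))                              # alice's grant lapses
    after = b.active_privileges("alice", t0 + timedelta(hours=3))
    b.request("bob", "ad-password-reset", 10, "HD-77", t0 + timedelta(hours=3))
    revoked = b.revoke("bob", "ad-password-reset", t0 + timedelta(hours=3, minutes=5))
    return {
        "denied": denied is None,
        "clamped_hours": (g.expires_at - g.granted_at) / timedelta(hours=1),
        "during": during,
        "expired": expired,
        "after": after,
        "revoked": revoked,
        "events": [line.split()[1] for line in b.audit],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```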

With advancements in machine learning and artificial intelligence, PAM is set to become even more refined. Future systems will be able to predict and prevent breaches by recognizing patterns in user behavior and adapting security measures accordingly. Despite the promising future, it’s crucial to remember that PAM is not a silver bullet solution. It is a significant component of a multi-layered security strategy, supplementing measures like firewalls, intrusion detection systems, and antivirus software.

In conclusion, privileged account management is an essential part of the cybersecurity toolkit. Given the potential damage that compromised privileged accounts can cause, businesses can’t afford to overlook this critical security aspect. By implementing a robust PAM strategy, organizations can not only fortify their security posture, but also instill a culture of cybersecurity awareness and responsibility.

What Does HIPAA Compliance Mean?

In the data privacy landscape, few terms carry as much weight or notoriety as “HIPAA Compliance.” However, for those outside of the healthcare sector or new to its data protection standards, the concept might seem opaque and intimidating. This post aims to demystify HIPAA Compliance, explaining what it is, what attaining it means, and its significance in the healthcare industry.

Firstly, let’s begin with the basics. HIPAA stands for the Health Insurance Portability and Accountability Act, enacted by the U.S. Congress in 1996. The primary objective of this legislation was to ensure that employees who lose or switch jobs would not have their health insurance coverage affected, and it also set standards to safeguard the privacy and security of patients’ health information, especially as it pertains to electronic data communications and interchange. HIPAA Compliance, therefore, refers to adherence to the regulations established under this Act. Any organization that deals with Protected Health Information (PHI), which includes details about an individual’s physical or mental health, provision of healthcare, or payment for healthcare, must be compliant with HIPAA standards or face an array of penalties. These organizations are broadly divided into two categories: Covered Entities (CEs) and Business Associates (BAs). CEs include healthcare providers, health plans, and healthcare clearinghouses, while BAs are entities that perform certain functions or activities on behalf of, or provide specific services to, a CE that involve the use or disclosure of PHI.

To be HIPAA-compliant means an organization must meet several requirements stipulated over a number of rules and related acts. Let’s explore some of the key ones:

  • Privacy Rule – The Privacy Rule requires the protection of all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or oral. This rule gives the patient rights over their health information, such as rights to examine and obtain a copy of their health records or to request corrections. Additionally, the rule provides guidance over when PHI may be disclosed and requires safeguards to be implemented to protect PHI such as designating a privacy officer and conducting user training.
  • Security Rule – The Security Rule specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI). These safeguards are designed to be flexible and scalable, allowing a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to consumers’ e-PHI. Of these safeguards, some are labeled as mandatory for direct implementation, and others are considered addressable where they may be adopted by alternate measures where appropriate.
  • Breach Notification Rule – This rule requires covered entities and business associates to provide notification to affected individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media following a breach of unsecured PHI. These notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach to affected individuals, and this notification should be concurrently extended to the HHS if the breach involves over 500 individuals, along with the media if 500 or more residents of a specific state are involved.
  • Enforcement Rule – The Enforcement Rule contains provisions relating to HHS’ enforcement of the HIPAA Rules, and includes procedures for investigations, determination of violations, hearing rights, and the imposition of civil money penalties for violations of the HIPAA Rules. These penalties can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.
  • HITECH Act – Although not technically a “HIPAA” rule, the HITECH Act is closely aligned with HIPAA and enhances it. The HITECH Act widens the scope of privacy and security protections available under HIPAA, and it increases the potential legal liability for non-compliance and provides for more enforcement.
  • Omnibus Rule – Enacted in 2013, the Omnibus Rule is a set of final regulations modifying HIPAA in accordance with guidelines set in 2009 by the HITECH Act. It holds business associates to the same standards for protecting PHI as covered entities. It also expands patients’ rights, including the right to receive electronic copies of health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.

To maintain compliance, an organization needs to maintain awareness of and compliance with these rules diligently. But the question of how exactly to comply can be complex, and finding a place to start is often challenging. Below are some critical areas that an organization should consider first as a starting point to ensure HIPAA compliance:

  • Risk Analysis and Management – Conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI. This process should be systematic and ongoing, periodically reassessed to address changes in the organization’s practices or advancements in technology.
  • Policies and Procedures – Develop and implement HIPAA compliant policies and procedures. This includes guidelines on handling, accessing, and disclosing PHI. Policies should cover areas like the use and disclosure of PHI, rights of individuals, administrative responsibilities, and breach notification processes.
  • Training and Awareness – All workforce members, including employees, volunteers, and trainees, should be trained and aware of the HIPAA Rules and the organization’s policies and procedures. Additionally, a major goal is to foster a culture of compliance where employees understand the importance of protecting PHI and feel comfortable reporting potential issues without fear of retaliation.
  • Regular Audits – Audits are essential to ensure that the organization is adhering to its policies and the HIPAA rules. These audits can help identify any gaps or areas of non-compliance and provide an opportunity to address these issues proactively. Regular audits can also serve as a way to monitor the effectiveness of the organization’s training and awareness programs.
  • Incident Response – Even with thorough precautions taken, breaches can still occur. Hence, it is essential to have a robust incident response plan in place. This plan should outline the steps to be taken in the event of a breach, including identifying and containing the breach, assessing the impact, notifying the affected individuals and authorities, and taking steps to prevent future breaches. The plan should be reviewed and tested regularly to ensure its effectiveness.

Although the path to full HIPAA compliance can seem like an imposing process in terms of time and resources, it’s important to remember that the effort fulfills more than just meeting a regulatory requirement – it’s also about building trust with patients and clients. When an organization maintains compliance with exacting standards like HIPAA, it sends a message that it values and protects patients’ privacy and personal information. This trust can translate into stronger relationships with patients, improved reputation, and ultimately, better business outcomes.

Could you use additional guidance or steps to attain HIPAA Compliance? The analysts at CyberData Pros have extensive experience guiding organizations through the intricacies of HIPAA Compliance, including conducting comprehensive risk analyses, auditing compliance status, training and more. Contact us today for a free consultation and to learn more about our services.

How AI is Helping and Hurting Cybersecurity

AI is transforming the arena of cybersecurity by providing new tools and techniques for identifying and mitigating threats. AI uses machine learning and deep learning techniques to analyze network behavior and identify deviations or security incidents from the norm. This allows for immediate response and enhances future security measures by blocking potential threats with similar traits. AI’s constant learning process also makes it challenging for hackers to outsmart its intelligence. Machine learning and AI algorithms can detect patterns and anomalies in data that may indicate a cyber-attack. Employing AI-based security solutions alone is not enough though. Cybersecurity teams must carefully evaluate potential limitations within these solutions, such as the risk of false positives or negatives, and account for these issues in their approach.

Moreover, with the increasing deployment of AI in cybersecurity, there is a concern about the potential misuse of AI by attackers. Adversarial attacks, where attackers attempt to fool AI algorithms by feeding them misleading data, can be difficult to detect and mitigate. Therefore, it is essential to ensure that AI is designed to be robust against adversarial attacks. As AI in cybersecurity continues to advance, organizations need to implement AI-based security measures while also considering the complexities and risks associated with their deployment. By doing so, they can enhance their security posture, stay ahead of cyber threats, and analyze massive amounts of data far more quickly and accurately than human analysts. This enables security teams to respond to threats more quickly and proactively.

However, AI can also be used by cybercriminals to launch more sophisticated and targeted attacks. Malware can be designed to evade traditional security measures by leveraging machine learning algorithms to learn and adapt to new defenses. Bots are one of the growing threats in cybersecurity, used for malicious activities like spreading malware and stealing data from companies and businesses. AI can recognize and block bots by identifying their patterns, creating more secure captchas, and deploying honeypots to trap them.

So, while AI can enhance cybersecurity, it also raises new challenges and risks that must be managed. Organizations need to stay up-to-date on the latest AI-powered threats and aim to implement multilayered security strategies that incorporate AI alongside other security measures. It is important to recognize that AI is not a cure-all by any means and should be used in combination with other security measures such as regular security audits, employee training, and maintaining up-to-date software and hardware. Furthermore, AI technology is not immune to vulnerabilities and can be targeted by cybercriminals. Therefore, it is crucial to have contingency plans in place to mitigate the risks associated with AI-based cybersecurity measures.

Overall, organizations should embrace AI in cybersecurity as a valuable tool but also approach its deployment with caution to ensure the protection of data and networks. The key is to strike a balance between leveraging the benefits of AI while also managing the risks associated with its implementation.

2023 State Data Privacy Laws Series: UCPA

The Utah Consumer Privacy Act is the final state data privacy law coming into effect this year. It will become effective at the tail end of the year, on December 31st, 2023, and enforcement will begin on the same day. However, one of the unique features of UCPA as it stands now is that the Utah Attorney General and the Division of Consumer Protection will be required to submit a report evaluating the effectiveness of the statute by July 1st, 2025. Amendments derived from that report should be expected, augmenting the effectiveness of the current statute. UCPA is one of the more unique state data privacy laws and is considered the most business-friendly to come into effect this year. It is heavily modeled after VCDPA, but with more scope and more leniency towards violations.

The Utah law extends consumer privacy rights similar to those found in VCDPA and the other laws modeled from it. However, unlike VCDPA and CPA, UCPA does not afford consumers the right to rectify their personal data, nor does it allow consumers to opt out of data profiling. Notably, UCPA does not provide consumers a right to request a data controller to delete all personal data collected on a consumer. The data controller is only obligated to delete personal data the consumer has provided the data controller.

Another way in which UCPA differs from VCDPA and CPA is that data controllers or processors are not required to establish an appeal process if they deny requests to exercise consumer rights. However, similarly to VCDPA and CPA, businesses must respond to these data privacy rights requests free of charge to the consumer, but have protections against requests that are “excessive, repetitive, technically infeasible, or manifestly unfounded.” Another area where UCPA separates itself from VCDPA and CPA is that not only does it exclude deidentified data and publicly available information from its definition of personal data, but it also excludes aggregated data.

One of the parts of UCPA that separates it from its peer consumer privacy laws is the multi-layered enforcement approach. UCPA gives the Utah Attorney General exclusive enforcement authority; however, that is not the first stage of enforcement. The Division of Consumer Protection is obligated to create a “system to receive consumer complaints.” If, after investigating consumer complaints, they believe there is “reasonable cause to believe that substantial evidence (of a violation) exists,” the director of the Division of Consumer Protection may submit a referral to the Utah Attorney General. The attorney general may then decide to take action by notifying the offending party. The offending party then has 30 days to cure the violation or be subject to fines of up to $7,500 per violation.

With the level of leniency provided in this first iteration of UCPA, there are real questions about how effective the enforcement arm of the law will be and whether it will provide sufficient motivation to businesses subject to the law. Activity out of the Division of Consumer Protection and the Office of the Utah Attorney General will certainly be something to compare against the California Privacy Protection Agency and the Colorado and Virginia Attorneys General.

Outsourcing HIPAA Compliance

If your organization deals with any sort of healthcare-related data, chances are that you have heard of HIPAA at some point, and for good reason. HIPAA is a cornerstone US law that governs the protection and privacy of health information, and non-compliance can entail notoriously eye-watering penalties, enough to warrant close attention. One catch with HIPAA compliance, however, is that the standards for compliance aren’t necessarily as cut-and-dried as those of other compliance frameworks, being based more on the reasonableness and appropriateness of measures rather than their existence or lack thereof. This makes HIPAA compliance a strong option to outsource, for a number of reasons we’ll run through shortly.

Before we dive too deep into HIPAA’s minutiae, let’s quickly refresh ourselves on what constitutes HIPAA. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a law in the US that aims to protect the health information of individuals (hereafter PHI, or Protected Health Information) when said information is used by organizations. In terms of protection, HIPAA generally looks to ensure that appropriate security measures are in place to avoid unintended disclosures, appropriate privacy considerations are in place to define what a fair disclosure is by patient standards, and appropriate planning and notification structures are in place to ensure a timely and effective response if privacy or security standards do get breached.

As to why HIPAA is so critical to pay attention to, there are two major reasons. One is that non-compliance comes with a heavy price – this can range from civil penalties like suspension of processing activities, corrective action plan mandates, or per-record-violation fines of up to $50,000, all the way to criminal penalties leading to separate, higher fines or even prison time. This makes HIPAA compliance a serious concern for finances, reputation, and legal liability. The second major aspect to pay attention to is how broad the scope is of who is considered a processor (or in HIPAA’s terminology, a “covered entity”) under HIPAA: healthcare providers, plan-handlers, clearinghouses, and, as of the 2013 Omnibus Rule, any subcontractors of the aforementioned parties. This can make applicability more common than many organizations would think, so if healthcare data is touched at all, caution is advised.

Given the nature and criticality of HIPAA compliance, it’s clear that in almost every case where it applies, the process of attaining compliance is worthy of investment and high prioritization. And while a good option in this case would be hiring, training, and tasking internal staff/resources toward HIPAA compliance specialization, oftentimes companies find outsourcing these compliance checks to be a more cost-effective solution. This trend is due to a number of factors, such as:

  • Specialization – Full HIPAA compliance can be complex to identify and implement, thus making staff training a slower and more error-prone process than hiring a company that specializes in said compliance implementations. Additionally, compliance firms generally hold a keener awareness of other relevant compliance requirements that may be special to your organization.
  • Objectivity – It can be tough for internal staff to fully gauge the reasonableness and appropriateness of HIPAA controls when only viewing their company’s environment in isolation, be it for lack of extra-organizational context for determining effectiveness or a reluctance to report major issues to management. A compliance firm can view your company in the context of the many others that have aimed for the same controls, making better-fitted decisions, and, because it is in their business interest, compliance firms are known to be straightforward and detailed in reporting.
  • Cost – When pushing toward a new compliance effort many companies underestimate the cost involved with getting internal resources ready to handle the process – between additional training, labor-hour requirements, compliance software, and the inherent risk cost for expensive HIPAA errors, the price for internal compliance checks can add up fast. An external compliance firm, on the other hand, comes with all the training, software, and experience required, and will only need to be staffed for whatever hours are required for your audit interval. For many companies, this only amounts to a handful of hours a year, making outsourcing relatively cheap in contrast to internal training in many instances.

Altogether it’s fair to say that if there’s a chance HIPAA applies to your company then there’s a guarantee that you want to get it right. And if you’re looking to ensure a quick, efficacious, and cost-effective compliance process then outsourcing HIPAA compliance is an option worth due consideration.

Looking for an expert in HIPAA compliance to outsource to? Or could you use some assistance directing and refining an existing team? Either way, CyberData Pros’ analysts have audited systems, remediated errors, and trained staff for HIPAA compliance many times over. Contact us now for a free consultation and to learn more about our services.

What is A Compliance Calendar and Why You Need One

In today’s digital age, cybersecurity is more important than ever before! With the growing number of cyber threats, it’s important to stay on top of your security measures to protect the personal information and sensitive data within your company. There are multiple ways to ensure that you are keeping up with your security and properly protecting sensitive information from cyber attacks, such as keeping up to date with quarterly vulnerability scans, annual penetration tests, risk assessments, internal security audits and more. One challenge that comes with implementing all of these services, however, is that they all require some form of time and scheduling. This scheduling element can sometimes present an obstacle for a business getting started, so in this blog we will be discussing some of the more important projects for cybersecurity and explore how your schedule may look once we begin.

Having a cybersecurity expert on your team will likely change your schedule in a few ways!

Depending on the scope of the services your business requires, your calendar may include regular meetings with the analyst to discuss ongoing security issues, project deadlines for implementing new security measures or updates, and occasional emergency meetings to respond to security incidents. For example, if your business would like to implement vulnerability scans as a service, there are multiple factors to consider for scheduling. Meetings with the analyst will be needed with some regularity, with the frequency depending on the scope of the vulnerability assessment. After those meetings comes performing the scans themselves – typically, vulnerability scans should be conducted every quarter, so you’ll need to schedule that block of time accordingly. Finally, vulnerability scans can help identify potential security weaknesses or gaps. These weaknesses may include weak passwords, outdated software, and any other issues that an attacker could easily exploit. These scan findings are important to address, so post-scan it’s best to leave some time available for the analyst to discuss the risks and remediation options.

Another service that should be added to your calendar is an ISO 27001 preparation and certification process. The frequency of these meetings can depend on a variety of factors, including your specific needs and goals. To achieve and maintain an ISO certification, your business may need to have regular meetings scheduled to implement and review security policies and procedures, including items like a business continuity plan, disaster recovery plan, and incident response plan. Additionally, a large part of the ISO process is the internal security audit, which typically requires walkthroughs with various business stakeholders – these can be tricky to coordinate and find time for depending on what other projects are going on, which makes them important considerations for the ISO schedule. Past that, when it comes to maintaining an ISO certification, your business needs to hold quarterly information risk council (IRC) meetings. IRC meetings help ensure that your business is following best practices and that your risk management strategies are up to date, and auditors often expect this council to be the party that reviews and ultimately approves policies, so these routine meetings are critical items to coordinate and account for. The ISO process can sound like a lot on paper, but with attentive scheduling and prioritization it can often be accomplished fairly smoothly.

Overall, your calendar may become more structured and planned out as you work with a cybersecurity analyst to implement and maintain your security measures. It’s important to prioritize cybersecurity and set aside enough time and resources to ensure your systems and data are properly protected. All in all, there are several reasons why a business should maintain cybersecurity services. A business stores a lot of sensitive data such as financial information, customer data, employee records, and confidential business plans. A successful cyberattack can interrupt business operations and, most importantly, cause loss of revenue. Therefore, by establishing and maintaining cybersecurity services on your calendar, you will help protect your business from cyber threats, maintain compliance, and build trust with customers.

To find out how to set up a compliance calendar and for a free consultation, please contact us. We assist hundreds of clients with their compliance calendar and perform other data privacy and cybersecurity services.


How to Prepare for CMMC 2.0

In 2020 the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) to enforce the protection of sensitive unclassified information that’s shared with DoD contractors and subcontractors. However, in 2021 DoD reviewed the CMMC framework and overhauled it after input from industry leaders. After completing the overhaul, CMMC 2.0 was announced and is the current version of CMMC that will apply to all contractors and subcontractors of the Defense Industrial Base (DIB) that handle sensitive unclassified information in their work for the DoD once the rulemaking phase is complete.

When people talk about CMMC, they’re usually referring to the Level 2 certification that requires an assessment by a Certified Third Party Assessment Organization (C3PAO). CMMC Level 2 is based on NIST SP 800-171, which encapsulates the basic security requirements of FAR 52.204-21 that make up Level 1 and provides its own security controls derived from those basic security requirements. CMMC Level 3 is based on NIST SP 800-172 but is out of scope for most organizations and is not a subject for discussion in this article. CMMC Level 2 has 110 practices that an organization must implement. While that can sound like a heavy lift, current DoD contractors may already be legally required to implement these practices even before CMMC. CMMC is an enforcement mechanism for security practices already required under federal law. Many DoD contracts already require the implementation of NIST SP 800-171 under DFARS 252.204-7012. CMMC attempts to verify that these practices are being implemented through third party assessments. If you are a DoD contractor with contracts subject to DFARS 7012, 7019, or 7020, you should be implementing these CMMC practices already. If you’re not already implementing the 110 practices outlined by NIST SP 800-171, the time to implement them isn’t when CMMC begins to show up in solicitations – it’s now, whether to prepare for the inevitable rollout of CMMC or to bring your organization in line with the commitments it’s made under DFARS 7012.

As you prepare for CMMC, it is important to determine what Level certification you will likely require and what information is in scope of CMMC. CMMC Level 1 revolves around Federal Contract Information (FCI), while CMMC Level 2 revolves around Controlled Unclassified Information (CUI). The Defense Counterintelligence and Security Agency (DCSA) has a good FAQ discussing FCI and CUI and how they differ from one another. In short, FCI is “information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.” And CUI is unclassified information that may still require “safeguarding and may also be subject to dissemination controls.” Once you’ve determined what information you currently process and what information you’re likely to process in future contracts, you can prepare for the correct level of CMMC. To begin, you’ll want to map what information is within the scope of CUI and FCI and where within your organization that information is stored and processed. CMMC does not require that all controls apply to the entire organization, just the enclave in which CUI and FCI are stored or processed. For smaller organizations this distinction is likely irrelevant, as the difference between implementing the appropriate CMMC practices across the entire organization and across only the in-scope subset will be negligible, but for larger organizations making sure the in-scope information is only found within the necessary enclave can significantly reduce the burden of CMMC.

Once you’ve assessed where CUI and FCI are stored or processed and potentially contained within an enclave in your organization, you should begin a gap assessment to determine what controls to implement in order to satisfy the appropriate practices for your organization’s Level of CMMC. Level 1 maps to FAR 52.204-21, while Level 2 maps to NIST SP 800-171 rev 2. Both are publicly available, but DoD has provided a CMMC Assessment Guide for each Level. Each CMMC Assessment Guide gives additional discussion and considerations that are useful when evaluating your current controls and when implementing new controls to meet the required CMMC practices. If you are a contractor currently subject to DFARS 7019, you are required to conduct self-assessments against NIST SP 800-171 and submit your score to the Supplier Performance Risk System (SPRS). In this case, you may not need to conduct an additional gap assessment, as you should already understand where your organization’s shortcomings are if you’ve taken these statutory and contractual requirements seriously.

When conducting an SPRS self-assessment, you start with a score of 110 and can go down to -203 as you subtract points for missing or insufficient controls. Each practice is worth either 1, 3, or 5 points, and there is no partial credit except for two of the 5-point practices. While we are still in the final rulemaking phase of CMMC 2.0, and some minor details could change, it’s important to note that it’s currently being discussed that to receive your CMMC certification, you’ll need to have met 80% of the practices and have met all of the 5-point SPRS practices. If you fail to meet 80% of those practices along with all the 5-point SPRS practices for your CMMC Level, you will not be able to achieve your certification even with the appropriate POAMs (Plans of Action and Milestones). Once you have completed a gap or self-assessment, you should begin working on completing the System Security Plan (SSP) and a Plan of Action and Milestones. Having those documents prepared and continuously updating them as you implement more controls to meet the practices required by the Level of certification you want or need to achieve will ensure your organization is not scrambling when CMMC requirements begin to appear in DoD contracts after the final rulemaking phase has ended.
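The scoring and gating rules described in this paragraph, as an added Python example (not the page's or CyberData Pros' own tooling); the two partial-credit practice numbers and the sample weights are assumptions, labelled in the code:

```python
"""Added example (not CyberData Pros' code): SPRS-style scoring for a CMMC
Level 2 self-assessment per the rules above (start at 110, deduct 1/3/5 per
unmet practice, floor -203, partial credit for two 5-point practices) plus
the discussed gate: 80% of practices met and every 5-point practice met.
Assumption: the partial-credit practices are 3.5.3 (MFA) and 3.13.11
(FIPS-validated crypto), keeping 3 of 5 points, per the DoD methodology."""
from dataclasses import dataclass

TOTAL_PRACTICES = 110
MAX_SCORE, MIN_SCORE = 110, -203
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # points kept when partial (assumed)
MET_FRACTION_REQUIRED = 0.80

@dataclass(frozen=True)
class Finding:
    """A practice that is not fully met; fully met practices are not listed."""
    ident: str             # NIST SP 800-171 practice number, e.g. "3.1.1"
    weight: int            # 1, 3 or 5 points under the DoD methodology
    partial: bool = False  # only valid for the two partial-credit practices

def sprs_score(findings):
    """Return the SPRS score: 110 minus the deduction for each finding."""
    score = MAX_SCORE
    for f in findings:
        if f.weight not in (1, 3, 5):
            raise ValueError(f"{f.ident}: weight must be 1, 3 or 5")
        if f.partial and f.ident not in PARTIAL_CREDIT:
            raise ValueError(f"{f.ident}: no partial credit for this practice")
        score -= (f.weight - PARTIAL_CREDIT[f.ident]) if f.partial else f.weight
    return max(score, MIN_SCORE)

def certification_ready(findings):
    """Gate described above: at least 80% of the 110 practices fully met and no
    5-point practice outstanding (partial counts as outstanding: assumption)."""
    fully_met = TOTAL_PRACTICES - len(findings)
    if fully_met / TOTAL_PRACTICES < MET_FRACTION_REQUIRED:
        return False
    return not any(f.weight == 5 for f in findings)

# Constructed sample: real SP 800-171 practice numbers, but the weights and
# statuses are made up; take weights from the DoD methodology for a real run.
SAMPLE = [
    Finding("3.5.3", 5, partial=True),  # MFA for remote users only: keeps 3 points
    Finding("3.4.2", 5),
    Finding("3.12.3", 1),
    Finding("3.1.12", 3),
]
```

With the constructed sample, `sprs_score(SAMPLE)` returns 99 and `certification_ready(SAMPLE)` is False, because a 5-point practice remains open even though more than 80% of practices are met.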

Curious if CMMC is the right path for your business? Or could you use some assistance preparing for your CMMC Certification? Either way, CyberData Pros provides you with the guidance to prepare and achieve certification. We maintain a 100% audit success rate! Contact us now for a free consultation and to learn more about our services.


2023 Data Privacy State Laws Series: CTDPA

The next data privacy law coming into effect this year will be the Connecticut Data Privacy Act (CTDPA). The CTDPA comes into effect on July 1st, 2023, with enforcement beginning on the same day. Like the remaining data privacy laws that we’ll discuss, CTDPA was largely modeled after the Virginia Consumer Data Protection Act (VCDPA) with influences from the California Privacy Rights Act (CPRA). Note that the cure provision that allows organizations the opportunity to cure a violation before the Attorney General takes action will end on December 31st, 2024.

The guiding influence of VCDPA on the creation of CTDPA is apparent when you look at the privacy rights protected by CTDPA. CTDPA protects a consumer’s right to access, right to data portability, right to delete, right of rectification, right to opt out of sale, right to opt out of profiling, and the right to opt out of targeted advertising. However, unlike CPRA, CTDPA does not protect the right to opt out of automated decision-making. This means that if you do not opt out of profiling, an organization can make choices based on that profile without human input. An area where CTDPA has superior consumer privacy protections over CPRA is the processing of sensitive personal data. CTDPA requires opt-in consent before data processors may process a consumer’s sensitive personal data, whereas CPRA only allows consumers to opt out. Sensitive personal data for CTDPA is defined as “personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.”

Much like CPRA and VCDPA, CTDPA will require data protection assessments under certain circumstances. Fortunately, CTDPA states that if a data controller conducts a data protection assessment for the purpose of complying with a similar regulation, that assessment will satisfy the CTDPA requirements as long as it is similar in scope and effect. Therefore, conducting a thorough data protection assessment is critical, as it will eliminate the need for redundant assessments. Additionally, it would be advisable for any organization subject to CTDPA to conduct a privacy impact assessment (PIA). A PIA assesses how an organization handles personal data and will indicate whether or not the organization will be in compliance with new state data privacy laws.
