Privacy

What a Hacker Thinks about Your Business

In today’s digitally driven world, businesses of all sizes rely heavily on technology to operate efficiently and reach their customers. While relying on technology offers numerous benefits, it also exposes businesses to potential risks. One big risk is the threat posed by hackers. These individuals possess the skills and knowledge to exploit vulnerabilities in your business’s digital infrastructure. In this blog post, we will take a glimpse into the mind of a hacker and understand what they might think about your business.

Hackers are often driven by the potential value of the data they can obtain. Your business, regardless of its size, possesses valuable information such as customer data, financial records, and intellectual property. From a hacker’s perspective, this data represents a potential goldmine. They understand that this information can be sold on the dark web and potentially used for various malicious purposes. The buyers can then use this data for their own criminal gain.

In addition to this, hackers are always on the lookout for weaknesses in a business’s digital defenses. They analyze your systems, networks, and applications, searching for vulnerabilities that can be exploited. These vulnerabilities could include outdated software, weak passwords, or misconfigured security settings. Hackers appreciate businesses that lack a well-defined incident response plan. Without a plan in place, it becomes challenging to contain and mitigate the damage caused by a cyberattack. Hackers are more likely to target businesses that are unprepared, as it allows them to go undetected and maximize their impact.

Furthermore, hackers know that employees are often the weakest link in the security chain. They actively search for businesses that do not prioritize cybersecurity training. Without proper education on phishing attacks, social engineering, and other common tactics, your employees are more likely to fall for scams and unintentionally provide access to sensitive data. For example, if your employees are not practicing good password hygiene, your business is at risk. Hackers are very aware that many people use simple and easy-to-guess passwords like “123456” or “password.” Weak passwords are an open invitation to access sensitive information. This is the easiest point of entry, allowing them to gain unauthorized access to your sensitive data.

All in all, there are a few ways to effectively safeguard a business against hackers. One example is regular vulnerability assessments and yearly penetration testing. These two should be conducted to identify and address any weaknesses. Additionally, implementing strong access controls, such as two-factor authentication can help mitigate the risk of unauthorized access. Continuous employee training and awareness programs are crucial to fostering a security-conscious culture within the organization. Lastly, maintaining up-to-date software and immediately patching vulnerabilities are essential to prevent exploitation. By adopting a proactive and multi-faceted approach, businesses can significantly reduce the likelihood of successful hacking attempts and protect their valuable assets and sensitive data.

Understanding what a hacker thinks about your business sheds light on the importance of cybersecurity in today’s world. Hackers see businesses as potential targets for valuable data and are constantly searching for vulnerabilities to exploit. By adopting robust cybersecurity practices, staying informed about emerging threats, and educating employees, you can significantly reduce the risk of falling victim to a cyberattack. Protecting your business’s digital assets is not just a technological necessity; it is an essential component of safeguarding your reputation and maintaining the trust of your customers.

read more

Fortifying Your Organization with Privileged Account Management

In today’s rapidly evolving digital landscape, privileged account management (PAM) has become a cornerstone of organizational cybersecurity. This powerful approach aims to safeguard privileged accounts that carry elevated permission levels and thus pose a greater risk if compromised. A privileged account can range from administrative accounts, network equipment accounts, to service accounts running background processes. Due to their extended capabilities, these accounts are prime targets for malicious entities. Thus, managing them effectively is of paramount importance.

PAM facilitates the centralization and secure handling of privileged accounts. It offers a structured approach to prevent unauthorized access, mitigate risks, and enhance compliance with regulatory standards. In the past, companies often overlooked the threat that privileged accounts posed. However, as the frequency and sophistication of cyber-attacks have increased, so has the understanding that uncontrolled privileged access is a significant security liability. A compromised privileged account can lead to a domino effect, resulting in substantial financial and reputational damage.

PAM revolves around several fundamental principles. These include the least privileged principle, which recommends granting only the minimum necessary privileges to perform a given task. This approach reduces the potential damage if an account is compromised. Another crucial principle is just-in-time access, where privileged access is granted only when required and is promptly revoked once the task is complete. This method minimizes the window of opportunity for cybercriminals.

Successfully implementing a PAM strategy involves several key steps. The first is conducting an inventory of all privileged accounts, which may be more than expected. Every device, software, or service that needs privileged access for installation, maintenance, or administration should be accounted for. Next, an organization needs to establish a formal policy for privileged access. This policy should outline who can have privileged access, under what conditions, and for how long.

Thirdly, organizations should deploy a PAM solution to automate and streamline the processes related to privileged access. This system should facilitate password management, session recording, and real-time monitoring to promptly detect and respond to any suspicious activity. Lastly, periodic reviews should be conducted to ensure that the PAM strategy is up-to-date and aligned with the changing business environment and threat landscape.

With advancements in machine learning and artificial intelligence, PAM is set to become even more refined. Future systems will be able to predict and prevent breaches by recognizing patterns in user behavior and adapting security measures accordingly. Despite the promising future, it’s crucial to remember that PAM is not a silver bullet solution. It is a significant component of a multi-layered security strategy, supplementing measures like firewalls, intrusion detection systems, and antivirus software.

In conclusion, privileged account management is an essential part of the cybersecurity toolkit. Given the potential damage that compromised privileged accounts can cause, businesses can’t afford to overlook this critical security aspect. By implementing a robust PAM strategy, organizations can not only fortify their security posture, but also instill a culture of cybersecurity awareness and responsibility.

read more

What Does HIPAA Compliance Mean?

In the data privacy landscape, few terms carry as much weight or notoriety as “HIPAA Compliance.” However, for those outside of the healthcare sector or new to its data protection standards, the concept might seem opaque and intimidating. This post aims to demystify HIPAA Compliance, explaining what it is, what attaining it means, and its significance in the healthcare industry.

Firstly, let’s begin with the basics. HIPAA stands for the Health Insurance Portability and Accountability Act, enacted by the U.S. Congress in 1996. The primary objective of this legislation was to ensure that employees that may lose or switch jobs would not have their health insurance coverage affected for it, and so standards were set to safeguard the privacy and security of patients’ health information, especially as it pertains to electronic data communications and interchange. HIPAA Compliance, therefore, refers to the adherence to the regulations established under this Act. Any organization that deals with Protected Health Information (PHI), which includes details about an individual’s physical or mental health, provision of healthcare, or payment for healthcare, must be compliant with HIPAA standards or face an array of penalties. These organizations are broadly categorized into two terms: Covered Entities (CEs) and Business Associates (BAs). CEs include healthcare providers, health plans, and healthcare clearinghouses, while BAs are entities that perform certain functions or activities on behalf of, or provide specific services to, a CE that involve the use or disclosure of PHI.

To be HIPAA-compliant means an organization must meet several requirements stipulated over a number of rules and related acts. Let’s explore some of the key ones:

  • Privacy Rule – The Privacy Rule requires the protection of all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or oral. This rule gives the patient rights over their health information, such as rights to examine and obtain a copy of their health records or to request corrections. Additionally, the rule provides guidance over when PHI may be disclosed and requires safeguards to be implemented to protect PHI such as designating a privacy officer and conducting user training.
  • Security Rule – The Security Rule specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI). These safeguards are designed to be flexible and scalable, allowing a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to consumers’ e-PHI. Of these safeguards, some are labeled as mandatory for direct implementation, and others are considered addressable where they may be adopted by alternate measures where appropriate.
  • Breach Notification Rule – This rule requires covered entities and business associates to provide notification to affected individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media following a breach of unsecured PHI. These notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach to affected individuals, and this notification should be concurrently extended to the HHS if the breach involves over 500 individuals, along with the media if 500 or more residents of a specific state are involved.
  • Enforcement Rule – The Enforcement Rule contains provisions relating to HHS’ enforcement of the HIPAA Rules, and includes procedures for investigations, determination of violations, hearing rights, and the imposition of civil money penalties for violations of the HIPAA Rules. These penalties can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.
  • HITECH Act Although not technically a “HIPAA” rule, the HITECH Act is closely aligned with HIPAA and enhances it. The HITECH Act widens the scope of privacy and security protections available under HIPAA, and it increases the potential legal liability for non-compliance and provides for more enforcement.
  • Omnibus Rule – Enacted in 2013, the Omnibus Rule is a set of final regulations modifying HIPAA in accordance with guidelines set in 2009 by the HITECH Act. It holds business associates to the same standards for protecting PHI as covered entities. It also expands patients’ rights, including the right to receive electronic copies of health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.

To maintain compliance, an organization needs to maintain awareness of and compliance with these rules diligently. But the question of how exactly to comply can be complex, and finding a place to start is often challenging. Below are some critical areas that an organization should consider first as a starting point to ensure HIPAA compliance:

  • Risk Analysis and Management – Conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI. This process should be systematic and ongoing, periodically reassessed to address changes in the organization’s practices or advancements in technology.
  • Policies and Procedures – Develop and implement HIPAA compliant policies and procedures. This includes guidelines on handling, accessing, and disclosing PHI. Policies should cover areas like the use and disclosure of PHI, rights of individuals, administrative responsibilities, and breach notification processes.
  • Training and Awareness – All workforce members, including employees, volunteers, and trainees, should be trained and aware of the HIPAA Rules and the organization’s policies and procedures. Additionally, a major goal is to foster a culture of compliance where employees understand the importance of protecting PHI and feel comfortable reporting potential issues without fear of retaliation.
  • Regular Audits – Audits are essential to ensure that the organization is adhering to its policies and the HIPAA rules. These audits can help identify any gaps or areas of non-compliance and provide an opportunity to address these issues proactively. Regular audits can also serve as a way to monitor the effectiveness of the organization’s training and awareness programs.
  • Incident Response – Even with thorough precautions taken, breaches can still occur. Hence, it is essential to have a robust incident response plan in place. This plan should outline the steps to be taken in the event of a breach, including identifying and containing the breach, assessing the impact, notifying the affected individuals and authorities, and taking steps to prevent future breaches. The plan should be reviewed and tested regularly to ensure its effectiveness.

Although the path to full HIPAA compliance can seem like an imposing process in terms of time and resources, it’s important to remember that the effort fulfills more than just meeting a regulatory requirement – it’s also about building trust with patients and clients. When an organization maintains compliance with exacting standards like HIPAA, it sends a message that it values and protects patients’ privacy and personal information. This trust can translate into stronger relationships with patients, improved reputation, and ultimately, better business outcomes.

Could you use additional guidance or steps to attain HIPAA Compliance? The analysts at CyberData Pros have extensive experience guiding organizations through the intricacies of HIPAA Compliance, including conducting comprehensive risk analyzes, auditing compliance status, training and more. Contact us today for a free consultation and to learn more about our services. 

read more

How AI is Helping and Hurting Cybersecurity

AI is transforming the arena of cybersecurity by providing new tools and techniques for identifying and mitigating threats. AI uses machine learning and deep learning techniques to analyze network behavior and identify deviations or security incidents from the norm. This allows for immediate response and enhances future security measures by blocking potential threats with similar traits. AI’s constant learning process also makes it challenging for hackers to outsmart its intelligence. Machine learning and AI algorithms can detect patterns and anomalies in data that may indicate a cyber-attack. Employing AI-based security solutions alone is not enough though. Cybersecurity teams must carefully evaluate potential limitations within these solutions, such as the risk of false positives or negatives, and account for these issues in their approach.

Moreover, with the increasing deployment of AI in cybersecurity, there is a concern about the potential misuse of AI by attackers. Adversarial attacks, where attackers attempt to fool AI algorithms by feeding them misleading data, can be difficult to detect and mitigate. Therefore, it is essential to ensure that AI is designed to be robust against adversarial attacks.As AI in cybersecurity continues to advance, organizations need to implement AI-based security measures while also considering the complexities and risks associated with its deployment. By doing so, they can enhance their security posture, stay ahead of cyber threats and can analyze massive amounts of data far more quickly and accurately than human analysts. This enables security teams to respond to threats more quickly and proactively.

However, AI can also be used by cybercriminals to launch more sophisticated and targeted attacks. Malware can be designed to evade traditional security measures by leveraging machine learning algorithms to learn and adapt to new defenses. Bots are one of those growing threats in cybersecurity, used for malicious activities like for spreading malware and stealing data for companies and businesses. AI can recognize and block bots by identifying their patterns, creating more secure captchas, and deploying honeypots to trap them.

So, while AI can enhance cybersecurity, it also raises new challenges and risks that must be managed. Organizations need to stay up-to-date on the latest AI-powered threats and aim to implement multilayered security strategies that incorporate AI alongside other security measures. It is important to recognize that AI is not a cure all by any means and should be used in combination with other security measures such as regular security audits, employee training, and maintaining up-to-date software and hardware. Furthermore, AI technology is not immune to vulnerabilities and can be targeted by cybercriminals. Therefore, it is crucial to have contingency plans in place to mitigate the risks associated with AI-based cybersecurity measures.

Overall, organizations should embrace AI in cybersecurity as a valuable tool but also approach its deployment with caution to ensure the protection of data and networks. The key is to strike a balance between leveraging the benefits of AI while also managing the risks associated with its implementation.

read more

2023 State Data Privacy Laws Series: UCPA

The Utah Consumer Privacy Act is the final state data privacy law to be coming into effect this year. It will become effective at the tail end of the year on December 31st, 2023. Enforcement will begin on the same day. However, one of the unique features of UCPA as it stands now, is that the Utah Attorney General and the Division of Consumer Protection will be required to submit a report evaluating the effectiveness of the statute by July 1st, 2025.Amendments  should be expected to be derived from that report to augment the effectiveness of the current statute. UCPA is one of the more unique state data privacy laws and is considered to be the most business friendly to come into effect this year. It is heavily modeled after VCDPA, but with more scope and more leniency towards violations.

The Utah law extends consumer privacy rights similar to those found in VCDPA and the other laws modeled from it. However, unlike VCDPA and CPA, UCPA does not afford consumers the right to rectify their personal data, nor does it allow consumers to opt out of data profiling. Notably, UCPA does not provide consumers a right to request a data controller to delete all personal data collected on a consumer. The data controller is only obligated to delete personal data the consumer has provided the data controller.

Another way in which UCPA differs from VCDPA and CPA is that data controllers or processors  are not required to establish an appeal process if they deny requests to exercise consumer rights. However, similarly to VCDPA and CPA businesses must respond to these data privacy right requests free of charge to the consumer, but have protections against “excessive, repetitive, technically infeasible, or manifestly unfounded.” Another area where UCPA separates itself from VCDPA and CPA is that not only does it exclude deidentified data, and publicly available information from its definition of personal data, but it also excludes aggregated data as well.

One of the parts of UCPA that separates it from its peer consumer privacy laws is the multi-layered enforcement approach. UCPA gives the Utah Attorney General exclusive enforcement authority, however that is not the first stage of enforcement. The Division of Consumer Protection is obligated to create a “system to receive consumer complaints.” If after investigating consumer complaints they believe there is “reasonable cause to believe that substantial evidence (of a violation) exists,” the director of the Division of Consumer Protection may submit a referral to the Utah Attorney General. The attorney general may then decide to take action, by notifying the offending party. The offending party then has 30 days to cure the violation or be subject to fines up to $7,500 per violation.

With the level of leniency provided in this first iteration of UCPA there are real questions about how effective the enforcement arm of law will be and whether it will provide sufficient motivation to businesses subject to the law. Activity out of the Division of Consumer Protection and the Office of the Utah Attorney General will certainly be something to compare against the California Privacy Protection Agency and the Colorado and Virginia Attorneys General.

read more

Outsourcing HIPAA Compliance

If your organization deals with any sort of healthcare-related data, chances are that you have heard of HIPAA at some point, and for good reason. HIPAA is a cornerstone US law that governs the protection and privacy of health information, and non-compliance can entail notoriously eye-watering penalties enough to warrant close attention. One catch with HIPAA compliance, however, is that the standards for compliance aren’t necessarily as cut-and-dry as other compliance frameworks, based more on the reasonability and appropriateness of measures rather than their existence or lack-thereof. This goes to make HIPAA compliance a strong option to outsource, for a number of reasons we’ll run through shortly.

Before we dive too deep into HIPAA’s minutiae, let’s quickly refresh ourselves on what constitutes HIPAA. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a law in the US that aims to protect the health information of individuals (hereby known as PHI, or Protected Health Information) when said information is used by organizations. In terms of protection HIPAA generally looks to ensure that appropriate security measures are in place to avoid unintended disclosures, appropriate privacy considerations are in place to define what a fair disclosure is by patient standards, and appropriate planning and notification structures are in place to ensure a timely and effective response if privacy or security standards do get breached.  

As to why HIPAA is so critical to pay attention to, there are two major reasons. One is that non-compliance comes with a heavy price – this can range from civil penalties like suspension of processing activities, corrective action plan mandates, or per-record-violation fines of up to $50,000, all the way to criminal penalties leading to separate, higher fines or even prison time. This makes HIPAA compliance a serious concern for finances, reputation, and legal liability. The second major aspect to pay attention to is how broad the scope of who is considered to be a processor (or in HIPAA’s terminology, “covered entity”) under HIPAA, being healthcare providers, plan-handlers, clearinghouses, and as of the 2013 Omnibus rule, any subcontractors of the aforementioned parties. This can make applicability more common than many organizations would think, so if healthcare data is touched at all caution is advised.

Given the nature and criticality of HIPAA compliance, it’s clear that in most every case where applicable the process of attaining compliance is worthy of investment and high prioritization. And while a good option in this case would be hiring, training, and tasking internal staff/resources toward HIPAA compliance specialization, oftentimes companies find outsourcing these compliance checks to be a more cost-effective solution. This trend is due to a number of factors, such as:

  • Specialization – Full HIPAA compliance can be complex to identify and implement, thus making staff training a slower and more error-prone process than hiring a company that specializes in said compliance implementations. Additionally, compliance firms generally hold a keener awareness of other relevant compliance requirements that may be special to your organization.
  • Objectivity – It can be tough for internal staff to fully gauge the reasonability and appropriateness of HIPAA controls when only viewing their company’s environment in isolation, be it for lack of extra-organizational context for determining effectiveness or a reluctance to report major issues to management. A compliance firm can view your company in context of the many others that have aimed for the same controls to best make fitted-decisions and as a business-best interest are known to be straightforward and detailed in reporting.
  • Cost – When pushing toward a new compliance effort many companies underestimate the cost involved with getting internal resources ready to handle the process – between additional training, labor-hour requirements, compliance software, and the inherent risk cost for expensive HIPAA errors, the price for internal compliance checks can add up fast. An external compliance firm, on the other hand, comes with all the training, software, and experience required, and will only need to be staffed for whatever hours are required for your audit interval. For many companies, this only amounts to a handful of hours a year, making outsourcing relatively cheap in contrast to internal training in many instances.

Altogether it’s fair to say that if there’s a chance HIPAA applies to your company then there’s a guarantee that you want to get it right. And if you’re looking to ensure a quick, efficacious, and cost-effective compliance process then outsourcing HIPAA compliance is an option worth due consideration. 

Looking for an expert in HIPAA compliance to outsource to? Or could you use some assistance directing and refining an existing team? Either way, CyberData Pros’ analysts have audited systems, remediated errors, and trained staff for HIPAA compliance many times over. Contact us now for a free consultation and to learn more about our services.

read more

What is A Compliance Calendar and Why You Need One

In today’s digital age, cybersecurity is more important than ever before! With the growing number of cyber threats, it’s important to stay on top of your security measures to protect the personal information and sensitive data within your company. There are multiple ways to ensure that you are keeping up with your security and properly protecting sensitive information from cyber attacks, such as keeping up to date with quarterly vulnerability scans, annual penetration tests, risk assessments, internal security audits and more. One challenge that comes with implementing all of these services, however, is that they all require some form of time and scheduling. This scheduling element can sometimes present an obstacle for a business getting started, so in this blog we will be discussing some of the more important projects for cybersecurity and explore how your schedule may look once we begin.

Having a cybersecurity expert on your team will likely change your schedule in a few ways!

Depending on the scope of the services your business requires, your calendar may include regular meetings with the analyst to discuss ongoing security issues, project deadlines for implementing new security measures or updates, and occasional emergency meetings to respond to security incidents. For example, if your business would like to implement vulnerability scans as a service, there are multiple factors to consider for scheduling. Meetings with the analyst will be needed with some regularity, the frequency depending on scope of the vulnerability assessment. Past those meetings come performing the scans themselves – typically, vulnerability scans should be conducted every quarter, meaning you’ll need to schedule that block of time accordingly. Finally, vulnerability scans can help identify potential security weaknesses or gaps. These weaknesses may include weak passwords, outdated software and any other issues that would be easy for hackers to get into. These scan findings are important to address, so post-scan it’s best to leave some time available for the analyst to discuss the risks and remediation options.

Another service that should be added to your calendar is a ISO 27001 preparation and certification process. The frequency of these meetings can depend on a variety of factors including specific needs and goals. To achieve and maintain an ISO certification, your business may need to have regular meetings scheduled to implement and review security policies and procedures, including items like a business continuity plan, disaster recovery plan, and incident response plan. Additionally, a large part of the ISO process is the internal security audit, which typically requires walkthroughs from various business stakeholders – these can be tricky to coordinate and find time for depending what other projects are going on, which makes them important considerations for the ISO schedule. Past that, when it comes to maintaining an ISO certification, your business needs to have quarterly information risk council (IRC) meetings. IRC meetings are meant to help ensure that your business is at its best practices and ensure that your risk management strategies are up to date and often the party is expected to ultimately approve/review policies by auditors, so these routine meets are critical items to coordinate and account for. The ISO process can sound like a lot on paper, but with attentive scheduling and prioritization the process can often be accomplished fairly smoothly.

Overall, your calendar may become more structured and planned out as you work with a cybersecurity analyst to implement and maintain your security measures. It’s important to prioritize cybersecurity and set aside enough time and resources to ensure your systems and data are properly protected. All in all, there are several reasons why a business should maintain cybersecurity services. A business stores a lot of sensitive data such as financial information, customer data, employee records, and confidential business plans. A successful cyberattack can interrupt business operations, and most importantly, initiate loss of revenue. Therefore, by establishing and maintaining cybersecurity services on your calendar, you will help protect your business from cyber threats, maintain compliance, and most importantly build trust with customers.

To find out how to set up a compliance calendar and for a free consultation, please contact us. We assist hundreds of clients with their compliance calendar and perform other data privacy and cybersecurity services.

read more

2023 Data Privacy State Laws Series: CPA

If you’ve been following along, you probably noticed a lot of similarities between VCDPA and CTDPA. The next state data privacy law we’re going to look at, the Colorado Privacy Act (CPA), completes our trio of closely aligned laws coming into effect this year. Each has their own unique quirks, but they find a lot of common ground. CPA comes into effect on July 1st, and will have a 60 day cure notice that will remain in effect until January 1st, 2025. 

Much like the other state laws we’ve looked at for 2023, CPA codifies the right to know, right to rectification, right to portability, right to deletion, right to opt-out of sale, and the right to opt-out of target advertising. One of the unique features of CPA is the requirement to establish and provide an internal appeal process if you choose to deny a consumer’s request to exercise any of the previously mentioned rights. Additionally, CPA requires you to inform the consumer of their right to contact the Colorado Attorney General if after the appeal process they have concerns about the result of the appeal. The Colorado Privacy Act sets a limit to the number of times a consumer may request to exercise their right to data portability in a calendar year. While any entity subject to CPA must provide a consumer with their personal data in a portable format at the request of the consumer, they may only exercise that right twice per calendar year. 

One question many data controllers likely have about CPA is do they have to store or maintain personal data in a way that can be associated with a consumer if they request to exercise one of the above mentioned data rights? The answer to that is no, if the data you process is de-identified or unreasonably burdensome to associate with an authenticated consumer request you do not have to set up a process to maintain data in order to associate personal data with an authenticated consumer request. From a consumer privacy perspective this is likely a more ideal scenario anyway.

Additionally, the CPA requires data controllers that process data for the purposes of profiling, processing sensitive data, targeted advertising, or selling personal information conduct a data protection assessment for each of these processing activities. These data protection assessments only apply to processes generated or created on or after the effective date of July 1st, 2023. A single data protection assessment can address similar data processing activities. Controllers will have an obligation to provide data protection assessments to the Colorado Attorney General upon request, though they will remain exempt from public review and Colorado Open Records Act requests.

read more

How to Prepare for CMMC 2.0

In 2020 the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) to enforce the protection of sensitive unclassified information that’s shared with DoD contractors and subcontractors. However, in 2021 DoD reviewed the CMMC framework and overhauled it after input from industry leaders. After completing the overhaul, CMMC 2.0 was announced and is the current version of CMMC that will apply to all contractors and subcontractors of the Defense Industrial Base (DIB) that handle sensitive unclassified information in their work for the DoD once the rulemaking phase is complete.

When people talk about CMMC, they’re usually referring to the Level 2 certification that requires an assessment by a Certified Third Party Assessment Organization (C3PAO). CMMC Level 2 is based on NIST SP 800-171, which encapsulates the basic security requirements of FAR 52.204-21 that make up Level 1 and provides its own security controls derived from those basic security requirements. CMMC Level 3 is based on NIST SP 800-172 but is out of scope for most organizations and is not a subject for discussion in this article. CMMC Level 2 has 110 practices that an organization must implement. While that can sound like a heavy lift, current DoD contractors may already be legally required to implement these practices even before CMMC. CMMC is an enforcement mechanism for security practices already required under federal law. Many DoD contracts already require the implementation of NIST SP 800-171 under DFARS 252.204-7012. CMMC attempts to verify that these practices are being implemented through third party assessments. If you are a DoD contractor with contracts subject to DFARS 7012, 7019, or 7020 you should be implementing these CMMC practices already. If you’re not already implementing the 110 practices outlined by NIST SP 800-171, the time to implement them isn’t when CMMC begins to show up in solicitations– its now, whether to prepare for the inevitable rollout of CMMC or to bring your organization in line with the commitments its made under DFARS 7012.

As you prepare for CMMC, it is important to determine what Level certification you will likely require and what information is in scope of CMMC. CMMC Level 1 revolves around Federal Contract Information (FCI), while CMMC Level 2 revolves around Controlled Unclassified Information. The Defense Counterintelligence and Security Agency (DCSA) has a good FAQ discussing FCI and CUI and how they differ from one another. In short, FCI is “information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.” And CUI is unclassified information that may still require “safeguarding and may also be subject to dissemination controls.” Once you’ve determined what information you currently process and what information you’re likely to process in future contracts, you can prepare for the correct level of CMMC. To begin, you’ll want to map what information is within the scope of CUI and FCI and where within your organization that information is stored and processed. CMMC does not require that all controls apply to the entire organization, just the enclave in which CUI and FCI are stored or processed. For smaller organizations this is likely irrelevant as it will be negligible to implement the appropriate CMMC practices across the entire organization versus the subset within the scope of CMMC, but for larger organizations making sure the in-scope information is only found within the necessary enclave can significantly reduce the burden of CMMC.

Once you’ve assessed where CUI and FCI are stored or processed and potentially contained within an enclave in your organization, you should begin a gap assessment to determine what controls to implement in order to satisfy the appropriate practices for your organization’s Level of CMMC. Level 1 maps to FAR 52.204-21, while Level 2 maps to NIST SP 800-171 rev 2. Both are publicly available, but DoD has provided a CMMC Assessment Guide for each Level. Each CMMC Assessment Guide gives additional discussion and considerations that are useful when considering your current controls and when implementing new controls to meet the required CMMC practices. If you are a contractor currently subject to DFARS 7019, you are required to conduct self assessments against NIST SP 800-171 and submit your score to the Supplier Performance Risk System (SPRS). In this case, you may not need to conduct an additional gap assessment as you should already understand where your organization’s shortcomings are if you’ve taken these statutory and contractual requirements seriously. 

When conducting an SPRS self-assessment, you start with a score of 110 and can go down to -203 as you subtract points for missing or insufficient controls. Each practice is worth either 1, 3, or 5 points, and there is no partial credit except for two of the 5-point practices. While we are still in the final rulemaking phase of CMMC 2.0, and some minor details could change, it’s important to note that it’s currently being discussed that to receive your CMMC certification, you’ll need to have met 80% of the practices and have met all of the 5 points SPRS practices. If you fail to meet 80% of those practices along with all the 5-point SPRS practices for your CMMC Level, you will not be able to achieve your certification even with the appropriate POAMs (Plan of Action and Milestones). Once you have completed a gap or self-assessment, you should begin working on completing the Security System Plan (SSP) and a Plan of Action and Milestones. Having those documents prepared and continuously updating them as you implement more controls to meet the practices required by the Level of certification you want or need to achieve will ensure your organization is not scrambling when CMMC requirements begin to appear in DoD contracts after the final rulemaking phase has ended.

Curious if CMMC is the right path for your business? Or could you use some assistance preparing for your CMMC Certification? Either way, CyberData Pros provides you with the guidance to prepare and achieve certification. We maintain a 100% audit success rate! Contact us now for a free consultation and to learn more about our services.

read more

What is an Information Risk Council and Why is it Important?

When people think about what factors are most influential in determining the effectiveness of an information security system, typically the first items that come to mind are technologies, policies, and controls. Often overlooked is one of, if not the most critical components of the system – its leadership. Of course secure tech and methods are vital components of the system too, but their effectiveness can be rendered null if leadership is unable to establish, enforce, maintain, and overall direct their usage. 

Effective leadership, however, is a challenge in and of itself; it’s not as simple as hiring a competent c-suite. As talented as a CISO or CPO might be, no one person can be expected to fully understand the culture, processes, and concerns of every individual department of an organization. Imagine if a president was required to understand first-hand all those factors for each government department before making a decision – by the time they could even get close to a full understanding their information on older departments would become outdated and they’d probably be past their term limit anyway; no decision could ever be made. The problem is that those aforementioned factors are instrumental in determining the true effectiveness of these decisions, and thus cannot be ignored in strong leadership. So, barring omniscience on the CISO/CPOs’ end, upper leadership is going to need advice and influence from department representatives, and that’s where the Information Risk Council comes in.

Now if the term Information Risk Council (or IRC, for short) is unfamiliar, there’s no need to worry. The group often goes by different names at different organizations: Department GRC Committee, Risk Management Council, Risk Governance Committee, and likewise are all names you might encounter instead. What is crucial is not the name but the concept behind it, which is defined in the group’s composition and concerns. In essence the IRC (or its alternate names) is a group of senior infosec leadership and department representatives that focuses on composing, ratifying, and implementing security policies, controls, and initiatives throughout the organization. To better understand the council’s purpose, however, it’s best to go into some detail on the composition and concerns themselves.

  • Composition: The major benefit of the IRC lies in granting the executive security/privacy owners in the company a deeper understanding and a wider perspective of the company’s state and needs, and by grouping in representatives (or heads) of every department, that purpose can be fulfilled. Department representatives should be able to collect and report on their specific department’s state and needs and thus provide valuable insight when decisions are made, affecting, or informed by that department. 
  • Concerns: With a general objective in place to provide a cross-departmental informed direction for the information security program, the IRC often takes on a number of duties/tasks in its operation. As a standard these tasks generally include quarterly meetings to discuss the state/direction of the program, a designated policy/assessment review and approval procedure, risk management discussions and reports, and incident handling/response. Of course additional roles may come into play as the organization’s needs change, but these basic responsibilities will cover the base needs of most effective IRC initiatives and do so more decisively than a CPO/CISO could by taking those same tasks on alone.

Altogether, taking the two fundamental considerations above as frameworks makes a strong starting point for an efficacious IRC. The benefits a team like that can bring to an infosec program often impresses clients who implement them as they’re usually multifaceted. Not only does the improved perspective help with the direction of change, but it also typically makes departments feel heard and more accepting of said change, which can encourage new policies to be acted upon in practice rather than just in writing. No need to just read up on the benefits though- try forming a team at your organization and see for yourself. In almost every implementation the barrier of entry is low and the opportunity for improvement is high.

Could your business use help implementing an IRC? Or could you use some assistance directing and refining an existing team? Either way, CyberData Pros have assisted many committees from inception to maturity and can walk your organization’s to that same state. Contact us now for a free consultation and to learn more about our services.

read more