Risk Assessment

DocumentationPrivacyRisk Assessment
February 28, 2023

How to Prepare for CMMC 2.0

In 2020 the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) to enforce the protection of sensitive unclassified information that’s shared with DoD contractors and subcontractors. However, in 2021 DoD reviewed the CMMC framework and overhauled it after input from industry leaders. After completing the overhaul, CMMC 2.0 was announced and is the current version of CMMC that will apply to all contractors and subcontractors of the Defense Industrial Base (DIB) that handle sensitive unclassified information in their work for the DoD once the rulemaking phase is complete.

When people talk about CMMC, they’re usually referring to the Level 2 certification that requires an assessment by a Certified Third Party Assessment Organization (C3PAO). CMMC Level 2 is based on NIST SP 800-171, which encapsulates the basic security requirements of FAR 52.204-21 that make up Level 1 and provides its own security controls derived from those basic security requirements. CMMC Level 3 is based on NIST SP 800-172 but is out of scope for most organizations and is not a subject for discussion in this article. CMMC Level 2 has 110 practices that an organization must implement. While that can sound like a heavy lift, current DoD contractors may already be legally required to implement these practices even before CMMC. CMMC is an enforcement mechanism for security practices already required under federal law. Many DoD contracts already require the implementation of NIST SP 800-171 under DFARS 252.204-7012. CMMC attempts to verify that these practices are being implemented through third party assessments. If you are a DoD contractor with contracts subject to DFARS 7012, 7019, or 7020 you should be implementing these CMMC practices already. If you’re not already implementing the 110 practices outlined by NIST SP 800-171, the time to implement them isn’t when CMMC begins to show up in solicitations– its now, whether to prepare for the inevitable rollout of CMMC or to bring your organization in line with the commitments its made under DFARS 7012.

As you prepare for CMMC, it is important to determine what Level certification you will likely require and what information is in scope of CMMC. CMMC Level 1 revolves around Federal Contract Information (FCI), while CMMC Level 2 revolves around Controlled Unclassified Information. The Defense Counterintelligence and Security Agency (DCSA) has a good FAQ discussing FCI and CUI and how they differ from one another. In short, FCI is “information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.” And CUI is unclassified information that may still require “safeguarding and may also be subject to dissemination controls.” Once you’ve determined what information you currently process and what information you’re likely to process in future contracts, you can prepare for the correct level of CMMC. To begin, you’ll want to map what information is within the scope of CUI and FCI and where within your organization that information is stored and processed. CMMC does not require that all controls apply to the entire organization, just the enclave in which CUI and FCI are stored or processed. For smaller organizations this is likely irrelevant as it will be negligible to implement the appropriate CMMC practices across the entire organization versus the subset within the scope of CMMC, but for larger organizations making sure the in-scope information is only found within the necessary enclave can significantly reduce the burden of CMMC.

Once you’ve assessed where CUI and FCI are stored or processed and potentially contained within an enclave in your organization, you should begin a gap assessment to determine what controls to implement in order to satisfy the appropriate practices for your organization’s Level of CMMC. Level 1 maps to FAR 52.204-21, while Level 2 maps to NIST SP 800-171 rev 2. Both are publicly available, but DoD has provided a CMMC Assessment Guide for each Level. Each CMMC Assessment Guide gives additional discussion and considerations that are useful when considering your current controls and when implementing new controls to meet the required CMMC practices. If you are a contractor currently subject to DFARS 7019, you are required to conduct self assessments against NIST SP 800-171 and submit your score to the Supplier Performance Risk System (SPRS). In this case, you may not need to conduct an additional gap assessment as you should already understand where your organization’s shortcomings are if you’ve taken these statutory and contractual requirements seriously. 

When conducting an SPRS self-assessment, you start with a score of 110 and can go down to -203 as you subtract points for missing or insufficient controls. Each practice is worth either 1, 3, or 5 points, and there is no partial credit except for two of the 5-point practices. While we are still in the final rulemaking phase of CMMC 2.0, and some minor details could change, it’s important to note that it’s currently being discussed that to receive your CMMC certification, you’ll need to have met 80% of the practices and have met all of the 5 points SPRS practices. If you fail to meet 80% of those practices along with all the 5-point SPRS practices for your CMMC Level, you will not be able to achieve your certification even with the appropriate POAMs (Plan of Action and Milestones). Once you have completed a gap or self-assessment, you should begin working on completing the Security System Plan (SSP) and a Plan of Action and Milestones. Having those documents prepared and continuously updating them as you implement more controls to meet the practices required by the Level of certification you want or need to achieve will ensure your organization is not scrambling when CMMC requirements begin to appear in DoD contracts after the final rulemaking phase has ended.

Curious if CMMC is the right path for your business? Or could you use some assistance preparing for your CMMC Certification? Either way, CyberData Pros provides you with the guidance to prepare and achieve certification. We maintain a 100% audit success rate! Contact us now for a free consultation and to learn more about our services.

read more
PrivacyRisk AssessmentSecurity
February 21, 2023

What is an Information Risk Council and Why is it Important?

When people think about what factors are most influential in determining the effectiveness of an information security system, typically the first items that come to mind are technologies, policies, and controls. Often overlooked is one of, if not the most critical components of the system – its leadership. Of course secure tech and methods are vital components of the system too, but their effectiveness can be rendered null if leadership is unable to establish, enforce, maintain, and overall direct their usage. 

Effective leadership, however, is a challenge in and of itself; it’s not as simple as hiring a competent c-suite. As talented as a CISO or CPO might be, no one person can be expected to fully understand the culture, processes, and concerns of every individual department of an organization. Imagine if a president was required to understand first-hand all those factors for each government department before making a decision – by the time they could even get close to a full understanding their information on older departments would become outdated and they’d probably be past their term limit anyway; no decision could ever be made. The problem is that those aforementioned factors are instrumental in determining the true effectiveness of these decisions, and thus cannot be ignored in strong leadership. So, barring omniscience on the CISO/CPOs’ end, upper leadership is going to need advice and influence from department representatives, and that’s where the Information Risk Council comes in.

Now if the term Information Risk Council (or IRC, for short) is unfamiliar, there’s no need to worry. The group often goes by different names at different organizations: Department GRC Committee, Risk Management Council, Risk Governance Committee, and likewise are all names you might encounter instead. What is crucial is not the name but the concept behind it, which is defined in the group’s composition and concerns. In essence the IRC (or its alternate names) is a group of senior infosec leadership and department representatives that focuses on composing, ratifying, and implementing security policies, controls, and initiatives throughout the organization. To better understand the council’s purpose, however, it’s best to go into some detail on the composition and concerns themselves.

  • Composition: The major benefit of the IRC lies in granting the executive security/privacy owners in the company a deeper understanding and a wider perspective of the company’s state and needs, and by grouping in representatives (or heads) of every department, that purpose can be fulfilled. Department representatives should be able to collect and report on their specific department’s state and needs and thus provide valuable insight when decisions are made, affecting, or informed by that department. 
  • Concerns: With a general objective in place to provide a cross-departmental informed direction for the information security program, the IRC often takes on a number of duties/tasks in its operation. As a standard these tasks generally include quarterly meetings to discuss the state/direction of the program, a designated policy/assessment review and approval procedure, risk management discussions and reports, and incident handling/response. Of course additional roles may come into play as the organization’s needs change, but these basic responsibilities will cover the base needs of most effective IRC initiatives and do so more decisively than a CPO/CISO could by taking those same tasks on alone.

Altogether, taking the two fundamental considerations above as frameworks makes a strong starting point for an efficacious IRC. The benefits a team like that can bring to an infosec program often impresses clients who implement them as they’re usually multifaceted. Not only does the improved perspective help with the direction of change, but it also typically makes departments feel heard and more accepting of said change, which can encourage new policies to be acted upon in practice rather than just in writing. No need to just read up on the benefits though- try forming a team at your organization and see for yourself. In almost every implementation the barrier of entry is low and the opportunity for improvement is high.

Could your business use help implementing an IRC? Or could you use some assistance directing and refining an existing team? Either way, CyberData Pros have assisted many committees from inception to maturity and can walk your organization’s to that same state. Contact us now for a free consultation and to learn more about our services.

read more
AuditPrivacyRisk AssessmentSecurity
January 18, 2023

Why Ongoing Audits are Good for Business

If you browse cybersecurity literature long enough you’ll find the benefits a business can derive from a privacy or security audit are generally well understood and regarded, but lesser-known are the perks of ongoing audits. This is largely due to a generalized concern some businesses hold that subsequent audits may be redundant – which is a prudent question of cost-efficiency. What’s often misunderstood in this concern is that the benefits of continual audits are at the same time greater and different than those of singular audits, with the difference being seen largely in the distinction between proactive and reactive action. Let’s take a quick dive into this distinction, and discuss a few key benefits continuous audits will bring.

A simple way of highlighting the key point of utility of continual audits is by considering the audits like you might consider a medical check-up – after all, an audit essentially is a health check for your information security system, so this makes for an apples-to-apples analogue. If you’re feeling very sick you might well schedule a one-off check-up. From there a doctor will run tests, make a diagnosis, and create a treatment plan to get you back into good shape. This check-up is generally the role an isolated audit will perform, and it definitely is a step in the right direction. But it’s worth remembering that if routine re-visits aren’t made then afterward you’re liable to miss otherwise detectable signs of illness and become sick again. And although it’s true that you can schedule another appointment at that point, the fact you’re sick to begin with is damaging to the body, and the recovery process can be drawn-out, challenging, and expensive. It’s oftentimes a lot more efficient for both your health and wallet to mitigate the risk of sickness consistently by making check-ups a routine, which represents the emergent perks of continual audits. 

It’s likely you can see how this same concept applies with information security audits – the best way by far to handle incidents is to take measures to avoid them entirely, and these measures are directed by continual audits. With that in mind, let’s look at a few specifics of how exactly these ongoing audits keep your business healthier than ad hoc audits:

  • Layered Net: A single audit might not always detect all risks present – some issues only become apparent in trends between multiple audits. A continual audit process ensures that most every detectable risk present in a system is identified, not just those apparent at a single point in time.
  • Remediation Review: Following the conclusion of an audit should come the process of addressing the identified risks. A common issue with said process is that the remediation efforts are not always fully effective, leaving the organization exposed still to a risk they believe is mitigated. Subsequent audits will review remediation efforts to assess their efficacy and provide guidance on how to improve them. 
  • Currency & Compliance: More frequent audits mean less room exists in-between for organizations to unknowingly diverge from emerging regulations and best practices. This not only simplifies the maintenance of compliance by way of lending more time to react to and prepare for new requirements, but also lends a competitive edge by allowing for quick adoption of new security and privacy best practices. 
  • More Recent, More Value: Over time your organization and the risk landscape it’s exposed to changes, and thus audits lose relevance with time. This makes recency a large variable in the value an audit brings, both internally and externally. For instance, externally it’s often found that potential partners or clients only accept audits from the last year or six months, with more recency generally preferred. Internally, timely findings in developing systems are oftentimes extremely beneficial, as it’s far easier to adjust for security early in that system’s implementation than attempting to retrofit it far afterward.

Altogether, the benefits listed above are most apparent in (if not exclusive to) a continuous audit process. And these points don’t even account for the human benefits of the process, such as improving staff’s understanding of your organization’s risk posture over time or demonstrating your organization’s commitment to cybersecurity and data privacy to prospects. It’s worth remembering that security and privacy are not problems to fix, but an ongoing process of improvement – in that sense, with audits an increase in quantity often boosts the quality of the process altogether.

Is your business interested in the benefits of a new audit? Whether you’re looking to establish an audit process or conduct your first audit ever, CyberData Pros are experts in the process and can walk you through it – from scoping to a polished report. Contact us now for a free consultation and to learn more about our services.

read more
ITRisk AssessmentSecurity
December 27, 2022

Your IT Department is NOT your Cybersecurity Team

So, you’ve got yourself a head of IT and they can do it all! You hired the best of the best. They can manage your cloud infrastructure, setup and administer all your company laptops, secure your wired and wireless networks, and even figured out a way to get that ancient printer/copier onto the network for everyone to use. The corporate space has long heralded the prodigious “IT Person’ as the crown jewel of all things computer and technology. However, as technology has advanced, companies have started leveraging more and more of these incredible advancements. From fully cloud-based infrastructure and virtualization to advanced digital communications and collaboration tools, the venerable ‘IT Person’ has never had a plate so full. On top of all that, many of these companies have made the frankly naïve and ultimately costly mistake of handing cybersecurity responsibilities to that very same ‘IT Person’. 

Anyone in the cybersecurity space will tell you the same thing: cybersecurity may be IT, but IT is NOT necessarily cybersecurity. Having someone( or better yet a team of people) with specialized knowledge and focus is absolutely vital to survival in the sea of never-ending cyber threats. One of the best places to start is with a Security Engineer. The job of a Security Engineer is to be able to understand the organization as a whole, including its culture, technology, data assets and liabilities, and leverage that understanding to deeply integrate low friction, seamless security controls around information systems within the organization’s existing structure. The key here is the deep integration, and low friction. A proper engineer is able to provide what your ‘IT Person’ just doesn’t have the specialized skills to deliver. Anyone can set astronomically high password requirements, turn off permissions for important systems unless requested, and set up a messy and slow VPN connection that employees are required to use. But all of those things are perfect examples of high friction systems that lead to constant pushback from employees, and constant holes to plug as people find a way around these frustrating restrictions. A Security Engineer has the skills necessary to build systems that work WITH your organization and its structure to make your workflows more secure, while remaining as low friction as possible. This big picture approach will ultimately lead to better buy-in from employees, which in turn leads to dramatically more secure infrastructure. 

While a Security Engineer is a strong and effective role to fill, it is undoubtedly aspirational for most smaller organizations. It would be entirely unrealistic to say every company has a need or the resources to house an expensive employee focused solely on security. So what about everyone else? Enter the IT Security Specialist. You could reasonably think of this role as something along the lines of a Jr. Security Engineer. This is a role that strives to achieve many of the same goals as a Security Engineer, but perhaps with a few years less experience, and a few less certifications under their belt. However, there is one thing the IT Security Specialist has that makes it a fantastic role for most companies to start with: hands-on IT experience. The IT Security Specialist is designed to work side-by-side with your existing IT operations. By bringing specialized, security focused insights and strategies, as well as the ability to implement those strategies, you’re able to alleviate additional burden on the already famously thin-stretched IT department. This should bring a ‘security first’ mindset into the organization.

So we’ve covered the entry points of small and medium organizations, but say you’ve just signed a handful of your biggest clients yet, and have major expansions planned over the next few years. An IT Security Specialist isn’t going to cut it, and a Security Engineer or two seems nice, but some of these big partnerships have some massive security requirements, including high level management focused on protecting their data. What are you supposed to do? This is exactly where a CISO, or a Chief Information Security Officer, is designed to fit in. Most simply described as the head of all things security, you are committing to establishing an entire division of your organization to the quality, strength, and importance of data privacy and security. A CISO can report directly to the CEO, or to a separate CIO (Chief Information Officer); however, comparing the two roles is an entire conversation in and of itself. From developing and managing security programs like company wide training to implementing network monitoring systems and incident response teams, a CISO is the one responsible for making all these things happen without burdening the CEO or other key areas of the organization. This is a great way to show potential clients, partners, or even investors that you are deeply committed to your organization’s security infrastructure. This shows that they can trust you to take every precaution necessary to protect their data, as well as brand reputation from the devastating consequences of a data breach.

While there is no one-size-fits-all solution to cybersecurity infrastructure, one thing is abundantly clear for organizations of all sizes: your magical, wonderful, and altogether impressive ‘IT Person’ should not shoulder the burden of your cybersecurity infrastructure. With the incredible complexity in which modern organizations operate such as remote cloud infrastructure, nested virtualized networking, and fully digital, internet connected communication and data storage systems, IT has enough on their hands as it is. Specialization is what today’s cybersecurity programs demand. With a seemingly endless stream of new threats and the escalating consequences they bring with them, falling behind is not an option.

Is your business looking for a certified partner to assist your “IT Department”? CyberData Pros has many years of experience in IT, data privacy, and cybersecurity to make sure your business is secure. Contact us now for a free consultation and to learn more about our services.

read more
CCPADocumentationGDPRPrivacyRisk Assessment
December 15, 2022

What is a Privacy Impact Assessment? Does My Business Need One?

Privacy is progressing across the US and it stops for no one – so what does it take to keep up? Well, as an increasing number of privacy regulations following the example of GDPR and CPRA arise, it naturally follows that more companies than ever are going to be newly bound to rigorous sets of privacy standards. In the interest of meeting those standards it’s crucial to have some standardized form of data system assessment to weed out privacy risks, which is exactly the role Privacy Impact Assessments (PIAs) fill. These assessments are thus primed to become an invaluable asset for organizations newly assessing privacy risk at the behest of legislation, as well as existing privacy-conscious organizations aiming to maintain their privacy posture – so it’s a great time to take a look at what a PIA is, whether or not you need one, and what one entails.

What it is

Essentially, a PIA is a tool that enables organizations to identify, categorize, and ultimately remediate privacy risks present in their data systems in accordance with relevant legislative standards. The objectives of these assessments are a few: to verify the data system’s privacy conformity with organizational and legal requirements, to determine the privacy risks present in the data system, and to evaluate solutions to mitigate identified risks. 

Who Needs it

Understanding what constitutes a PIA and its goals, a natural follow-up question would be who needs one. The necessity of one largely depends on the requirements of whatever regulations your business must abide by – different frameworks require these assessments at different stages of data handling. Odds are, however, that if you are bound to privacy legislation and handle customer Personally Identifiable Information (PII) you will at minimum be required to conduct a PIA when said data is newly processed or sold. Additionally, whenever significant changes/additions are made to the data system’s structure or its processes, then a PIA is typically highly-advised, if not required outright. 

Even past the explicitly-required cases, most any organization that handles PII should heavily consider conducting these assessments at least every three years. Remember that these assessments aren’t just a box to tick for compliance’s sake – they exist to help protect consumer information from undue exposure and thus protect the company who would be held liable. At its core, a PIA is a tool to mitigate risk and should be considered as such.

How it Works

So – if you decide upon conducting a PIA, what exactly does it involve? Generally, the assessment takes the form of both an analysis process and a report document. The process itself will vary again depending on the regulatory requirements an organization faces, but will typically include steps like the following:

  • An identification of the scope of the assessment along with the staff and stakeholders associated with in-scope systems
  • A categorization of data should take place, categorizing them according to their sensitivity 
  • A technical mapping of where and how information flows throughout its system: from acquisition to storage to transfer to use to disposal
  • An analysis and cataloging of privacy risks based on the data system’s state – take note to consider non-technical privacy impacts as well, an example being how easily communicable an otherwise safe process is to concerned consumers
  • A determination of whether or not the risk of holding different types of PII is proportional and reasonable to its business purpose
  • A consideration of mitigatory measures that could be taken to further protect the data system’s privacy as well as potential future data gathered

At the conclusion of the above steps a PIA report should be prepared documenting the results. The report should be easily interpreted and comprehensive of the steps and considerations taken – aid to this end can be found from online templates and/or privacy consultants. After the report’s completion, ensure that it’s published and sent where necessary by regulation. Ultimately, the PIA report is a living document. Ongoing reviews of the report should take place where there is any progress toward implementing the identified PIA recommendations or if any changes to the system are documented. 

With the PIA’s goals, use-case, and process in mind, hopefully you’re left with a clearer picture of these assessments going forward. Like many system assessments, the process can seem daunting at first, but with some practice it will become a tremendously helpful tool in your GRC toolbox, helping you adapt and thrive in our privacy-conscious future.

Need some help conducting your Privacy Impact Assessment? Let CyberData Pros carry one out for you, from scoping to publication. Contact us now for a free consultation and to learn more about our services.

read more
AuditPenetration TestingRisk AssessmentSecurityVulnerability Scanning
December 1, 2022

The Best Defense is a Good Offense

Within the realm of cybersecurity, there are a multitude of steps your organization can take to help better secure your infrastructure, network, and applications. While it might sound easy to go with an out-of-sight, out-of-mind approach, a particularly important component of a strong security posture involves digging to uncover weaknesses before they become a real security incident. Oftentimes discerning what these various tests, scans, and reports are in the first place can leave one confusingly scratching their head, let alone recognizing which option might be best suited for your business. Two of the more common techniques that often get lumped together are penetration testing and vulnerability scanning, but while there can be some overlap, it’s important to distinguish and understand the differences between the two. 

Both penetration testing and vulnerability scanning can be beneficial to an organization in their own way. Depending on a multitude of factors and circumstances, one might be chosen over the other, i.e. if there are budget limitations, or perhaps one is required by a standard, regulation, or contractual agreement. While on their own both options carry great value, the strongest results come from a combination of the two as both methodologies complement each other to form a comprehensive approach. To briefly define, vulnerability scanning is a process that uses automated tools to search for and identify known vulnerabilities across an organization’s devices, systems, and networks. Penetration testing, often referred to as ethical hacking, takes a more manual approach by attempting to actively exploit any weaknesses that exist, in order to simulate what damage could be done by a real attacker. 

Aside from the core definition, there are benefits and comparisons between the two that are important to discuss when you are considering implementing either or both options. When a vulnerability scan is completed, the results are generated into a report that identifies, categorizes, and scores each found vulnerability. Since there is no attempt to actively exploit, the purpose here is primarily informative. It requires manual analysis to sift through the false positives and carry out the remediation steps to mitigate the risks associated with the findings, prioritizing  the most critical findings first. Vulnerability scans are performed more frequently than penetration tests (ideally quarterly) and are useful to compare to previous scans to monitor progress. Due to their more lightweight nature, vulnerability scans are much quicker and cost-friendly than penetration tests. 

By contrast, as the goal of a penetration test is to think like the “bad guys”, they are significantly more detailed and thus require substantially more time and effort. Because of the thorough and in-depth nature, a penetration test takes days to weeks to complete. Naturally, the cost associated with a penetration test is higher than a vulnerability scan, but it’s worth noting that a retest is frequently included in the cost. Additionally, they do not need to be conducted as frequently as vulnerability scanning; annually is the most common interval. 

Pages could be written diving into the details of each, but the aim here is to give you a short synopsis and explanation of these often confused terms, and hopefully by doing so allow you to have a better understanding of the real world applications of each. Each carries its own value, but the best approach combines the advantages of both to take your company’s security strategy to the next level. 

Here at CyberData Pros, our team is proud to offer these services to our clients, and we encourage you to contact us to discuss how vulnerability scanning and penetration testing can help your ability to strengthen your company’s security. The best defense is a good offense.

read more