By James Robinson, Deputy CISO Netskope

Over the past 30 days, the most pressing question facing CIOs and CISOs has been, “how much?” How much access to ChatGPT do we actually give our employees? Top security leaders are left to decide whether they should completely ban ChatGPT in their organizations or embrace the use of it. So which option should they pick?

A simple answer is to implement a managed allowance. However, this may only work if your organization is doing all the right things with sensitive data protection and the responsible use of AI/ML in your own platforms and products. Your organization must effectively convey where and how it’s using AI to customers, prospects, partners, and third- and fourth-party suppliers in order to build successful and securely enabled programs that are governance-driven.

Organizations that simply “shut off” access to ChatGPT may feel initially more secure, but they are also denying its many productive uses and potentially putting themselves—and their entire teams—behind the innovation curve. To avoid falling behind, organizations should consider prioritizing the implementation of a managed allowance of ChatGPT and other generative AI tools.

Governing ChatGPT within your organization

Netskope has been deeply focused on the productive use of AI and ML since our founding in 2012. Like everyone, we’ve just observed an inflection point for generative AI. Unless you were a data scientist, you likely weren’t doing much with generative AI before November 2022. And as a security practitioner, developer, application builder, or technology enthusiast, your exposure was focused on using the features, not developing them. But since the public release of ChatGPT, everyone is able to access these services and technologies without any prior knowledge of the tool. Anyone with a browser today, right now, can go in and understand what ChatGPT can and can’t do.

When something becomes the dominant topic of conversation in business and technology this quickly—and ChatGPT definitely has—leaders have essentially two choices:

  • Prohibit or severely limit its use
  • Create a culture where they allow people to understand the use of this technology—and embrace its use—without putting the business at risk

For those on your team who are allowed access to ChatGPT, you must enable responsible access. Here at the dawn of mainstream generative AI adoption, we’re going to see at least as much disruptive behavior as we did at the dawn of the online search engine decades ago, when we saw new kinds of threats and a lot of data made publicly available that arguably should not have been.

Managing third and fourth-party risk

As organizations implement the productive business use of generative AI by the appropriate users, we will also see the rise of copilots. This will force security companies to be responsible for obtaining critical information from their third- or fourth-party suppliers regarding AI-associated tools. These questions can help guide the assessment:

  • How much of a supplier’s code is written by AI?
  • Can your organization review the AI-written code?
  • Who owns the AI technology your suppliers are using?
  • Who owns the content they produce?
  • Is shift-left licensing involved, and is that a problem?

AI is here to stay. With the right cultural orientation, users within organizations are better able to understand and use the technology without compromising the company’s security posture. However, this needs to be combined with the right technology orientation, meaning modern data loss prevention (DLP) controls that prevent misuse and exfiltration of data, and are also part of an infrastructure that enables teams to respond quickly in the event of that data’s misuse.

The post Don’t Shut Off ChatGPT, Implement a Managed Allowance Instead appeared first on Cybersecurity Insiders.

Ransomware, a type of malware designed to encrypt files or systems until a ransom is paid, has rapidly ascended to become one of the most severe cybersecurity threats. This article illuminates the insights shared by Safi Raza, Senior Director of Cyber Security at Fusion Risk Management, during a recent interview. We will explore the complexity of the ransomware challenge, potential solutions, and Fusion Risk Management’s unique approach to tackling this burgeoning issue. The insights shared by Safi Raza offer a valuable perspective on managing the ransomware threat effectively and underline the critical importance of a proactive and well-planned approach to cyber defense.

The Scope and Scale of the Ransomware Challenge

Raza vividly portrays the scale of the ransomware problem using real-world examples that highlight the severity and global reach of this type of attack. The infamous Colonial Pipeline ransomware attack in 2021 exemplifies the potential for severe economic and societal disruption, as fuel supplies to a significant part of the US East Coast were shut down due to the breach.

Raza notes an evolution in ransomware tactics, particularly the rise of ‘double extortion’ schemes. This technique involves both encrypting data and threatening its public release, thereby doubling the pressure on victims to meet the attackers’ ransom demands.

Strategies for Responding to a Ransomware Attack

The necessity of a swift and efficient response in the face of a ransomware attack cannot be overstated. Raza strongly recommends the establishment of a robust incident response plan that can be set in place well before an attack strikes. He argues that pre-emptive planning can substantially mitigate the impact of an attack, limiting financial loss and reputational damage.

An essential part of an incident response plan is understanding and planning for both regulatory obligations and contractual responsibilities. Different jurisdictions and contracts can have specific notification timelines and requirements in the event of a data breach. These considerations must be incorporated into any comprehensive response plan to ensure legal compliance during a crisis.

Fusion Risk Management’s Holistic Approach

As Senior Director of Cyber Security at Fusion Risk Management, Raza illustrates the company’s method for tackling ransomware threats. The company takes a holistic approach, leveraging the Fusion Framework® System™, a platform designed to integrate business continuity, risk management, and crisis and incident management. This solution provides a consolidated, organization-specific view of risk mitigation strategies, incident response plans, and business continuity initiatives, enabling an effective response to ransomware threats.

Emphasizing the importance of business continuity even after a breach, Raza asserts that the Fusion Framework System enables organizations to bolster their resilience against ransomware and other cybersecurity threats. This focus on the bigger picture – on the continuous operation of business processes despite an attack – is integral to Fusion’s approach.

Additional Key Considerations in Tackling Ransomware

While Raza provides a comprehensive overview of the ransomware issue and Fusion’s approach, there are a few additional crucial elements that merit inclusion for a complete understanding of ransomware defense strategies.

Regular, secure backups are a key defense against ransomware attacks. A robust backup strategy allows an organization to, ideally, restore much of its systems without the need to pay the ransom. Furthermore, these backups must be secured properly to prevent them from falling victim to the same ransomware attack.

User education is another critical defense against ransomware. Many ransomware attacks originate from successful phishing attempts. Organizations must implement regular training programs to ensure their employees can recognize and report phishing attempts.

Lastly, maintaining up-to-date systems and utilizing advanced threat detection and response tools can substantially strengthen an organization’s defenses. These tools can identify and neutralize threats before they infiltrate the network, reducing vulnerabilities and the potential for successful ransomware attacks.

Conclusion

Tackling the ongoing ransomware threat requires a holistic approach that incorporates preventive measures, thorough incident response planning, resiliency planning, and effective recovery strategies.

In closing, Raza reiterates the value of having a resiliency plan to ensure the continued operation of business processes, especially after a breach. This foresight and forward-thinking approach align with Fusion Risk Management’s philosophy and the company’s advanced toolset designed for business continuity and risk management.

In conclusion, managing the ransomware threat is an ongoing challenge that demands a comprehensive, multi-faceted strategy. From fostering user awareness to integrating state-of-the-art tools like the Fusion Framework System, every measure contributes to strengthening an organization’s resilience against this pervasive menace.

The post Navigating the Ransomware Threat Landscape: A Comprehensive View by Safi Raza appeared first on Cybersecurity Insiders.

Automation transforms the audit experience. What was once a burden to bear becomes a competitive advantage that lets your company maximize every opportunity.

Streamlining the audit process is not the only benefit of compliance automation. From higher productivity to a stronger security posture, automation improves your compliance program.

Learn more about the benefits of compliance automation and then schedule a demo to see how you can streamline your audit processes.

What is Compliance Automation?

Security breaches can happen anytime given the complexity of modern IT systems and the pervasive threat environment. These breaches can cause operational disruption, lost revenue, customer dissatisfaction, and legal or regulatory actions.

Companies simply cannot afford non-compliance.

At the same time, manual processes cannot keep up. People spend increasing amounts of their day checking systems and filling in spreadsheets. Compliance officers must map this evidence against internal policies and external compliance frameworks.

At audit time, these snapshots may not be enough. To satisfy the auditors, compliance teams must shift into overdrive to update the company’s compliance status.

Compliance automation replaces these manual spreadsheet-driven processes with software solutions that:

  • Continuously monitor security controls 24/7.
  • Cover all on-premises systems, cloud service providers, and SaaS vendors.
  • Automatically address minor compliance issues.
  • Generate alerts for issues that require staff attention.
  • Produce reports to document continuous compliance.

Why You Should Aim for Automation

Automation streamlines the auditing process. At the same time, automation improves your compliance and security posture as well as the productivity of your compliance program.

Streamlined Audits

Companies that monitor compliance manually dread requests for audits. They scramble to collect evidence, reconcile spreadsheets, and resolve any resulting issues. Missing or inaccurate data could compromise the final report and present a misleading picture to your customers and prospects.

Compliance automation simplifies the auditing process. With continuous monitoring and evidence collection, all the necessary information is already in one place.

Certifying compliance continuously rather than at a point in time gives customers more confidence in your company’s ability to maintain compliance and gives you a leg up on your competitors.

Stronger Compliance and Security Posture

Automation is the only way to monitor all systems continuously. Staff time is limited, so manual processes require prioritizing high-risk systems. Letting others go unmonitored for any length of time allows compliance gaps to linger. Software can monitor all systems all the time.

Automation also makes compliance monitoring more accurate. Spreadsheet-based manual processes are prone to human error. Mundane and repetitive spreadsheet work naturally leads to transcription errors and omissions. Letting compliance automation software handle this low-value work eliminates these errors.

With all compliance evidence collected automatically, your staff gains visibility deep into your on-premises and cloud systems. Dashboards give you quick summaries of compliance status. At the same time, you have the tools to dig into issues and gain insights into compliance performance across the organization.

Continuous, error-free monitoring and heightened visibility combine to improve your company’s compliance and security posture. Compliance systems can identify and resolve minor issues automatically. More significant problems get quickly escalated to compliance officers for immediate action.

Improved Productivity

Employees and contractors spend too much time collecting evidence into spreadsheets. This daily grind wastes the expensive talents these people were hired for. Compliance automation frees people to focus on the high-value, meaningful work that strengthens your compliance efforts.

Things to Look for in a Compliance Partner

Given the importance of compliance to the business, you must carefully evaluate potential compliance partners. Some things to consider include the following:

Focus on the Audit Process

Compliance is a constantly evolving field that can challenge even the largest enterprises. You can supplement your company’s in-house compliance talent by choosing partners with strong domain expertise.

Another challenge companies face is finding independent auditors that understand compliance frameworks as well as the company’s compliance platform. Look for partners who give you access to networks of vetted independent auditors.

Control Configurability

Every company has a unique combination of IT infrastructure, risk tolerance, and compliance requirements. Look for adaptable and scalable automation solutions that offer the control variety you need. This gives you the flexibility you need in an ever-evolving risk environment.

Support for Compliance Frameworks

Solutions that support a variety of frameworks make compliance programs more robust. Rather than running redundant processes, automated evidence collection can simultaneously support ISO 27001, GDPR, HIPAA, and other audits.

Native Integrations and Open APIs

To maximize the benefits of compliance automation, look for partners that offer a wide variety of integrations up and down the tech stack. They should offer secure and reliable native integrations rather than plug-ins.

Since no partner can cover every possibility, see if they offer an Open API so your developers can quickly integrate additional systems.

User-Friendly Compliance Journeys

Compliance automation solutions should take the pain out of compliance monitoring. Developers benefit from easily used integrations and APIs, while operations benefits from accessible dashboards and alerts.

Compliance Partner Reputation

Look for a compliance partner with a proven track record of success with companies similar to yours. Testimonials provided by the partner will showcase their strengths. Sites like G2 compile independent reviews from customers to provide more complete assessments of a compliance partner’s solution.

Your Audit Experience: A Look Into the Before and After

Before automating your compliance processes, audits are monumental challenges. Your staff takes on heavier workloads as they:

  • Ensure evidence is current.
  • Update, consolidate, and reconcile spreadsheets.
  • Address newly discovered compliance gaps.
  • Generate, review, and correct reports.

In the end, all that work may go for nothing. Manual processes increase the risk of failed audits and missed opportunities.

Automating evidence collection and control monitoring takes you from point in time to continuous compliance. Your team can proactively address compliance gaps and streamline the audit process to respond quickly, accurately, and completely to any request.

Drata’s compliance automation platform will help you turn the operational burden of your audit experience into a competitive advantage. We bring everything our customers are looking for in a compliance partner, including:

  • 75+ integrations.
  • A library of 500+ controls across your tech stack.
  • User-friendly dashboards, alerts, and reports.
  • A pre-vetted directory of independent auditors.

Across industries, businesses of all sizes rate Drata best-in-breed. We earned that reputation by understanding the audit experience and bringing that expertise to every customer engagement.

Schedule a demo to see how Drata can transform your audit experience.

The post How Compliance Automation Can Transform Your Next Audit appeared first on Cybersecurity Insiders.

If you handle consumer financial data, you need to be aware of the U.S. Federal Trade Commission’s (FTC) revised Safeguards Rule cybersecurity regulation. The rule applies to a wide range of businesses, including those that may not consider themselves to be financial institutions. The FTC has classified many companies as “non-banking financial institutions” subject to the rule, which requires them to implement specific measures to protect customer data.

Compliance with the revised Safeguards Rule is mandatory, and the deadline for implementation is fast approaching. Financial institutions covered by the rule must comply with certain provisions by June 9, 2023. While the FTC has extended the deadline for some changes to the rule, businesses should still take immediate steps to ensure they are in compliance by the deadline.

Understanding the FTC Safeguards Rule

The FTC Safeguards Rule is a set of regulations that require covered financial institutions to develop, implement, and maintain an information security program designed to protect customer information. The rule was first introduced in 2002 and has been revised multiple times to keep up with evolving technology and security threats. The most recent revision was announced in October 2021, with a deadline for compliance set for June 2023.

What is the FTC Safeguards Rule?

In short, the FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program designed to protect customer information. The rule applies to non-bank financial institutions, such as mortgage lenders and brokers, and requires them to take steps to protect sensitive customer information from unauthorized access, use, or disclosure.

Who is affected by the FTC Safeguards Rule?

The FTC Safeguards Rule applies to non-bank financial institutions, such as mortgage lenders and brokers, that collect, maintain, or use personal information from consumers. The rule also applies to service providers that have access to this information. Covered financial institutions must comply with the Safeguards Rule regardless of size, location, or type of business.

What are the requirements of the FTC Safeguards Rule?

Among other things, the revised Safeguards Rule requires:

  • Planning and action to address “reasonably foreseeable internal and external risks” — in other words, protection against data breaches, data leakage, phishing, and ransomware.
  • Implementation of multi-factor authentication.

In addition to these requirements, covered financial institutions must also:

  • Designate one or more employees to coordinate the information security program.
  • Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
  • Implement safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
  • Select service providers that are capable of maintaining appropriate safeguards, make sure the contract requires them to maintain safeguards, and oversee their handling of customer information.
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Overall, the FTC Safeguards Rule is designed to ensure that covered financial institutions take reasonable steps to protect sensitive customer information from unauthorized access, use, or disclosure. Failure to comply with the Safeguards Rule can result in significant penalties and reputational damage for covered financial institutions.

Steps to Protect Your Customer’s Data

Conduct a Risk Assessment

Before you can protect your customer’s data, you need to know what data you have, where it’s stored, and who has access to it. Conducting a risk assessment will help you identify vulnerabilities and potential threats to your customer’s data. This will allow you to develop a comprehensive plan to protect that data.

Among other things, the revised Safeguards Rule requires planning and action to address “reasonably foreseeable internal and external risks” — in other words, protection against data breaches, data leakage, phishing, and ransomware.

Implement a Written Information Security Program

Developing a Written Information Security Program (WISP) is a key element of protecting your customer’s data. A WISP is a comprehensive plan that outlines how you will protect customer data. It should include policies and procedures for data access, storage, and disposal, as well as guidelines for responding to security incidents.

The revised Safeguards Rule also requires implementation of multi-factor authentication. This means that you need to use more than one method of authentication to access sensitive data. For example, you might require a password and a fingerprint scan to access customer data.
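The paragraph above states the requirement but not what a second factor looks like in code. The following is an added example, not part of the original article: a password check combined with a standard TOTP second factor (RFC 4226 HOTP under RFC 6238 time windows) using only the Python standard library. The user record, salt and password are constructed sample data; the 20-byte secret is the published RFC 6238 test secret so the generated codes can be checked against the RFC's tables. The `SecondFactor` class name and the 90-second acceptance window are choices made for this illustration.

```python
"""Password plus TOTP second factor (RFC 4226 / RFC 6238), stdlib only.

Added example, not from the original article. The user record and the
shared secret are constructed sample data; the secret below is the
20-byte ASCII string from the RFC 6238 test vectors.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the current time-step counter."""
    return hotp(secret, unix_time // step, digits)


class SecondFactor:
    """Verifies TOTP codes within +/- `window` steps and refuses replay."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_accepted = -1                   # highest counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_accepted:
                continue                          # code for this window was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                return True
        return False


def check_password(stored_hash: bytes, salt: bytes, password: str) -> bool:
    """Constant-time comparison of a PBKDF2-SHA256 hash of the submitted password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, stored_hash)


def authenticate(user: dict, password: str, otp: str, unix_time: int) -> bool:
    """Both factors must pass; the OTP is only consumed after the password succeeds."""
    if not check_password(user["pw_hash"], user["salt"], password):
        return False
    return user["totp"].verify(otp, unix_time)


# Constructed sample user record (not real credentials).
SALT = b"constructed-salt"
USER = {
    "name": "analyst",
    "salt": SALT,
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 200_000),
    "totp": SecondFactor(b"12345678901234567890"),   # RFC 6238 test secret
}
```

Two details matter for the "more than one method" requirement to hold in practice: the OTP comparison uses `hmac.compare_digest` so timing does not leak how many digits matched, and an accepted counter is recorded so the same code cannot be replayed inside its validity window.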

Train Your Employees

Your employees are your first line of defense against data breaches. It’s important to train them on how to handle customer data securely. This includes training on how to identify and respond to security incidents, as well as how to use multi-factor authentication.

Monitor Your Systems and Respond to Incidents

Monitoring your systems is critical to detecting and responding to security incidents. You should have systems in place to monitor for unusual activity and respond quickly to potential threats. This includes having a plan in place for notifying customers in the event of a data breach.

Remember, protecting your customer’s data is an ongoing process. You should regularly review and update your security measures to ensure that you are keeping up with the latest threats and vulnerabilities.

Meeting the June 2023 FTC Safeguards Rule Deadline

Preparing for the Deadline

The new June 9, 2023, deadline for compliance with the revised FTC Safeguards Rule is approaching quickly. Among other things, the revised Safeguards Rule requires planning and action to address “reasonably foreseeable internal and external risks” — in other words, protection against data breaches, data leakage, phishing, and ransomware. It also requires the implementation of multi-factor authentication. To prepare for the deadline, businesses should consider the following steps:

  • Conduct a comprehensive risk assessment to identify potential vulnerabilities and risks to customer data.
  • Develop and implement a comprehensive data security program that addresses the risks identified in the risk assessment.
  • Implement multi-factor authentication to protect against unauthorized access to customer data.
  • Train employees on data security best practices and how to identify and respond to potential security incidents.
  • Regularly review and update the data security program to ensure it remains effective and up-to-date.

What Happens if You Don’t Comply?

Businesses that fail to comply with the revised Safeguards Rule by the June 9, 2023, deadline may be subject to enforcement actions by the FTC, including fines and penalties. In addition, failing to comply with the Safeguards Rule can also damage a business’s reputation and erode customer trust.

How to Report a Data Breach

In the event of a data breach, businesses should take immediate action to contain the breach, notify affected customers, and report the breach to the appropriate authorities. The revised Safeguards Rule requires businesses to have a written incident response plan in place that outlines the steps to be taken in the event of a data breach. Businesses should also consider the following steps:

  • Notify affected customers as soon as possible and provide them with information on how to protect themselves from identity theft and fraud.
  • Report the breach to the appropriate authorities, such as the FTC, state attorneys general, and credit reporting agencies.
  • Cooperate with law enforcement and regulatory agencies in their investigation of the breach.
  • Conduct a thorough investigation of the breach to identify the cause and take steps to prevent future breaches.

Conclusion

Protecting your customer’s data is not only a legal obligation but also a moral responsibility. The revised Safeguards Rule is a step in the right direction, and businesses must take it seriously. The deadline for compliance with the revised Safeguards Rule has been extended to June 9, 2023. This extension provides businesses with an additional six months to assess their data security measures and implement necessary changes.

Among other things, the revised Safeguards Rule requires businesses to plan and take action to address “reasonably foreseeable internal and external risks.” This includes protection against data breaches, data leakage, phishing, and ransomware. Businesses must implement multi-factor authentication to ensure that only authorized personnel have access to sensitive data.

It is crucial for businesses to understand the importance of data security and take appropriate measures to protect their customers’ data. Failure to comply with the revised Safeguards Rule can result in significant financial penalties and damage to the business’s reputation. Therefore, businesses must prioritize data security and comply with the revised Safeguards Rule by the June 9, 2023 deadline.

The post How to Comply with the U.S. Federal Trade Commission’s (FTC) revised Safeguards Rule appeared first on Cybersecurity Insiders.

By Scott Gordon, CISSP, Oomnitza 

Technology oversight is a common mandate across IT and security frameworks and compliance specifications, but achieving that oversight is difficult. The rise of hybrid workplaces, shadow IT/DevOps, and cloud infrastructure dynamics continues to create cybersecurity risks. SecOps, Governance, Risk and Compliance (GRC) and ITOps teams use a wide variety of tools and operational data to mitigate security posture exposures and fortify business resiliency, yet audit readiness and compliance validation remain a challenge. According to a recent survey, 66% of organizations failed at least one audit over the last three years [1]. Another survey calculated that organizations spend $3.5M each year on compliance activities [2].

Why? First, technology and operational intelligence, across the myriad of users, endpoints, applications and infrastructure, is siloed and fragmented. Beyond event logging, there is no established way to aggregate, correlate, and analyze this data, which exists within different departments, divisions, and management tools. Second, the tasks required to ascertain control and policy compliance details, resolve violations and provide adherence proof are resource intensive and error prone. As audit frequency and range expand to meet multiple evolving specifications, how can organizations reduce issues, delays, and spend? Answering this question has placed CISOs on a path towards continuous audit readiness that is accomplished by automating audit processes, from Scope to Evidence.

Clearly, smaller enterprises tend to be more cloud-first, but the larger the company, the more distributed the environment — and the more siloed divisions and IT domains become. The pandemic accelerated cloud migration, propelled digital transformation initiatives, and surged hybrid workplace adoption. The net effect of these events has introduced well-known audit readiness challenges, such as:

  • Audit data is siloed and fragmented, preventing timely, efficient and accurate analysis
  • Attestation-based compliance does not replace quantitative control assessment
  • Identifying and resolving remote workforce policy deviation is difficult
  • Cloud resource monitoring and policy enforcement is more fractured
  • Less controlled use of cloud resources introduces new exposures
  • Audit delays, re-audits and unplanned audit spend are increasing

GRC and security teams often have large, disparate technology datasets that are often incorrect or duplicative, hindering effective control analysis. Data discrepancies and deviation from pre-designated control frameworks are common. GRC team requests for audit support, investigations and corrective actions result in large, cross-department time and resource drains, often with incomplete or unsubstantiated outcomes. Overall, these audit challenges yield increased compliance gaps, prolonged audits, unplanned expenditures, and greater penalty and procedure refactoring costs. Beyond failing to meet audit specifications, there is the risk of attack and data leakage: upwards of 69% of cyberattacks started with an exploited, mismanaged internet-facing asset [3].

One foundation for audit and compliance readiness is to identify and settle on a common security framework, and as a result, common control areas: asset intelligence, IT management, and protection mechanisms. Asset/Technology Intelligence incorporates endpoints, applications, and network and cloud infrastructure. IT Management (which includes Identity and Access Management) encompasses ownership, access, entitlements, configuration, and lifecycle management controls. Protection mechanisms incorporate a wide variety of cyber defenses such as anti-malware, encryption, vulnerability management and firewall technologies.

To advance audit process automation, policies and their technical controls can be used to monitor, verify, report, resolve and refine adherence to specifications. For example, to satisfy PCI-DSS as well as other mandates, a policy for compliant virtual systems running in a payment processing zone would include operating a standard configuration that has system encryption and managed detection and response (MDR) active, having an active and authorized owner, and having resource access consistently managed at a specified interval. A compliance workflow would create, monitor and respond to deviations related to these policy-based controls.

Technical control validation (beyond attestation), when used within a process automation platform, reduces audit and compliance complexity and lowers auditing expenditures. ITOps, security and GRC teams can map each set of policies based on user, ownership, location, and technology security / operational state conditions. This also facilitates working with business units to identify unique business requisites and contractual obligations. This approach does not hold water if the underlying audit data is still inaccurate, missing, or conflicting.
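The payment-zone policy and the policy-to-condition mapping described in the two paragraphs above can be expressed as code rather than as an attestation. The block below is an added example and not Oomnitza's product code or any ETM platform's API: it evaluates a constructed asset inventory against the controls the passage lists (standard configuration, system encryption, MDR active, an active authorized owner, and access reviewed within a set interval) and emits one deviation record per failed control, which is the input a compliance workflow would act on. The inventory, the field names on `Asset`, the baseline name and the 90-day review interval are all assumptions made for this illustration.

```python
"""Policy-as-code check for the payment-zone control set described in the text.

Added example, not Oomnitza's or any ETM product's code. The inventory is
constructed sample data; the Asset fields, the baseline name and the review
interval are assumptions for this illustration, not a real ETM schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    zone: str                           # network/security zone the system runs in
    disk_encrypted: bool                # system encryption control
    mdr_agent: str                      # assumed states: "active", "installed", "absent"
    owner: Optional[str]                # named owner, if any
    owner_active: bool                  # owner still employed / authorized
    last_access_review: Optional[date]  # last time access was reviewed
    baseline: str                       # standard configuration applied


@dataclass
class Deviation:
    asset_id: str
    control: str
    detail: str


# Policy parameters (assumed values).
PAYMENT_ZONE = "payment-processing"
STANDARD_BASELINE = "pci-vm-baseline-v3"
ACCESS_REVIEW_INTERVAL = timedelta(days=90)


def evaluate_asset(asset: Asset, today: date) -> list[Deviation]:
    """Return every control deviation for one asset; empty when out of scope or compliant."""
    if asset.zone != PAYMENT_ZONE:
        return []                       # policy is scoped to the payment zone only
    devs: list[Deviation] = []
    if asset.baseline != STANDARD_BASELINE:
        devs.append(Deviation(asset.asset_id, "standard-configuration",
                              f"baseline is {asset.baseline!r}, expected {STANDARD_BASELINE!r}"))
    if not asset.disk_encrypted:
        devs.append(Deviation(asset.asset_id, "system-encryption", "disk encryption disabled"))
    if asset.mdr_agent != "active":
        devs.append(Deviation(asset.asset_id, "mdr-active", f"MDR agent state is {asset.mdr_agent!r}"))
    if not asset.owner or not asset.owner_active:
        devs.append(Deviation(asset.asset_id, "authorized-owner",
                              "no owner on record" if not asset.owner
                              else f"owner {asset.owner} is inactive"))
    overdue = (asset.last_access_review is None
               or today - asset.last_access_review > ACCESS_REVIEW_INTERVAL)
    if overdue:
        devs.append(Deviation(asset.asset_id, "access-review-interval",
                              "no access review on record" if asset.last_access_review is None
                              else f"last review {asset.last_access_review.isoformat()}"))
    return devs


def evaluate_inventory(assets: list[Asset], today: date) -> dict[str, list[Deviation]]:
    """Run the policy across the inventory; keys are only the assets with deviations."""
    report: dict[str, list[Deviation]] = {}
    for asset in assets:
        devs = evaluate_asset(asset, today)
        if devs:
            report[asset.asset_id] = devs
    return report


# Constructed inventory: one compliant VM, two deviating VMs, one out-of-scope host.
SAMPLE_INVENTORY = [
    Asset("vm-pay-01", PAYMENT_ZONE, True, "active", "alice", True, date(2023, 4, 1), STANDARD_BASELINE),
    Asset("vm-pay-02", PAYMENT_ZONE, False, "installed", "bob", False, date(2022, 11, 15), STANDARD_BASELINE),
    Asset("vm-pay-03", PAYMENT_ZONE, True, "active", None, False, None, "ad-hoc-image"),
    Asset("vm-web-07", "dmz", False, "absent", "carol", True, None, "web-baseline"),
]
AS_OF = date(2023, 5, 15)

if __name__ == "__main__":
    for asset_id, devs in evaluate_inventory(SAMPLE_INVENTORY, AS_OF).items():
        for d in devs:
            print(f"{asset_id}: {d.control}: {d.detail}")
```

Each `Deviation` carries the asset, the control name and a human-readable reason, which is what a workflow needs to open a ticket, notify the owner or trigger an automated fix; the check is deterministic over a snapshot, so re-running it after remediation doubles as the evidence that the deviation was closed.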

Data incongruity impacts evidence generation and threat resolution, and is the antithesis of progressing continuous audit readiness. Audit process automation, from Scope to Evidence, necessitates establishing a unified, integrated system of record for asset technology. Most enterprises have several sources that might conflict with each other or may not be regularly updated. This manifests in present-day auditing gaps: according to Cybersecurity Insiders research, more than half of respondents confirmed that their organizations have less than 75% asset intelligence coverage.

GRC, security and IT teams need actionable insight on what resources, from endpoints and applications to network and cloud infrastructure, are associated with which owners, managers and departments – and where these resources are located. Which endpoints have inactive or outmoded defenses and are vulnerable? What software applications are installed, what SaaS applications are being accessed, and is such use authorized and licensed? Where are new instances of network and cloud workloads being spun up, who manages them, and are they correctly configured or exposed? It is this matrix of data that organizations use to apply policies (guidelines to be met) that drive the processes (actions to be taken) and procedures (detailed steps that comprise the action) — these elements serve as the basis for automation.
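The payment-zone policy described above, and the asset-data matrix it depends on, written out as a policy-as-code check. This is an added illustration, not code from the article or from any vendor's platform; the record fields, the baseline name, the 90-day review interval and the owner directory are all constructed assumptions. Records that conflict between sources or lack a field produce a data finding rather than a compliance verdict, which is the article's point about incongruent audit data.

```python
"""Constructed policy-as-code check for a PCI payment-processing zone. Field names,
the baseline name, the 90-day interval and the owner directory are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, fields
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)      # assumed "specified interval"
STANDARD_BASELINE = "pci-vm-baseline-v3"  # assumed standard build name
TODAY = date(2023, 6, 1)                  # fixed so the sample is reproducible
# Constructed owner directory: only "active" entries are authorized owners.
AUTHORIZED_OWNERS = {"alice": "active", "bob": "inactive", "carol": "active"}

@dataclass
class Asset:
    asset_id: str
    zone: str                 # only "payment" assets are in scope
    baseline: str             # configuration baseline the system was built from
    disk_encrypted: bool
    mdr_agent: str            # "active", "installed" or "missing"
    owner: str
    last_access_review: date

@dataclass
class Finding:
    asset_id: str
    control: str              # policy control (or data check) that failed
    detail: str

def reconcile(sources: dict[str, dict]) -> tuple[dict, list[str]]:
    """Merge one asset's records from several sources (CMDB, cloud API, ...),
    reporting fields the sources disagree on instead of silently picking one."""
    merged: dict = {}
    conflicts: list[str] = []
    for name in sorted(set().union(*(rec.keys() for rec in sources.values()))):
        values = {src: rec[name] for src, rec in sources.items() if name in rec}
        if len({repr(v) for v in values.values()}) > 1:
            conflicts.append(name + ": " + ", ".join(f"{s}={v!r}" for s, v in values.items()))
        merged[name] = next(iter(values.values()))
    return merged, conflicts

def check_asset(asset: Asset, today: date) -> list[Finding]:
    """One Finding per policy control the asset violates; empty if compliant."""
    found: list[Finding] = []
    if asset.zone != "payment":
        return found  # policy applies only to the payment-processing zone
    if asset.baseline != STANDARD_BASELINE:
        found.append(Finding(asset.asset_id, "standard-config", f"baseline is {asset.baseline!r}"))
    if not asset.disk_encrypted:
        found.append(Finding(asset.asset_id, "encryption", "system encryption not enabled"))
    if asset.mdr_agent != "active":
        found.append(Finding(asset.asset_id, "mdr", f"MDR agent state is {asset.mdr_agent!r}"))
    if AUTHORIZED_OWNERS.get(asset.owner) != "active":
        found.append(Finding(asset.asset_id, "owner", f"{asset.owner!r} is not an active authorized owner"))
    age = (today - asset.last_access_review).days
    if age > REVIEW_INTERVAL.days:
        found.append(Finding(asset.asset_id, "access-review", f"last reviewed {age} days ago"))
    return found

def evaluate(inventory: dict[str, dict[str, dict]], today: date) -> list[Finding]:
    """inventory maps asset_id -> {source_name: record}. Conflicting or missing
    data yields a 'data-conflict' / 'data-missing' finding, not a policy verdict."""
    required = {f.name for f in fields(Asset)} - {"asset_id"}
    results: list[Finding] = []
    for asset_id, sources in inventory.items():
        merged, conflicts = reconcile(sources)
        missing = required - set(merged)
        if conflicts:
            results.append(Finding(asset_id, "data-conflict", "; ".join(conflicts)))
        elif missing:
            results.append(Finding(asset_id, "data-missing", ", ".join(sorted(missing))))
        else:
            results.extend(check_asset(Asset(asset_id=asset_id, **merged), today))
    return results

SAMPLE_INVENTORY = {  # constructed: a CMDB export plus a cloud-API snapshot per asset
    "vm-01": {  # compliant
        "cmdb": {"zone": "payment", "baseline": STANDARD_BASELINE, "owner": "alice",
                 "last_access_review": date(2023, 4, 15)},
        "cloud": {"zone": "payment", "disk_encrypted": True, "mdr_agent": "active"}},
    "vm-02": {  # unencrypted, inactive owner, stale access review
        "cmdb": {"zone": "payment", "baseline": STANDARD_BASELINE, "owner": "bob",
                 "last_access_review": date(2023, 1, 10)},
        "cloud": {"zone": "payment", "disk_encrypted": False, "mdr_agent": "active"}},
    "vm-03": {  # sources disagree on the MDR agent: no verdict until resolved
        "cmdb": {"zone": "payment", "baseline": STANDARD_BASELINE, "owner": "carol",
                 "last_access_review": date(2023, 5, 20), "mdr_agent": "active"},
        "cloud": {"zone": "payment", "disk_encrypted": True, "mdr_agent": "missing"}},
    "vm-04": {  # cloud snapshot never collected: encryption and MDR state unknown
        "cmdb": {"zone": "payment", "baseline": STANDARD_BASELINE, "owner": "carol",
                 "last_access_review": date(2023, 5, 20)}},
}

def run_sample() -> dict[str, set[str]]:
    """Evaluate the constructed inventory; map each asset to its failed controls."""
    failed: dict[str, set[str]] = {}
    for f in evaluate(SAMPLE_INVENTORY, TODAY):
        failed.setdefault(f.asset_id, set()).add(f.control)
    return failed
```

Running `run_sample()` leaves vm-01 absent from the result, lists three failed controls for vm-02, and flags vm-03 and vm-04 as data problems to resolve before any compliance verdict is issued.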

A new class of Enterprise Technology Management (ETM) tools has emerged as an enabler for continuous audit readiness by providing the ability to automate key business processes for technology and IT management. These platforms deliver the necessary system of record and workflow flexibility to enable continuous audit readiness. ETM platforms apply multi-source data normalization and advanced correlation that better equip security and GRC staff to analyze and interpret policy compliance information. They also provide low-code workflow editing and management, leveraging this unified and accurate technology intelligence, to streamline a wide variety of compliance verification and remediation tasks. This approach makes audit reporting preparation always available, incident management more proactive, audit completion more predictable (and less costly), and audit workflows more easily manageable – across an enterprise’s entire IT estate.

49% of organizations expressed room for improvement in their workflows due to periodic security and compliance issues [5]. Given on-going operational dynamics, ever-increasing technology volume, and present-day shrinking budgets, now is the time to determine where and how to progress continuous audit readiness.

Scott Gordon (CISSP)
CMO at Oomnitza

[1] ESG Research: 2021 State of Data Privacy and Compliance
[2] Vanson Bourne/Telos: 2020 Survey, A Wake-Up Call: The Harsh Reality of Audit Fatigue
[3] ESG Research: 2022 Security Hygiene and Posture Management
[4] Cybersecurity Insiders: 2022 Attack Surface Management Maturity Report
[5] YouGov/Oomnitza: 2022 State of Audit Readiness Report

The post Forging the Path to Continuous Audit Readiness appeared first on Cybersecurity Insiders.

By Tyler Reguly, senior manager, security R&D at cybersecurity software and services provider Fortra

The pandemic ushered in an unprecedented wave of online purchasing, as people around the world became far more comfortable with virtual shopping. In fact, the U.S. Census Bureau’s latest Annual Retail Trade Survey reports e-commerce expenditures rose from $571.2 billion in 2019 to $815.4 billion in 2020, a 43% increase.

Cybercriminals everywhere matched the uptick with clever new schemes to filch payment card data and defraud victims of billions of dollars. The Nilson Report estimated $28.6 billion in payment card-related losses occurred in 2020 (over one-third of them in the U.S.). They also predict this number will reach $408 billion in losses by 2030.

Time for change

With the boom in digital commerce paired with the increased popularity of contactless payment and cloud-stored accountholder data, the Payment Card Industry (PCI) Security Standards Council decided to re-evaluate the existing standard. First launched in 2004 and updated most recently in 2018, the PCI Data Security Standard (PCI DSS) is continually updated to reflect the evolving challenges of the cyberthreat landscape.

The current version, PCI DSS v3.2.1, is clearly failing to protect cardholder account details effectively in today’s environment. The Council gathered input from 200+ organizations and announced the updated requirements in March 2022, which will become mandatory on March 31, 2024. Organizations also have until 2025 to implement a set of future-dated changes. The full timeline can be found on the PCI Security Council website.

The 12 controls

PCI DSS 4.0 spans 12 controls, several of which have received updates in the latest version. According to the PCI Council, the enhanced requirements promote security as a continuous process while adding flexibility for different methodologies.

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to cardholder data by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security within organizational policies and programs

Changes in PCI DSS 4.0

In looking at the new standard more closely, there are several requirements with notable changes. Below is a high-level overview of the differences between PCI v3.2.1 and PCI v4.0:

Requirement 2: Broader scope defining the need for security configuration management (SCM) on more types of assets.

Requirement 3: “Account Data” instead of “Cardholder Data” indicates a potential increase of scope for PCI assets.

Requirement 4: Less specificity on the type of encryption used means your organization is freer to follow industry best practices. An important takeaway is to internally define what those technical standards are and be able to justify why they are now “Strong Cryptography” so that you can still pass your PCI audit (essentially, just document what standards you are following and why).

Requirement 5: It is no longer sufficient to just have standard antivirus software. This requirement now specifically calls for anti-malware to be in place, necessitating a strong antivirus solution with malware protection or EDR/MDR/XDR solution.

Requirements 7–9: These requirements are primarily the same as before, but the big takeaway is that instead of just enforcing access controls to systems, the standard now asks for this to be done more granularly, down to specific components such as software, databases, etc.

Your five-step PCI DSS 4.0 transition checklist

As you get up to speed on how the standard itself has evolved, you’ll begin to understand the potential impact to your own processes and operations. This isn’t a one-and-done type of effort. It will require a phased approach over time. Successful organizations will view the new requirements as an opportunity to strengthen the security mindset across many aspects of their business.

To help you get started, you’ll want to build the following components into your initiative:

  1. Plan a phased implementation according to the PCI timeline
  2. Review potential changes to scope
  3. Conduct a people and process evaluation
  4. Strengthen security configuration management (SCM) processes
  5. Onboard a tool that automates continuous compliance

Go in-depth on how to approach each of these items in this executive guide, the Five-Step PCI DSS v4.0 Transition Checklist. This essential resource helps you understand the requirements of PCI DSS 4.0 and how to ensure your organization is addressing the changes needed to avoid audit fines and data breaches.

Above all, securing payment card information helps protect your customers’ sensitive information and your company’s reputation by preventing costly business disruption in a fast-changing cyberattack environment.

Tyler Reguly is senior manager, security R&D at cybersecurity software and services provider Fortra, responsible for overseeing TACTIC, a team of security researchers that provide the security expertise that powers the company’s Tripwire product line.

In addition to security research, Tyler has worked closely with Fanshawe College, from which he graduated with a diploma in Computer Systems Technology, developing five courses including subjects like Advanced Hacker Techniques & Tactics, Hacking and Exploits, Malware Research, Evolving Technologies and Threats, and Python Programming.

Tyler has contributed to various standards over the years including CVSSv3 and has provided technical editing to a number of published books. In addition, he is a co-founder of the IoT Hack Lab that has been offered at SecTor (Security Education Conference Toronto) since 2015.

Follow Tyler Reguly on Twitter.

The post The Five-Step PCI DSS 4.0 Transition Checklist appeared first on Cybersecurity Insiders.

Cloud Security and Compliance Best Practices: Highlights From The CSA Cloud Controls Matrix

In a recent blog post, we highlighted the release of an InsightCloudSec compliance pack that helps organizations establish and adhere to AWS Foundational Security Best Practices. While that’s a great pack for those who have standardized on AWS and are looking for a trusted set of controls to harden their environment, we know that’s not always the case.

In fact, depending on what report you read, the percentage of organizations that have adopted multiple cloud platforms has soared and continues to rise exponentially. According to Gartner, by 2026 more than 90% of enterprises will extend their capabilities to multi-cloud environments, up from 76% in 2020.

It can be a time- and labor-intensive process to establish and enforce compliance standards across a single cloud environment, but this becomes especially challenging in multi-cloud environments. First, the number of required checks and guardrails is multiplied, and second, because each platform is unique, proper hygiene and security measures aren’t consistent across the various clouds. The general approaches and philosophies are fairly similar, but the way controls are implemented and the way policies are written can be significantly different.

For this post, we’ll dive into one of the most commonly-used cloud security standards for large, multi-cloud environments: the CSA Cloud Controls Matrix (CCM).

What is the CSA Cloud Controls Matrix?

In the unlikely event you’re unfamiliar, Cloud Security Alliance (CSA) is a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA brings together a community of cloud security experts, industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.

The Cloud Controls Matrix is a comprehensive cybersecurity control framework for cloud computing developed and maintained by CSA. It is widely used as a systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de facto standard for cloud security assurance and compliance.

Five CSA CCM Principles and Why They’re Important

The CCM consists of many controls and best practices, which means we can’t cover them all in a single blog post. That said, we’ve outlined 5 major principles that logically group the various controls and why they’re important to implement in your cloud environment. Of course, the CCM provides a comprehensive set of specific and actionable directions that, when adopted, simplify the process of adhering to these principles—and many others.

Ensure consistent and proper management of audit logs
Audit logs record the occurrence of an event along with supporting metadata about the event, including the time at which it occurred, the responsible user or service, and the impacted entity or entities. By reviewing audit logs, security teams can investigate breaches and ensure compliance with regulatory requirements. Within CCM, there are a variety of controls focused on ensuring that you’ve got a process in place to collect, retain and analyze logs as well as limiting access and the ability to edit or delete such logs to only those who need it.

Ensure consistent data encryption and proper key management
Ensuring that data is properly encrypted, both at rest and in transit, is a critical step to protect your organization and customer data from unauthorized access. There are a variety of controls within the CCM that are centered around ensuring that data encryption is used consistently and that encryption keys are maintained properly—including regular rotation of keys as applicable.

Effectively manage IAM permissions and abide by Least Privilege Access (LPA)
In modern cloud environments, every user and resource is assigned a unique identity and a set of access permissions and privileges. This can be a challenge to keep track of, especially at scale, which can result in improper access, either from internal users or external malicious actors. To combat this, the CCM provides guidance around establishing processes and mechanisms to manage, track and enforce permissions across the organization. Further, the framework suggests employing the Least Privilege Access (LPA) principle to ensure users only have access to the systems and data that they absolutely need.

Establish and follow a process for managing vulnerabilities
There are a number of controls focused on establishing, implementing and evaluating processes, procedures and technical measures for detecting and remediating vulnerabilities. The CCM has dedicated controls for application vulnerabilities, external library vulnerabilities and host-level vulnerabilities. It is important to regularly scan your cloud environments for known vulnerabilities, and evaluate the processes and methodologies you use to do so, as well.

Define a process to proactively roll back changes to a previous state of good
In traditional, on-premises environments, patching and fixing existing resources is the proper course of action when an error or security concern is discovered. Conversely, when things go awry in cloud environments, remediation steps typically involve reverting back to a previous state of good. To this end, the CCM guides organizations to proactively establish and implement a process that allows them to easily roll back changes to a previously known good state—whether manually or via automation.

How InsightCloudSec Helps Implement and Enforce CCM

InsightCloudSec allows security teams to establish and continuously measure compliance against organizational policies, whether they’re based on common industry frameworks or customized to specific business needs. This is accomplished through the use of compliance packs.

A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework or industry best practices. The platform comes out-of-the-box with 30+ compliance packs, and also offers the ability to build custom compliance packs that are completely tailored to your business’ specific needs.

Whenever a non-compliant resource is created, or when a change is made to an existing resource’s configuration or permissions, InsightCloudSec will detect it within minutes. If you so choose, you can make use of the platform’s native, no-code automation to remediate the issue—either via deletion or by adjusting the configuration and/or permissions—without any human intervention.

If you’re interested in learning more about how InsightCloudSec can help implement and enforce security and compliance standards across your organization, be sure to check out a free demo!

James Alaniz and Ryan Blanchard contributed to this article.

Setting your own standard

Cloud Audit: Compliance + Automation

Today’s regulatory environment is incredibly fractured and extensive. Depending on the industry—and the part of the world your business and/or security organization resides in—you may be subject to several regulatory compliance standards. Adding to the complexity, there is overlap among many of the standards, and they all require considerable resources to implement properly.

This can be a difficult endeavor, to say the least. That’s why many companies have dedicated compliance personnel to (as much as possible) push workloads and resources to adherence to cloud security standards. It’s important to build a plan to keep up with changing regulations and determine what exactly they mean for your environment.

From there, you can specify how to incorporate those changes and automate cloud posture management processes so you can act fast in the wake of an incident or breach. Deploying a cloud security posture management (CSPM) solution can ease the administrative burden associated with staying in compliance.

Complex compliance frameworks

There’s no reason to think your organization needs to go about all this compliance confusion on its own, even with skilled in-house personnel. There are regulations you’ll need to adhere to explicitly, but oftentimes regulatory bodies don’t offer a solution to track and enforce adherence to standards. It can be difficult to build that compliance framework from scratch.

That’s why it’s important to engage a CSPM tool that can be used to build in checks/compliance standards that align to one or more regulations—as noted above, it's often a combination of many. It's also likely you’ll want to supplement with additional checks not covered in the regulatory frameworks. A capable solution like InsightCloudSec can help you accomplish that.

For example, the European Union's General Data Protection Regulation (GDPR) requires organizations to incorporate data protection by design, including default security features. To this point, InsightCloudSec can help to enforce security rules throughout the CI/CD build process to prevent misconfigurations from ever happening and govern IaC security.

A pre-configured solution can erase the complexity of setting up your own compliance framework and alert system, and help you keep pace with this rate of regulatory change. The key is knowing whether the solution you’re getting is up to date with the current standard in the location in which it’s required.

When choosing a solution, look for one that delivers out-of-the-box policies that hold cloud security to high standards, so your controls are tight and contain failsafes. For example, a standard like the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) helps you create and fortify those checks so that your customers or users have confidence that you’re putting cloud security at the forefront. The InsightCloudSec CSA CCM compliance pack provides:

  • Detailed guidance of security concepts across 13 domains—all of which follow Cloud Security Alliance best practices.
  • Alignment with many other security standards like PCI DSS, NIST, and NERC CIP.
  • Dozens of out-of-the-box policies that map back to specific directives within CSA CCM, all of which are available to use right away so you can remediate violations in real time.

A few questions to keep in mind when considering a solution that aligns to the above criteria:

  • Does the solution allow you to export and/or easily report on compliance data?
  • Does the solution offer the ability to customize frameworks or build custom policies?
  • Does the solution allow you to exempt certain resources from compliance requirements to minimize false positives?

Automating enforcement

Real-time visibility is the key to automating with confidence, which is a critical factor in staying compliant. Given the complexity of today’s hybrid and multi-cloud environments, keeping up with the sheer number of risk signals is nearly impossible without automation. Automation can help you safeguard customer data and avoid risk by catching misconfigurations before they go live and continuously auditing your environment.

As aptly noted in Rapid7’s Trust in the Cloud report, automation must be tuned to internal risk factors like trustworthiness of developers and engineers in day-to-day maintenance, trust in automation to set guardrails in your environments, and your organization’s ability to consistently and securely configure cloud environments. Continuous monitoring, enforcement, reporting—and, oh yeah, flexibility—are keys to success in the automated-compliance game.

Automated cloud compliance with InsightCloudSec

It can be very easy for things to fall between the cracks when your team is attempting to both innovate and manually catch and investigate each alert. Implementing automation with a solution like InsightCloudSec, which offers more than 30 pre-built compliance packs available out-of-the-box, allows your teams to establish standards and policies around cloud access and resource configuration. By establishing a common definition of “good” and automating enforcement with your organizational standards, InsightCloudSec frees your teams to focus on eliminating risk in your cloud environments.

Get started now with the 2022 edition of The Complete Cloud Security Buyer’s Guide from Rapid7. In this guide, you’ll learn more about tactics to help you make your case for more cloud security at your company. Plus, you’ll get a handy checklist to use when looking into a potential solution.

You can also read the previous entry in this blog series here.

By Prashanth Nanjundappa, VP of Product Management, Progress

The Need for Compliance

The need for security is well understood by almost every business. If data and systems aren’t secure, they could be compromised and important information could end up in the hands of bad actors. The job of security teams is to put in place a secure architecture that defends against all different kinds of threats. However, what compliance is and the need for it isn’t always as clear to businesses.

Compliance teams mitigate risk by making sure businesses align with certain frameworks. Three important forces exist which make it essential for organizations to be compliant. First, there are the regulatory bodies that keep an eye on whether businesses are compliant. Every so often, these regulatory bodies publish a new set of standards, which technology companies must adhere to. Regulatory bodies are complemented by regulated sectors, such as the financial, hospitality, and healthcare industries, for whom security and privacy are of top concern. These sectors look to the compliance specifications published by regulatory bodies to know what needs to be enforced and make sure companies within their sector are compliant. Adhering to compliance standards is necessary to operate in these industries. The third force is the customers who are using a company’s products. They look to regulatory body specifications to make sure that the product they’re purchasing is certified and compliant with industry standards. Compliance is of utmost importance to companies both large and small.

Changes in Compliance

These days, organizations are looking beyond just whether they’re compliant or not, and towards becoming compliant more quickly. There has been rapid growth in the technology industry and new companies emerging in all different sectors, like Uber in transportation, AirBnB in hospitality, and Robinhood in finance. In order to bring their product to the market quickly, business leaders need to be able to quickly make sure their launch is secure and adheres to compliance standards and specifications. This is why there has been a shift towards compliance as code.

So, how does compliance as code speed the process up? Traditionally, the three different bodies in security and compliance (developers, ops teams, and security teams) speak in completely different languages. But the time-to-market for a launch would be much faster if they all spoke the same language. The most common, acceptable language for all teams is code. Once the code is written, it enters the DevOps cycle, where it can be tested and repeated, and teams can put checks and balances in place to make sure everything is flagged and audited. This process is much faster than traditional governance methods.

Other technology sectors have undergone this same codification shift, such as infrastructure as code, because companies want to make sure that their development is automated and tested well in advance. This same mindset of wanting quicker, more advanced preparation is driving the move towards compliance as code. It has also made compliance as code more acceptable and more of an available option for companies. Traditional organizations adopting compliance as code have been able to move more quickly, and new companies are adopting compliance as code as the default.

What’s next

Automation and codification have been the foundation of DevOps. The DevOps methodology is the mindset shift that needed to happen for people: automated testing was adopted first, followed by infrastructure as code, then compliance as code, and now “as code” paradigms in general, all of which help with automation. More and more companies have become open to this process. Organizations need to reduce development cost, the cost of having a breach, and the cost of finding a defect late in the cycle, which codification can achieve. And, with growing competition in the technology industry, companies need to make their product available to their end consumer as soon as possible, before a competitor does first. The “as code” paradigm for automation is already the standard for new start-ups, and I expect to see compliance as code become commonplace in all different technology sectors, from banking to hospitality to healthcare. This is how businesses will stay competitive.

The post Businesses shift toward compliance as code appeared first on Cybersecurity Insiders.

By Taylor Hersom, Founder and CEO of Eden Data

Staying on top of the legal cybersecurity landscape can be challenging. As the number of State, Federal, regional, and international laws that govern the digital world continues to increase, how can your organization know which rules to focus on?

You should never underestimate the power and impact of privacy and data regulations. Companies that have failed to meet standards have been fined millions, suffered brand reputation damage, and faced class action legal suits. Let’s dive into the three points you should cover to avoid risks before discussing international and US federal and state laws.

Unraveling the legal landscape of your operations

The first point to focus on is where — which countries and states — your company operates and where your customers are based. Additionally, if your company is expanding into new markets and regions, your standards will also need to expand!

Secondly, you should pay close attention to the contracts you sign with your customers. Customers will typically call out the minimum standards your organization must meet to protect their data. As a McKinsey survey reveals, consumer-trust levels regarding their data are very low and vary depending on the industry. Consumers will not hesitate in taking action against your company if their data is mismanaged or breached.

Finally, it’s critical to consult a privacy law firm when evaluating the laws that will affect your company. The firm must be familiar with your business type. When looking for a privacy firm, ensure it is experienced in managing and serving businesses similar to yours.

International Law and U.S. Federal Law

The most important international law is the General Data Protection Regulation (GDPR). The GDPR brings a 21st Century human rights approach to data and cybersecurity.

GDPR is the first law of its kind to truly take a crack at protecting an individual’s identity and recognizing that our data privacy is something important that should be guarded. While the law isn’t perfect, it gives EU citizens a chance to fight back against organizations that are blatantly taking advantage of their data.

GDPR-info explains that the most serious GDPR violations can face fines of up to 20 million euros or up to 4% of a company’s total global turnover of the preceding fiscal year.

Unlike the European Union, the US has no single federal law regulating cybersecurity and privacy. However, several federal laws may apply depending on the type of organization and industry in which your company operates.

The Consumer Privacy Protection Act of 2017 is designed to ensure the privacy and security of sensitive personal information. It applies to any organization that manages data of 10,000 or more U.S. citizens during any 12 months. It was enacted to prevent and mitigate identity theft, provide notice of security breaches, and enhance law enforcement assistance.

On the other hand, the Homeland Security Act, signed into law by George W. Bush in 2002, was enacted after the 9/11 attacks. Its primary goal is to reduce the vulnerability of the U.S. to terrorism, and it relates to national security data.

Other federal laws are sector-specific. For example, if you work in the U.S. in the financial industry, you must comply with the Gramm-Leach-Bliley Act. The law controls how financial institutions deal with the private information of individuals.

Under the Cyber Security Information Sharing Act, your tech company has to share data with the government to help identify threats sooner. If your company works in cybersecurity, this law is fundamental, especially today, as nation-state cyberattacks are on the rise. Other federal laws are even more niche in their application, such as the laws that only apply to U.S. Department of Defense (DoD) contractors or the Children’s Online Privacy Protection Act (COPPA), which regulates websites and online services that target children under the age of 13. Finally, HIPAA only applies to healthcare, setting standard protection measures for personal information stored by the healthcare industry.

State-level cybersecurity laws

At this point, almost every state has data privacy laws. While most of them are lackluster, you should still pay attention to them due to the risk of a lawsuit in the event of a data breach.

Typically, the strategy is to use a more robust standard, such as GDPR, as your baseline so that you can have comfort knowing you are applying more stringent standards to your data privacy than is required by these state-level laws.

According to Ludwig APC, California has always led the way in state privacy laws. In 2004 the state enacted a law that required companies to implement and maintain reasonable security to protect personal information from unauthorized access and use. Over 23 states have since enacted similar cybersecurity regulations, known collectively as “Reasonable Security Laws.”

Another well-known California state law is the California Consumer Privacy Act (CCPA) of 2018. The law does not have requirements for businesses, but it creates a right of action for individuals impacted by a data breach. As mentioned before, customers and users will engage in legal action when their data is impacted by a cybersecurity incident.

Western Alliance Bank explains there has been an explosive growth of data-privacy class action suits and these will continue to rise as cybercrime proliferates. To respond to growing data legal cases, companies can turn to state laws known as “Safe Harbor Laws”. These are legal resources companies can use when being sued by individuals or by a class action.

The legal world has rapidly evolved to meet the demands of the advancements of the technological era. Organizations that meet legal standards open doors to new business opportunities, avoid fines and legal suits, build reputation and performance, and provide enhanced security.

The post Cybersecurity regulations: How do laws apply to your business? appeared first on Cybersecurity Insiders.