What is a cybersecurity compliance program?
Cybersecurity compliance is the act of performing activities and adopting the controls necessary to achieve a minimum amount of cybersecurity per the requirements placed on a specific business. These requirements come from a variety of areas including laws, contracts, insurance requirements, and general best practices for IT Risk Management.
Federal and International Laws
There are federal and international laws such as HIPAA, GDPR, Sarbanes-Oxley, FFIEC, and the new Strengthening American Cybersecurity Act, just to name a few. These laws can carry strict financial and even criminal penalties for non-compliance.
A recent CNET report highlights how GDPR regulators issued more than $1.2 billion in fines across just five firms, including Amazon, Google, and WhatsApp.
State Laws
Then you have state laws. The NCSL is a wonderful resource for tracking cyber laws across all 50 states. California is well known for its California Consumer Privacy Act (CCPA), which regulates how businesses are allowed to manage the personal information of Californians; however, every single state has adopted its own laws regarding breach notification and the handling of specific types of sensitive data.
Contracts
Outside of laws, contracts will also contain specific requirements regarding the business or transaction with vendors and customers. These requirements are only expected to grow as the amount of contractual flowdowns increases due to efforts to create secure supply chains.
FAR and DFARS
All Federal contracts contain either the Federal Acquisition Regulation (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS).
The FAR is the primary regulation for use by all executive agencies in their acquisition of supplies and services with appropriated funds.
The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public. DFARS supplements FAR and should be read in conjunction with the FAR.
A few of the required cybersecurity controls include:
The Civil Cyber-Fraud Initiative
A recent development is that the Department of Justice (DoJ) released the Civil Cyber-Fraud Initiative to combat cybersecurity fraud by government contractors and federal fund recipients by applying the False Claims Act (FCA) to cybersecurity self-attestations.
Essentially, it exists to fine companies that are not meeting their contractual requirements via SPRS audits. Like the IRS’s audit organization or OSHA, the initiative can fine up to $11,000 per misrepresented control and charge up to three times the government’s losses if the government is compromised by a breach in your organization.
The whistleblower provision awards up to 30% of all damages and fines to the whistleblower while protecting them from retribution.
In fiscal year 2021, the DoJ assessed more than $5.6 billion in fines, with $1.6 billion in whistleblower payments spread across 598 cases (an average fine of $9 million per case).
Cybersecurity Insurance Requirements
Cybersecurity insurance reduces the financial risk of a cyber incident; however, it is not a failsafe and does not replace the need for a cybersecurity program.
To qualify for coverage, the entity must agree to a security audit by the insurance provider or present documentation of an approved third-party audit. The audits will play a role in determining the type of coverage an organization may need and the required controls.
Not all insurance companies are the same, and many will provide policies with varying requirements. It is critical that the insured customer stay in compliance with the cybersecurity insurance requirements in order to receive a payout in the event of a breach. Insurance companies will typically look for a reason not to pay claims, but rarely for a reason not to accept premiums.
Framework
Risk management frameworks set a benchmark that allows organizations to easily repeat secure practices and procedures, maintain their network, measure their progress, and confidently know where they stand in their cybersecurity maturity journey.
The adoption of a cybersecurity framework should be of the highest priority, as it helps ensure that no components are missed due to oversight or lack of knowledge. Unfortunately, implementing a framework is often overlooked because firms do not fully understand their risk.
Cybersecurity Compliance Program
With all these different requirements, it is nearly impossible to stay in compliance without a fully defined cybersecurity compliance program with the mission to ensure compliance across all components.
A cybersecurity compliance program should include:
Plans, Policies, and Procedures
Plans, policies, and procedures are the foundation to a sound cybersecurity compliance program.
This type of documentation records an organization’s compliance activities and the controls in place to protect them. It is important to evaluate plans, policies, and procedures frequently to ensure the firm is staying up to date with evolving cybersecurity regulations.
Training
Employees can be the greatest weakness or one of the greatest assets for maintaining cybersecurity defenses, which is why organizations should invest in them. Properly educating employees is imperative to maintaining a functioning cybersecurity plan. To maintain compliance, firms need to keep logs to show employees have completed annual awareness and social engineering training.
Vulnerability Scans, Penetration Testing, and Cybersecurity Threat Hunting
Vulnerability scans and penetration testing are proactive measures to find potential vulnerabilities in a firm's network and validate them through exploitation. Threat hunting is a deep dive into the network to detect whether any active threats are lurking undetected. As with training, organizations must keep track of the results of any assessment or test and the remediation steps taken in order to demonstrate compliance.
Change Management
Organizations should also practice IT change management. This is a process for reviewing proposed or planned changes to an IT system, network, or service before they are made. As a result, change management minimizes the rate at which security risks are introduced, and provides an organization with system transparency and network optimization.
Logs
Logs, logs, and more logs. Maintaining and reviewing logs frequently will allow an organization to quickly and efficiently identify anomalies that may be an indicator of, or a precursor to, a malicious cyber-attack. Types of logs include syslog, Windows Event Logs, NetFlow logs, etc. Logging plays a crucial role in maintaining a secure infrastructure and is the foundation of many of the security monitoring tools that make up an organization's technical cybersecurity capability.
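As an added illustration of the kind of anomaly that routine log review is meant to surface (this is example code written for this page, not code from the article or from Gray Analytics), the script below parses a handful of constructed syslog lines from an SSH daemon and flags any source address that produces a burst of failed logins within a short window, noting whether a successful login followed the burst. The hostnames, addresses, usernames, and the five-failures-in-sixty-seconds threshold are all assumptions chosen for the demonstration; a real deployment would tune them to its own environment and forward the alerts to its monitoring tooling.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not real data): a normal key-based
# login, a burst of failed password attempts from one external address
# followed by a success, and a single mistyped password from an internal host.
SAMPLE_SYSLOG = """\
May 10 08:01:12 web01 sshd[2211]: Accepted publickey for deploy from 10.0.5.20 port 51022 ssh2
May 10 08:02:03 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
May 10 08:02:05 web01 sshd[2241]: Failed password for invalid user admin from 203.0.113.45 port 40124 ssh2
May 10 08:02:08 web01 sshd[2242]: Failed password for root from 203.0.113.45 port 40130 ssh2
May 10 08:02:11 web01 sshd[2243]: Failed password for root from 203.0.113.45 port 40131 ssh2
May 10 08:02:14 web01 sshd[2244]: Failed password for root from 203.0.113.45 port 40133 ssh2
May 10 08:02:20 web01 sshd[2245]: Accepted password for root from 203.0.113.45 port 40140 ssh2
May 10 08:15:44 web01 sshd[2300]: Failed password for alice from 10.0.5.31 port 50001 ssh2
May 10 08:16:01 web01 sshd[2301]: Accepted password for alice from 10.0.5.31 port 50002 ssh2
"""

# Matches the traditional BSD syslog header plus the sshd login result line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2022):
    """Parse one sshd syslog line into a dict, or return None if it is not a login event.

    Classic syslog timestamps carry no year, so the caller supplies one (assumed 2022 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return one alert per source address that logged >= threshold failures
    within window_seconds. Each alert records the failure count, the users
    tried, and whether an Accepted login from the same source followed the burst
    (the case a reviewer would want to escalate first)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over the failure timestamps; stop at the first burst.
        for i in range(len(failures)):
            j = i
            while (j < len(failures)
                   and (failures[j]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            if j - i >= threshold:
                last_fail = failures[j - 1]["ts"]
                success_after = any(e["result"] == "Accepted" and e["ts"] >= last_fail
                                    for e in evs)
                alerts.append({
                    "src": src,
                    "failures": j - i,
                    "first": failures[i]["ts"],
                    "users": sorted({e["user"] for e in failures[i:j]}),
                    "success_after": success_after,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_SYSLOG.splitlines()):
        print(f"{alert['src']}: {alert['failures']} failures starting {alert['first']}, "
              f"users tried {alert['users']}, login succeeded afterwards: {alert['success_after']}")
```

The single mistyped password from the internal host does not trip the rule, while the external address does, and the "login succeeded afterwards" flag is what turns a noisy brute-force notice into something that needs a same-day response. Retaining the raw lines that produced the alert is also what lets the firm show an auditor or insurer the review actually happened.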
Why Gray Analytics?
Without a cybersecurity compliance program, a business has already lost the battle. With a program, a firm can ensure that it not only stays in compliance, but also drives ROI through its cybersecurity spend and gains a competitive advantage by being a trusted, secure component of any supply chain. Engaging with Gray Analytics' team of professionals can help your organization navigate the complexities of today's ever-changing regulatory environment.