Risk or Compliance? I think you mean Risk and Compliance?

 

CyberOne is an end to GRC Saas platform for all-size companies and teams.

Like many of our clients, if you are heading into your audit season or just looking forward to building a stronger, more efficient security program based on the alarming and increasing trend in ransomware attacks and data breaches, then CyberOne can help. CyberOne engages your people, processes, and technology to build a culture of risk. From good governance to understanding your gaps and putting your risk data to work to make decisions that benefit the business, CyberOne is a single source of truth for your company to govern, protect, and build.

When we discuss compliance with our customers, we always encourage you to start the compliance journey by, first, understanding your risks. Before you take your auditor’s IRL and simply build controls against it, first, decide whether your company has risk in that area. Where there is no risk, there is likely no need for a control. By adopting this approach, you can quickly tailor the scope of your audit to what is relevant to your company only. Our clients estimate that this approach has helped reduce audit time and costs by 30%. You can read about what our clients say about us here on Capterra.

You can build your risk register and manage findings from all your different sources – compliance review, vulnerability scans, pen test, audits, assessments, more. Use our API integration with Nexpose, Nessus, Qualys, AWS, Microsoft to pull your data into CyberOne, and push out the workflow with our own automated notification process, or through Slack or Jira (Engineers love us!). Ultimately, you will see how easy it is to scale and build a security governance, risk and compliance program in CyberOne that is based on your company’s priorities, needs, and objectives. And, we have experts to support you every step of the way.

Start today with our free risk assessment. You can choose from ISO 27001, SOC 2, CMMC, or CAIQ. We will send you an assessment and help you build a roadmap to meet your security objectives.

Take our risk assessment here today for free.  

 

Make secure easy, and insecure obvious…  [Credit: A wise customer of CyberOne]

 

A security message from HRH the Queen on Independence Day

 

All freedom comes at a price. Good security helps maintain freedom by protecting your company from exposure to an increasingly threatening landscape. Help keep we pesky Brits and other “ne-er-do-wells” from invading (again) your systems and networks this coming Independence Day weekend.

 

It’s all about getting the Crown Jewels without paying a Queen’s ransom!

 
As you launch your search, here’s a quick, totally unbiased, summary of the capabilities you should require from your tool:
  1. Policy Management: Can you write, review, update and communicate policies and connect them to your internal controls and regulatory requirements?
  2. Asset Management: Can you attach controls to specific assets and monitor those assets in your tool?
  3. Control Management: Can you work with multiple regulations and consolidate your internal controls to meet multiple requirements?
  4. Evidence Collection: Can you automate evidence collection and use one piece of evidence to meet many controls?
  5. Control tests: can you validate evidence and create reports that demonstrate validation by control and assets?
  6. Issue Management: Can you create findings from findings, as well as view, prioritize and mitigate findings (corrective actions, issues) form all areas of the business (compliance review, vulnerability scans, vendor review, internal audit, etc.)
  7. Risk Management: Can you define risk metrics and objectives, and cascade risk > threat > issue > incident > controls > assets to understand for a comprehensive understanding of your risk and compliance status and environment?
  8. Data application: Can you take that data and apply it to organizational strategy?

 

CyberOne is cloud-based GRC automation. We bring governance, compliance, and risk together with purpose. If you are ready to go beyond the checkbox, reach out to CyberOne and we will tell you more.

See what HRH and our clients say about CyberOne here:

    

Completely unbiased advice for how to select the right GRC Tool

 

Do you need Compliance Certification? Does your soul begin to resemble a spreadsheet? Do you need a GRC tool? Do you think you only need a compliance tool? Do you know the difference?

It’s all about getting the Crown Jewels without paying a Queen’s ransom!

As you launch your search, here’s a quick, totally unbiased, summary of the capabilities you should require from your tool:
  1. Policy Management: Can you write, review, update and communicate policies and connect them to your internal controls and regulatory requirements?
  2. Asset Management: Can you attach controls to specific assets and monitor those assets in your tool?
  3. Control Management: Can you work with multiple regulations and consolidate your internal controls to meet multiple requirements?
  4. Evidence Collection: Can you automate evidence collection and use one piece of evidence to meet many controls?
  5. Control tests: can you validate evidence and create reports that demonstrate validation by control and assets?
  6. Issue Management: Can you create findings from findings, as well as view, prioritize and mitigate findings (corrective actions, issues) form all areas of the business (compliance review, vulnerability scans, vendor review, internal audit, etc.)
  7. Risk Management: Can you define risk metrics and objectives, and cascade risk > threat > issue > incident > controls > assets to understand for a comprehensive understanding of your risk and compliance status and environment?
  8. Data application: Can you take that data and apply it to organizational strategy?

CyberOne is cloud-based GRC automation. We bring governance, compliance, and risk together with purpose. If you are ready to go beyond the checkbox, reach out to CyberOne and we will tell you more.

See what our clients say about CyberOne here:

Lower Audit Costs with a GRC Automation Platform

You can get a free readiness assessment by clicking this link and telling us which frameworks you need (CMMC, SOC 2, ISO, PCI, HIPAA, GDPR, all of these and more)

Did you know?

More and more auditors factor the use of a GRC solution into the pricing of an audit. If you are still working in spreadsheets, time is no longer your only enemy. Now and in the future, you will be paying more for that certification as well as wasting precious time. Compliance requirements are holding up the sales pipeline, causing stress, chaos, and general distress across your organization. Are you trying to keep up with evidence collection, control implementation, and managing the inevitable corrective actions that come from (using a spreadsheet) being overloaded, under-resourced, and ill-prepared for your audits? We all know it’s is a fools-errand if your tool has a “green-kiss” icon. We want to help! 

Auditors have figured it out/So has Forbes Magazine!

Auditors have recognized the value of an automation solution to manage the, otherwise arduous, compliance workflow. Compliance requires a lot of repetition, attention to detail and the ability to macro- and micro-manage your people, process and technology. CyberOne will save you time, money, audit penalties (more money) and de-stress you – Forbes magazine agrees!  (cut and paste this into an email to your boss, now!)

CyberOne Cloud-Based Automation

CyberOne’s cloud-based automation solution is widely accepted by audit firms and supports the full compliance lifecycle. We automate evidence collection, risk and finding alerts and risk monitoring. CyberOne also integrates with all your security tools, BitSight, Nexpose, Nessus, Qualys, productivity tools, Jira, Slack, Power BI, ServiceNow, and more.

CyberOne pays for itself in a matter of months.

We start by helping you select an auditor that is right for you and scoping your readiness and requirements.  We also provide all the tools you need to build or scale your compliance program, including readiness assessments, policy templates, control guidance and sample evidence lists. We will take you step by step through your readiness, audit and certification and set you up with continuous monitoring and ongoing automation to ensure success for this audit and the next surveillance audit, and certification, year after year.

You can get a free readiness assessment by clicking this link and telling us which frameworks you need (CMMC, SOC 2, ISO, PCI, HIPAA, GDPR, all of these and more)

I would like to talk to an expert about my compliance needs

 

CMMCAB Latest News

 

 

The CMMC Advisory Board has appointed Melanie Kyle Gingrich to lead training and development. Previously, the Senior Vice President of Product Development for Monster Worldwide, she has been charged with training and standing up a CMMC ecosystem of organizations that develop course materials and train assessors as the CMMC Board prepares to roll out its first certifying organizations this summer. Read more here from FCW.

CyberOne Security provides CMMC readiness and continuous monitoring to prepare and support you through the lifecycle of your CMMC certification process. From your 800-171 Self Assessment submission to the SPRS through control implementation, evidence verification, certification with our C3PAO partners, and continuous control monitoring for re-certification, CyberOne provides step-by-step guidance and automation that saves time and provides complete assurance for certification success. Oh, and, most important of all, it’s affordable for all-size organizations.

  1. Control Self Assessment for DFARS CyberSecurity Requirement
  2. CMMC Control Mapping to 800-171
  3. Automated Evidence Collection
  4. Certification Readiness Report
  5. C3PAO connection
  6. Continuous Monitoring post-Certification

Read our reviews on Capterra and contact us now for your FREE CMMC Evaluation.

 

DarkSide: The Consumerization of Hacking

 

The Colonial Pipeline Co. attack brought to light well-documented susceptibilities to our aging energy infrastructure in the US. It also demonstrates the real and growing threat that cyber-crime poses to our society, as well as a growing trend in the cybercrime market, that of RaaS, Ransomware as a Service. This is the consumerization of cybercrime, where hacker collectives literally operate as a business serving clients with ready-for-use ransomware tools that can be used to deliver attacks on global companies.

For more information on the hack and its perpetrators, DarkSide, read the Krebs on Security article that takes a close look at “DarkSide” and its operations.

Hacktivists turned Capitalists

Hacker groups or collectives are nothing new. The first documented incident of hacking dates back to 1971 and is attributed to a Vietnam Vet, John Draper, who figured out a way to make free phone calls. Inevitably, hacking has come a long way since John decided he needed to make free long-distance calls, becoming very much a part of the mainstream of social lexicon, even glamorized to a large extent by hackers themselves as well as a largely uninformed Hollywood portrayal of “hacktivist” culture. Far from the Hollywood “freedom fighter” portrayal of the hacker, the blackhat industry has always largely been about making money, but in recent years has become bolder and better, while seemingly losing all ethical values.

Who is at risk?

These hacking collectives will tell you that only the largest companies that can “afford to lose a few million” are targeted. They also claim that state actor projects, or geopolitics, are off the table with the sole aim of these groups to serve as a sort of online Robin Hood – taking from the rich… Oops, seems like they forgot about giving back to the poor. The reality seems far less “ethical” and far more indiscriminate. This week, a single, albeit major, pipeline operation was interrupted. Just three months ago, a small Florida city water company was hacked. School districts and universities have been targets and, of course, most industry sectors have been and continue to be targeted, from carpet manufacturers to the big banks. All in all,  it is estimated that 2,400 U.S.-based government, healthcare facilities, and schools were victims of ransomware in 2020 alone. Pre-IPO companies who are trying to safeguard sensitive data before going public are a popular target. The reality is that these attacks have a cascading fallout that impacts our safety, our health, our economy, our taxes, our livelihoods. Who is at risk? All of us it would seem.

Consumer Beware

Yes, based on the above, corporations are largely the chosen victims of ransomware. However, if you think this makes you immune as an individual, well, think again…

This attack crossed over into the public domain, closing a major US oil and gas pipeline, leading to a widespread fallout ranging from lines at the gas stations and a shortage of fuel, rising gas prices, to fallout – thankfully minimal –  in the stock market.

Corporations that have suffered ransomware attacks are lobbying governments to provide bail-out funds to enable them to beef up security practices to help protect against future attacks. What we may never know (of course we know) is whether appropriate security measures were in place prior to these attacks? From a consumer perspective, that cost is now being passed on to you in the form of higher product prices, lack of wage increases, and of course in your taxes.  If this sounds like the great TARP bailout of 2008, where citizens effectively paid the billion-dollar bonuses of bankers, well… your hearing might be good.

As Krebs reports, experts say ransomware attacks will continue to grow in sophistication, frequency, and cost unless something is done to disrupt the ability of crooks to get paid for such crimes. Last month, a group of tech industry heavyweights lent their imprimatur to a task force that delivered an 81-page report to the Biden administration on ways to stymie the ransomware industry. Among many other recommendations, the report urged the White House to make finding, frustrating, and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat.

Corporate “Oversight”

As corporations either invest or receive bailout money to build out security, corporations will invest in tools to scan networks, environments, systems, and assets in an attempt to pre-empt and detect threats. However, this data needs to be managed effectively, prioritized, and applied to people, process, and technology to have any impact. This is where companies can fall short and is a gap that CyberOne is trying hard to help them fill.

We want all companies to build a culture of risk across their organization. This starts with effective governance and leadership commitment to risk awareness and providing resources for effective risk management. While many companies are able to provide compliance certifications as a demonstration of commitment to security, risk management is really the key to effective security.

For more information on risk management implementation contact CyberOne