Risk or Compliance? I think you mean Risk and Compliance?

 

CyberOne is an end to GRC Saas platform for all-size companies and teams.

Like many of our clients, if you are heading into your audit season or just looking forward to building a stronger, more efficient security program based on the alarming and increasing trend in ransomware attacks and data breaches, then CyberOne can help. CyberOne engages your people, processes, and technology to build a culture of risk. From good governance to understanding your gaps and putting your risk data to work to make decisions that benefit the business, CyberOne is a single source of truth for your company to govern, protect, and build.

When we discuss compliance with our customers, we always encourage you to start the compliance journey by, first, understanding your risks. Before you take your auditor’s IRL and simply build controls against it, first, decide whether your company has risk in that area. Where there is no risk, there is likely no need for a control. By adopting this approach, you can quickly tailor the scope of your audit to what is relevant to your company only. Our clients estimate that this approach has helped reduce audit time and costs by 30%. You can read about what our clients say about us here on Capterra.

You can build your risk register and manage findings from all your different sources – compliance review, vulnerability scans, pen test, audits, assessments, more. Use our API integration with Nexpose, Nessus, Qualys, AWS, Microsoft to pull your data into CyberOne, and push out the workflow with our own automated notification process, or through Slack or Jira (Engineers love us!). Ultimately, you will see how easy it is to scale and build a security governance, risk and compliance program in CyberOne that is based on your company’s priorities, needs, and objectives. And, we have experts to support you every step of the way.

Start today with our free risk assessment. You can choose from ISO 27001, SOC 2, CMMC, or CAIQ. We will send you an assessment and help you build a roadmap to meet your security objectives.

Take our risk assessment here today for free.  

 

Make secure easy, and insecure obvious…  [Credit: A wise customer of CyberOne]

 

Automated SSP Preparation for CMMC

How CyberOne can help you build your SSP

If your organization works as a defense contractor, it must assure that it has done its due diligence to comply with all applicable NIST, DFARS, and CMMC compliance requirements.

CyberOne can help by automating documentation collection for CMMC compliance (and multiple other frameworks) through integration or automated notifications and our best-in-class portal.

CyberOne supports global compliance frameworks and security requirements, including FedRAMP, NIST, ISO, COSO, CIS, and more — and provides cross-references to existing documentation you may already have in place to support CMMC mapping.

CyberOne simplifies the self-assessment process by delivering a single, central dashboard to help you visualize your compliance stance, across all applicable frameworks; identifying the gaps in your cybersecurity program, and telling you how to fill them.

CyberOne doesn’t pay for marketing. Our clients do it for us.

Automated compliance and risk management from a single source of truth.

See it here today

A security message from HRH the Queen on Independence Day

 

All freedom comes at a price. Good security helps maintain freedom by protecting your company from exposure to an increasingly threatening landscape. Help keep we pesky Brits and other “ne-er-do-wells” from invading (again) your systems and networks this coming Independence Day weekend.

 

It’s all about getting the Crown Jewels without paying a Queen’s ransom!

 
As you launch your search, here’s a quick, totally unbiased, summary of the capabilities you should require from your tool:
  1. Policy Management: Can you write, review, update and communicate policies and connect them to your internal controls and regulatory requirements?
  2. Asset Management: Can you attach controls to specific assets and monitor those assets in your tool?
  3. Control Management: Can you work with multiple regulations and consolidate your internal controls to meet multiple requirements?
  4. Evidence Collection: Can you automate evidence collection and use one piece of evidence to meet many controls?
  5. Control tests: can you validate evidence and create reports that demonstrate validation by control and assets?
  6. Issue Management: Can you create findings from findings, as well as view, prioritize and mitigate findings (corrective actions, issues) form all areas of the business (compliance review, vulnerability scans, vendor review, internal audit, etc.)
  7. Risk Management: Can you define risk metrics and objectives, and cascade risk > threat > issue > incident > controls > assets to understand for a comprehensive understanding of your risk and compliance status and environment?
  8. Data application: Can you take that data and apply it to organizational strategy?

 

CyberOne is cloud-based GRC automation. We bring governance, compliance, and risk together with purpose. If you are ready to go beyond the checkbox, reach out to CyberOne and we will tell you more.

See what HRH and our clients say about CyberOne here:

    

Completely unbiased advice for how to select the right GRC Tool

 

Do you need Compliance Certification? Does your soul begin to resemble a spreadsheet? Do you need a GRC tool? Do you think you only need a compliance tool? Do you know the difference?

It’s all about getting the Crown Jewels without paying a Queen’s ransom!

As you launch your search, here’s a quick, totally unbiased, summary of the capabilities you should require from your tool:
  1. Policy Management: Can you write, review, update and communicate policies and connect them to your internal controls and regulatory requirements?
  2. Asset Management: Can you attach controls to specific assets and monitor those assets in your tool?
  3. Control Management: Can you work with multiple regulations and consolidate your internal controls to meet multiple requirements?
  4. Evidence Collection: Can you automate evidence collection and use one piece of evidence to meet many controls?
  5. Control tests: can you validate evidence and create reports that demonstrate validation by control and assets?
  6. Issue Management: Can you create findings from findings, as well as view, prioritize and mitigate findings (corrective actions, issues) form all areas of the business (compliance review, vulnerability scans, vendor review, internal audit, etc.)
  7. Risk Management: Can you define risk metrics and objectives, and cascade risk > threat > issue > incident > controls > assets to understand for a comprehensive understanding of your risk and compliance status and environment?
  8. Data application: Can you take that data and apply it to organizational strategy?

CyberOne is cloud-based GRC automation. We bring governance, compliance, and risk together with purpose. If you are ready to go beyond the checkbox, reach out to CyberOne and we will tell you more.

See what our clients say about CyberOne here:

SOC 2 Certification. Your Security Passport.

The Hotman Group and CyberOne Security have more than 50 years combined experience delivering risk and compliance management and SOC 2 Certification to companies of all sizes. Trust your SOC 2 readiness to certified CPAs who understand the complex control implementation and infrastructure needed to satisfy audit requirements. Maintain your control implementation, any corrective actions and automate your year-round evidence collection process on CyberOne’s modern SaaS GRC automation platform. We provide continuous, comprehensive compliance at a fraction of the cost of traditional consulting services and limited, niche compliance solutions. 

 

CyberOne is delighted to feature today’s article from Cheri Hotman, Owner Principal of the Hotman Group.

As the federal government rolls out CMMC (the Cybersecurity Maturity Model Certification), corporations are both facing increased scrutiny and demanding higher levels of security, risk, and compliance. In today’s marketplace, doing business is an issue of security. You need it and you need to demonstrate it. SOC 2 certification applies to any company that manages data in the cloud, which is, pretty much all of us these days. It can also serve as a basis for governing regulated data (PHI or P)) and is also a highly useful means of validating cybersecurity practices to the board and all current and future clients.   As such, it is quickly becoming the first question in a risk assessment (do you have a SOC 2 report?), and subsequently, it is a revenue driver and a means of expediting security review in the sales pipeline, as well as a comprehensive framework and foundation to security.

In this article, Cheri addresses the broadly publicized SolarWinds hack, its impact on the cybersecurity community and resulting measures taken by corporations to manage risk across the enterprise and in the supply chain.

 

The SolarWinds Breach

We’ve all heard about the recent SolarWinds breach, and for good reason. The massive software development company was hacked in 2019, leaving their clients vulnerable to attack. The company unknowingly sent out a software update this March with hidden malware embedded in it. Of their 33,000 clients, an estimated 18,000 downloaded and contracted the spyware making extremely valuable, highly sensitive information available to the hackers (Canales and Jibilian).

 

What Now?

The initial chaos has subsided, and the resounding question now is “how?” Surely a high-level company such as the one offering services to Fortune 500 companies and the U.S. Government would detect a breach in their system- right? Unfortunately, the answer isn’t quite so simple. Cybersecurity is a complex, multidimensional practice meant to protect against digital attacks. There are countless parts to it, but as a result of this breach, the importance of one particular part has been brought to light- SOC 2.

 

What Exactly is SOC 2?

SOC 2 is an intense cybersecurity, risk, and technical controls audit that must be performed by a CPA. It’s used to produce a report that provides either a green light or a bold, flashing red light in regard to the controls a company has set in place to protect the product/ service (and data) they offer. Companies use them to ensure their systems are secure and functioning properly, and potential clients use them to vet their vendors. Companies that have a CPA produce these reports make their company stand out by simplifying the process of deciding on a vendor, and make it cost-effective and confidence-building for potential clients.

There are two types of SOC 2 audits: Type 1, which determines whether a company’s cybersecurity and technical controls are designed appropriately as of a specific point of time (think: April 3, 2021- it could have been compromised the day before and could become compromised the day after, but this type of audit only attests to the date of the report). Next is Type 2, which measures a business’ control design and operation over a period of time (typically over the course of 12 months). Most companies and clients seek out Type 2 reports due to the detail and assurance made available. Here, more is more– companies and clients alike want little-to-no room for error in knowing the controls in place are reducing risk as they’re supposed to.

 

How to be Successful with SOC 2:

The SolarWinds breach has accounted for numerous companies seeking out their first SOC 2 report, which can be an overwhelming process. Fortunately, it doesn’t have to be daunting! SOC 2 is attainable for every company. First to know is that your commitment to managing your systems and risk will make or break the success of your SOC 2 audits, meaning it’s essential to have an ongoing program built into your company to effectively design and continuously monitor controls. The goal here is to be ready for an audit before the audit. Doing so leaves less room for failure, and results in less stress and scrambling to get things in place last-minute. There are several GRC tool options built to help you do this successfully! Use one to simply and continuously monitor your controls, communicate metrics, and produce evidence for it via documentation. As a part of these programs, you need to have corrective action processes for when you catch failures, because they will happen, and that’s okay- so long as you have a plan! Lastly, it is best to hire someone to help you design and run your control environment. Because it is an ongoing and complex process, this will save you time, hassle and error. Focus on what you excel at while allowing a SOC 2 expert to focus on what they do best- minimizing waste, guessing, and failures.

 

Words of Wisdom:

Although this is a completely attainable solution, there are a few things you’ll want to avoid when implementing your new SOC 2 program:

 

  • Do not try to do this with Excel, Word, or email. It will result in a blow-up-in-your-face disaster. Go ahead and invest in a platform built for handling compliance, risk and controls. You’ll thank me later!
  • Because a SOC 2 program is an ongoing one, it often seems ideal to hire someone in-house to build out and manage your program. However, this also means managing them to make sure they are doing their job correctly. Ultimately, it’s both time-consuming and expensive, so if this route doesn’t seem feasible…
  • Work with a company or person that can get you set up and keep you running like a well-oiled engine. Many businesses offer implementation and management for a lower overall cost than an in-house resource.
  • Although using a third party is a great option, use caution when choosing who to work with. Make sure they have the proper certifications for both SOC 2 AND security, as well as deep cybersecurity and risk practitioner expertise.
  • If this sounds like a foreign language to you, you’re just overwhelmed, or you don’t know if you’re ready to begin this process, hire someone to perform a gap assessment to figure out where you are today, and what your needs are, to put you on the path to success.

 

About the Author:

Cheri Hotman is an enthusiastic, passionate professional. Her drive to succeed began when she graduated with an MBA from the University of Texas at Dallas, and has only grown since then. With a track record that includes a career predominately in banking, financial services, and consulting followed by a position as Vice President in the Tech/IT space, you’d think her tenacity to have faltered- and you’d be wrong. She is a CPA, now holds her CISSP (cybersecurity certification), and has launched her own cybersecurity, risk, and compliance practitioner company. If you need a cybersecurity expert, or even just some inspiration, connect with her through www.hotmangroup.com, or via LinkedIn at www.linkedin.com/in/cherihotman.

 

 

Read more about CyberOne from our clients here on Gartner’s, Capterra review site or contact us directly.