Preparing for your audit and certification

Whether you are looking ahead to your first security certification or are already in the surveillance/maintenance audit cycle, your people, process, and technology all play an important role in determining your success. It is not just important to do it right the first time. It is important to do it right every time.

CERTIFY ME!

We have previously spoken of the impact on businesses and security teams of SolarWinds, along with increasing ransomware and other cyberattacks. The demand to demonstrate an implemented security posture in order to make it through the sales process is increasing. Whether it is SOC 2 (strictly an attestation report rather than a certification, though customers treat it as one), ISO 27001 certification, or CMMC certification for the Defense Industrial Base (DIB), governments and corporations are both being held accountable and calling for greater accountability in their supply chains. This is, hopefully, good for consumers, good for society, good for humanity even!

As the demand for “certified” compliance increases, the cybersecurity industry has responded with new tools, automation, and “virtual CISO” services, all designed to simplify and expedite the readiness and certification process, because, of course, as a customer, you need certification, and you need it NOW!

BEYOND THE CHECKBOX

If you are about to launch headlong into a SOC 2 or another type of compliance certification, read this first! If you are planning to use a spreadsheet… Don’t. If you are looking for a SaaS product, tool, MSP, or a combination of these, keep reading! It is important to know what is ahead and to find a tool that enables you to fulfil all of your tasks and objectives, and/or to guide your MSP partners, so that your investment is as cost-effective and successful as possible. We think of it in three stages:

  1. Readiness: scope the certification (only do what you need to do); what is already in place; what do we need to build? (This is the checklist.)
  2. Continuous Monitoring: implementation, corrective action, validation; review, recycle, add, rinse, repeat. (This is beyond the checkbox.)
  3. Risk in Action: a risk register, established risk metrics, empirical data, and actionable activity that make the organization stronger, faster, better… (This is where you want to be.)

I CHECKED ALL THE BOXES!

The impression of ‘getting certified’ after 14, 30 or 90 days (a SOC 2 Type 1, maybe…) or 6 to 12 months (SOC 2 Type 2, ISO 27001, CMMC) is misleading at best and, generally speaking, creates a false sense of security. In reality, passing the certification audit is just the beginning of an ongoing compliance cycle that requires ongoing maintenance; in other words, a risk management program. If you are not thinking beyond the checkbox, you are underestimating the task at hand.

POLICY CREATES LIABILITY

Step one: all certifications require written policies. Once written, a policy must be implemented. There is no going back! Failure to implement the standards and procedures set out in your policies and accompanying procedural documents creates liability, not just audit findings: an auditor will test what the policy says against what the organization actually does. There are many templates and offerings to help craft policies. These largely serve as a good starting point, but buyer beware: unless you understand what is in your policy (can you validate that every policy statement is actionable within your organization?), you are potentially opening your company up to a world of pain!

COMPLIANCE & RISK MANAGEMENT

The jolly old Oxford English Dictionary describes compliance as “the act of obeying a rule, order or request”. OK, that mostly works, with one rather important addendum: “ongoing”. Security or privacy compliance is not a point-in-time activity; it has to hold at every point in time. We call this continuous monitoring (step two).

This is also why compliance is not sustainable in a spreadsheet. It is simply too hard to keep up with ongoing activity, issues, and changes across the business, the product, and the in-scope technology. Automation is the key to reviewing and monitoring compliance effectively. Tools like CyberOne can automate evidence collection through API integrations, or “manually” through project-management notifications and alerts sent to evidence owners. Automation can sustain existing compliance, but managing the gaps it surfaces is the next level: risk management.

Managing threats, vulnerabilities, issues that arise, events (heaven forbid), and business continuity, all of which are compliance requirements, can only be done through effective, empirical risk management. Risk management takes you through steps three, four, five, and so on. Compliance tells you what you are and are not doing, so to speak; effective risk management tells you how to maintain it, scale it, and do it better. On the right tool (ahem!), this covers both operational and enterprise risk. With the right risk data, measured in real time against established requirements and objectives, your company will become more efficient and work smarter across security and general operations. As such, compliance is only as valuable as the risk management that it informs, and as a stand-alone activity it is not sustainable.

CERTIFICATION TOOLS: CHECK THESE BOXES

As you launch into your certification tool search, here is a quick summary of the capabilities you really need to be successful:

  1. Policy Management: Can you write, review, update and communicate policies and connect them to your internal controls and regulatory requirements?
  2. Asset Management: Can you attach controls to specific assets and monitor those assets in your tool?
  3. Control Management: Can you work with multiple regulations and consolidate your internal controls so that one control meets requirements in several frameworks?
  4. Evidence Collection: Can you automate evidence collection and use one piece of evidence to meet many controls?
  5. Control Tests: Can you validate evidence and create reports that demonstrate validation by control and by asset?
  6. Issue Management: Can you raise findings (from failed control tests or elsewhere), and view, prioritize and mitigate them (corrective actions, issues) from all areas of the business (compliance review, vulnerability scans, vendor review, internal audit, etc.)?
  7. Risk Management: Can you define risk metrics and objectives, and cascade risk > threat > issue > incident > controls > assets for a comprehensive understanding of your risk and compliance status and environment?
  8. Data Application: Can you take that data and apply it to organizational strategy?

Once you implement the above, well, remember where we said you want to be? Stronger, faster, better… You are here!
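To make the continuous-monitoring and crosswalk points concrete (items 3 to 5 above, and the “compliance is not point-in-time” discussion earlier), here is a small added example in Python. It is not CyberOne code and does not use CyberOne’s API. The controls, the evidence cadences and the dates are constructed; the SOC 2, ISO 27001:2013 and NIST SP 800-171 references are real identifiers, but the mapping between them is illustrative. It treats a control as operating only while its evidence is current, then reports which requirements of each framework are actually met on a given date, so the same stale or missing evidence shows up as a gap in every framework the control was crosswalked to.

```python
"""Continuous-monitoring check over a control crosswalk.

Added example, not CyberOne code. All data below is constructed: four internal
controls, each crosswalked to one requirement in SOC 2, ISO 27001:2013 and
NIST SP 800-171, with the evidence that supports each control and the maximum
age that evidence may reach before the control is treated as not operating.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Evidence:
    name: str
    collected_on: date
    max_age_days: int  # refresh cadence the policy commits to (e.g. quarterly = 90)

    def is_fresh(self, today: date) -> bool:
        return today - self.collected_on <= timedelta(days=self.max_age_days)


@dataclass
class Control:
    control_id: str
    description: str
    requirements: set[str]  # "FRAMEWORK:reference" keys from the crosswalk
    evidence: list[Evidence] = field(default_factory=list)

    def is_operating(self, today: date) -> bool:
        # A policy statement with no evidence is a liability, not a control:
        # the control counts only if it has evidence and all of it is current.
        return bool(self.evidence) and all(e.is_fresh(today) for e in self.evidence)


# Constructed crosswalk: one internal control satisfies a requirement in several frameworks.
CONTROLS = [
    Control("AC-01", "Quarterly user access review",
            {"SOC2:CC6.3", "ISO27001:A.9.2.5", "NIST171:3.1.1"},
            [Evidence("access-review-2021Q1.csv", date(2021, 4, 2), 90)]),
    Control("AC-02", "MFA enforced for all remote access",
            {"SOC2:CC6.1", "ISO27001:A.9.4.2", "NIST171:3.5.3"},
            [Evidence("idp-mfa-policy-export.json", date(2021, 6, 20), 30)]),
    Control("VM-01", "Monthly authenticated vulnerability scan",
            {"SOC2:CC7.1", "ISO27001:A.12.6.1", "NIST171:3.11.2"},
            [Evidence("scan-report-2021-06.pdf", date(2021, 6, 7), 31)]),
    Control("BC-01", "Annual backup restore test",
            {"SOC2:A1.2", "ISO27001:A.12.3.1", "NIST171:3.8.9"},
            []),  # written into the policy, never evidenced
]


def coverage(controls: list[Control], today: date) -> dict[str, list[tuple[str, bool]]]:
    """Map every crosswalked requirement to the controls claiming it and whether each is operating."""
    status: dict[str, list[tuple[str, bool]]] = {}
    for c in controls:
        operating = c.is_operating(today)
        for req in c.requirements:
            status.setdefault(req, []).append((c.control_id, operating))
    return status


def framework_report(controls: list[Control], framework: str, today: date) -> tuple[list[str], dict[str, list[str]]]:
    """Return (met requirements, gaps) for one framework as of `today`.

    A requirement is met if at least one control mapped to it is operating;
    otherwise it is a gap, listed with the controls that failed to carry it.
    """
    met: list[str] = []
    gaps: dict[str, list[str]] = {}
    for req, hits in sorted(coverage(controls, today).items()):
        if not req.startswith(framework + ":"):
            continue
        if any(ok for _, ok in hits):
            met.append(req)
        else:
            gaps[req] = [cid for cid, _ in hits]
    return met, gaps


def evidence_reuse(controls: list[Control]) -> dict[str, int]:
    """How many framework requirements each piece of evidence supports via its control."""
    return {e.name: len(c.requirements) for c in controls for e in c.evidence}


if __name__ == "__main__":
    as_of = date(2021, 7, 4)
    for fw in ("SOC2", "ISO27001", "NIST171"):
        met, gaps = framework_report(CONTROLS, fw, as_of)
        print(f"{fw}: {len(met)} met, {len(gaps)} gaps {gaps}")
    print("evidence reuse:", evidence_reuse(CONTROLS))
```

Run as of 4 July 2021, the quarterly access review collected on 2 April is 93 days old and drops out, and the never-evidenced restore test was never in, so two gaps appear in each of the three frameworks; rerun as of 21 June and only the restore test remains a gap. That date-dependence is the whole point: the report is a function of when you ask, not of what the spreadsheet said at audit time.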

CyberOne is cloud-based GRC automation. We bring governance, compliance, and risk together with purpose. If you are ready to go beyond the checkbox, reach out to CyberOne and we will tell you more.


Credits:

Harvard Business Review: https://hbr.org/2018/03/why-compliance-programs-fail

The Compliance and Ethics Blog: Check Your Use of “Check the Box”

A security message from HRH the Queen on Independence Day

All freedom comes at a price. Good security helps maintain freedom by protecting your company from exposure to an increasingly threatening landscape. Help keep us pesky Brits and other ne’er-do-wells from invading your systems and networks (again) this coming Independence Day weekend.

It’s all about getting the Crown Jewels without paying a Queen’s ransom!

Completely unbiased advice for how to select the right GRC Tool

Do you need Compliance Certification? Does your soul begin to resemble a spreadsheet? Do you need a GRC tool? Do you think you only need a compliance tool? Do you know the difference?

It’s all about getting the Crown Jewels without paying a Queen’s ransom!

As you launch your search, here is a quick, totally unbiased, summary of the capabilities you should require from your tool:

  1. Policy Management: Can you write, review, update and communicate policies and connect them to your internal controls and regulatory requirements?
  2. Asset Management: Can you attach controls to specific assets and monitor those assets in your tool?
  3. Control Management: Can you work with multiple regulations and consolidate your internal controls so that one control meets requirements in several frameworks?
  4. Evidence Collection: Can you automate evidence collection and use one piece of evidence to meet many controls?
  5. Control Tests: Can you validate evidence and create reports that demonstrate validation by control and by asset?
  6. Issue Management: Can you raise findings (from failed control tests or elsewhere), and view, prioritize and mitigate them (corrective actions, issues) from all areas of the business (compliance review, vulnerability scans, vendor review, internal audit, etc.)?
  7. Risk Management: Can you define risk metrics and objectives, and cascade risk > threat > issue > incident > controls > assets for a comprehensive understanding of your risk and compliance status and environment?
  8. Data Application: Can you take that data and apply it to organizational strategy?

Lower Audit Costs with a GRC Automation Platform

You can get a free readiness assessment by clicking this link and telling us which frameworks you need (CMMC, SOC 2, ISO, PCI, HIPAA, GDPR, all of these and more)

Did you know?

More and more auditors factor the use of a GRC solution into the pricing of an audit. If you are still working in spreadsheets, time is no longer your only enemy: now and in the future, you will pay more for that certification as well as wasting precious time. Compliance requirements are holding up the sales pipeline, causing stress, chaos, and general distress across your organization. Are you trying to keep up with evidence collection, control implementation, and the inevitable corrective actions that come from being overloaded, under-resourced, and ill-prepared for your audits (while using a spreadsheet)? We all know it is a fool’s errand if your tool has a “green-kiss” icon. We want to help!

Auditors have figured it out. So has Forbes magazine!

Auditors have recognized the value of an automation solution for managing the otherwise arduous compliance workflow. Compliance requires a lot of repetition, attention to detail, and the ability to macro- and micro-manage your people, process and technology. CyberOne will save you time, money, audit penalties (more money) and stress, and Forbes magazine agrees! (Cut and paste this into an email to your boss, now!)

CyberOne Cloud-Based Automation

CyberOne’s cloud-based automation solution is widely accepted by audit firms and supports the full compliance lifecycle. We automate evidence collection, risk and finding alerts, and risk monitoring. CyberOne also integrates with your security tools (BitSight, Nexpose, Nessus, Qualys), your productivity and workflow tools (Jira, Slack, Power BI, ServiceNow), and more.

CyberOne pays for itself in a matter of months.

We start by helping you select an auditor that is right for you and by scoping your readiness and requirements. We also provide all the tools you need to build or scale your compliance program, including readiness assessments, policy templates, control guidance and sample evidence lists. We will take you step by step through readiness, audit and certification, and set you up with continuous monitoring and ongoing automation to ensure success for this audit, the next surveillance audit, and recertification, year after year.


The bridge to CMMC Certification

Have you completed your CMMC-required NIST SP 800-171 control self-assessment and SSP, and posted your score to SPRS?

Federal contractor or subcontractor? Are you currently exploring, or getting lost in, the CMMC certification landscape?

Today, we provide a step-by-step guide and an affordable solution for each step in the process.

Hear from our CEO, Lily Yeoh, on best practices for achieving and fast-tracking CMMC certification.

Who’s (Whose?) on CMMC First?

Let’s begin with the landscape. Who requires CMMC certification, and who needs it? How do we get it? How do we maintain it? How do we build a budget for it? What is the CMMC-required NIST SP 800-171 control self-assessment, and what are the SSP and SPRS?

Who’s asking? Not only DoD Contracts…

It started with the DoD but, like a virus (!), it quickly spread. Earlier in 2020, the Department of Homeland Security (DHS) was already including CMMC in its contracting process. GSA is the latest to introduce CMMC language into its contracts: GSA notes that it reserves the right to require CMMC, based upon the contract and its security needs.

Who responds? Prime and Subcontractors, and so on…

DIB primes and all of their subcontractors are required to be CMMC certified at the level their contract specifies. This also includes completing the NIST SP 800-171 self-assessment and a control-mapped SSP; the resulting score (with the assessment date and the date by which all requirements will be met) must be posted in SPRS (Supplier Performance Risk System). “Quick tip”: it’s pronounced “Spurs” in the industry! The more you know…

What do we do now?

CyberOne’s full-suite GRC platform enables you to complete every step of the CMMC certification process. We provide all the tools and information you need to achieve and maintain certification on CyberOne’s highly automated, modern SaaS platform. Before you engage an MSP or consultant, check out what we can do for you. Request a demo today.

  • NIST SP 800-171 control self-assessment and SSP (see more below)
  • Policy development support
  • CMMC control development and implementation guidance (Levels 1-3)
  • Automated evidence collection and review
  • Mitigation and issue management for POA&Ms, findings and the risk environment
  • Risk register for proactive risk management
  • Vulnerability scans and analysis
  • Auditor-ready platform that can be used in collaboration with C3PAOs for certification

NIST 800-171 Control Self Assessment

Required as a starting point for all primes and subcontractors. Start with our fully automated, CMMC-required NIST SP 800-171 control self-assessment on the CyberOne platform: it produces your score, maps the controls to your SSP, and is report-ready for submission to SPRS. Add your subcontractors for assessment, starting at only $350 per assessment. Your assessment is mapped to CMMC controls in CyberOne, so you can begin CMMC readiness as soon as the assessment has been completed.
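The score that gets posted to SPRS comes from the DoD’s NIST SP 800-171 Assessment Methodology, and it is worth understanding how it is computed before paying anyone to compute it for you. The following is an added Python example, not CyberOne code: it starts at 110, subtracts the weight (5, 3 or 1) of every requirement that is not fully implemented (an item that is only on a POA&M gets no credit), applies the partial credit the methodology allows for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), subtracts nothing for a requirement assessed as not applicable, and refuses to score at all when there is no system security plan (3.12.4), which is the methodology’s rule. The WEIGHTS table is a constructed subset of the 110 requirements; the values given for these nine are believed to match the methodology but should be verified against its Annex A before being relied on. The extra consistency checks in sprs_record are this example’s own, not rules from the methodology.

```python
"""NIST SP 800-171 DoD Assessment Methodology scoring, as posted to SPRS.

Added example, not CyberOne code. Scoring rules: start at 110, subtract the
weight of each requirement that is not fully implemented (items only on a
POA&M get no credit), allow the two partial credits the methodology defines,
and refuse to score if there is no system security plan. WEIGHTS is a
constructed subset of the 110 requirements; verify the values against the
methodology's Annex A before relying on them.
"""
from __future__ import annotations

from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"  # includes "planned" items on a POA&M
    PARTIAL = "partial"                  # valid only for 3.5.3 and 3.13.11
    NOT_APPLICABLE = "not_applicable"    # no points subtracted


MAX_SCORE = 110

# Constructed subset of the 110 requirements and their assumed weights.
# 3.12.4 (the SSP itself) carries no weight: without it there is no score at all.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.4": 1,    # separation of duties
    "3.1.5": 3,    # least privilege
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.5.3": 5,    # multifactor authentication
    "3.11.2": 5,   # vulnerability scanning
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.12.4": 0,   # system security plan (prerequisite, not scored)
}

# Partial credit: MFA for remote and privileged users only, or encryption in
# place but not FIPS-validated, subtracts 3 instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


class NotAssessable(Exception):
    """Raised when the methodology says no score can be produced."""


def deduction(requirement: str, status: Status) -> int:
    """Points subtracted for one requirement in the given state."""
    if status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
        return 0
    if status is Status.PARTIAL:
        if requirement not in PARTIAL_CREDIT:
            raise ValueError(f"{requirement} has no partial-credit rule; score it implemented or not")
        return PARTIAL_CREDIT[requirement]
    return WEIGHTS[requirement]


def sprs_score(assessment: dict[str, Status]) -> int:
    """Compute the summary score for a complete assessment keyed by requirement id."""
    if assessment.get("3.12.4") is not Status.IMPLEMENTED:
        raise NotAssessable("no system security plan: assessment cannot be completed")
    unknown = set(assessment) - set(WEIGHTS)
    if unknown:
        raise KeyError(f"requirements not in weight table: {sorted(unknown)}")
    missing = set(WEIGHTS) - set(assessment)
    if missing:
        raise ValueError(f"every requirement must be scored; missing {sorted(missing)}")
    return MAX_SCORE - sum(deduction(req, status) for req, status in assessment.items())


def sprs_record(assessment: dict[str, Status], assessment_date: str,
                scope: str, poam_completion: str | None) -> dict:
    """Summary fields posted to SPRS with the score (the SSP document itself is not uploaded).

    The two consistency checks are this example's own sanity checks, not methodology rules.
    """
    score = sprs_score(assessment)
    if score == MAX_SCORE and poam_completion is not None:
        raise ValueError("a full score has nothing left on the plan of action")
    if score < MAX_SCORE and poam_completion is None:
        raise ValueError("a score below 110 needs the date all requirements will be met")
    return {"assessment_date": assessment_date, "score": score, "scope": scope,
            "plan_of_action_completion": poam_completion}


if __name__ == "__main__":
    # Constructed assessment: one low-weight gap, a POA&M'd FIPS item, partial MFA, one N/A.
    sample = {req: Status.IMPLEMENTED for req in WEIGHTS}
    sample.update({"3.1.4": Status.NOT_IMPLEMENTED, "3.5.3": Status.PARTIAL,
                   "3.13.11": Status.NOT_IMPLEMENTED, "3.1.8": Status.NOT_APPLICABLE})
    print(sprs_record(sample, "2021-07-01", "Enclave", "2021-12-31"))
```

Two things the arithmetic makes obvious that a checklist hides: a single unimplemented five-point requirement such as MFA or FIPS crypto costs as much as five one-point items, and anything parked on a POA&M counts exactly the same as not done. That is why the readiness stage should start with the five-point gaps rather than with whatever is easiest to close.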

CMMC Certification and More

The key to successful compliance, and the challenge for most enterprises, is the maintenance and effective, ongoing implementation of controls, often across multiple frameworks. We call this continuous monitoring.

On the CyberOne platform, we provide control implementation guidance, policy templates, and sample evidence checklists to build your CMMC controls easily. We also provide access to our global obligations library and crosswalks. CyberOne offers more than 100 global regulations and standards, crosswalked to show related requirements across multiple standards. Crosswalks enable you to comply with multiple security and privacy frameworks using a minimal control set.

Control Automation with CyberOne

We will guide your internal control and policy development, and provide gap analyses and recommendations for strengthening controls and policies. It is all part of the CyberOne offering. CMMC, SOC 2 and ISO 27001 are all within comfortable reach on CyberOne’s extensible platform.