DarkSide: The Consumerization of Hacking

The attack on Colonial Pipeline Co. brought to light well-documented vulnerabilities in the aging US energy infrastructure. It also demonstrates the real and growing threat that cybercrime poses to our society, as well as a growing trend in the cybercrime market: Ransomware as a Service (RaaS). This is the consumerization of cybercrime, where hacker collectives literally operate as a business, serving clients with ready-to-use ransomware tooling and infrastructure that those clients (the affiliates) then use to attack companies around the world.

For more information on the hack and its perpetrators, DarkSide, read the Krebs on Security article that takes a close look at “DarkSide” and its operations.

Hacktivists turned Capitalists

Hacker groups and collectives are nothing new. One of the earliest documented hacking incidents dates back to 1971 and is attributed to John Draper, a Vietnam veteran who figured out how to make free phone calls (phone phreaking). Hacking has come a long way since Draper decided he needed free long-distance calls, becoming part of the mainstream lexicon, glamorized to a large extent by hackers themselves and by a largely uninformed Hollywood portrayal of “hacktivist” culture. Far from Hollywood’s “freedom fighter” hacker, the black-hat industry has always largely been about making money, but in recent years it has become bolder and more capable, while seemingly shedding whatever ethical constraints it had.

Who is at risk?

These hacking collectives will tell you that only the largest companies, those that can “afford to lose a few million”, are targeted. They also claim that state-actor projects, or geopolitics, are off the table, the sole aim of these groups being to serve as a sort of online Robin Hood: taking from the rich… Oops, it seems they forgot about giving to the poor. The reality seems far less “ethical” and far more indiscriminate. This week, a single, albeit major, pipeline operation was interrupted. Just three months ago, a small Florida city water utility was hacked. School districts and universities have been targets and, of course, most industry sectors have been and continue to be targeted, from carpet manufacturers to the big banks. All in all, an estimated 2,400 US-based government agencies, healthcare facilities, and schools were victims of ransomware in 2020 alone. Pre-IPO companies that are trying to safeguard sensitive data before going public are a popular target. The reality is that these attacks have a cascading fallout that impacts our safety, our health, our economy, our taxes, and our livelihoods. Who is at risk? All of us, it would seem.

Consumer Beware

Yes, based on the above, corporations are largely the chosen victims of ransomware. However, if you think this makes you immune as an individual, think again…

This attack spilled over into everyday life, shutting down a major US fuel pipeline and leading to widespread fallout: lines at gas stations and fuel shortages, rising gas prices, and a thankfully minimal reaction in the stock market.

Corporations that have suffered ransomware attacks are lobbying governments for bail-out funds so they can strengthen their security practices against future attacks. What we may never know (of course we know) is whether appropriate security measures were in place before these attacks. From a consumer perspective, that cost is now passed on to you in the form of higher product prices, stagnant wages, and of course your taxes. If this sounds like the TARP bailout of 2008, where citizens effectively paid the billion-dollar bonuses of bankers, well… your hearing might be good.

As Krebs reports, experts say ransomware attacks will continue to grow in sophistication, frequency, and cost unless something is done to disrupt the ability of crooks to get paid for such crimes. Last month, a group of tech industry heavyweights lent their imprimatur to a task force that delivered an 81-page report to the Biden administration on ways to stymie the ransomware industry. Among many other recommendations, the report urged the White House to make finding, frustrating, and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat.

Corporate “Oversight”

As corporations invest their own money, or bailout money, in building out security, they will buy tools to scan networks, environments, systems, and assets in an attempt to pre-empt and detect threats. However, the data those tools produce must be managed effectively, prioritized, and applied to people, process, and technology to have any impact. This is where companies fall short, and it is a gap that CyberOne is trying hard to help them fill.

We want all companies to build a culture of risk awareness across their organization. This starts with effective governance and leadership commitment to risk awareness, and with resources for effective risk management. While many companies can present compliance certifications as a demonstration of commitment to security, risk management is really the key to effective security.

For more information on risk management implementation, contact CyberOne.

May is Free: Get Your CMMC Free Readiness Assessment

 

For the entire month of May, CyberOne is offering a free readiness assessment for CMMC certification. The assessment is compatible with the NIST SP 800-171 self-assessment whose score is submitted to SPRS. Click on the link below and put CMMC in the message field. We will respond with your assessment:

FREE CMMC Assessment

Fully Guided CMMC Implementation and Certification – no need for costly consultants:

CyberOne’s full suite GRC platform enables you to complete every step of the CMMC Certification process. We provide you all the tools and information you need to achieve and maintain certification on CyberOne’s highly automated, modern SaaS platform. Before you engage an MSP or consultant, check out what we can do for you. Request a demo today.

  • NIST 800-171 Control Self Assessment and SSP (get it for free here)
  • Policy Development Support
  • CMMC control development and implementation guidance (Levels 1-3)
  • Automated evidence collection and review
  • Mitigation and issue management for POA&Ms, findings, and your risk environment
  • Risk register for proactive risk management
  • Vulnerability scans and analysis
  • Our auditor-ready platform can be used in collaboration with C3PAOs for certification
  • Contact with C3PAOs ready to certify you, with CyberOne special pricing

CyberOne with Slack for Alerts & Risk Mitigation

CyberOne’s GRC lifecycle SaaS platform provides an open API for integration with most modern business systems. If your company uses Slack, you can integrate it with CyberOne to manage risk mitigation, send alerts and notifications to Slack, create communication channels within your organization, and communicate directly with CyberOne Support. See the workflow below for more information, or contact us for your demo.

  1. Authenticate to Slack
  2. Create your #1risk channel to communicate directly with CyberOne
  3. Send alerts and notifications from CyberOne to Slack

The CyberOne Security extensible GRC lifecycle SaaS platform is your single source of truth for policy, risk, and compliance management. Built for companies of all sizes, we help automate and integrate your policy, compliance, asset, risk, incident, and business continuity management. Manage all your certifications on CyberOne (SOC 2, ISO 27001, CMMC, PCI, HIPAA) with our cross-referenced framework library of more than 100 global frameworks. CyberOne also provides policy, control, evidence, risk register and assessment templates, and step-by-step training and implementation guides. There’s no more need for costly consultants, or confusing, demoralizing spreadsheets!

INTEGRATE. AUTOMATE. THE POWER OF ONE

 


Slack API app – CyberOne Risk Workflow Sample

Incoming Webhooks:

Webhook #1. When a Finding is created, or when a user clicks Send Email Registration, post a message to Slack that says:

Icon: https://fontawesome.com/icons/shield-virus?style=solid

Color: #FA7C00

Title: Issue Management

You have a new request. Click Mitigate Risk if you can resolve the issue by the assigned due date, or, if you need more time, click Exception Request to obtain risk approval.

Finding Name: <insert>

Source Type: <insert>

Due Date: <insert>

Primary Contact: <insert>

Finding Description: <insert>

If Mitigate Risk is clicked: set Finding response = Mitigate Risk and create a Risk Mitigation record associated with the Finding.

If Exception Request is clicked: set Finding response = Exception Request and create an Exception Request (ER) record associated with the Finding.
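The Slack side of the workflow above, as an added example written for this page (it is not CyberOne’s own integration code). It builds the Block Kit payload for the Issue Management message, posts it to an incoming webhook, authenticates the interactive callback Slack sends when a button is clicked, and applies the Mitigate Risk / Exception Request branching. The webhook URL, the signing secret, the Finding fields and the in-memory dict standing in for the GRC record store are illustrative assumptions. Two points a practitioner should not skip: an incoming webhook only delivers messages, so button clicks arrive at your app’s Request URL and must be verified against Slack’s signing secret (HMAC-SHA256 over `v0:<timestamp>:<body>`, with a replay window) before any record is created; and the webhook URL itself is a credential.

```python
# Added example (not CyberOne's code): Slack side of the Issue Management workflow.
# Assumed for illustration: the webhook URL, the signing secret, the Finding fields
# and an in-memory dict standing in for the GRC record store.
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from urllib import request

MITIGATE = "Mitigate Risk"
EXCEPTION = "Exception Request"


@dataclass
class Finding:
    finding_id: str
    name: str
    source_type: str
    due_date: str            # ISO date string, e.g. "2021-06-30"
    primary_contact: str
    description: str


def build_slack_payload(f: Finding) -> dict:
    """Orange (#FA7C00) attachment titled 'Issue Management' carrying the finding's
    fields and the two response buttons. The colour bar is an attachment feature,
    so the Block Kit blocks are nested inside the attachment."""
    prompt = ("You have a new request. Click *Mitigate Risk* if you can resolve the "
              "issue by the assigned due date, or *Exception Request* if you need "
              "more time and want risk approval.")
    blocks = [
        {"type": "header", "text": {"type": "plain_text", "text": "Issue Management"}},
        {"type": "section", "text": {"type": "mrkdwn", "text": prompt}},
        {"type": "section", "fields": [
            {"type": "mrkdwn", "text": f"*Finding Name*\n{f.name}"},
            {"type": "mrkdwn", "text": f"*Source Type*\n{f.source_type}"},
            {"type": "mrkdwn", "text": f"*Due Date*\n{f.due_date}"},
            {"type": "mrkdwn", "text": f"*Primary Contact*\n{f.primary_contact}"},
        ]},
        {"type": "section", "text": {"type": "mrkdwn",
                                     "text": f"*Finding Description*\n{f.description}"}},
        {"type": "actions", "elements": [
            {"type": "button", "style": "primary", "action_id": "mitigate_risk",
             "text": {"type": "plain_text", "text": MITIGATE}, "value": f.finding_id},
            {"type": "button", "action_id": "exception_request",
             "text": {"type": "plain_text", "text": EXCEPTION}, "value": f.finding_id},
        ]},
    ]
    return {"attachments": [{"color": "#FA7C00", "blocks": blocks}]}


def post_to_slack(webhook_url: str, payload: dict) -> int:
    """POST to an incoming webhook and return the HTTP status (network call, not
    exercised offline). The URL is a bearer credential: anyone holding it can post
    to the channel, so keep it in a secret store, not in page configuration."""
    req = request.Request(webhook_url, data=json.dumps(payload).encode(),
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        return resp.status


def slack_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Slack's request signing: 'v0=' + HMAC-SHA256(secret, 'v0:<timestamp>:<raw body>')."""
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_request(signing_secret: str, timestamp: str, body: bytes,
                         signature: str, now=None, max_age: int = 300) -> bool:
    """Authenticate an interactive callback (button click) before acting on it:
    reject stale timestamps (replay window) and compare in constant time."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(now - ts) > max_age:
        return False
    return hmac.compare_digest(slack_signature(signing_secret, timestamp, body), signature)


def handle_response(f: Finding, action_id: str, records: dict) -> dict:
    """Apply the branching above: Mitigate Risk creates a Risk Mitigation record,
    Exception Request creates an ER record; anything else is rejected, never defaulted."""
    if action_id == "mitigate_risk":
        response, rec = MITIGATE, {"type": "RiskMitigation", "finding_id": f.finding_id}
    elif action_id == "exception_request":
        response, rec = EXCEPTION, {"type": "ExceptionRequest", "finding_id": f.finding_id}
    else:
        raise ValueError(f"unknown action_id: {action_id!r}")
    entry = records.setdefault(f.finding_id, {"response": None, "linked": []})
    entry["response"] = response
    entry["linked"].append(rec)
    return entry
```

In a real deployment the callback handler reads `X-Slack-Request-Timestamp` and `X-Slack-Signature` from the request, passes the raw (unparsed) body to `verify_slack_request`, and only then looks up the Finding by the button’s `value` and calls `handle_response`.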

Sample Slack Integration with CyberOne

SOC 2 Certification. Your Security Passport.

The Hotman Group and CyberOne Security have more than 50 years of combined experience delivering risk and compliance management and SOC 2 certification to companies of all sizes. Trust your SOC 2 readiness to certified CPAs who understand the complex control implementation and infrastructure needed to satisfy audit requirements. Maintain your control implementation and any corrective actions, and automate your year-round evidence collection, on CyberOne’s modern SaaS GRC automation platform. We provide continuous, comprehensive compliance at a fraction of the cost of traditional consulting services and limited, niche compliance solutions.

CyberOne is delighted to feature today’s article from Cheri Hotman, Owner Principal of the Hotman Group.

As the federal government rolls out CMMC (the Cybersecurity Maturity Model Certification), corporations are both facing increased scrutiny and demanding higher levels of security, risk, and compliance. In today’s marketplace, doing business is a matter of security: you need it, and you need to demonstrate it. SOC 2 applies to any service organization that stores or processes customer data in the cloud, which is pretty much all of us these days. It can also serve as a basis for governing regulated data (PHI or PII) and is a highly useful means of validating cybersecurity practices to the board and to all current and future clients. As such, it is quickly becoming the first question in a risk assessment (do you have a SOC 2 report?), and therefore a revenue driver and a means of expediting security review in the sales pipeline, as well as a comprehensive framework and foundation for security.

In this article, Cheri addresses the widely publicized SolarWinds hack, its impact on the cybersecurity community, and the resulting measures corporations are taking to manage risk across the enterprise and in the supply chain.

The SolarWinds Breach

We’ve all heard about the recent SolarWinds breach, and for good reason. The IT management software vendor was compromised in 2019, and in March 2020 it unknowingly shipped an update to its Orion product with a backdoor (the SUNBURST malware) hidden inside, leaving its clients open to attack. Of its roughly 33,000 Orion customers, an estimated 18,000 downloaded and installed the trojanized update, giving the attackers a foothold from which extremely valuable, highly sensitive information could be reached (Canales and Jibilian).

What Now?

The initial chaos has subsided, and the resounding question now is “how?” Surely a high-profile company offering services to Fortune 500 companies and the U.S. Government would detect a breach in its own systems, right? Unfortunately, the answer isn’t quite so simple. Cybersecurity is a complex, multidimensional practice meant to protect against digital attacks. There are countless parts to it, but as a result of this breach the importance of one particular part has been brought to light: SOC 2.

What Exactly is SOC 2?

SOC 2 is an intensive audit of cybersecurity, risk, and technical controls that must be performed by a CPA firm. It produces an attestation report (commonly, if loosely, called a SOC 2 certification) that gives either a green light or a bold, flashing red light regarding the controls a company has put in place to protect the product or service (and data) it offers. Companies use these reports to confirm their systems are secure and functioning properly, and potential clients use them to vet their vendors. A company that has a CPA produce these reports stands out: it simplifies the vendor-selection process, making it cost-effective and confidence-building for potential clients.

There are two types of SOC 2 audits. Type 1 determines whether a company’s cybersecurity and technical controls are designed appropriately as of a specific point in time (think April 3, 2021: controls could have been compromised the day before or the day after, but this type of audit only attests to the date of the report). Type 2 measures a business’s control design and operating effectiveness over a period of time (typically 12 months, sometimes as short as six). Most companies and clients seek out Type 2 reports because of the detail and assurance they provide. Here, more is more: companies and clients alike want little-to-no room for error in knowing the controls in place are reducing risk as they’re supposed to.

How to be Successful with SOC 2:

The SolarWinds breach has prompted numerous companies to seek out their first SOC 2 report, which can be an overwhelming process. Fortunately, it doesn’t have to be daunting! SOC 2 is attainable for every company. First, know that your commitment to managing your systems and risk will make or break the success of your SOC 2 audits, meaning it’s essential to have an ongoing program built into your company to effectively design and continuously monitor controls. The goal is to be ready for the audit before the audit. Doing so leaves less room for failure and means less stress and scrambling to get things in place at the last minute. There are several GRC tool options built to help you do this successfully! Use one to monitor your controls continuously, communicate metrics, and produce documentary evidence. As part of these programs, you need corrective-action processes for when you catch failures, because they will happen, and that’s okay, so long as you have a plan! Lastly, it is best to hire someone to help you design and run your control environment. Because it is an ongoing and complex process, this will save you time, hassle, and error. Focus on what you excel at while allowing a SOC 2 expert to focus on what they do best: minimizing waste, guesswork, and failures.

Words of Wisdom:

Although this is a completely attainable goal, there are a few things you’ll want to avoid when implementing your new SOC 2 program:

  • Do not try to do this with Excel, Word, or email. It will result in a blow-up-in-your-face disaster. Go ahead and invest in a platform built for handling compliance, risk and controls. You’ll thank me later!
  • Because a SOC 2 program is an ongoing one, it often seems ideal to hire someone in-house to build out and manage your program. However, this also means managing them to make sure they are doing their job correctly. Ultimately, it’s both time-consuming and expensive, so if this route doesn’t seem feasible…
  • Work with a company or person that can get you set up and keep you running like a well-oiled engine. Many businesses offer implementation and management for a lower overall cost than an in-house resource.
  • Although using a third party is a great option, use caution when choosing who to work with. Make sure they have the proper certifications for both SOC 2 AND security, as well as deep cybersecurity and risk practitioner expertise.
  • If this sounds like a foreign language to you, you’re just overwhelmed, or you don’t know if you’re ready to begin this process, hire someone to perform a gap assessment to figure out where you are today, and what your needs are, to put you on the path to success.

 

About the Author:

Cheri Hotman is an enthusiastic, passionate professional. Her drive to succeed began when she graduated with an MBA from the University of Texas at Dallas, and has only grown since then. With a track record that includes a career predominantly in banking, financial services, and consulting, followed by a position as Vice President in the Tech/IT space, you’d think her tenacity would have faltered, and you’d be wrong. She is a CPA, now holds her CISSP (cybersecurity certification), and has launched her own cybersecurity, risk, and compliance practitioner company. If you need a cybersecurity expert, or even just some inspiration, connect with her through www.hotmangroup.com, or via LinkedIn at www.linkedin.com/in/cherihotman.

Read more about CyberOne from our clients on Gartner’s Capterra review site, or contact us directly.

CMMC Certification Ready… Steady…

 

Whether you’re a Formula 1 expert or a learner driver on the Information Security Certification Super Highway (!), you should be aware of the Cybersecurity Maturity Model Certification, CMMC. If you are a federal prime or subcontractor, and, more to the point, a DIB (Defense Industrial Base) contractor, you might be lost on that highway right now! Never fear! No need to download any more “free guides to CMMC Certification” (like, errr, this one!)

Here is your map to CMMC Certification!

Step 1: Take The Shortcut

For you Netflix addicts (who isn’t, after this year?), you can shortcut this article and watch our CEO Lily Yeoh’s latest TV interview here.

OR… (HINT: no map needed) just contact CyberOne and we will automate the process for you…

Who’s (Whose?) on CMMC First?

Let’s begin with the landscape. Who requires and who needs CMMC Certification? How do we get it? How do we maintain it? How do we build a budget for it? What is the CMMC required NIST 800-171 Control Self Assessment and SSP for SPRS?

Who’s asking? Not only DoD Contracts…

It started with the DoD, but, like a virus (!), it quickly grew. Earlier in 2020, the Department of Homeland Security (DHS) began including CMMC in its contracting process, and GSA is the latest agency to introduce CMMC language into its contracts. GSA notes that it reserves the right to require CMMC, depending on the contract and its security needs. Read more about GSA and CMMC here.

Who responds? Prime and Subcontractors, and so on…

DIB contractors and their subcontractors are required to be CMMC certified as the requirement is phased into DoD contracts. Already required today is completion of the NIST SP 800-171 self-assessment and a control-mapped SSP; the assessment must be submitted, with its score, to SPRS (Supplier Performance Risk System), where it is displayed. “Quick tip”: it’s pronounced “Spurs” in the industry! The more you know…

What do we do now?

CyberOne’s full suite GRC platform enables you to complete every step of the CMMC Certification process. We provide you all the tools and information you need to achieve and maintain certification on CyberOne’s highly automated, modern SaaS platform. Before you engage an MSP or consultant, check out what we can do for you. Request a demo today.

  • NIST 800-171 Control Self Assessment and SSP (see more below)
  • Policy Development Support
  • CMMC control development and implementation guidance (Levels 1-3)
  • Automated evidence collection and review
  • Mitigation and issue management for POA&Ms, findings, and your risk environment
  • Risk register for proactive risk management
  • Vulnerability scans and analysis
  • Auditor-ready platform that can be used in collaboration with C3PAOs for certification

NIST 800-171 Control Self Assessment

Required as a starting point for all primes and subcontractors. Start with our fully automated, CMMC-required NIST 800-171 Control Self Assessment on CyberOne’s platform: it produces your risk score, maps controls to your SSP, and generates a report ready for submission to SPRS. Add your subcontractors for assessment, starting at only $350 per assessment. Your assessment is mapped to CMMC controls in CyberOne, so you can begin CMMC readiness as soon as the assessment has been completed.

CMMC Certification and More

The key to successful compliance, and the challenge, for most enterprises, is the maintenance and effective, ongoing, implementation of controls, often across multiple frameworks. We call this continuous monitoring.

On the CyberOne platform, we provide you with control implementation guidance, policy templates, and sample evidence checklists to easily build your CMMC controls. We also provide access to our global obligations library and crosswalks. CyberOne offers more than 100 global regulations and standards, crosswalked to show related requirements across multiple standards. Crosswalks enable you to comply with multiple security and privacy frameworks with a minimal control set.

Control Automation with CyberOne

We will guide your internal control and policy development, as well as provide gap analyses and recommendations for strengthening controls and policies. It’s all part of the CyberOne offering. CMMC, SOC2, ISO 27001 are all within comfortable reach on CyberOne’s extensible platform.

Trust vs. Zero Trust.


Feeling secure?

Privacy versus security is a trust versus zero trust game! CyberOne says there can be no privacy without security. So trust starts with zero trust, obviously…

In a time when privacy has been elevated to a Royal topic, I spent the day/week/month perusing articles about privacy to see what, if any, common themes arose. By far the all-pervading subject of choice can be boiled down to a single, one-syllable, mighty word…

“Trust”

A principal objective for B2C and B2B customers, “trust” is the pot of gold at the end of the privacy rainbow. Without trust, consumers are lost and companies will not share or fulfill valuable data requirements. Meanwhile, outside the privacy circles, where the SolarWinds blow, the government is moving hastily towards a “Zero Trust” security posture. Are they really opposites?

At CyberOne, we freely bandy the phrase “ there is no privacy without security”. In the world of Privacy, Trust and Zero Trust might just mean the same thing!  

Yes, you are living in an episode of Alias!

As a consumer-human, or company that has or uses personal information, you may be surprised/skeptical/afraid (opt-in or opt-out accordingly – that’s a privacy joke!) to hear this… Have no fear, or, actually have fear, and from fear there will come no fear, if this is done right! Fear is healthy. It prompts caution, which is the path to security. For example, if you have read the latest from Mr. Snowden, or know anything about the seemingly constant attacks on privacy data, you’re probably not reading this on your phone and, COVID aside, you may be forgiven for pulling your curtains, sliding your webcam cover shut and communicating in sign language to your partner while playing very loud music.

According to both NIST and Pew Research, roughly 80% of Americans believe that the potential risks of companies collecting data about them outweigh the benefits. This presentation by NIST exposes many of our fears related to privacy and the growing, if not ever-present, lack of trust in corporations. That trust is such a high-value, but perhaps unachievable, commodity is, in itself, worth discussion.

Why is it so important and what does it mean for companies and consumers to establish trust? 

Perhaps this is obvious, but, for all the fearmongering, justified or otherwise, about our personal information being stolen, the myriad ways to steal it, and the documented lack of trust, the question is interesting because, for the most part, consumers offer up personal information with relative abandon to corporations, who use it, among other things, to sell you products that stop your personal information from being stolen. The influencer phenomenon was built upon sharing information. We may not trust, but sharing takes precedence, it would seem. Forbes started tracking this phenomenon more than 10 years ago. Imagine how that Forbes article would read today. Nonetheless, if the NIST data is true, while consumers are open to the new “world wide web” order, they may be permanently teetering on the edge, which puts the golden eggs of retention and loyalty at risk. As such, to the good, business has largely come aboard the privacy train, even if for some it is driven by acquisition and retention strategies rather than solid ethics.

Governments, equally, are finding it in the common interest to protect personal information. Privacy regulations cover more geographic regions than you might know: the GDPR (the European General Data Protection Regulation), the UK GDPR, Brazil’s LGPD (Lei Geral de Proteção de Dados), the APEC Privacy Framework (Asia-Pacific Economic Cooperation), even China. Here in the US, too, many states have their own privacy regulation, perhaps the most recognized being CCPA/CPRA, but by no means the only one (US states with privacy laws). Penalties for misuse of data are potentially very severe, which makes enforcement a potential “do-good” source of revenue for governments.

So, why are we still living in fear? Let’s go back to that stolen CyberOne adage: you can’t have privacy without security. Simply put, privacy is NOT security.

Compliance with the legal aspects of the various privacy laws, be it the GDPR, its British (UK GDPR) and Brazilian (LGPD) counterparts, CCPA/CPRA, ODP, APEC, and so on, is all well and good, but largely these laws just give the consumer a set of choices. If you want to learn more about the various laws, including one of the first to connect privacy and liability with security, see the supplement at the end of this article.

The marriage of privacy and security is where trust begins…

Why? Because it goes one giant leap further: it tells the consumer that the company is committed to protecting the data however it is collected, stored, transferred, and even destroyed. Compliance says we are obeying the law. Security says not only that we are protecting your data but how; it speaks to implementation. If companies want to build consumer trust, they need to demonstrate more than compliance: they need to be secure, not just say they are. For example, Ring built a billion-dollar business not on the ability to see who is at your door and decide whether to open it (privacy), but on the ability to shout at them through the doorbell and call the cops.

Trust is about security. Trust comes from zero trust! Security is the zero-trust constant. Security means, among other things, verify; so, from a security position, zero trust takes any assumption out of trust. If a company can achieve this for its customers, whether companies or consumers, then the other golden eggs of loyalty and retention should follow. So, while you may already think that privacy is connected to your sales strategy, the data shows that security, rather, should be part of your acquisition and retention strategies.

So, now I need to add a budget for Security?

To simply state that companies must overlay security on privacy ignores the most common question for SMBs: where is the budget? Indeed, what does this mean for SMBs with limited budgets, or hyper-growth startups with investors “hyper-focused” on revenue? How easy is it to pivot from little or no security and privacy to a position where these requirements can be met and maintained?

Our experience in the world of SMBs tells us that many companies out there have very limited budgets. Sound familiar? Are you trying to manage security and privacy with a skeleton crew (one or two people) and a spreadsheet? Modernizing your security and privacy program is vital, and it is a budget-wise solution, too. These programs cannot be managed effectively on spreadsheets, first because they require continuous monitoring, and generally because the readiness work (evaluating control strength and implementation, collecting evidence and verifying it, prioritizing, managing, and mitigating risk) is all-consuming and leaves little to no time for proactive risk analysis beyond the task of risk management. In a tool, you can eliminate many of the redundant and painful elements of security and privacy, like chasing evidence, and a good tool will tell you at any time whether you are secure and in compliance, which saves costs.

If the higher purpose of risk and compliance management is i) to ensure security, ii) to prevent risk, iii) to assure compliance and, above all, to apply risk insight to become a more agile company, which is indeed one of our deliverables at CyberOne, these are not achievable from a spreadsheet. They are entirely achievable with automation and integration. While tools rarely replace people (successfully), the right solution will create efficiencies and target processes that enable people to prioritize effectively. To that end, here are some final tips:

  • Choose a solution that integrates your internal control framework with your policies, your requirements (regulations or standards) and enables you to create “crosswalks” that allow many-to-one mapping efficiencies for control references and evidence items. 
  • Look for continuous monitoring to ensure you are always in compliance, which can be critical to fluidity in your sales pipeline. Look for integrated risk management that connects your Risk Register (proactive – possible) and Findings (active – actual risk) and your entire risk environment to your control family to allow both proactive and reactive mitigation. 
  • Finally, API integration with your business systems and your intelligence platforms, all of this, will help reduce the level of employee engagement necessary to maintain repetitive processes and enable a more risk-aware, analytics focused risk program, as well as lower the level of non-practitioner engagement in the functional bureaucracy of risk management.
  • Enable your risk team (of one) to focus on supplying intelligence, and applying intelligent risk, and, enable your nonpractitioners to engage with the risk program only where it is meaningful to their work. 

CyberOne Security’s modern GRC automation platform supports continuous risk and compliance management that enables business. With CyberOne, you can establish comprehensive security and privacy on a single pane of glass with complete assurance that you are protecting your business, your data, your customer, your revenue, and your reputation.

Our clients agree and so do their customers! 

Happy Privacy AND Security day, week, month year, y’all!

 

Supplement: The Privacy Landscape from a Regulatory and Standards Perspective

Regulations:

Let’s take a brief look at the regulatory landscape: regulation has been abundant, but agreement on how to protect privacy is less clear, and all-important trust is not a factor. Regulations start in US states (CCPA, ODP, NYPA, etc.) and reach whole countries (LGPD), continents (GDPR, APEC), archipelagos, and even a few dictator-nations (those last examples may not be entirely true!). You can read a good comparison of US privacy laws from IAPP here. Here are some of the basic differences:

To Opt-In or To Opt-out? ( or, Shakespeare meets privacy…)

GDPR requires businesses to request consent. It defines consent as “freely given, specific, informed and unambiguous”. In other words, consumers must “opt in” to any use of their data. Consumers most commonly experience this today in the form of “subscribe to” requests or “cookie banners” (sadly, not the chocolate chip, macadamia nut variety). GDPR implementation is relatively rigorous, but what counts as compliance is rather vague, and enforcement practice by the supervisory authorities is still developing. GDPR gives lots of guidance on what needs to be done to protect privacy, but it is lacking in the “how”.

CCPA (soon to be amended by CPRA), however, takes a largely “opt out” approach to consumer privacy, effectively requiring consumers to indicate that they do not want their personal information sold. Similarly, CCPA takes a more legalistic approach to privacy, outlining “must do’s” with little guidance on “how to”.

Setting the Standard

If privacy is not a legal requirement for you, but you do wish to learn more about approaches, both NIST and ISO have published privacy standards to help you build out controls. You can read about these here:

NIST PRIVACY

ISO 27701

Security and Privacy…

That brings us to Ohio! Another interesting privacy law is the Ohio Data Protection Act (ODP). This is somewhat under the radar, as it is limited to the great state of Ohio, but it is a potentially rather important regulation from a legal precedent standpoint. Ohio was the first state to include “safe harbor” for companies, and, in our view, this could be a vital step towards building trust. Where GDPR and CCPA took largely punitive approaches to enforcement of their laws, ODP provides businesses with an incentive to implement and maintain an effective cybersecurity program, offering companies “safe harbor” (immunity from prosecution) if they are able to demonstrate compliance with a recognized security standard (NIST 800-171, 800-53, FedRAMP, CIS, or ISO).

Now, there’s a lot more we can say about the different approaches to privacy


CyberOne with Rapid7-Nexpose for Vulnerability Management

CyberOne now offers integration with Nexpose for a full vulnerability management lifecycle.

Choose CyberOne for fast, easy, affordable integration with Nexpose (Rapid7).

Build your Vulnerability Management program on CyberOne’s modern SaaS full suite GRC platform.

Identify, Assess, Report, Remediate, Verify.

Implement controls to prevent recurring issues.

Choose CyberOne with Nexpose for Vulnerability Management. CyberOne is a full suite GRC automation platform offering integrated risk management for teams of all sizes, from 1 up. We specialize in the SMB market: companies with up to $500 million in annual revenue, and those who aspire to get there!

Start Now for just $350 per month!


The bridge to CMMC Certification

Have you completed and submitted your CMMC-required NIST 800-171 Control Self Assessment and SSP to the SPRS?

Federal contractor or subcontractor? Are you currently exploring, or getting lost in, the CMMC Certification landscape?

Today, we provide a step-by-step guide, and an affordable solution, for each step in the process.

Hear from our CEO, Lily Yeoh, on best practices for achieving and fast-tracking CMMC Certification.

Who’s (Whose?) on CMMC First?

Let’s begin with the landscape. Who requires and who needs CMMC Certification? How do we get it? How do we maintain it? How do we build a budget for it? What is the CMMC-required NIST 800-171 Control Self Assessment and SSP for SPRS?

Who’s asking? Not only DoD Contracts…

It started with the DoD, but, like a virus (!), it quickly grew. Earlier in 2020, the Department of Homeland Security (DHS) was already including CMMC in its contract process. GSA is the latest to introduce CMMC language into its contract process. GSA notes that it reserves the right to require CMMC in its contracts, based upon the contract and its security needs. Read more about GSA and CMMC here.

Who responds? Prime and Subcontractors, and so on…

DIBs and all subcontractors are required to be CMMC certified. This also includes the completion of the NIST 800-171 Self Assessment and a control-mapped SSP. These must be submitted (with score) and displayed in the SPRS (Supplier Performance Risk System). “Quick tip”: it’s pronounced “Spurs” in the industry! The more you know…

What do we do now?

CyberOne’s full suite GRC platform enables you to complete every step of the CMMC Certification process. We provide you all the tools and information you need to achieve and maintain certification on CyberOne’s highly automated, modern SaaS platform. Before you engage an MSP or consultant, check out what we can do for you. Request a demo today.

  • NIST 800-171 Control Self Assessment, SSP (see more below)
  • Policy Development Support
  • CMMC Control development and implementation guidance (level 1-3)
  • Automated Evidence Collection and review
  • Mitigation and Issue Management for POA&Ms, Findings and Risk Environment
  • Risk Register for proactive risk management
  • Vulnerability Scans & Analysis
  • Auditor-ready platform that can be used in collaboration with C3PAOs for Certification

NIST 800-171 Control Self Assessment

Required as a starting point for all Primes and Subcontractors. Start with our fully automated, CMMC-required NIST 800-171 Control Self Assessment on CyberOne’s platform, complete with risk score, controls mapped to your SSP, and report-ready for submission to the SPRS. Add your subcontractors for assessment, starting at only $350 per assessment. Your assessment is mapped to CMMC controls in CyberOne so you can begin CMMC readiness as soon as the assessment has been completed.

CMMC Certification and More

The key to successful compliance, and the challenge for most enterprises, is the maintenance and effective, ongoing implementation of controls, often across multiple frameworks. We call this continuous monitoring.

On the CyberOne platform, we will provide you with control implementation guidance, policy templates, and sample evidence checklists to easily build your CMMC controls. We also provide access to our global obligations library and crosswalks. CyberOne offers more than 100 global regulations and standards, crosswalked to show related requirements in multiple standards. Crosswalks enable you to comply with multiple security and privacy frameworks with minimal control sets.

Control Automation with CyberOne

We will guide your internal control and policy development, as well as provide gap analyses and recommendations for strengthening controls and policies. It’s all part of the CyberOne offering. CMMC, SOC 2 and ISO 27001 are all within comfortable reach on CyberOne’s extensible platform.

Build your Castle (& Moat) in the CyberOne Sandbox – Try Us for Free Today!

Getting Started with the CyberOne Sandbox

You can SIGN UP FOR YOUR FREE 10-DAY TRIAL of CyberOne anytime.

Please email support@cb1security.com to gain access to the Sandbox and schedule a time for onboarding.

Onboarding takes 15 minutes.

Access to the Sandbox is accompanied by CyberOne training videos and manuals to guide your experience. Onboarding to the Sandbox requires two-step verification and the presence of a CyberOne expert. Sandbox users have access to a Power User Administrative Account and a Lite User Portal Account. The Power User Account is for risk and compliance managers, and the Lite User Account is provided to control/asset/evidence owners, third-party or assessment contacts, and finding owners for risk mitigation. Each user account also has an accompanying email account, as well as access to the CyberOne extensible platform to experience the full automation capabilities of CyberOne.

If you are already part of the growing CyberOne family, then you can access your credentials for the Sandbox anytime from our training site Sandbox page, or you can contact your account manager directly or via support@cb1security.com.

For more information on CyberOne, read what our friends say about us on Capterra.

Cyber On (e) friends!