Cybersecurity Compliance
To prepare for a potential ransomware attack, organizations should do the following:
- Implement security measures that include:
  - Deploying antivirus and anti-malware software.
  - Utilizing email filtering and security protocols to block phishing and other malicious emails.
  - Limiting user access and permissions to only what's necessary for their roles.
  - Dividing your network into segments to limit the spread of ransomware in case of an infection.
  - Keeping all operating systems, applications, and software up to date with the latest patches and updates.
  - Requiring strong passwords and multi-factor authentication.
- Regularly back up all critical data and systems. Store protected backups offline or in an isolated environment (immutable or air-gapped) so that an attacker who has taken over the production network cannot encrypt or delete them. Regularly test the effectiveness of your backup and recovery procedures by actually restoring from the backups, not only by checking that backup jobs completed.
- Create a detailed incident response plan that includes incident detection, containment, eradication, communication, and recovery. Conduct tabletop exercises to test your plan and identify areas for improvement.
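Added example, not from the original page: one way to make the backup-testing step concrete is to record a SHA-256 manifest when the backup is taken, keep that manifest with the offline copy, and check every restore against it, so a backup copy that ransomware has overwritten is reported rather than silently restored. The file names, contents and the simulated encrypted file below are constructed for this example.

```python
"""Backup manifest and restore verification (added example, not from the
original page). The manifest is built when the backup is taken and kept
with the offline copy; a restore is compared against it so that files
ransomware has encrypted or replaced are detected before they are trusted."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each relative file path under backup_dir to its SHA-256 digest."""
    root = Path(backup_dir)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest, restore_dir):
    """Compare a restored tree against the manifest taken at backup time.

    Returns files that are missing, files whose content changed (for example
    because they were encrypted), and files present in the restore that were
    never backed up (ransom notes, injected content)."""
    restored = build_manifest(restore_dir)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "modified": sorted(f for f in manifest if f in restored and restored[f] != manifest[f]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up two files, then 'restore' from a copy in
    which one file was overwritten with random bytes (simulated encryption)
    and a ransom note was dropped. Returns the verification result."""
    with tempfile.TemporaryDirectory() as work:
        backup = Path(work, "backup")
        (backup / "docs").mkdir(parents=True)
        (backup / "db.sql").write_bytes(b"CREATE TABLE patients (id INT);\n")
        (backup / "docs" / "policy.txt").write_text("Incident response policy v3\n")
        manifest = build_manifest(backup)  # in practice stored with the offline copy

        restore = Path(work, "restore")
        (restore / "docs").mkdir(parents=True)
        (restore / "db.sql").write_bytes(os.urandom(64))  # simulated encrypted file
        (restore / "docs" / "policy.txt").write_text("Incident response policy v3\n")
        (restore / "READ_ME.txt").write_text("your files are encrypted\n")
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must live with the isolated copy, not on the production file server: a manifest the attacker can rewrite proves nothing. Running `verify_restore` as part of each scheduled restore test turns "we have backups" into evidence that the backups are intact.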
After discovering a data breach, organizations’ top priorities should be containment, damage assessment, and notification.
Containment: Immediately isolate any systems or network segments where the breach is believed to be active to prevent further spread. Disconnect them from the network rather than powering them off, so that volatile evidence such as memory contents is preserved for forensics. Reset the passwords of compromised accounts, revoke their active sessions and tokens, and disable remote access that is not required for the response. Secure any physical areas related to the breach.
Damage assessment: Identify the compromised data, determine affected services or resources, and the potential impact of the breach. Collect and preserve evidence from the breach, including log files, system snapshots, and other relevant data.
Notification: Notify the people whose data was impacted, the regulatory bodies as required by law, and the relevant stakeholders within the organization.
Penetration testing should be done at least once a year. Organizations may want to conduct more frequent testing depending on:
- Their risk profile and the sensitivity of the data being handled.
- Regulatory compliance: Certifying against infosec frameworks (ISO 27001, PCI DSS, etc.) or complying with laws (HIPAA, GLBA, etc.) could require additional pen tests.
- System or web application changes: Additional penetration testing may be necessary to account for changes to your IT infrastructure, such as new hardware, software or after significant changes to your web application.
The responsibilities of a Virtual Chief Information Security Officer (vCISO) can typically be tailored to meet the needs of the business the vCISO is serving. Common responsibilities businesses will task their vCISO with include:
- Trusted advisory and leadership support
- Security strategy and governance
- Security architecture and program development
- Risk management and vulnerability identification
- Incident response development and management
- Audit preparation
- Certifications and compliance
Small businesses can manage cybersecurity risks with some basic security measures, including:
- Requiring strong passwords and multi-factor authentication.
- Regularly updating all software and operating systems to patch security vulnerabilities.
- Installing anti-virus and anti-malware software.
- Encrypting data in transit and at rest.
- Providing employees with security awareness training that teaches them how to identify and avoid security threats like phishing, ransomware, and social engineering. Training should be conducted at least annually.
Businesses that can’t hire a full-time employee dedicated to cybersecurity can use a third-party vendor for additional support. Hiring a Virtual Chief Information Security Officer (vCISO) allows businesses to leverage the knowledge of experienced cybersecurity professionals to target high-priority tasks for an agreed-upon number of hours.
Balancing cybersecurity with user convenience can be tricky. A risk-based approach applies controls in proportion to the sensitivity of the data and systems involved, so the strictest controls land where they matter most. Multi-factor authentication adds a security layer without overly burdening the user. Single sign-on (SSO) lets users access multiple applications with a single set of login credentials, minimizing the password fatigue that leads to weak or reused passwords. Automating software updates keeps users on the most secure versions of platforms without requiring them to take any action.
Here are some popular and effective tools for monitoring security threats:
Security Information and Event Management (SIEM): SIEM solutions provide continuous monitoring by collecting log data from sources like firewalls, intrusion detection systems, identity providers, and applications, then correlating events across those sources to detect threats in near real time.
Endpoint Detection and Response (EDR): EDR solutions monitor endpoint activities, detect suspicious behaviors, and respond to threats. They leverage behavioral analysis and machine learning to identify threats that signature-based antivirus misses.
Network Monitoring Tools: These tools analyze network traffic, identify anomalies, and provide real-time alerts when security incidents occur.
Threat Intelligence Platforms: These platforms aggregate, analyze, and manage threat intelligence data from multiple sources to help organizations detect, understand, and respond to cyber threats more effectively.
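Added example, not from the original page: the correlation a SIEM performs, reduced to two rules run over constructed sshd-style log lines. The log lines, the five-failure threshold and the five-minute window are assumptions chosen for this example; a production rule would also key on the destination host and target account and would read from the SIEM's normalized event schema rather than raw syslog.

```python
"""SIEM-style correlation over authentication logs (added example, not
from the original page). Rule 1 fires when one source IP accumulates
`threshold` failed logins inside a sliding window; rule 2 fires when a
login from that IP then succeeds while the failures are still in the
window, which is the pattern of a password-guessing attack that worked."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style lines (sample data for this example, not real logs).
SAMPLE_LOG = """\
2024-05-01T10:00:01 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51000
2024-05-01T10:00:04 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51001
2024-05-01T10:00:06 host1 sshd[812]: Failed password for root from 203.0.113.7 port 51002
2024-05-01T10:00:09 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51003
2024-05-01T10:00:12 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51004
2024-05-01T10:00:15 host1 sshd[812]: Accepted password for admin from 203.0.113.7 port 51005
2024-05-01T10:01:00 host1 sshd[900]: Failed password for alice from 198.51.100.4 port 40000
2024-05-01T10:01:30 host1 sshd[900]: Accepted password for alice from 198.51.100.4 port 40001
2024-05-01T11:30:00 host1 sshd[950]: Failed password for bob from 192.0.2.9 port 42000
2024-05-01T11:30:02 host1 sshd[950]: Failed password for bob from 192.0.2.9 port 42001
2024-05-01T11:30:04 host1 sshd[950]: Failed password for bob from 192.0.2.9 port 42002
2024-05-01T11:30:06 host1 sshd[950]: Failed password for bob from 192.0.2.9 port 42003
2024-05-01T11:30:08 host1 sshd[950]: Failed password for bob from 192.0.2.9 port 42004
2024-05-01T11:30:10 host1 sshd[950]: Failed password for bob from 192.0.2.9 port 42005
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line):
    """Turn one log line into an event dict; None for lines the rules ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(log_text, threshold=5, window=timedelta(minutes=5)):
    """Run both rules keyed on source IP with a sliding time window.

    Returns alert dicts in the order they fire. Each carries the rule name,
    source IP, host, failure count and timestamp; success alerts add the user."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    alerts = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once when the burst reaches the threshold
                alerts.append({"rule": "brute_force", "ip": ev["ip"], "host": ev["host"],
                               "failures": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"rule": "success_after_failures", "ip": ev["ip"],
                           "host": ev["host"], "user": ev["user"],
                           "failures": len(q), "ts": ev["ts"]})
            q.clear()  # the burst has been reported; start counting afresh
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        extra = f" user={a['user']}" if "user" in a else ""
        print(f"{a['ts'].isoformat()} {a['rule']:<22} {a['ip']} failures={a['failures']}{extra}")
```

On the sample data the first IP triggers both rules (five failures, then a successful login as admin), the second IP triggers nothing because a single failure before a success is normal user behaviour, and the third IP triggers only the brute-force rule. The second rule is the one worth paging on: the attacker got in.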
When vetting third-party vendors, have them complete a questionnaire to gather information about their governance, organizational structure, security controls, and technology. The line of questions should include:
- Who in the organization is responsible for cybersecurity?
- How is C-suite leadership involved in cybersecurity?
- How does your business protect customer information?
- Is your business utilizing AI to deliver services?
- Do you have an AI usage policy and procedures?
- Do you outsource any IT services?
- What are your security training practices?
- What are your security measures for software and hardware?
- What are your data recovery capabilities?
- Do you conduct penetration testing and vulnerability scanning?
- Is an incident response plan in place?
- Have you experienced a cyber incident? If yes, please describe.
- How do you monitor for unauthorized access?
When you select a third-party vendor, include your cybersecurity requirements in the contract. Some requirements to consider are:
- Maintaining Security Certifications: If the vendor holds a security certification like ISO 27001, SOC 2, or PCI, put in the contract that they’re required to maintain that certification. Consider requiring a copy of the report or assessment that was conducted to maintain the certification.
- Incident Notification Timeline Requirements: The SEC requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. If a vendor experiences a data breach or other cyber incident involving your data, you must learn of it quickly enough to make that determination and meet the deadline. Specify a notification timeline in the contract (for example, within 24 hours of the vendor discovering the incident) and require the vendor to share the details you need to assess materiality.
- Technology Changes: Require your vendors to notify you of any significant IT infrastructure changes they make. For example, moving services from a data center to a cloud provider.
- Termination Clauses: Your contracts should clearly state that failing to adhere to the cybersecurity requirements will result in the partnership's termination.
Training employees to identify and react to potential cyber threats is vital to an effective cybersecurity program. Breach studies consistently find that the human element (phishing, misused or stolen credentials, and simple mistakes) plays a role in the majority of data breaches.
Here are three ways organizations can improve their cybersecurity awareness training program:
- Implement a semi-annual Security Awareness Program focused on interactive, role-based training. Conducting cybersecurity training sessions twice a year, instead of just once, demonstrates the importance of the initiative to employees and keeps what they have learned fresh in their minds.
- Implement a quarterly phishing simulation campaign that evaluates and reports on the effectiveness of the Security Awareness Training Program across the organization. The goal is to reach every employee with the campaigns and to track both click rates and reporting rates over time.
- Enhance your incident response team’s training by introducing breach and attack simulations that allow your organization to evaluate the efficacy of its security controls.
Organizations can assess the effectiveness of their cybersecurity strategy by analyzing the following key performance indicators (KPIs):
- Number of security incidents and intrusion attempts
- Mean time to detect (MTTD) a cyber threat
- Mean time to respond (MTTR) to a threat
- Mean time to contain (MTTC) a threat
- Security Program Maturity Score: Based on frameworks like NIST CSF, ISO 27001, or CIS Controls.
InfoSec Certifications
Here are some best practices for mid-sized companies implementing ISO 27001.
Designate a project leader and team: A successful ISO 27001 certification requires a team effort. Designate a leader for the project and assign them the personnel needed to execute the required tasks. Be sure everyone on the ISO team understands their roles and responsibilities.
Gap analysis: Conduct a gap analysis to identify where your current security policies, procedures, and controls fall short of the ISO 27001 requirements for an information security management system (ISMS).
Design and implement controls: Design security controls that will address the gaps and vulnerabilities discovered in the gap analysis.
Audit your controls: Once the controls are implemented, you'll need to test them to make sure they are working as intended. ISO 27001 itself requires an internal audit of the ISMS and a management review before the certification audit. When your organization is satisfied with the effectiveness of the security controls, it can begin working with an accredited third-party certification body on ISO 27001 certification.
Common challenges in achieving SOC 2 compliance include:
Identifying a Scope: This is one of the first and most critical steps in the SOC 2 compliance journey. Properly identifying what systems, processes, and data should be included in the audit can save time and expenses down the road.
SOC 2 is organized around the five AICPA Trust Services Criteria (historically called Trust Services Principles): Security, Availability, Confidentiality, Processing Integrity, and Privacy. The Security criteria are required for every SOC 2 report. When crafting their scope, organizations need to identify which other criteria are relevant to their operations; Availability and Confidentiality are the most commonly added. Organizations may also choose to report against additional frameworks within the same engagement, such as HIPAA, PCI, or HITRUST (a SOC 2 with additional subject matter).
Securing the Resources Needed: The SOC 2 process takes most organizations between six months and a year to complete. Implementing the selected control frameworks will require a significant effort. Failure to account for the personnel requirements can lead to mistakes and delays.
Implementing Security Controls: This is where the rubber meets the road for SOC 2 compliance. Designing and implementing security controls tailored to your operations can be a long and challenging process. Implementation and ongoing control management must be considered during the control design process. Implementation is not the final step, you need to continuously test your controls to ensure they’re effective.
Evidence Gathering: Your auditor will request a variety of documentation based on your identified controls. Auditors will pull samples of control performance over the audit period to verify the control was implemented throughout the period. Required evidence could include the following:
- Asset inventory
- Policies and procedures
- Change management documentation
- System access evidence
- Personnel training evidence
- System descriptions
Develop a plan for gathering and organizing the required documentation.
PCI DSS compliance is essential for any entity involved in handling payment card data, including merchants, service providers, acquirers, and issuers. The ultimate responsibility for safeguarding cardholder data lies with any organization that stores, processes, or transmits it. Payment brands and acquiring banks enforce these standards and may levy fines for non-compliance.
Merchants
- Level 1 (High Volume/Breached): Typically process over 6 million transactions annually, or have been designated Level 1 by a payment brand (for example, after a breach).
  - Validation: Requires an annual Report on Compliance (RoC), a comprehensive audit performed by a Qualified Security Assessor (QSA), together with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
- Levels 2-4 (Lower Volume): Transaction volumes vary by level and payment brand.
  - Validation: Can generally complete an annual Self-Assessment Questionnaire (SAQ); most SAQ types also require quarterly ASV scans. Some acquiring banks may still require QSA/Internal Security Assessor (ISA) involvement for certain SAQ types.
Service Providers
- Level 1 (High Volume): Typically process over 300,000 transactions annually.
  - Validation: Must provide an annual Report on Compliance (RoC) by a QSA. They also need quarterly ASV scans and annual penetration tests.
- Level 2 (Lower Volume): Typically process under 300,000 transactions annually.
  - Validation: Can generally complete an annual Self-Assessment Questionnaire (SAQ D for Service Providers). Quarterly ASV scans are also required. Clients may request a QSA-led RoC for greater assurance.
Issuers
- Responsibility: All payment brands mandate that their issuing members (financial institutions that issue payment cards) comply with PCI DSS for their environments handling cardholder data.
- Validation: Many large issuers, especially those directly connected to payment networks, are often required to undergo an annual Report on Compliance (RoC). All issuers must maintain robust PCI DSS compliance programs and protect sensitive cardholder data.
In essence, while the specific validation method differs based on your role and volume, the core obligation to protect cardholder data according to PCI DSS standards is universal across the payment industry.
The amount of time it takes to complete a SOC 2 report depends on whether an organization is doing a Type 1 or a Type 2 report. A Type 1 report evaluates whether controls are suitably designed and in place as of a single point in time. A Type 2 report tests the operating effectiveness of the controls over a period of time, normally ranging from three months to one year. While a Type 1 is quicker, your clients may prefer a Type 2 because it shows that the controls operated consistently, not just that they existed on the audit date.
Audit timelines vary per organization. A Type 1 can take anywhere from one to three months. A Type 2 typically takes between three months and one year, since the observation period itself has to elapse before the auditor can test it.
A SOC 2 report has no formal expiration date, but customers generally treat it as current for twelve months after the end of the period it covers. Organizations must conduct an annual audit to keep their report current and avoid a gap between covered periods.
Healthcare Compliance
The essential steps to achieve HIPAA compliance include:
- Understand the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
- Designate a HIPAA Compliance Officer who oversees compliance, conducts risk assessments, manages training, and develops and enforces policies. (The Privacy Rule requires a designated privacy official and the Security Rule a designated security official; in a small organization one person may hold both roles.)
- Identify where and how PHI is used.
- Conduct annual risk assessments to identify potential vulnerabilities and risks to patient information.
- Develop written policies and procedures that align with HIPAA requirements for data access, storage, and disposal.
- Implement administrative, physical, and technical safeguards to protect patient data.
- Provide workforce training on HIPAA regulations, privacy protocols, and data security.
- Develop procedures to notify impacted individuals and the Office for Civil Rights if a data breach occurs.
- Validate the compliance of your third-party vendors and business associates.
- Assess HIPAA policies and procedures yearly to make any updates in alignment with new laws and regulations.
- Create a thorough sanctions policy.
- Keep records of all policies, procedures, training, audits, and breach notifications.
Strategies healthcare organizations can use to ensure the security of electronic health records (EHR) include:
- Implement access controls that limit user access to the minimum necessary and terminate user access when no longer required.
- Require strong passwords and multi-factor authentication.
- Encrypt data in transit and at rest.
- Conduct penetration testing to identify system vulnerabilities.
- Establish data backup and recovery plans to ensure data availability.
- Provide your staff with comprehensive security training.
- Implement real-time monitoring systems to detect and alert suspicious activity or potential security breaches.
- Conduct an annual risk assessment.
The HIPAA Security Rule states that covered entities and business associates must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
NIST SP 800-66 provides guidance to help implement the HIPAA Security Rule:
- Prepare for the assessment by understanding where ePHI is created, received, maintained, processed, and transmitted.
- Identify potential threat events and sources to the organization and its operating environment.
- Identify vulnerabilities within the organization that a threat actor could exploit.
- Determine the likelihood that a threat would occur and exploit identified vulnerabilities.
- Determine the impact of the threat and risk to ePHI.
- Document the risk assessment results.
Organizations must do the following after a breach of unsecured protected health information to comply with the HIPAA Breach Notification Rule:
- If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered.
- If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. If more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that state or jurisdiction must be notified as well.
- Provide individuals impacted by the breach with a written notice via first-class mail, or via email if the individual has consented to receive notices electronically, without unreasonable delay and in no case later than 60 calendar days from discovery. A breach is treated as discovered on the first day it is known to the entity, or would have been known with reasonable diligence.
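Added example, not from the original page: the deadlines above encoded as a small function, so the outer limit for each required notice can be tracked from the discovery date and the affected count. The per-state count argument and the sample dates are assumptions made for this example; the function computes the latest permissible dates only, and the rule's "without unreasonable delay" standard still applies to each notice.

```python
"""HIPAA Breach Notification Rule deadline calculator (added example, not
from the original page). Encodes the outer limits in 45 CFR 164.404-164.408:
individual notice within 60 days of discovery; HHS notice within 60 days of
discovery for 500 or more individuals, otherwise within 60 days after the
end of the calendar year of discovery; media notice when more than 500
residents of one state or jurisdiction are affected."""
from datetime import date, timedelta

OUTER_LIMIT = timedelta(days=60)


def breach_deadlines(discovered, affected, max_in_one_state=None):
    """Return the latest permissible date for each required notice.

    discovered       -- date (or ISO string) the breach was, or should have been, discovered
    affected         -- total individuals whose unsecured PHI was involved
    max_in_one_state -- largest number of affected residents of any single state or
                        jurisdiction; defaults to `affected` (the worst case, used when
                        the per-state breakdown is not yet known)"""
    if isinstance(discovered, str):
        discovered = date.fromisoformat(discovered)
    if affected < 1:
        raise ValueError("a breach notification requires at least one affected individual")
    if max_in_one_state is None:
        max_in_one_state = affected

    latest = discovered + OUTER_LIMIT
    deadlines = {"individuals": latest}

    if affected >= 500:
        deadlines["hhs_secretary"] = latest  # contemporaneous with individual notice
    else:
        # Smaller breaches are logged and submitted to HHS within 60 days after year end.
        year_end = date(discovered.year, 12, 31)
        deadlines["hhs_secretary"] = year_end + OUTER_LIMIT

    if max_in_one_state > 500:
        deadlines["media"] = latest  # prominent media serving that state or jurisdiction

    return deadlines


if __name__ == "__main__":
    # Constructed scenarios for the example.
    for args in (("2024-12-20", 300), ("2025-03-10", 1200, 900), ("2025-03-10", 600, 500)):
        print(args, {k: v.isoformat() for k, v in breach_deadlines(*args).items()})
```

The third scenario is the edge case worth noticing: 600 individuals triggers immediate HHS notice, but with no single state above 500 residents the media notice is not required. Track the per-state breakdown from the start of the investigation so that determination is not made at the deadline.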
HIPAA requires covered entities and business associates to train “all members of its workforce on the policies and procedures with respect to protected health information.” Training should cover the Privacy, Security, and Breach Notification Rules as they apply to each workforce member's role.
HIPAA also requires all new employees to be trained within a reasonable time after beginning their job. Employees must receive renewed training when policy or procedure changes impact their job functions.
Here are some methods healthcare organizations can use to securely communicate patient information to patients, other providers, and internally:
- Use an email platform that utilizes data encryption.
- Use a secure patient portal that allows patients to communicate with your staff, view test results, and schedule appointments.
- If you’re using a messaging app, be sure it has strong access controls, data encryption, and audit trails.
- All communication platforms should have strong password requirements and multi-factor authentication.
- Train your staff on how to properly use all communication platforms, and not to paste or upload patient information into AI tools (chatbots, transcription, or summarization services) that the organization has not approved and covered under a business associate agreement.
The civil penalties for a HIPAA violation range from $137 to $68,928 per violation, with a maximum of $2,067,813 per calendar year for violations of the same provision (the 2023 inflation-adjusted amounts; HHS updates them annually). The tier that applies depends on the level of culpability, from lack of knowledge up to willful neglect that is not corrected.
To validate third-party vendors’ HIPAA compliance, healthcare organizations can do the following:
- Send questionnaires to vendors that ask about their security policies, procedures, and controls. The organization can use the answers to perform a basic evaluation.
- Organizations can rely on third-party assessments to evaluate their vendors’ security posture. If the vendor has an ISO or HITRUST certification or has undergone a SOC 2 audit, they should be able to provide you with evidence of a formal evaluation of their security.
- Vetting a vendor’s security isn’t a one-and-done process. You’ll need to perform ongoing evaluations to ensure your vendors continue to meet your security and compliance requirements.
- Train third-party vendors with your internal HIPAA training or require proof of completion by an external party.
- Require evidence of the disposal of protected health information they may have had access to upon the termination of the contract.
HIPAA requires policy and procedure documentation to be retained for at least six years from the date of creation or the date the policy/procedure was last in effect.
The Department of Health and Human Services provides an Audit Protocol to help covered entities and business associates determine whether their policies, procedures, and implementations meet the requirements in the HIPAA Security, Privacy, and Breach Notification Rules.
Steps that can be taken to secure mobile devices accessing patient data include:
- Require strong passwords and multi-factor authentication.
- Only authorize specific mobile devices to access and modify patient data.
- Encrypt all sensitive data stored on the device, both at rest and in transit.
- Enable remote wiping and locking capabilities to erase or lock the device in case of loss or theft.
- Use a secure, private Wi-Fi network for accessing patient data. If public Wi-Fi is necessary, utilize a VPN to encrypt the connection.
- Keep all software, including the operating system and applications, up to date with the latest security patches.
- Create a BYOD policy and have employees acknowledge their understanding.
Data Privacy Regulations
The requirements in the two laws are similar; however, there are some differences. Outlined are a few key differences between GDPR and CCPA requirements:
- The GDPR requires that organizations have a lawful basis (such as consent, contract, or legitimate interests) for every processing of personal data. The CCPA has no lawful-basis requirement; instead, collection and use must be reasonably necessary and proportionate to the purposes disclosed to the consumer at collection.
- The GDPR, together with the ePrivacy Directive, requires opt-in consent before non-essential cookies that track personal data are set. The CCPA only requires businesses to provide the ability to opt out of the sale or sharing of personal information, including certain types of tracking.
- The CCPA has no restrictions on international data transfers. The GDPR requires an adequacy decision or, where the destination country has not been deemed to provide adequate data protection, appropriate safeguards such as standard contractual clauses.
The GDPR is a European Union regulation that applies throughout the European Economic Area (EEA) to protect the personal data and privacy of natural persons in the EEA.
The CCPA is a California law to protect the personal information and privacy of California residents. It applies to any for-profit business, regardless of location, that does business in California and meets at least one of the following thresholds:
- Has annual gross revenue above $25 million (a figure adjusted for inflation every other year)
- Buys, sells, or shares the personal information of 100,000 or more California consumers or households
- Derives 50% or more of its annual revenue from selling or sharing personal information
Businesses can manage customer data deletion requests by following these steps:
- Establish a clear data deletion policy
- Implement a secure verification process
- Operate from an accurate data inventory and records of processing activities to ensure awareness of where personal data is processed
- Notify processors of deletion requests
- Maintain records of erasure requests
Penalties for GDPR non-compliance fall into two tiers: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for violations of obligations such as record-keeping, security, and breach notification; and up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for violations of the core processing principles, data subject rights, or international transfer rules.
Steps organizations can take to ensure their cookie management practices align with privacy regulations include:
- Providing a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their website or a “Your Privacy Choices” link that drives to the appropriate preference center to make a do-not-sell request.
- Properly categorizing cookies and tags.
- Providing a privacy notice that states cookies are used on the website and explains how they work.
- Ensuring your privacy controls work as described in your privacy notice and as required under the CCPA.
- Creating an opt-out process that does not require more steps than opting in.
The role of the Data Protection Officer under the GDPR should include but not be limited to:
- Working towards compliance with all relevant data protection laws
- Advising on and monitoring data protection impact assessments (DPIAs)
- Monitoring data protection training for employees
- Collaborating with the supervisory authorities
A DPO is required when:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
To verify third-party compliance with data privacy standards, organizations should leverage the following strategies:
Conduct regular audits: Audit vendor practices to verify compliance with your data protection policies and contractual obligations, assess their security controls, and identify gaps.
Monitoring and reporting: Implement a vendor monitoring program that includes access logs and data sharing protocols.
Contractual agreements: Include specific contractual clauses outlining data privacy obligations, including data processing, security measures, and data breach notification procedures.
The GDPR gives data subjects the following data portability rights:
- The data subject has the right to receive the personal data they provided to a controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit that data to another controller without hindrance from the original controller.
- The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
This right is only available where the processing is carried out based on consent, explicit consent, or pursuant to a contract and processed by automated means.
Organizations can prepare for an audit by data protection authorities by doing the following:
- Conduct a comprehensive data inventory
- Map and document the flow of data throughout the organization
- Conduct a risk assessment to identify vulnerabilities and use this assessment to build out a data protection program
- Design and implement data governance policies that outline how data is handled, protected, and processed
- Appoint a Data Protection Officer (if required)
- Train employees on data protection policies and procedures
The GDPR includes rules for cross-border transfers of personal data from the European Economic Area (EEA) to countries outside the EEA.
If the European Commission has decided that a country has an adequate level of data protection, data transfers to that country are allowed without further authorization. If data is being transferred to a country that has not been determined to have an adequate level of data protection, the data exporter must take steps to safeguard the data, which could include:
- Standard Contractual Clauses are clauses approved by the European Commission that establish contractual obligations for protecting data during the transfer.
- Binding Corporate Rules set policies for protecting data being transferred within a corporate group.
- Ad hoc contractual clauses can be used for transferring data out of the EEA. The appropriate data protection authority must approve the clauses.
Federal Cybersecurity Standards
The key requirement for achieving CMMC Level 2 compliance is meeting the requirements of NIST SP 800-171 (Revision 2, the version the CMMC program rule references), which consists of the following 14 control families containing 110 security requirements:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Systems & Communications Protection
- System & Information Integrity
NIST 800-53 and NIST 800-171 have different audiences, scope, and security requirements. NIST 800-53 is a set of comprehensive security and privacy controls designed for federal information systems. It is largely used by U.S. federal agencies and organizations handling federal data under FISMA.
NIST 800-171 is a collection of security controls for protecting Controlled Unclassified Information (CUI) in non-federal systems. The framework is used by government contractors and private organizations working with the U.S. government.
NIST 800-53 is broader and more detailed, covering systems from low to high security impact in federal environments. It includes technical, operational, and management controls for federal agencies. NIST 800-171 is derived from the NIST 800-53 moderate baseline and FIPS 200, tailored down to 110 requirements across 14 control families (in Revision 2) that focus only on CUI protection in non-federal systems.
GLBA security requirements are laid out in the FTC's Safeguards Rule (16 CFR Part 314). The nine elements of the GLBA Safeguards Rule are:
Element 1: Requires institutions to designate a qualified individual responsible for overseeing and implementing the information security program.
Element 2: Conduct a risk assessment that identifies internal and external risks to customer data security, confidentiality, and integrity.
Element 3: Design and implement security controls to address the risks identified in the assessment.
Element 4: Regularly test and monitor the effectiveness of your controls.
Element 5: Provide employees with security training that reflects your organization’s safeguard controls.
Element 6: Monitor potential risks from third-party vendors.
Element 7: Keep your information security program current. Update security controls based on the results of assessments, monitoring, penetration and vulnerability assessments, and the emergence of new threats.
Element 8: Establish a written incident response plan. Since May 2024, the rule also requires notifying the FTC as soon as possible, and no later than 30 days after discovery, of a notification event involving the unencrypted information of 500 or more consumers.
Element 9: Your organization’s Qualified Individual must provide a report (in writing) to the Board of Directors or a senior officer at least once a year detailing the status of the information security program.
The biggest challenges in implementing FISMA security controls include:
Resource Constraints: Due to a lack of funding or a failure to fully understand the complexity of the security controls, organizations often fail to secure the personnel and infrastructure resources needed to implement the controls successfully.
Complexity: FISMA compliance is demonstrated through the NIST Risk Management Framework and the NIST SP 800-53 control catalog, which span a wide range of systems and disciplines. Some organizations will not have the knowledge and experience to understand all of the framework's requirements.
Emerging Threats: The cyber threat landscape continues to quickly evolve. Updating your security controls to account for new threats is challenging.
Federal cybersecurity standards, such as CMMC and FedRAMP, require risk assessments for compliance, which is necessary to secure federal contracts in many instances. Steps for conducting a risk assessment for a federal contract include:
- Identify external (cyberattacks, ransomware, phishing, etc.) and internal (malicious employee activity, infrastructure failure, etc.) threats to your organization.
- Identify vulnerabilities within your organization. Common vulnerabilities include:
  - Outdated software
  - Weak passwords and/or no multi-factor authentication
  - Lack of encryption
  - Poor cloud security
  - Insufficient physical security
- Assess the likelihood of a threat exploiting one of your vulnerabilities and the impact the incident would have on your organization to determine an overall risk level.
- Document the results of the risk assessment and share them with organizational leadership; the documented assessment is itself an artifact an assessor will ask for.
Documentation that could be required to demonstrate NIST 800-171 compliance includes:
- A System Security Plan (SSP) that includes a detailed description of your IT system and your security policies and procedures. An SSP is especially important for DoD contractors.
- A Plan of Action and Milestones (POA&M) that details how existing gaps will be addressed. The POA&M must include deadlines for when the appropriate controls will be implemented.
- An incident response plan that includes procedures for detection, analysis, containment, eradication, and recovery.
- Security controls documentation
To develop an employee training program that will meet federal cybersecurity requirements, follow these best practices:
- Require cybersecurity training as part of the new employee onboarding process.
- Require existing employees to go through training at least annually.
- Train employees to identify real security threats such as phishing, smishing, ransomware, malware, and social engineering.
- Execute campaigns, such as a phishing campaign, to test the effectiveness of your training program.
FISMA requires organizations to develop, document, and implement a comprehensive incident response plan that includes procedures for detecting, analyzing, containing, eradicating, and recovering from security incidents. NIST 800-61, also known as the Computer Security Incident Handling Guide, provides highly regarded guidance for incident response, including:
- Incident response life cycle model
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post-incident activity
- Incident response roles and responsibilities
- Incident response policies and procedures
Under FISMA, incidents must be reported to the United States Computer Emergency Readiness Team (US-CERT).
Steps to prepare for a FedRAMP audit include:
- FedRAMP has three impact levels: Low, Moderate, and High. Identify which one is the best fit for your organization.
- Identify a Third Party Assessment Organization (3PAO) to work with throughout the authorization process.
- Conduct a gap assessment to see how your existing security program stands up to FedRAMP requirements, which are largely based on NIST 800-53.
- Design security controls that will address the gaps discovered in the assessment. Maintain a Plan of Actions and Milestones (POA&M) that outlines how the organization will address any remaining vulnerabilities.
- Create a System Security Plan that outlines your system's architecture, security controls, and how you'll meet FedRAMP requirements.
- The 3PAO completes a FedRAMP Readiness Assessment Report (RAR). The intent of the RAR is for the 3PAO to attest to the cloud service provider's (CSP's) readiness for authorization by validating the implementation of the technical capabilities needed to meet FedRAMP requirements.
FedRAMP 20x is in the pilot phase. The program is designed to accelerate the authorization process.
The security measures that need to be in place to comply with federal cybersecurity regulations depend on which standard your organization is focused on. FISMA and FedRAMP are largely based on the security controls in NIST 800-53. Major security requirements in NIST 800-53 include access control, developing incident response plans, risk assessments, identity verification, supply chain risk management, and more.
CMMC is based on NIST 800-171, which is a set of controls for protecting Controlled Unclassified Information (CUI). NIST 800-171 has 14 control families, including Configuration Management, Media Protection, System and Communications Protection, and Incident Response.
Security requirements in the GLBA are laid out in the nine elements of the standard’s Safeguards Rule. The elements include designating a qualified individual, conducting a risk assessment, designing and implementing security controls, employee training, monitoring third parties, and having an incident response plan.
Until the DFARS rulemaking process is complete, CMMC compliance is not mandatory. Once CMMC is officially implemented into DFARS (expected in 2025), penalties for non-compliance could include:
- Fines up to $10,000 per unmet control
- Loss of DoD contracts
- Organizations that falsely claim CMMC certification could face legal action under the False Claims Act
Marketing Compliance
Under the Telephone Consumer Protection Act (TCPA) and the Federal Communications Commission’s (FCC’s) implementing rules, prior express written consent is required for telemarketing calls made using an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to residential or wireless numbers. The consent is defined as:
“An agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice, and the telephone number to which the signatory authorizes such advertisements or telemarketing messages to be delivered.”
To summarize, for express written consent to be valid, it must meet the following requirements:
- Written Agreement – The consent must be in writing, which can include electronic formats such as digital signatures.
- Clear and Conspicuous Disclosure – The agreement must clearly and conspicuously state that the consumer is authorizing the company to send them telemarketing calls and/or texts using an autodialer or a prerecorded/artificial voice.
- No Purchase Condition – It must be made clear to the consumer that giving consent is not a condition of purchasing goods or services.
- Identity of the Business/Seller – The consent language must identify the specific seller who will initiate the calls/texts.
- Consumer's Signature – The consumer must sign the consent form (electronic or physical signature).
To ensure your email marketing campaigns comply with CAN-SPAM, you need to follow these rules:
- Do not use false or misleading headers
- Do not use deceptive subject lines
- Identify the message as an advertisement
- Include a valid company physical postal address
- Allow consumers to opt out of receiving future emails
- Honor consumers' opt-out requests within ten business days
- Ensure the opt-out link remains active for at least 30 days
Organizations that violate the Do Not Call (DNC) provision of the Telemarketing Sales Rule (TSR) can be fined as much as $53,088 per call (amount adjusted annually). The Federal Trade Commission (FTC) is responsible for enforcing DNC regulations.
A consumer who receives a telemarketing call despite being on the registry can file a complaint with the FTC. Also, TCPA provides consumers with a private right of action that allows them to directly seek damages from a company for violations of the National DNC Registry rules.
To honor customer opt-out requests in a compliant manner, businesses should:
- Monitor all text responses for potential opt-outs, including text responses like “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe.”
- Ensure opt-outs are processed promptly.
- Maintain a centralized opt-out list across all platforms and vendors.
- Update systems and staff training to handle opt-out requests from various sources.
To comply with the Telemarketing Sales Rule (TSR), the following information must be disclosed to the consumer:
- The identity of the seller
- That the purpose of the call is to sell goods or services
- The nature of the goods or services being offered
- In the case of a prize promotion, that no purchase or payment is necessary to participate or win, and that a purchase or payment does not increase the chances of winning.
For calls on behalf of a charity, the following information must be disclosed:
- The identity of the charitable organization on whose behalf the solicitation is being made.
- That the purpose of the call is to solicit a charitable contribution.
Organizations that rely on third-party vendors for telemarketing, email, or SMS campaigns must actively monitor those partners to ensure ongoing compliance with federal and state marketing laws. Key strategies include:
- Vendor Screening: Before entering into a contract, conduct a thorough background check on telemarketing vendors to ensure they are registered in all states where required.
- Compliance Audits: Regularly audit telemarketing vendors for compliance with state and federal telemarketing laws. This includes checking registration status and ensuring adherence to Do Not Call (DNC) lists and consent requirements.
- Contractual Safeguards: Include clauses in contracts with telemarketing vendors that require compliance with all applicable telemarketing laws. Consider adding indemnification clauses to protect your business from potential legal action.
- Ongoing Monitoring: Compliance is not a one-time event. Implement a system to continually monitor your vendors’ registration status and adherence to legal requirements.
To meet the requirements of telemarketing regulations, organizations must keep the following dialing records:
- The telemarketer who placed or received the call
- The seller or person on whose behalf the telemarketing call is placed or received
- The good, service, or charitable purpose that is the subject of the telemarketing call
- Whether the telemarketing call is to an individual consumer or a business consumer
- Whether the telemarketing call is an outbound telephone call
- Whether the telemarketing call utilizes a prerecorded message
- The calling number, called number, date, time, and duration of the call
- The telemarketing script(s) and prerecorded message, if any, used during the call
- The caller identification telephone number, and if it is transmitted, the caller identification name that is transmitted in an outbound telephone call to the recipient of the call (and certain documentation or other proof of authorization for the use of that telephone number/name and the time period for that authorization)
- The disposition of the call, including but not limited to, whether the call was answered, connected, dropped, or transferred
Most state laws are more restrictive than the TCPA or TSR when it comes to calling times, autodialers, required disclosures during a call, established business relationships, etc. Organizations must be aware of the laws in place in all states where they place calls. They should develop policies and procedures that meet the requirements of the most restrictive laws that are applicable.
To help your sales team understand their role in maintaining compliance with telemarketing regulations, provide comprehensive training that covers:
- Express written consent requirements
- Call time restrictions
- The information that must be disclosed at the beginning of a call
- What is considered a misrepresentation under the TSR
- How the National Do Not Call Registry works
- Honoring opt-outs and the organization’s internal DNC policies
- Any state regulations that apply
- Dispositioning wrong-party contacts as DNC
Here are some steps to take when auditing your marketing practices for regulatory compliance:
- Collect all relevant documentation, including policies and procedures, training records, call logs, and any previous audit reports.
- Review call recordings and scripts to ensure adherence to compliance standards, such as proper disclosures and respectful communication.
- Ensure that your calling lists are regularly scrubbed against national and state DNC registries and that opt-out requests are honored promptly.
- Verify that dialing systems and other telemarketing technology comply with regulations like the TCPA.
- Compile a comprehensive report outlining areas of non-compliance, potential risks, and supporting evidence.
- Offer actionable recommendations for addressing identified issues and work with relevant teams to implement corrective measures.
Under the TCPA, organizations that use certain types of dialing technologies—such as automatic telephone dialing systems (ATDS) or prerecorded/artificial voice systems—must comply with the following rules:
- Obtain express written consent before making calls.
- Only make calls between the hours of 8:00 AM and 9:00 PM at the recipient’s location.
- Scrub their calling lists against the National Do Not Call Registry to ensure calls aren’t being made to numbers on the registry without the necessary consent.
- Maintain their own internal Do Not Call lists and honor requests from consumers to be placed on those lists.
- Display caller ID.
- Disclose the agent’s name, company name, and contact information.
- Train all telephone agents on their compliance responsibilities before engaging with customers.
The TCPA requires organizations to get express written consent before sending automated text messages. For express written consent to be valid, it must include:
- The signature of the consumer to be called/texted (can be in electronic or digital form)
- The telephone number to which the signature authorizes calls/texts
- Clear and conspicuous disclosure informing the person that the agreement authorizes the seller to call using an ATDS and/or prerecorded voice
- A statement that the consumer is not required to sign the agreement as a condition of purchase
Organizations must give contacts the ability to opt out at any time. Text messages need to include an unsubscribe option, such as “Reply STOP to no longer receive texts.” Your system should also recognize other commonly used opt-out words, such as “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe.”
Honor all opt-out requests immediately and keep an internal do-not-call list.
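One way to implement the keyword recognition and the centralized opt-out list described here and in the opt-out handling steps above, as an added example that is not part of the original page: a bare keyword reply is suppressed automatically, a keyword buried in a longer message is flagged for human review rather than ignored, and numbers are normalized so the same subscriber is matched across vendors and channels. The US-number assumption and the vendor name `sms-vendor-A` are placeholders.

```python
import re

# Opt-out words named on the page; matching is case-insensitive and ignores punctuation.
OPT_OUT_KEYWORDS = ("stop", "quit", "end", "revoke", "opt out", "cancel", "unsubscribe")

def normalize_text(message: str) -> str:
    """Lower-case and strip punctuation so 'OPT-OUT!!' compares equal to 'opt out'."""
    text = re.sub(r"[^a-z0-9 ]+", " ", message.lower().replace("-", " "))
    return re.sub(r"\s+", " ", text).strip()

def classify_reply(message: str) -> str:
    """'opt_out' for a bare keyword reply (process automatically), 'review' when a
    keyword is embedded in a longer message (route to a human), 'none' otherwise."""
    text = normalize_text(message)
    if text in OPT_OUT_KEYWORDS:
        return "opt_out"
    if any(re.search(rf"\b{re.escape(k)}\b", text) for k in OPT_OUT_KEYWORDS):
        return "review"
    return "none"

def normalize_number(raw: str) -> str:
    """Canonical E.164-style key so one subscriber matches across vendors and channels.
    Assumes 10-digit inputs are US numbers (an assumption made for this example)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits

class SuppressionList:
    """Centralized opt-out list shared by every platform and vendor (in-memory here)."""

    def __init__(self) -> None:
        self._entries: dict[str, dict] = {}

    def add(self, number: str, source: str, channel: str) -> None:
        # Keep the first opt-out on record; a later duplicate must not overwrite it.
        self._entries.setdefault(normalize_number(number),
                                 {"source": source, "channel": channel})

    def is_suppressed(self, number: str) -> bool:
        return normalize_number(number) in self._entries

def process_inbound(message: str, from_number: str, suppression: SuppressionList,
                    vendor: str = "sms-vendor-A") -> str:
    """Apply an inbound SMS reply to the shared list and return its classification."""
    verdict = classify_reply(message)
    if verdict == "opt_out":
        suppression.add(from_number, source=vendor, channel="sms")
    return verdict
```

Every outbound platform should call `is_suppressed` against this one list before dialing or texting, and a 'review' verdict should be worked by a person rather than dropped.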
Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.