Cybersecurity Compliance
To prepare for a potential ransomware attack, organizations should do the following:
- Implement security measures that include:
  - Deploying antivirus and anti-malware software.
  - Utilizing email filtering and security protocols to block phishing and other malicious emails.
  - Limiting user access and permissions to only what's necessary for their roles.
  - Dividing your network into segments to limit the spread of ransomware in case of an infection.
  - Keeping all operating systems, applications, and software up to date with the latest patches and updates.
  - Requiring strong passwords and multi-factor authentication.
- Regularly back up all critical data and systems. Store protected backups offline or in an isolated environment to safeguard them from ransomware encryption. Regularly test the effectiveness of your backup and recovery procedures.
- Create a detailed incident response plan that covers incident detection, containment, eradication, communication, and recovery. Conduct tabletop exercises to test your plan and identify areas for improvement.
After discovering a data breach, organizations’ top priorities should be containment, damage assessment, and notification.
Containment: Immediately disconnect any systems or network segments where the breach is believed to be active to prevent further spread. Change the passwords of compromised accounts and disable remote access. Secure any physical areas related to the breach.
Damage assessment: Identify the compromised data, determine the affected services or resources, and evaluate the potential impact of the breach. Collect and preserve evidence from the breach, including log files, system snapshots, and other relevant data.
Notification: Notify the people whose data was impacted, the regulatory bodies as required by law, and the relevant stakeholders within the organization.
Penetration testing should be done at least once a year. Organizations may want to conduct more frequent testing depending on:
- Their risk profile and the sensitivity of the data being handled.
- Regulatory compliance: Certifying against infosec frameworks (ISO 27001, PCI DSS, etc.) or complying with laws (HIPAA, GLBA, etc.) could require additional pen tests.
- System or web application changes: Additional penetration testing may be necessary to account for changes to your IT infrastructure, such as new hardware or software, or after significant changes to your web application.
The responsibilities of a Virtual Chief Information Security Officer (vCISO) can typically be tailored to meet the needs of the business the vCISO is serving. Common responsibilities businesses will task their vCISO with include:
- Trusted advisory and leadership support
- Security strategy and governance
- Security architecture and program development
- Risk management and vulnerability identification
- Incident response development and management
- Audit preparation
- Certifications and compliance
Small businesses can manage cybersecurity risks with some basic security measures, including:
- Requiring strong passwords and multi-factor authentication.
- Regularly updating all software and operating systems to patch security vulnerabilities.
- Installing anti-virus and anti-malware software.
- Encrypting data in transit and at rest.
- Providing employees with security awareness training that teaches them how to identify and avoid security threats like phishing, ransomware, and social engineering. Training should be conducted at least annually.
Businesses that can’t hire a full-time employee dedicated to cybersecurity can use a third-party vendor for additional support. Hiring a Virtual Chief Information Security Officer (vCISO) allows businesses to leverage the knowledge of experienced cybersecurity professionals to target high-priority tasks for an agreed-upon number of hours.
Balancing cybersecurity with user convenience can be tricky. A risk-based approach implements controls according to the sensitivity of the data and systems involved. Multi-factor authentication adds an extra security layer without overly burdening the user. Single Sign-On (SSO) lets users access multiple applications with a single set of login credentials, minimizing the password fatigue that can lead to weak passwords. Automating software updates keeps users on the most secure versions of platforms without requiring them to take any action.
Here are some popular and effective tools for monitoring security threats:
Security Information and Event Management (SIEM): SIEM solutions provide continuous monitoring by collecting and analyzing log data from sources such as firewalls, intrusion detection systems, and applications, delivering real-time threat detection and event correlation.
Endpoint Detection and Response (EDR): EDR solutions monitor endpoint activities, detect suspicious behaviors, and respond to threats. They leverage behavioral analysis and machine learning to identify threats.
Network Monitoring Tools: These tools can analyze network traffic, identify anomalies, and provide real-time alerts when security incidents occur.
Threat Intelligence Platforms: These platforms aggregate, analyze, and manage threat intelligence data from multiple sources to help organizations detect, understand, and respond to cyber threats more effectively.
When vetting third-party vendors, have them complete a questionnaire to gather information about their governance, organizational structure, security controls, and technology. The questions should include:
- Who in the organization is responsible for cybersecurity?
- How is C-suite leadership involved in cybersecurity?
- How does your business protect customer information?
- Is your business utilizing AI to deliver services?
- Do you have AI usage policies and procedures?
- Do you outsource any IT services?
- What are your security training practices?
- What are your security measures for software and hardware?
- What are your data recovery capabilities?
- Do you conduct penetration testing and vulnerability scanning?
- Is an incident response plan in place?
- Have you experienced a cyber incident? If yes, please describe.
- How do you monitor for unauthorized access?
When you select a third-party vendor, include your cybersecurity requirements in the contract. Some requirements to consider are:
- Maintaining Security Certifications: If the vendor holds a security certification like ISO 27001, SOC 2, or PCI, put in the contract that they’re required to maintain that certification. Consider requiring a copy of the report or assessment that was conducted to maintain the certification.
- Incident Notification Timeline Requirements: The SEC requires public companies to disclose material cybersecurity incidents within four days of their discovery. If a vendor experiences a data breach or other cyber incident involving your data, you must know about it quickly to meet the SEC requirement. Specify a timeline in the contract that will give you at least 24 hours to report the incident.
- Technology Changes: Require your vendors to notify you of any significant IT infrastructure changes they make, such as moving services from a data center to a cloud provider.
- Termination Clauses: Your contracts should clearly state that failing to adhere to the cybersecurity requirements will result in the partnership's termination.
Training employees to identify and react to potential cyber threats is vital to an effective cybersecurity program. Studies of cyber incidents consistently find that human error is the leading cause of data breaches.
Here are three ways organizations can improve their cybersecurity awareness training program:
- Implement a semi-annual Security Awareness Program focused on interactive role-based training. Conducting cybersecurity training sessions twice a year, instead of just once, demonstrates to employees the importance of this initiative and keeps what they have learned fresh in their minds.
- Implement a quarterly phishing campaign that evaluates and reports on the organizational effectiveness of the employee Security Awareness Training Program. The goal is to ensure 100% employee saturation through the campaigns.
- Enhance your incident response team’s training by introducing breach and attack simulations that allow your organization to evaluate the efficacy of its security controls.
Organizations can assess the effectiveness of their cybersecurity strategy by analyzing the following key performance indicators (KPIs):
- Security incidents/intrusion attempts
- Mean time to detect (MTTD) a cyber threat
- Mean time to respond (MTTR) to a threat
- Mean time to contain a threat
- Security Program Maturity Score: Based on frameworks like NIST CSF, ISO 27001, or CIS Controls.
InfoSec Certifications
Here are some best practices for mid-sized companies implementing ISO 27001.
Designate a project leader and team: A successful ISO 27001 certification requires a team effort. Designate a leader for the project and assign them the personnel needed to execute the required tasks. Be sure everyone on the ISO team understands their roles and responsibilities.
Gap analysis: Conduct a gap analysis to identify where your current security policies, procedures, and controls fall short of the ISO 27001 requirements for an information security management system (ISMS).
Design and implement controls: Design security controls that will address the gaps and vulnerabilities discovered in the gap analysis.
Audit your controls: Once the controls are implemented, you’ll need to test them to make sure they are working as intended. When your organization is satisfied with the effectiveness of the security controls, it can begin working with a third-party certification body on ISO 27001 certification.
Common challenges in achieving SOC 2 compliance include:
Identifying a Scope: This is one of the first and most critical steps in the SOC 2 compliance journey. Properly identifying what systems, processes, and data should be included in the audit can save time and expenses down the road.
SOC 2 focuses on the 5 AICPA Trust Service Principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The Security principle is required for all organizations. When crafting their scope, organizations need to identify which other principles are relevant to their operations. Organizations often also choose to include Availability and Confidentiality in their scope. Organizations may also choose to incorporate other frameworks into their SOC 2, such as HIPAA, PCI, or HITRUST.
Securing the Resources Needed: The SOC 2 process takes most organizations between six months and a year to complete. Implementing the selected control frameworks will require a significant effort. Failure to account for the personnel requirements can lead to mistakes and delays.
Implementing Security Controls: This is where the rubber meets the road for SOC 2 compliance. Designing and implementing security controls tailored to your operations can be a long and challenging process. Implementation and ongoing control management must be considered during the control design process. Implementation is not the final step; you need to continuously test your controls to ensure they’re effective.
Evidence Gathering: Your auditor will request a variety of documentation based on your identified controls. Auditors will pull samples of control performance over the audit period to verify the control was implemented throughout the period. Required evidence could include the following:
- Asset inventory
- Policies and procedures
- Change management documentation
- System access evidence
- Personnel training evidence
- System descriptions
Develop a plan for gathering and organizing the required documentation.
PCI DSS compliance is essential for any entity involved in handling payment card data, including merchants, service providers, acquirers, and issuers. The ultimate responsibility for safeguarding cardholder data lies with any organization that stores, processes, or transmits it. Payment brands and acquiring banks enforce these standards and may levy fines for non-compliance.
Merchants
- Level 1 (High Volume/Breached): Typically process over 6 million transactions annually.
  - Validation: Requires an annual Report on Compliance (RoC), a comprehensive audit performed by a Qualified Security Assessor (QSA).
- Levels 2-4 (Lower Volume): Transaction volumes vary by level and payment brand.
  - Validation: Can generally complete an annual Self-Assessment Questionnaire (SAQ). Some acquiring banks may still require QSA/Internal Security Assessor (ISA) involvement for certain SAQ types.
Service Providers
- Level 1 (High Volume): Typically process over 300,000 transactions annually.
  - Validation: Must provide an annual Report on Compliance (RoC) by a QSA. They also need quarterly ASV scans and annual penetration tests.
- Level 2 (Lower Volume): Typically process under 300,000 transactions annually.
  - Validation: Can generally complete an annual Self-Assessment Questionnaire (SAQ D for Service Providers). Quarterly ASV scans are also typically required. Clients may request a QSA-led RoC for greater assurance.
Issuers
- Responsibility: All payment brands mandate that their issuing members (financial institutions that issue payment cards) comply with PCI DSS for their environments handling cardholder data.
- Validation: Many large issuers, especially those directly connected to payment networks, are often required to undergo an annual Report on Compliance (RoC). All issuers must maintain robust PCI DSS compliance programs and protect sensitive cardholder data.
In essence, while the specific validation method differs based on your role and volume, the core obligation to protect cardholder data according to PCI DSS standards is universal across the payment industry.
The amount of time it takes to complete a SOC 2 report depends on whether an organization is doing a Type 1 or a Type 2 report. A Type 1 only requires that the controls are in place during the audit. A Type 2 audit tests the effectiveness of controls over a period of time, normally ranging from ninety days to one year. While a Type 1 is quicker, your clients may prefer a Type 2 as it shows a long-term commitment to the control implementation.
Audit timelines vary per organization. A Type 1 can take anywhere from one to three months. A Type 2 typically takes between three months and one year.
A SOC 2 report is valid for twelve months. Organizations must conduct an annual audit to keep their report valid.
Healthcare Compliance
The essential steps to achieve HIPAA compliance include:
- Understand the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
- Designate a HIPAA Compliance Officer who oversees compliance, conducts risk assessments, manages training, and develops and enforces policies.
- Identify where and how PHI is used.
- Conduct annual risk assessments to identify potential vulnerabilities and risks to patient information.
- Develop written policies and procedures that align with HIPAA requirements for data access, storage, and disposal.
- Implement administrative, physical, and technical safeguards to protect patient data.
- Provide workforce training on HIPAA regulations, privacy protocols, and data security.
- Develop procedures to notify impacted individuals and the Office for Civil Rights if a data breach occurs.
- Validate the compliance of your third-party vendors and business associates.
- Assess HIPAA policies and procedures yearly to make any updates in alignment with new laws and regulations.
- Create a thorough sanctions policy.
- Keep records of all policies, procedures, training, audits, and breach notifications.
Strategies healthcare organizations can use to ensure the security of electronic health records (EHR) include:
- Implement access controls that limit user access to the minimum necessary and terminate user access when no longer required.
- Require strong passwords and multi-factor authentication.
- Encrypt data in transit and at rest.
- Conduct penetration testing to identify system vulnerabilities.
- Establish data backup and recovery plans to ensure data availability.
- Provide your staff with comprehensive security training.
- Implement real-time monitoring systems to detect and alert on suspicious activity or potential security breaches.
- Conduct an annual risk assessment.
The HIPAA Security Rule states that covered entities and business associates must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
NIST SP 800-66 provides guidance to help implement the HIPAA Security Rule:
- Prepare for the assessment by understanding where ePHI is created, received, maintained, processed, and transmitted.
- Identify potential threat events and sources to the organization and its operating environment.
- Identify vulnerabilities within the organization that a threat actor could exploit.
- Determine the likelihood that a threat would occur and exploit identified vulnerabilities.
- Determine the impact of the threat and risk to ePHI.
- Document the risk assessment results.
Organizations must do the following after a breach of unsecured protected health information to comply with the HIPAA Breach Notification Rule:
- If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered.
- If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach, and media notification is required.
- Provide individuals impacted by the breach with a written notice via first-class mail or notice via email if the individual has consented to receive notices electronically.
HIPAA requires covered entities and business associates to train “all members of its workforce on the policies and procedures with respect to protected health information.” Training must cover all three HIPAA Rules.
HIPAA also requires all new employees to be trained within a reasonable time after beginning their job. Employees must receive renewed training when policy or procedure changes impact their job functions.
Here are some methods healthcare organizations can use to securely communicate patient information to patients, other providers, and internally:
- Use an email platform that utilizes data encryption.
- Use a secure patient portal that allows patients to communicate with your staff, view test results, and schedule appointments.
- If you’re using a messaging app, be sure it has strong access controls, data encryption, and audit trails.
- All communication platforms should have strong password requirements and multi-factor authentication.
- Train your staff on how to properly use all communication platforms, and not to enter patient information into any artificial intelligence tools.
The penalties for a HIPAA violation can range from $137-$68,928 per incident, with a maximum penalty of $2,067,813 over a calendar year.
To validate third-party vendors’ HIPAA compliance, healthcare organizations can do the following:
- Send questionnaires to vendors that ask about their security policies, procedures, and controls. The organization can use the answers to perform a basic evaluation.
- Organizations can rely on third-party assessments to evaluate their vendors’ security posture. If the vendor has an ISO or HITRUST certification or has undergone a SOC 2 audit, they should be able to provide you with evidence of a formal evaluation of their security.
- Vetting a vendor’s security isn’t a one-and-done process. You’ll need to perform ongoing evaluations to ensure your vendors continue to meet your security and compliance requirements.
- Train third-party vendors with your internal HIPAA training or require proof of completion by an external party.
- Require evidence of the disposal of protected health information they may have had access to upon the termination of the contract.
HIPAA requires policy and procedure documentation to be retained for at least six years from the date of creation or the date the policy/procedure was last in effect.
The Department of Health and Human Services provides an Audit Protocol to help covered entities and business associates determine whether their policies, procedures, and implementations meet the requirements in the HIPAA Security, Privacy, and Breach Notification Rules.
Steps that can be taken to secure mobile devices accessing patient data include:
- Require strong passwords and multi-factor authentication.
- Authorize only specific mobile devices to access and modify patient data.
- Encrypt all sensitive data stored on the device, both at rest and in transit.
- Enable remote wiping and locking capabilities to erase or lock the device in case of loss or theft.
- Use a secure, private Wi-Fi network for accessing patient data. If public Wi-Fi is necessary, utilize a VPN to encrypt the connection.
- Keep all software, including the operating system and applications, up to date with the latest security patches.
- Create a BYOD policy and have employees acknowledge their understanding.
Data Privacy Regulations
The requirements of the GDPR and the CCPA are similar; however, there are some differences. Outlined below are a few key differences between GDPR and CCPA requirements:
- The GDPR requires that organizations have a lawful basis to process personal data, while the CCPA requires businesses to have a legitimate purpose for processing.
- The GDPR requires opt-in consent to use website cookies that track personal data. The CCPA only requires businesses to provide the ability to opt out of certain types of tracking.
- The CCPA has no restrictions on international data transfers. The GDPR requires an adequacy decision or adequate safeguards if the country has not been deemed to have adequate data protection laws.
The GDPR is a European Economic Area (EEA) regulation to protect the personal data and privacy of natural persons in the EEA.
The CCPA is a California law to protect the personal information and privacy of California residents. It applies to any business, regardless of location, that:
- Has annual revenue of $25 million or more
- Controls or possesses the data of 100,000 or more California residents
- Derives 50% or more of its revenue from the sale of personal data
Businesses can manage customer data deletion requests by following these steps:
- Establish a clear data deletion policy
- Implement a secure verification process
- Operate from an accurate data inventory and records of processing activities to ensure awareness of where personal data is processed
- Notify processors of deletion requests
- Maintain records of erasure requests
Penalties for GDPR non-compliance can range from 2% to 4% of total global revenue or up to €20 million, whichever is higher, depending on the type of violation.
Steps organizations can take to ensure their cookie management practices align with privacy regulations include:
- Providing a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their website, or a “Your Privacy Choices” link that leads to the appropriate preference center where a do-not-sell request can be made.
- Properly categorizing cookies and tags.
- Providing a privacy notice that states cookies are used on the website and explains how they work.
- Ensuring your privacy controls work as described in your privacy notice and as required under the CCPA.
- Creating an opt-out process that does not require more steps than opting in.
The role of the Data Protection Officer under the GDPR should include but not be limited to:
- Working towards compliance with all relevant data protection laws
- Monitoring data protection impact assessments
- Monitoring data protection training for employees
- Collaborating with the supervisory authorities
A DPO is required when:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
To verify third-party compliance with data privacy standards, organizations should leverage the following strategies:
Conduct regular audits: Audit vendor practices to verify compliance with data protection policies and contracts, assess their security controls, and identify vulnerabilities.
Monitoring and reporting: Implement a vendor monitoring program that includes access logs and data sharing protocols.
Contractual agreements: Include specific contractual clauses outlining data privacy obligations, including data processing, security measures, and data breach notification procedures.
The GDPR gives data subjects the following data portability rights:
- The data subject has the right to receive the personal data they provided to a controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit that data to another controller without hindrance from the original controller.
- The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
This right applies only where the processing is based on consent (or explicit consent) or is necessary for a contract, and the processing is carried out by automated means.
Organizations can prepare for an audit by data protection authorities by doing the following:
- Conduct a comprehensive data inventory
- Map and document the flow of data throughout the organization
- Conduct a risk assessment to identify vulnerabilities and use this assessment to build out a data protection program
- Design and implement data governance policies that outline how data is handled, protected, and processed
- Appoint a Data Protection Officer (if applicable)
- Train employees on data protection policies and procedures
The GDPR includes rules for cross-border transfers of personal data from the European Economic Area (EEA) to countries outside the EEA.
If the European Commission has decided that a country has an adequate level of data protection, data transfers to that country are allowed without further authorization. If data is being transferred to a country that has not been determined to have an adequate level of data protection, the data exporter must take steps to safeguard the data, which could include:
- Standard Contractual Clauses are clauses approved by the European Commission that establish contractual obligations for protecting data during the transfer.
- Binding Corporate Rules set policies for protecting data being transferred within a corporate group.
- Ad hoc contractual clauses can be used for transferring data out of the EEA. The appropriate data protection authority must approve the clauses.
Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.