Transition to ISO 27001:2022

Explore your options as you plan to implement the new controls and processes for your ISO 27001:2022 Certification

The ISO 27001:2022 certification standard was released in October 2022. It has replaced the ISO 27001:2013 edition via a three-year transition period, which ends on October 31, 2025. Companies with an ISO 27001:2013 certification are required to transition to ISO 27001:2022 by October 31, 2025. All ISO 27001:2013 certifications will expire or be withdrawn at the end of the transition period.

It is imperative for companies to connect with their ISO 27001 Certifying Body to undergo a transition audit and confirm that they comply with the new security requirements applicable to the ISO 27001 standard.

By May 1, 2024, all new certifications must be issued against the ISO 27001:2022 edition by the certifying bodies. After this date, all recertification audits must also utilize the ISO 27001:2022 edition. While there are changes to the list of controls, ISO 27002:2022 also defines a purpose for individual controls to better explain each control’s intent. The options for the existing and new customers are given below.

If you are a current ISO 27001-certified organization: 

a) If your full recertification audit is due before May 1, 2024:

        1. You could continue with the 2013 version 
        2. You could transition to the 2022 version 

b) If your full recertification audit is due after May 1, 2024, you can only be certified against ISO 27001:2022 

c) If your surveillance audit is due before Oct 31, 2025

        1. You have the choice to continue with your 2013 version
        2. You also have the option to transition to 2022 and get your transition to 2022 audit completed along with your surveillance audit

d) In every case, the transition audit from ISO 27001:2013 to ISO 27001:2022 must be completed by Oct 31, 2025.

If you are considering getting ISO 27001 certified:

        1. You can get the 2013 version certified until May 1, 2024
        2. After May 1, 2024 you can get certified only against the 2022 version

Changes to ISO 27001:2022

A summary of the changes to the ISO 27001 standard is given below. Changes have been made to the following requirements:

        • 4.2 Understanding the needs and expectations of interested parties
        • 4.4 Information Security Management System
        • 6.2 Information security objectives and planning to achieve them
        • 6.3 Planning of changes
        • 8.1 Operational planning and control
        • 9.1 Monitoring, measurement, analysis and evaluation
        • 9.3.2 Management review inputs
        • 10 Improvement

Annex A controls

        • The overall number of controls within Annex A is now 93 compared to the 114 controls in the previous edition.
        • They have been regrouped from 14 control objectives to 4 broad themes: Organizational, People, Physical, and Technological Controls.
        • Several previous controls have been consolidated into broader new controls, and 11 new controls have been added, including:
        1. Threat Intelligence
        2. Information Security for the use of Cloud Services
        3. Physical Security Monitoring
        4. Configuration Management
        5. Information Deletion
        6. Data Masking
        7. Data Leakage Prevention
        8. Web Filtering
        9. Secure Coding

ISO 27002:2022 defines five attributes for each control:

        • Control Type
        • Information Security Properties
        • Cybersecurity Concepts
        • Operational Capabilities
        • Security Domains

Transition Audit Timelines

As per the guidelines of the IAF, certifying bodies are required to ensure their clients are made aware of the Transition Audit timelines as outlined below:

        • Minimum of 0.5 auditor days for the transition audit when it is carried out in conjunction with a recertification audit
        • Minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with a surveillance audit or as a separate audit
        • When the certification document is updated because the client successfully completes only the transition audit, the expiration of their current certification cycle will not be changed.
        • All certifications based on ISO/IEC 27001:2013 shall expire or be withdrawn at the end of the transition period.

Prepare for your ISO 27001 Transition Audit

B2B contracts that are based on the ISO 27001 standard require clients to maintain the validity of their certification. As per the IAF guidelines, certified organizations have the option to undergo their transition audit while their ISO 27001:2013 certification cycle is valid. When they apply for recertification, they must undergo their certification audit per ISO 27001:2022 edition.

To ensure that you comply with the new controls and documentation requirements, your organization needs to prepare for the transition audit and ensure that your ISMS complies with ISO 27001:2022 controls and processes.

To ensure you are ready for your transition audit, you need to conduct an internal audit for a thorough gap analysis. This can be done with an organization that offers consulting services and is aware of the protocols of the ISO 27001:2022 edition. Organizations that provide consulting services are not authorized to offer certification services.

It is advisable to prepare for your annual surveillance audit along with your transition audit since the IAF guidelines highlight the importance of completing them together before your ISO 27001:2013 certification expires. Preparing for both will also ensure that you are poised to succeed in your recertification audit and maintain your certification status. This will ensure you are compliant with the security requirements of your B2B contracts that rely on it.

Undergo your Transition Audit and ISO 27001:2022 Certification with databrackets

databrackets holds the distinction of being recognized as an authorized certifying body for ISO 27001:2022 by IAS Online. Our certification is consistently renewed as per IAF Guidelines, and it is a testament to our commitment to excellence in information security management.

This prestigious certification signifies that our team of ISO Auditors possesses the expertise, rigor, and credibility to assess and confirm your organization’s compliance with the latest ISO 27001 standards.

Our certification services not only validate that you have implemented robust security measures to protect sensitive data but also provide assurance to stakeholders, clients, and partners that their information assets are in trustworthy hands. Our role as an authorized certifying body highlights our dedication to promoting best practices in data security and helping businesses navigate the complex landscape of information security management.

Contact us to book your transition audit from ISO 27001:2013 to ISO 27001:2022 today!


Author: Srini Kolathur, Director, databrackets.com

The technical information presented in this blog has been carefully reviewed and verified by our Director, Srini Kolathur. Srini is a results-driven security and compliance professional with over 20 years of experience supporting, leading, and managing global IT security, compliance, support, and risk assessment in Fortune 100 companies. Some of his key areas of focus are SOC 2, ISO 27001, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework, HIPAA, Security Risk Assessment, and CMMC 2.0, among others. He is a CMMC Registered Practitioner (RP), CISSP, CISA, CISM, and MBA. He is active in several community groups, including Rotary International and TiE.

Anatomy of a Ransomware Attack and Lessons Learned

Anatomy of the Kaseya ransomware attack and lessons learned: Zero Trust Security

The average ransomware attack caused $1.85 million in losses to the company in 2021, up 41% from 2020. This estimate factors in the amount paid, downtime, expense for IT technicians, device cost, network cost, lost opportunity, and more. Leadership turnover is another cost that few companies consider; after a ransomware attack, 32% of C-level employees leave. Also, 80% of targeted organizations are re-attacked.

What is Ransomware?

Malicious software, known as “malware,” encompasses all computer-harming software, such as Trojans and viruses. These attacks take advantage of weaknesses in people, systems, networks, and software to infect a victim’s computer, printer, smartphone, wearable, or other endpoint. Ransomware is a type of malware that uses encryption to lock a user out of their files, then demands payment to unlock and decrypt them. Instructions on the amount and how to pay are displayed, generally ranging from a few hundred to thousands of dollars in Bitcoin. The attacker often gives the target a limited amount of time to make a payment before all data is destroyed.

Ransomware attack

Kaseya’s VSA Mass Ransomware attack


Kaseya VSA is an RMM (Remote Monitoring and Management) system that keeps tabs on your network from afar. Managed service providers use it to manage their customers’ computers, servers, networks, and related infrastructure, including email, phones, firewalls, switches, and modems. Endpoints, such as client workstations and servers, have the RMM agent installed. This program allows MSPs to manage and monitor their platforms from a single location, saving time and money.

Kaseya serves 35,000 companies. These include 17,000 managed service providers, 18,000 direct or VAR (Value-Added Reseller) customers, and many end users at their supported enterprises.

The number of companies using Kaseya software and the potential levels of access have made this one of the most popular targets for ransomware attacks. Threat actors who target Kaseya VSA have a vast attack surface.

The Attack

What happened to Kaseya?

In July 2021, the REvil ransomware gang used Kaseya VSA remote monitoring and management software to lock up 50 to 60 MSPs and their clients.

Who was affected by the attack in Kaseya?

The Kaseya ransomware attack hit over 50 MSPs and between 800 and 1500 businesses.

Consider that these 37,000 customers are only 0.001 percent of Kaseya’s total. This may seem to be a small number, but when one managed service provider (MSP) is breached, it has a knock-on effect on all the other businesses it serves. The impact can spread quickly once it gains momentum, and reports have shown that it can take weeks or months for the full effects of an attack to become apparent. The initial fifty managed service providers (MSPs) could quickly balloon into the hundreds, and the number of affected companies can easily grow into the thousands.

Does anyone know who launched the Kaseya cyberattack?

The ransomware attack on Kaseya was carried out by the REvil RaaS group, also known as Sodinokibi.

Ransomware-as-a-Service (RaaS) groups of the criminal underworld let anyone who wants to hold a company for ransom use their services. This group is responsible for around 300 ransomware campaigns every single month. The key driver is financial motivation.

The Trigger

What Was the Root Cause of the Kaseya Cyber Attack?

REvil used zero-day exploits to get into Kaseya’s VSA Software as a Service (SaaS) platform and spread malicious software to its customers and systems. Ransomware actors then exploited the weakened systems to encrypt all data.

Kaseya’s managed service provider (MSP) customers have the Kaseya VSA agent (C:\Program Files (x86)\Kaseya\<ID>\AgentMon.exe) installed on their computers.

This component is responsible for retrieving data from remote Kaseya servers: the agent pulls its instructions and updates from Kaseya’s cloud servers.

Threat actors circumvented security by having their malware signed. The malware installers masked themselves as Kaseya traffic, and because the payload was wrapped inside Kaseya’s own platform traffic, it carried Kaseya’s signature. As a result, the malware could bypass the protections on clients’ systems.

Huntress and others in the industry report that the ransomware attack chain included an authentication bypass, an arbitrary file upload, and remote code execution.

How did hackers get the information to overcome authentication?

After exploitation, the first malicious request was made to the public-facing file /dl.asp.

This file had an authentication logic problem. The end user could connect with a valid Kaseya agent GUID but no password. Without a password, the actor might access further authentication-required services.

The attack analysis showed malicious access with a unique agent GUID. The threat actors merely knew agent GUIDs. No logs showed failed attempts.

How did threat actors get a unique Agent GUID?

The agent GUID is a random 15-character string unrelated to the hostname. The event logs showed no Agent GUID or display name brute-forcing attempts.

There may be a few alternatives.

  1. The threat actors guessed or predicted a valid Agent GUID.
  2. The threat actors created a “rogue” agent with a new Agent GUID.
  3. The threat actors stole an Agent GUID from a host running the VSA agent.
  4. Other vulnerabilities leaked Agent GUIDs.
  5. Agent GUIDs and display names were publicly available.

If the threat actor only had Agent GUIDs, it would be tougher to match them to the organization.

What are the indications of compromise?

A collection of these technical details and Indications of Compromise (IOCs) has been made available by Kaseya. This list includes network, endpoint, and weblog indicators.

The Response – Aftermath

Didn’t Kaseya Close Everything?

Kaseya disabled the VSA SaaS platform so its customers wouldn’t be exposed to the malware. Then, it enlisted the support of the FBI, CISA, and third-party suppliers like Huntress and Sophos to deal with the problem. The corporation also assumed the duty of communicating this information to its clients. MSPs themselves have a responsibility to inform their clients about the attack; part of this process is actively looking for the signs of compromise that Kaseya has published. After spotting the threat, Kaseya shut down its VSA SaaS platform and directed clients to shut down their on-premises servers at 1400 ET. This may explain why so few VSA customers were affected by a vulnerability that was so big and widespread.

Did Kaseya pay the ransom?

Kaseya denies paying the REvil cybercrime organization as it distributes a ransomware decryptor. Kaseya announced on July 22 that it had gotten a decryption tool from a “third party” and was working with Emsisoft to restore affected organizations’ environments. The update sparked speculation about the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team speculating that it was a disgruntled REvil affiliate, the Russian government, or Kaseya themselves who had paid the ransom.

On July 13, REvil’s dark web domains stopped working, which supports the idea that the universal decryptor key was given to law enforcement. The cybercrime group initially asked Kaseya for $70 million but lowered its price to $50 million. Kaseya said, “the decryption tool has proven 100% effective at decrypting files that were entirely encrypted in the attack.”

What Are the Payment Terms for Ransomware?

The ransom demanded from each victim ranges from $50,000 to $5 million.

However, there is also a $70 million master key available as part of a bundled deal paid in Bitcoin.


Has there ever been a larger ransomware attack than this one?

The criteria for the “largest” ransomware assault include the following three elements, which are also factors to consider when negotiating a ransom:

  • Ransom demand
  • Number of systems affected
  • Total damage

WannaCry was the biggest ransomware attack in terms of how many computers were affected. It affected 230,000 machines in 150 countries, but the total ransom was only $130,000. Experts in cyber security have put the cost of the WannaCry assault anywhere from the hundreds of millions

in July 2021, including a multinational software company called Kaseya. The department also said that it had seized $6.1 million in funds that may have been used to pay a ransom to Yevgeniy Polyanin, a Russian citizen who is 28 years old and is accused of using Sodinokibi/REvil ransomware attacks on multiple businesses and government agencies in Texas on or around August 16, 2019. According to the accusations, Vasinskyi and Polyanin infiltrated the internal computer networks of many victim companies and encrypted their data with Sodinokibi/REvil ransomware.

Lessons Learned

How can businesses safeguard themselves against or lessen the impact of Ransomware?

Most ransomware attacks can be avoided or minimized by

  • Implementing user education and training
  • Automating backups
  • Minimizing attack surfaces
  • Developing an incident response plan
  • Investing in an EDR tool and MDR
  • Purchasing ransomware insurance
  • Storing physical and remote backups
  • Implementing zero-trust security

It’s important to have both local and remote backups, since backups stored in the cloud can also be attacked. Attacks like the one on Kaseya cause less damage when business continuity plans are in place and backups are tested regularly.

Zero-Trust should be implemented.

Zero-trust security can mitigate ransomware attacks. Unlike traditional perimeter models, zero trust treats the entire world as its boundary, so no location or network is implicitly trusted. Every communication is between explicitly identified parties: the program, the device it runs on, and the user. You control the channels through which they may communicate and the privileges they hold when doing so. In a zero-trust setting, an attacker has far less room to move laterally, regardless of how they first got into your system.

How can databrackets help you?

To secure data, apps, and networks from increasingly complex assaults, many organizations use Managed Security and Compliance Services, which include SIEM, incident handling, and Threat Intelligence.

The Managed Security and Compliance services from databrackets assess your organization’s security readiness and identify weaknesses so they can be addressed before they are exploited.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

Vulnerability Assessment vs. Penetration Testing

Know the difference between vulnerability assessment and penetration testing; and the importance of implementing both

Every business with digital assets is at risk of being hacked, no matter how big or successful it is on a global scale. Reports show one ransomware attack occurred every 11 seconds in 2021. These attacks could hurt anyone, from a multimillion-dollar company to a small business just starting to make sales online.

A vulnerability assessment report tells you where potential risk is and the steps you can take to reduce it. A vulnerability assessment focuses on your systems, network, and the places people can connect.

A Penetration Test or Pentest is an authorized simulated attack on computer systems to assess security. Penetration tests simulate various business-threatening attacks and can examine any system component within the agreed scope. Penetration testers use the same Tactics, Techniques, and Procedures (TTPs) as attackers to find weaknesses in a system and show how they affect the business.

Comparing penetration testing and vulnerability assessments helps understand their roles in your organization’s security practices and determine your needs.

Vulnerability Assessment

What is a Vulnerability Assessment?

Vulnerability assessments identify, classify, and prioritize computer, application, and network vulnerabilities. A vulnerability assessment examines information system security flaws: it checks for vulnerabilities, assigns severity levels, and suggests solutions.

Why are Vulnerability Assessments needed?

A vulnerability assessment determines an organization’s areas that need improvement. This process helps the company understand its assets, security flaws, and risk, reducing the likelihood of a cyberattack. It also guides risk assessment for weaknesses.

Depending on your organization, you may need regular vulnerability assessments to stay compliant. Compliance regulations have evolved to address security issues and vary by region and industry. Examples include GDPR, PCI DSS, and HIPAA. These standards require regular assessments to demonstrate that sensitive customer data is being protected properly. Vulnerability Assessments are comprehensive security processes that include:

  • Checking security protocols
  • Password safety of routers and Wi-Fi networks
  • Reviewing network strength against network intrusions, DDoS, and MITM attacks
  • Network port vulnerability scanning

How often do you need to perform a Vulnerability Assessment?

How often assessments must be done is set by compliance requirements. While legal regulations may require them less frequently, in the best-case scenario, assessments should be done once a month. Businesses generally get the recommendation to scan their internal and external systems at least once every three months.

Major standards’ frequency levels:

  • Payment Card Industry Data Security Standards (PCI DSS): Every three months
  • The Health Insurance Portability and Accountability Act (HIPAA): Does not require scanning but mandates that a detailed assessment process must be set up
  • Cybersecurity Maturity Model Certification (CMMC): Once a week to once every three months, depending on what auditors need
  • National Institute of Standards and Technology (NIST): Every three to four months, depending on how the organization is run

What’s in the Vulnerability Assessment Report?

Vulnerability Assessment involves vulnerability scanning and technical judgment. A Vulnerability Assessment report includes an organization’s security policy and other security products utilized. The Vulnerability Assessment suggests risk-mitigation measures afterward.

A Vulnerability Assessment report analyzes an organization’s systems, identifies vulnerabilities, and rates their severity. Security professionals use automated and manual testing tools for these assessments.

How do Vulnerability Assessments benefit you?

Vulnerability Assessments help you:

  • Discover security flaws to help organizations stay one step ahead of attackers
  • Catalog all network devices, including the purpose and system information
  • Plan upgrades, installations, and inventory of all enterprise devices
  • Define network risk
  • Optimize security investments with a business risk/benefit curve

How do you perform a Vulnerability Assessment?

  1. Establish the testing scope

Establish a Vulnerability Assessment methodology:

  • Locate your sensitive data
  • Find hidden data
  • Identify mission-critical servers
  • Select systems and networks
  • Check ports, processes, and configurations
  • Map the IT infrastructure, digital assets, and devices
  • Streamline the process

  2. Identify vulnerabilities

Conduct a vulnerability scan of your IT infrastructure and list all security threats. This step needs an automated vulnerability scan and a manual penetration test to ensure correct results and reduce false positives.

  3. Analyze

A scanning tool generates risk and vulnerability assessments. Most tools report a CVSS (Common Vulnerability Scoring System) score for each finding; these scores indicate the severity of each weakness. Prioritize findings by severity, urgency, potential damage, and risk.

  4. Address vulnerabilities

After identifying and analyzing vulnerabilities, choose a fix: the options are mitigation and remediation.

Remediation resolves vulnerabilities. It can be done by installing security tools, keeping products up to date, or using other methods. All stakeholders must participate in vulnerability remediation based on the identified priorities.
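As an added illustration of the analyze and address steps above (this is example code written for this page, not code from the original post or a databrackets tool), the following Python script parses a constructed scanner export, bands each finding on the CVSS v3.x qualitative severity scale, and orders a remediation queue. The mission-critical weighting and the down-weighting of unverified results are assumed policy choices, and every host, finding ID and score in the sample is made up.

```python
"""
Prioritise vulnerability-scan findings by CVSS severity and asset criticality.

Hypothetical helper for the VA "analyze" and "address" steps. Input is a
constructed CSV export in a shape most scanners can produce; output is an
ordered remediation queue with a CVSS v3.x severity band per finding.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: hosts, finding IDs and scores are invented.
SAMPLE_SCAN_CSV = """host,asset_tag,finding_id,cvss,title,verified
10.0.0.5,mission-critical,F-1001,9.8,Outdated web framework with known RCE,yes
10.0.0.5,mission-critical,F-1002,5.3,TLS 1.0 enabled,yes
10.0.0.9,standard,F-1001,9.8,Outdated web framework with known RCE,yes
10.0.0.9,standard,F-1003,7.5,Unauthenticated admin port exposed,no
10.0.0.12,standard,F-1004,3.1,Verbose server banner,yes
10.0.0.20,standard,F-1005,0.0,Informational: ICMP timestamp,yes
"""

# Assumed policy: findings on hosts tagged mission-critical in the scoping
# step carry 1.5x weight; anything untagged is treated as standard.
ASSET_WEIGHT = {"mission-critical": 1.5, "standard": 1.0}


def cvss_band(score: float) -> str:
    """Map a CVSS base score to the v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    host: str
    asset_tag: str
    finding_id: str
    cvss: float
    title: str
    verified: bool  # manually confirmed, i.e. not a suspected false positive

    @property
    def band(self) -> str:
        return cvss_band(self.cvss)

    @property
    def priority(self) -> float:
        # Severity scaled by asset criticality; unverified results are halved
        # until manual review confirms they are not scanner false positives.
        weight = ASSET_WEIGHT.get(self.asset_tag, 1.0)
        if not self.verified:
            weight *= 0.5
        return round(self.cvss * weight, 2)


def parse_scan(csv_text: str) -> list[Finding]:
    """Parse the export, rejecting scores outside the CVSS 0.0-10.0 range."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = float(row["cvss"])
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS out of range in {row['finding_id']}: {score}")
        findings.append(Finding(row["host"], row["asset_tag"], row["finding_id"],
                                score, row["title"],
                                row["verified"].strip().lower() == "yes"))
    return findings


def remediation_queue(findings: list[Finding]) -> list[Finding]:
    """Drop informational (None) results; order the rest, highest priority first."""
    actionable = [f for f in findings if f.band != "None"]
    return sorted(actionable, key=lambda f: (-f.priority, -f.cvss, f.host))


def band_counts(findings: list[Finding]) -> dict[str, int]:
    """Summary for the report: how many findings fall in each severity band."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.band] = counts.get(f.band, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN_CSV)
    print("Findings per band:", band_counts(found))
    for f in remediation_queue(found):
        print(f"{f.priority:6.2f}  {f.band:8s} {f.host:10s} {f.finding_id}  {f.title}")
```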

Google Trends for Vulnerability Assessment vs. Penetration Testing


Google trends show that penetration testing’s relative interest nearly peaked last year. Organizations are grouping Vulnerability Assessment and Penetration Testing (VAPT) to improve security maturity.

Penetration Testing

What is Penetration Testing?

Penetration Testing (or Pentest) is the authorized simulation of various business-threatening attacks on computer systems to evaluate security. Penetration tests determine if a system can handle attacks from authenticated and unauthenticated users and system roles. Pen testers use the same tools, methods, and processes as attackers to find weaknesses in a system and show how they may affect business. Pentest can examine any system component with the right scope.

Why is Penetration Testing important?

  • Find vulnerabilities that traditional IT security tools miss
  • Identify weak spots in an application or network that hackers might use to get into the system
  • Establish customer and company trust
  • Protect company data and reputation; data leaks ruin reputations

Preparing for attacks from hackers or employees who leak confidential information is important. A non-destructive penetration test can identify security vulnerabilities before an attack and recommend improvements.

How often do you need to perform Penetration Testing?

Penetration testing should be performed at least once a year to improve IT and network security management and to reveal how malicious hackers may exploit newly discovered threats (0-days, 1-days) or emerging vulnerabilities. For example, PCI DSS compliance requires penetration testing annually and after major infrastructure or application upgrades.

IT Governance recommends an annual Level 2 penetration test for high-profile or high-value organizations. Organizations with a low-risk appetite should do level 1 penetration tests often (usually every three months).

What’s in the Penetration Testing report?

Penetration Testing reports detail security test vulnerabilities. The report lists weaknesses, threats, and solutions. The Pen Test Report provides a complete overview of vulnerabilities with a POC (Proof of Concept) and priority remediation rating for each issue and its impact on your application/website.

A good penetration testing report includes an executive summary, vulnerabilities, business impact, and recommendations to fix them.

How do you perform Penetration Testing?

Planning and reconnaissance, scanning, system access, continued access, and analysis/report comprise the penetration testing process. Ethical hackers can look at a system, figure out its strengths and weaknesses, then choose the best tools and methods to break into it. Penetration testing begins long before a simulated attack.

Planning and Reconnaissance

The first penetration phase simulates a malicious assault to obtain as much system information as possible. Ethical hackers look at the system, its weaknesses, and how the technology stack responds to intrusion attempts. The methods include social engineering, dumpster diving, network scanning, and domain registration information retrieval. Employee names, emails, network topology, and IP addresses are searched for. The audit goals determine the type of information gathered and the depth of investigation.

Scanning

Penetration testers scan systems and networks based on planning findings. The scan identifies system vulnerabilities that could be exploited for targeted attacks. All this information is crucial to the success of the next steps.

System Access

Pen testers use system vulnerabilities to enter infrastructure. They escalate privileges to show how deep they can get into target environments.

Continued Access

In this step, the Pentest identifies which data and services one can access to gain the most privileges, network knowledge, and system access. Pentesters should stay in a system long enough to mimic hostile hackers’ intentions.

Analysis and Reporting

The security team writes a comprehensive penetration testing report of their results at the last stage. Finally, they recommend safeguards to prevent future attacks. Attacks have skyrocketed in recent years and don’t appear to be slowing down, so the number of precautions needs to be adjusted accordingly.

How does Penetration Testing benefit you?

  • Reveals the system’s weaknesses
  • Reveals the system’s strengths
  • Prevents Hackers from Infiltrating Systems
  • Verifies if your system design meets the current regulations
  • Helps ensure an experienced hacker cannot access your data
  • Shows how a hacker might attack your system. This distinguishes them from most other testing choices
  • Helps establish customer trust, showing you’re correcting problems and working hard to serve clients well
  • Helps budget your security expenditure


Vulnerability Assessment vs. Penetration Testing

Purpose
  • Vulnerability Assessment: Identifies, analyzes, remedies, and discloses security problems. Security techniques help companies limit their “attack surface.”
  • Penetration Testing: Detects and exploits computer system flaws. This simulated attack finds vulnerabilities that attackers could exploit.

Frequency
  • Vulnerability Assessment: On average, performed every quarter.
  • Penetration Testing: At least once a year.

Scope
  • Vulnerability Assessment: Finds and categorizes system vulnerabilities.
  • Penetration Testing: Exploits weaknesses for insights.

Report
  • Vulnerability Assessment: Lists all system vulnerabilities detected during a scan by severity and offers fixes.
  • Penetration Testing: Details vulnerabilities found during a security test, listing flaws, threats, and possible remedies.

Performed by
  • Vulnerability Assessment: Vulnerability scanning is a largely automated process.
  • Penetration Testing: Penetration testing is a hybrid process that combines automated scanning with manual interaction.

Timeline
  • Vulnerability Assessment: Automated vulnerability assessment saves time and money.
  • Penetration Testing: A penetration test is a time-consuming and costly process.

Cost
  • Vulnerability Assessment: Vulnerability assessments typically cost $2,000–$2,500, depending on the number of IPs, servers, or apps checked. Depending on your needs, SaaS or web application scans cost $700–$4999.
  • Penetration Testing: Website penetration testing costs $349–$1499 per scan; full website penetration tests cost $2500–$50,000; pentesting mobile and web apps costs $1500–$5000; cloud, network and device pen testing quotes vary from $400–$2000; white-box penetration testing costs $500–$2000 per scan; black-box penetration testing costs $10,000–$50,000 per scan; grey-box penetration testing costs $500–$50,000 per scan.

Limitation
  • Vulnerability Assessment: Rarely yields zero false positives.
  • Penetration Testing: Exposes the network to fraudsters, hackers, or severe data loss.

Best Suited
  • Vulnerability Assessment: Suitable for a multimillion-dollar SaaS firm or a small e-commerce venture that relies on data and must routinely check for security flaws.
  • Penetration Testing: Ideal for firms with sophisticated applications and valuable data.

Depth
  • Vulnerability Assessment: The report will detail all potential vulnerabilities and may rank them by network threat.
  • Penetration Testing: The penetration tester acts like a hacker to attack vulnerabilities (in an ethical manner) without stealing, exploiting, or destroying network data.

Why might an organization need to conduct Vulnerability Assessments and Pen Testing?

Most of the time, Vulnerability Assessments and Penetration Tests are grouped. A good security program will use vulnerability and penetration testing to improve security maturity.

Conclusion

Vulnerability scans are often confused with penetration tests but provide different benefits. The best vulnerability management solutions regularly find, evaluate, report, and rank weaknesses in software and network systems. The findings are presented in an easily understandable format to protect your business-critical assets.

Vulnerability scans cannot replace penetration tests. Vulnerability scans identify risks at a high level while penetration testers investigate them. Penetration tests can show if vulnerabilities can be exploited to access your environment, whereas vulnerability scans cannot. Most vulnerability scans are automated, making them a better option for daily use. Alongside penetration tests, reviewing your environment’s vulnerabilities frequently can alert you to new vulnerabilities and their severity.

How can databrackets help with VAPT?

Before an attacker can discover the network, application, cloud service, and code vulnerabilities, databrackets’ A2LA-accredited process and pen testers can quickly and cost-effectively identify security vulnerabilities.

Contact us to learn more about how our services and specialists can help your company defend against security threats and attacks.

NIST Security Standards

The NIST security standards are a key resource for setting the organization’s network security and overall security posture

Organizations of all sizes are vulnerable to data theft and loss, regardless of the asset at risk: consumer information, intellectual property, or private corporate files. The United States federal government and its commercial contractors have long relied on the National Institute of Standards and Technology (NIST) for information security standards and recommendations. This blog will analyze NIST security standards and compliance to help you improve your cybersecurity program.

NIST creates information security standards and guidelines, including minimum requirements for federal systems. However, such standards and procedures shall not apply to national security systems without the express approval of relevant federal officials exercising policy authority over such systems.

NIST compliance essentially means meeting the requirements of one or more NIST standards. The organization’s principal function is to provide guidelines (especially for security controls) applicable to a wide range of businesses and agencies. In response to rising demand in the security sector, NIST has released several security standards that are widely used worldwide.

Although NIST has been active for some time, the NIST CSF (Cybersecurity Framework) was born out of the Cybersecurity Enhancement Act passed in December 2014. The NIST Cybersecurity Framework (CSF) is one of its most popular security standards. This widely accepted framework provides organizations with guidance for managing cybersecurity risk.

What Are NIST Security Standards?

Businesses increasingly realize that network security requirements are a vital component of a contemporary organization and critical to its survival.

According to IBM, only 23% of corporations said they had an incident response plan for their entire company before the pandemic, indicating that businesses were unprepared for cyberattacks.

Cyberattacks are now more common than ever due to the pandemic. Businesses must act to safeguard themselves and their customers.

Companies are searching for direction in their cybersecurity and are hoping that frameworks like NIST can deliver it.

What Is NIST?

NIST, known as the National Bureau of Standards until 1988, was established in 1901 as a non-regulatory organization. Its main aim was to produce standards in a variety of fields, including manufacturing, environmental research, public safety, nanotechnology, information technology, and others.

Since its inception, NIST’s mandate has expanded to include an increasing number of businesses, including cybersecurity (under IT). NIST standards, particularly their cybersecurity framework, are meant to be voluntary guidelines for all organizations, with the exception of those engaged in government contracts, which must follow them.

NIST Security Google Trend

‘NIST’ reached its highest search interest since February ’22 in August-September ’22, edging towards an all-time high on Google Search in the U.S. This is mainly due to its central role in establishing a risk-based approach that organizations can use to improve their security posture.

Key NIST Security Standards

NIST CSF

The NIST Cybersecurity Framework (NIST CSF) is the benchmark for designing a cybersecurity program. This framework, developed by the National Institute of Standards and Technology, tackles the absence of standards in cybersecurity by providing a consistent set of rules, guidelines, and standards for enterprises to adopt across the board.

The NIST cybersecurity framework helps an organization organize and develop its cybersecurity program. It is a set of guidelines and best practices designed to assist organizations in developing and improving their cybersecurity posture. The framework proposes a series of suggestions and standards to help your organization better prepare to recognize and detect cyber-attacks, along with rules for responding to, preventing, and recovering from cyber disasters.

The NIST CSF specifies your organization’s security procedures to protect digital assets from unwanted access. It does not create new security requirements or solutions that organizations must implement. Rather, the framework provides organizations with the best cybersecurity practices.

These practices are the five basic functions listed below:

Identify: Raise awareness within your organization about the need to manage cybersecurity risk. Then, determine the systems and data needed to safeguard your organization.

Protect: Put in place security measures to protect your systems and data from attackers. These steps may include cybersecurity solutions, organization-wide security policy, and data management training for staff.

Detect: Good cybersecurity requires increased visibility into enterprise networks, systems, and devices, supported by a well-planned cybersecurity strategy that includes protocols and tools for detecting cybersecurity incidents.

Respond: Create crisis plans to eliminate threats and quickly mitigate harm.

Recover: Implement a disaster recovery policy to restore data and services disrupted by a cyberattack, learn and grow from every cybersecurity event, and communicate your findings throughout your organization.

The framework also offers four tiers for assessing an organization’s cybersecurity posture.

Tier 1 – Partial: The organization does not adhere to a minimum cybersecurity requirement and does not have a written security plan. Cybersecurity measures are frequently improvised and established in response to a previous occurrence.

Tier 2 – Risk-informed: Although there are no organizational-wide cybersecurity safeguards, the organization is aware of cyber supply chain threats. Some cybersecurity measures are in place but not implemented at all levels of the business.

Tier 3 – Repetitive: The firm formally implements a company-wide cybersecurity policy, which is reviewed and updated to reflect the ever-changing technological landscape.

Tier 4 – Adaptable: The organization’s cybersecurity policy is constantly adjusted to align with industry standards and developing technology.

NIST 800-53

The National Institute of Standards and Technology created the NIST 800-53 standard and compliance framework for cybersecurity. It is an evolving framework that seeks to develop standards, controls, and evaluations dynamically, based on risk, cost-effectiveness, and capabilities.

The NIST 800-53 framework offers a base of guiding components, strategies, systems, and controls that can neutrally support any organization’s cybersecurity needs and priorities.

NIST 800-171

The NIST 800-171 document specifies how federal contractors and subcontractors should protect Controlled Unclassified Information (CUI). It is intended for non-federal information systems and organizations.

Executive Order 13556, signed by President Obama in 2010, mandated that all federal agencies in the United States preserve CUI more stringently. Following several high-profile breaches of government entities, the federal government increased its focus on cybersecurity. The goal was to create a consistent strategy for data sharing and transparency that calls for adherence by all agencies.

As a result, the Federal Information Security Modernization Act (FISMA) was passed in 2014, followed by NIST 800-53 and NIST 800-171 in 2017. Since then, various iterations and upgrades to NIST 800-171 have been released to keep CUI safe inside the government contractor ecosystem.

FIPS 140-2 

The Federal Information Processing Standard 140-2 (FIPS 140-2) is an information technology security accreditation procedure that verifies that private-sector cryptographic modules meet well-defined security standards.

Other standards

Firms that are neither subcontracted by a government contractor nor employed directly by the government do not require NIST CSF compliance. However, many of its procedures and activities overlap with other laws and standards that require compliance, including HIPAA, PCI, and PII protection requirements.

NIST Compliance for Federal Agencies

All organizations conducting business with the federal government, including academic institutions that receive federal funds, must conform to the NIST criteria to qualify for government contracts.

Anyone processing, storing, or transmitting potentially sensitive information for the Department of Defense (DoD), General Services Administration (GSA), NASA, or other federal or state agencies must adhere to NIST compliance guidelines.

Executive Order 13800 made the CSF mandatory for all federal entities in the United States. Compliance with the NIST CSF is optional for commercial firms, although many private sector organizations choose to adopt these standards, which are routinely updated to combat changing cybersecurity threats.

NIST Compliance for the Private Sector

Compliance with NIST standards is optional for private-sector companies that do not compete for government contracts. Nonetheless, adopting NIST standards has various advantages that make the proposal well worth exploring.

The flexible nature of the NIST cybersecurity framework can be highly valuable when an organization is attempting to chart its path to better protecting its critical infrastructure, implementing effective security measures, and reducing the risk of cyber assaults.

If you follow NIST principles, you don’t have to start from scratch when designing your cybersecurity strategy. Adopting NIST shows that your company is serious about data security and developing robust security procedures.

If you answer yes to any of the following questions, NIST compliance is a good next step for your company:

Do you handle HIPAA-compliant data?

Do you manage regulated, unclassified information regularly?

Do you have a large number of third-party vendors and contractors?

Will you ever compete for a contract with the United States government?

Do you want to work as a service provider or a small company contractor in national security?

Do you work on projects adhering to the Federal Information Security Management Act (FISMA)?

Seeking NIST compliance does not have to be as difficult and time-consuming as it may appear. NIST compliance criteria have become industry standards, particularly for mitigating cybersecurity risks such as data breaches. As the COVID-19 outbreak subsides and the organization resumes normal operations, databrackets can assist you in remaining competitive.

Comparing NIST with other standards

Compliance standards and frameworks such as NIST CSF, ISO 27001, and SOC2 guarantee the integrity and protection of your organization’s data as well as the data of your customers.

However, these frameworks are not interchangeable, and it is not always clear which one applies to your company. To determine which is ideal for you, let’s compare these frameworks. To know more, please visit our blog.

Cost of complying with NIST security standards

Organizations often spend between $5,000 and $15,000 to be assessed for NIST compliance. If problems that need to be fixed are discovered during the examination, they can cost between $35,000 and $115,000 to remedy.

How can databrackets help you comply with NIST security regulations?

We offer an A2LA-accredited comprehensive suite of self-assessment and consulting services to help you navigate the NIST Cybersecurity framework requirements.

We have compared well-known security frameworks and standards with the help of our partners and consultants. Our analysis and assessment focus on practical elements you should consider before implementing the controls in place for each framework.

For more information, get in touch with our specialist to learn how databrackets can put your organization’s compliance in order right away.

Is HITRUST Worth The Investment?

HITRUST certification helps healthcare companies manage information risk effectively. It is worth it if it is considered an investment rather than a one-time cost.

What is HITRUST?

HITRUST, or Health Information Trust Alliance, is a non-profit organization that uses the ‘HITRUST approach’ to help the healthcare industry control data protection standards and effectively manage data, information risk, and compliance. It’s similar to HIPAA, but instead of being written and enforced by the federal government, HITRUST is regulated by a group of healthcare professionals.

HITRUST is a way for the healthcare sector to self-regulate security practices while also fixing some of HIPAA’s shortcomings and providing a PCI (Payment Card Industry)-like enforcement system for businesses to adopt. HITRUST is a recommended framework trusted by many larger healthcare companies, health networks, and hospitals to manage risk along with other frameworks.

 

Why is HITRUST important?

In the United States, HITRUST is the healthcare industry’s security framework, adopted primarily in hospitals. It sets an industry-wide standard for handling Business Associate compliance. For a variety of reasons, HITRUST is steadily being adopted in the healthcare industry alongside other certifications:

HITRUST is updated daily to keep healthcare organizations up to date on new regulations and security threats. It is the most frequently updated security framework, with periodic updates and annual audit revisions. This ensures that organizations following the HITRUST CSF (Common Security Framework) must work continuously to maintain their security.

Some large payers require HITRUST. On February 8, 2016, five major healthcare payers told their business associates that they would be required to comply with the HITRUST CSF within two years. As a result, companies must consider “what HITRUST entails” and “what changes need to be made to achieve and maintain certification.”

HITRUST Certification has the strictest requirements for high-risk data, so an entity that holds it can demonstrate that it is a leader in compliance because it has the certification to back it up.

Is HITRUST worth it?

HITRUST Certification won’t be easy.

Many business associates will find it challenging to obtain HITRUST CSF certification because the vast majority may be unprepared and caught off guard. This is due to the fact that many organizations, especially smaller vendors, lack the resources to complete HITRUST CSF Certification. Organizations must not only meet the CSF criteria, but a third party must also audit them before being approved, and they must be recertified every other year.

Several businesses are taken aback by the HITRUST certification. Why?

  • Firstly, the cost of assessment and assessor services is high. Budgets are often tight, and data protection may be a substantial investment. The cost might be too steep for small and medium enterprises, and HITRUST might be perceived as more expensive. For enterprises, HITRUST Certification could be seen as an investment rather than an expense.
  • Many customers are hesitant to invest in HITRUST because they fear failing.
  • A company choosing to get HITRUST certified must first adopt the HITRUST CSF (Common Security Framework), which is updated regularly with multiple versions. You need to stay on top of the updates and use the right protocols and technologies to be able to use it effectively. This may be a daunting task for many companies.
  • An assessment may include up to 400 control criteria and take up to 8 weeks, depending on the scope and complexity of the company. This may be severely time consuming.

The HITRUST Certification Fee

 

If you’re looking for a ballpark figure, the best estimate is $50,000 to $200,000, not including ongoing recertification costs. However, the range is so wide that it is of little use for budgeting.

The actual cost depends on the assessment’s scope, the organization’s size, the state of its information system, and the steps taken to prepare for a HITRUST assessment.

 

What exactly is included in this price?

Costs directly related to:

– Access to the HITRUST MyCSF® portal and services

– Taking and scoring a readiness assessment

– Conducting a gap analysis, and administering and scoring a validated assessment

Indirect costs incurred as a result of:

– Employee time spent on participation

– Security data recording and updating

– Initial setup

– Developing corrective action plans and remediation initiatives

– Assistance in locating and submitting necessary documents

Why is HITRUST Certification more expensive than other security certifications?

One must factor in the detail-oriented approach, thoroughness, and dependability.

A thorough examination

Depending on the company’s risk profile, a single HITRUST assessment may include up to 400 control criteria. This is in addition to the three categories of safeguards required by HIPAA regulations, the 12 PCI DSS compliance requirements, COBIT’s five domains and 37 processes, and the 80-100 controls included in a SOC 2 audit.

The HITRUST CSF blends these and other regulatory standards into a single, overarching risk management and enforcement program, which is one of the most tangible benefits of the framework. It combines information management, financial services, technology, and healthcare standards. As a result, businesses will streamline their enforcement processes, resolve security concerns in all sectors, and reduce the time and expense associated with maintaining compliance with multiple standards.

Detail-oriented approach

Each control in your organization’s assessment must be reported, assessed, checked, and verified by an accredited external assessor before being evaluated by HITRUST. In addition, each control must be assessed using the HITRUST Maturity Model, which has five levels.

The HITRUST CSF certification process covers much more ground than any other security evaluation. In most cases, 2,000-2,500 separate data points are examined. Throughout this phase, an average of 1.5 hours per control is spent, with the number of controls assessed varying depending on the organization’s size, risk profile, and scope.

Dependability

The HITRUST CSF system was created to give enforcement programs more structure and continuity. Recent enhancements have also increased scoring accuracy over time and between internal and external assessors.

HITRUST has strict standards for the assessor firms and experts involved in its commitment to solid assurance. Firms must apply for and receive approval from HITRUST to conduct assessments and services related to the CSF Assurance Program and work hard to retain that status.

Certified CSF Practitioners (CCSFP) are HITRUST Approved External Assessors responsible for assessing and validating security controls. They must complete a training course, pass an exam, and retain certification through regular refresher courses. Through these requirements, HITRUST helps ensure that the evaluation and certification process is accurate.

Can you have a data breach after a HITRUST Certification?

Anthem, a HITRUST-certified company, was hacked, which resulted in a breach impacting nearly 80 million individuals.

While HITRUST released a statement in its defense that “the healthcare payer did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification,” some security experts did question the significance of the certification, asking “what did it mean to be HITRUST certified?” given the sheer scale of the breach.

HITRUST Alternatives

The HITRUST CSF is a certifiable and widely accepted security framework with a list of prescriptive controls to demonstrate HIPAA compliance. However, as alternatives to HITRUST, several SMEs comply with other security governance frameworks such as the National Institute of Standards and Technology (NIST) framework, HIPAA, SOC Reports (SOC 1, 2, and 3, Type 1 and 2), and ISO 27001 Certification.

NIST is a set of voluntary guidelines and processes that companies use to reduce the risk of a cybersecurity threat. It aims to improve security and resiliency by implementing 108 security controls to achieve NIST compliance.

Many HIPAA requirements may not be understood in accordance with their intended objectives. HITRUST aims to provide an integrated and holistic approach to demonstrate compliance with HIPAA security requirements.

HIPAA is a federal law with national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Based on the certification goals and requirements of our clients, we offer alternative frameworks: NIST, ISO 27001, or SOC 2 certifications. Different certifications involve different costs and levels of effort, so it is imperative to consider your size, requirements, and budget before you seek certification. If your company falls under a broad range of industries or comes under a regulated industry, SOC 2 may be the best option. If your company processes electronic health information, HITRUST may be the better option.

Talk to us to understand your certification category and to learn more.

About databrackets

databrackets’ certified privacy and security professionals can help your organization comply with a range of certifications and compliance requirements, including HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing, FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDFS Cybersecurity Series, ISO 17020, and ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

American Association for Laboratory Accreditation (A2LA) has accredited databrackets for technical competence in and compliance with the Inspection Body Accreditation Program.

databrackets has been accredited by the American Association for Laboratory Accreditation (A2LA) as a Cybersecurity Inspection Body for ISO/IEC 17020:2012 vide its Certificate Number: 5998.01.

The Cybersecurity Inspection Body Program accreditation provides added trust and assurance in the quality of assessments performed by databrackets. A2LA’s third-party accreditation offers an independent review of databrackets’ compliance with ISO/IEC 17020 (Requirements for the operation of various types of bodies performing inspections) as well as its competence in the technical program requirements for the desired scope of accreditation (i.e. SOC II, HIPAA/HITECH, PCI, etc.).

databrackets received accreditation by the International Accreditation Service (IAS) to provide ISO/IEC 27001 Certification for Information Security Management Systems (ISMS) and joins an exclusive group of certification bodies.

To learn more about the services, read here.

Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

Explore the top cybersecurity frameworks that are critical to protecting company data, like NIST, SOC 2, ISO 27001, HIPAA, and others, in this blog.

Over the last decade, an increasing number of organizations have been demanding security and compliance-based certifications before awarding contracts to SaaS and other service providers. This has led to an increase in the demand for certifications like SOC 2, NIST, ISO 27001, etc. These certifications help to standardize the cybersecurity measures taken to protect data and safeguard the brand reputation of the organization. They have also led to critical benchmarks in various industries and need to be understood before your organization selects the right one.

We, at databrackets, with the help of our partners and consultants, have compared popular security standards and frameworks (mandatory and voluntary). Our analysis focuses on practical aspects you need to consider before implementing the controls under each framework.

To begin our comparison, we looked at Google Trends for the interest in these security frameworks over the last decade.

[Chart: Google Trends interest in security standards over the last decade]
As seen in the report, HIPAA/HITECH security standards have the highest interest level in the US market, followed by NIST, SOC 2, and ISO 27001.

Comparing Security Frameworks

The comparison parameters in the charts below focus on the information you need to get an overview of the security standards and their relevance to your organization.
The key features compared are listed below for ISO 27001, SOC 2, NIST Standards, PCI-DSS, HIPAA / HITECH, and Other Standards/Frameworks (including FedRAMP, CSA, HITRUST, Shared Assessments, etc.), with notes where applicable.

Certification
  • ISO 27001: Yes
  • SOC 2: Yes
  • NIST Standards: Not applicable. You can get attested for compliance by a third party.
  • PCI-DSS: Yes
  • HIPAA / HITECH: There is no agency authorized to certify HIPAA compliance.
  • Other Standards/Frameworks: Yes
  • Notes: You need to engage the certifying bodies / approved vendors.

Approach
  • ISO 27001: Risk-based
  • SOC 2: Controls-based
  • NIST Standards: Controls-based
  • PCI-DSS: Controls-based
  • HIPAA / HITECH: Controls-based
  • Other Standards/Frameworks: Maps to the individual frameworks of each standards body

Principle
  • ISO 27001: Information Security Management Systems
  • SOC 2: Trust Services Criteria & Ethics
  • NIST Standards: Control Families
  • PCI-DSS: PCI DSS standard
  • HIPAA / HITECH: HIPAA rules including Technical, Administrative and Physical Safeguards
  • Other Standards/Frameworks: Depends on the individual frameworks of each standard
  • Notes: Technology platform specific controls are not covered by the standards / certification bodies.

Certification Method
  • ISO 27001: Authorized Certification Bodies
  • SOC 2: Authorized CPA Firm (Readiness Assessment can be done by a vendor)
  • NIST Standards: Self (Audit and Attestation can be done by a third party)
  • PCI-DSS: Authorized firm with PCI-QSA certification
  • HIPAA / HITECH: Self (Audit and Attestation can be done by a third party)
  • Other Standards/Frameworks: Third-party vendors
  • Notes: Third parties require accreditation to issue certification.

Best Suited For
  • ISO 27001: Service Organization
  • SOC 2: Service/Product Organization
  • NIST Standards: Different industries require different levels/standards of compliance
  • PCI-DSS: Service Organization
  • HIPAA / HITECH: Healthcare, SaaS, and any organization handling Protected Health Information of US citizens, including vendors handling PHI
  • Other Standards/Frameworks: Service/Product Organization
  • Notes: Some sort of security and data privacy certification is becoming a part of most industries.

Popular in …
  • ISO 27001: International
  • SOC 2: Companies operating in North America
  • NIST Standards: US Federal / Commercial / Manufacturing
  • PCI-DSS: International
  • HIPAA / HITECH: USA
  • Other Standards/Frameworks: Companies operating in North America

Customer Acceptance (Customer Requirements)
  • ISO 27001: Preferred (Mandatory in some cases)
  • SOC 2: Preferred (Mandatory in some cases)
  • NIST Standards: Not Mandated
  • PCI-DSS: Preferred (Mandatory in some cases)
  • HIPAA / HITECH: Mandatory
  • Other Standards/Frameworks: Depends on the industry and marketplace where business is conducted

Duration
  • ISO 27001: Point-in-time
  • SOC 2: 6-month period (Type 2)
  • NIST Standards: Point-in-time
  • PCI-DSS: 3-6 Months
  • HIPAA / HITECH: Point-in-time
  • Other Standards/Frameworks: Point-in-time
  • Notes: A surveillance audit is in place for most of the certifications.

Certification Frequency
  • ISO 27001: Every 3 years with annual surveillance audits
  • SOC 2: Annual
  • NIST Standards: Not Applicable
  • PCI-DSS: Annual
  • HIPAA / HITECH: Annual
  • Other Standards/Frameworks: Mostly Annual

Cost
  • ISO 27001: $$
  • SOC 2: $$$
  • NIST Standards: $$
  • PCI-DSS: $$$
  • HIPAA / HITECH: $$
  • Other Standards/Frameworks: $$$ (HITRUST certifications cost $50k-$200k)
  • Notes: Engaging an experienced vendor helps to ensure documentation and audit support. This saves cost in the long run.

Below is a quick summary of each security standard and framework:

NIST Security Guidelines

NIST Security Standards are based on best practices from several security resources, organizations, and publications. They were designed as a framework for federal agencies and programs requiring security measures. Several non-federal agencies have also implemented these guidelines to showcase that they comply with authoritative security best practices.

NIST Special Publication 800-53 is the most popular among the NIST security series. It provides the steps in the Risk Management Framework for security control selection for federal information systems. This is in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. The NIST Cybersecurity Framework (NIST CSF) has also attracted a lot of interest and attention from a variety of industries.

NIST has released the final version of Special Publication (SP) 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). Security professionals can leverage the macOS Security Compliance Project (mSCP) to secure and assess macOS desktop and laptop system security in an automated manner.

ISO 27001

ISO 27001 is a more risk-based standard for organizations of all shapes and sizes. Although there are more than a dozen standards in the ISO/IEC 27000 family, ISO/IEC 27001 is well known for defining the requirements for an information security management system (ISMS). ISO 27001 enables and empowers organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to third parties. The latest update to ISO 27001 is scheduled to be released in late 2022.

SOC 2

SOC 2 reports assess the security controls of a Service Organization in accordance with AICPA’s Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 2 compliance is often included as the eligibility criteria for SaaS and other service providers as they bid for B2B contracts. Type 1 and Type 2 reports meet the needs of a broad range of B2B customers who want assurance about the security of their customer data.

HITRUST

HITRUST stands for the Health Information Trust Alliance. A HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published a proposed rule for changes to the act in December of 2020, and a Final Rule is expected in 2022 with the following changes:

Increased Patient Access: the HIPAA Right of Access in the HIPAA Privacy Rule allows individuals to be more in control of their health and well-being decisions, which includes but is not limited to:

  • Allowing patients to inspect the medical record PHI in person and/or take notes or photos
  • Reducing the time needed to provide access to PHI from 30 to 15 days
  • Allowing patients to request a transfer of their PHI to personal health applications
  • Posting estimated fee schedules for PHI access and disclosures

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards governed by the Payment Card Industry Security Standards Council (PCI SSC). This framework has been designed to secure credit and debit card transactions against data theft. PCI-DSS is a requirement for any organization that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information.

Cloud Security Alliance

The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of objective questions for a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM).

FedRamp

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program in the US that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to rapidly adapt old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

Shared Assessments

Shared Assessments provides best practices, tools, and a member community for third-party risk management, including the Standardized Information Gathering (SIG) questionnaire, so that outsourcers and their vendors can assess one another in a consistent, repeatable way and build an environment of assurance.

How databrackets can help you comply with security regulations

databrackets specializes in helping organizations secure sensitive data and comply with regulatory requirements. By leveraging databrackets' SaaS assessment platform, awareness training, policies, procedures, and consulting expertise, our customers and partners meet the growing demands for data security and evolving compliance requirements more efficiently. Contact us here to learn more.

Top 5 Things You Should know about SOC 2 Compliance

The top 5 things you should know about this crucial framework

Introduction

SOC 2 is an attestation framework defined by the AICPA. An independent CPA firm examines the controls of a technology, product, or cloud service provider that stores or processes customer data and reports on whether those controls protect the security of the organization and the privacy of its clients. The resulting report gives a clear view of your organization's security posture at a given time or over a given period.

A SOC 2 report not only gives you insight into your own security posture; it also gives you a competitive edge, because customers increasingly ask for one before they sign.

Passing the SOC 2 audit gives you well-founded confidence that your systems and networks are secure. A SOC 2 readiness assessment done beforehand helps you find the gaps in your procedures, internal controls, and documentation before the auditor does.
Check your readiness score here. The following are the top 5 things we have learned from years of helping companies prepare for SOC 2:

Is SOC 2 mandatory?

SOC 2 is neither a law nor a regulation. It is, however, a demanding set of criteria that must be addressed carefully, and customer assurance is the main reason organizations pursue it.
A SOC 2 report attests that the controls protecting customer data from unauthorized access are suitably designed (Type 1) and, for a Type 2 report, operating effectively over the review period. Maintaining those controls is also a practical way to avoid costly security breaches.

Tenets of SOC 2 Compliance

SOC 2 does not prescribe specific technical controls. The auditor evaluates the controls you have defined against the Trust Services Criteria and confirms that they are actually followed in practice. The criteria are grouped into five categories: security (the common criteria, which every SOC 2 report must cover), availability, processing integrity, confidentiality, and privacy; the last four are included only when they are in scope for the services you offer.

Things to monitor for SOC 2 Compliance- Alerts, Triggers, Visibility

Alerts

To satisfy the monitoring criteria, you should set up alerts for:

  • Exposure or modification of sensitive data, security controls, or configurations
  • File transfer activity, particularly large or unexpected outbound transfers
  • Privileged file system, account, or login access

Triggers

An alert must fire whenever there is unauthorized access, or an attempt at access, to customer data. Each alert should trigger a documented response (triage, escalation, ticket) so that the auditor can trace a path from the event to the action taken.

Visibility

You must have visibility at the host level: user activity, running processes, network connections, and other threat-prone areas all need to be observable. Beyond static rules, look for monitoring that is behavior-based, comparing current activity with each user's or service's normal baseline so that suspicious events stand out even when no single rule is broken.
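The following is an added example, not code from the original page or from any SOC 2 publication, showing how the three monitoring themes above (alerts, triggers, visibility) turn into concrete detection logic. It runs a handful of rules over constructed JSON-lines host and application events: a privileged login, a change to a sensitive configuration file, a read of customer data by a principal outside the access policy (the "trigger" case), a large outbound transfer, and a behavior-based rule that compares hourly read volume with each principal's baseline. The log format, field names, account lists, and thresholds are all assumptions chosen for the illustration.

```python
"""Minimal SOC 2-style alerting pass over constructed host/application logs.

Added example, not part of the original page. Event format, field names,
policy tables and thresholds are assumptions for illustration only.
"""
import json
from collections import defaultdict

# Assumed access policy: which principals may read each customer dataset.
DATA_ACCESS_POLICY = {"customer_pii": {"svc-billing", "alice"}}
# Assumed list of privileged accounts whose logins always raise an alert.
PRIVILEGED_ACCOUNTS = {"root", "admin", "svc-deploy"}
# Assumed prefixes that mark a configuration path as security-sensitive.
SENSITIVE_CONFIG_PREFIXES = ("/etc/", "iam:", "sg-")
# Assumed behavioural baseline: typical records read per hour per principal.
BASELINE_READS_PER_HOUR = {"alice": 40, "svc-billing": 500}
ANOMALY_FACTOR = 3                      # alert above 3x the baseline
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # 50 MiB outbound

# Constructed sample events (JSON lines); not real log data.
SAMPLE_LOG = """
{"ts":"2024-03-01T02:14:05Z","host":"db-01","event":"login","user":"root","src_ip":"203.0.113.9","auth":"password"}
{"ts":"2024-03-01T09:02:11Z","host":"app-02","event":"login","user":"alice","src_ip":"10.0.4.7","auth":"sso"}
{"ts":"2024-03-01T09:05:30Z","host":"app-02","event":"config_change","user":"alice","path":"/etc/ssh/sshd_config","diff":"PermitRootLogin yes"}
{"ts":"2024-03-01T09:10:00Z","host":"app-02","event":"data_read","user":"alice","dataset":"customer_pii","records":35}
{"ts":"2024-03-01T09:20:00Z","host":"app-02","event":"data_read","user":"bob","dataset":"customer_pii","records":12}
{"ts":"2024-03-01T09:41:00Z","host":"app-02","event":"data_read","user":"alice","dataset":"customer_pii","records":300}
{"ts":"2024-03-01T09:45:00Z","host":"app-02","event":"file_transfer","user":"alice","dest":"198.51.100.20","bytes":734003200,"direction":"out"}
"""


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _alert(rule, severity, ev, detail):
    return {"rule": rule, "severity": severity, "ts": ev["ts"],
            "host": ev["host"], "user": ev.get("user"), "detail": detail}


def detect(events):
    """Run the alert rules over the events and return the alerts raised."""
    alerts = []
    reads_per_hour = defaultdict(int)  # (user, hour bucket) -> records read

    for ev in events:
        kind = ev["event"]
        if kind == "login" and ev["user"] in PRIVILEGED_ACCOUNTS:
            hour = int(ev["ts"][11:13])
            off_hours = hour < 6 or hour >= 20
            alerts.append(_alert("privileged-login", "high", ev,
                                 f"{ev['user']} from {ev['src_ip']} via {ev['auth']}"
                                 + (" (off-hours)" if off_hours else "")))
        elif kind == "config_change" and ev["path"].startswith(SENSITIVE_CONFIG_PREFIXES):
            alerts.append(_alert("sensitive-config-change", "high", ev,
                                 f"{ev['path']}: {ev['diff']}"))
        elif kind == "data_read":
            # Trigger: any read by a principal outside the dataset's policy.
            if ev["user"] not in DATA_ACCESS_POLICY.get(ev["dataset"], set()):
                alerts.append(_alert("unauthorized-data-access", "critical", ev,
                                     f"{ev['user']} read {ev['records']} records from {ev['dataset']}"))
            reads_per_hour[(ev["user"], ev["ts"][:13])] += ev["records"]
        elif (kind == "file_transfer" and ev["direction"] == "out"
              and ev["bytes"] >= LARGE_TRANSFER_BYTES):
            alerts.append(_alert("large-outbound-transfer", "high", ev,
                                 f"{ev['bytes'] // (1024 * 1024)} MiB to {ev['dest']}"))

    # Behaviour-based rule: hourly read volume versus the principal's baseline.
    # Principals with no baseline are skipped here; the policy rule above covers them.
    for (user, bucket), total in reads_per_hour.items():
        baseline = BASELINE_READS_PER_HOUR.get(user)
        if baseline is not None and total > ANOMALY_FACTOR * baseline:
            alerts.append({"rule": "read-volume-anomaly", "severity": "medium",
                           "ts": bucket + ":00:00Z", "host": "-", "user": user,
                           "detail": f"{total} records in one hour vs baseline {baseline}"})
    return alerts


def summarize(alerts):
    """Count alerts per severity; the figure to reconcile against the ticket queue."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"[{a['severity']:<8}] {a['ts']} {a['rule']:<26} {a['user']}: {a['detail']}")
    print(summarize(found))
```

On the sample data the pass raises five alerts: the off-hours root login, the sshd_config change, bob's read of customer_pii (the only critical one, since bob is not in the access policy), alice's 700 MiB outbound transfer, and alice's 335 records in one hour against a baseline of 40. Note that alice's individual reads are each permitted by policy; only the behavioral rule catches the volume, which is the point of pairing rule-based alerts with baseline comparison. In production the `summarize` output is what you reconcile against your ticketing system so the auditor can see that every alert led to a documented response.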

Can I fast-track SOC 2 Compliance?

The answer depends on several factors: the size of your organization, your readiness score, the resources available, and the type of report you need, SOC 2 Type 1 (controls suitably designed at a point in time) or Type 2 (controls operating effectively over a review period). Type 1 may take up to a month, while Type 2 typically takes 3 to 12 months because the review period itself has to elapse. Fast-tracking SOC 2 is therefore possible only when all the inputs, meaning your controls, policies, and technical stack, are already in place and securely configured. Most companies start down the SOC 2 path only after a customer requests a report, and arriving at a realistic timeline requires expert guidance and a dedicated team. We work with clients to pre-assess, identify the critical tasks, and advise on project management so that the timeline you commit to is one you can meet.

What pitfalls/ mistakes should I prevent?

  • Not doing a pre-assessment: Skipping a readiness assessment leads to unexpected gaps and failures during the audit, and a longer time to completion
  • Limiting scope to core applications: Some companies test security controls only on their core applications and overlook the non-technical controls, such as HR onboarding and offboarding, vendor management, and policy review, that can equally undermine their security posture
  • Not allowing enough time for the audit: Companies that need a Type 2 report are assessed on roughly 100 controls over a review period; meeting them takes sustained time and effort that must be planned for

How can we help you with SOC 2 Compliance?

Achieve your SOC 2 attestation with our team of security experts, who can prepare you for the journey, streamline the audit process, and help you succeed with SOC 2. Read our SOC 2 Compliance Guide to get started.

Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History October 15, 2018

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation's largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, it discovered cyber-attackers had gained access to its IT systems through an undetected, continuous, and targeted cyberattack aimed at extracting data, otherwise known as an advanced persistent threat attack. After filing the breach report, Anthem discovered that the attackers had infiltrated its systems through spear phishing emails sent to an Anthem subsidiary: at least one employee responded to the malicious email and opened the door to further attacks. OCR's investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.