Category : Compliance

QSAs are friendly… As long as you pick the right one… (Part 2)

QSA Partner. Continuation from Part 1…

Selecting a QSA partner

Back to the joys of selecting a QSA partner! I know that when I contact them they are all going to want a lot of detail about my business, including technical configurations. This is because a PCI audit, like many other audit frameworks, needs to verify the policy and configuration details of just about every component of your business and networks in order to properly scope the amount of work for your environment. That ranges from the hardening process for standard server images to firewalls, antivirus, change management, software development, physical access, visitors, vendors, policies, and so on.


NIST 800-171 requirements for contractors

Meeting NIST Requirements while using SaaS Software.

By December 31, 2017, organizations that process, store, or transmit Controlled Unclassified Information (CUI) for the federal government must comply with NIST Special Publication 800-171. The question organizations need to consider is what that means for their SaaS applications. How do you do it in the “bring your own cloud” (BYOC) world we live in? I am going to walk you through the critical things you need to think about for SaaS applications as you work through the requirements.


QSAs are friendly… As long as you pick the right one… (Part 1)

It’s that time again. Yes, time to find this year’s auditor. You’d think that after 10 years of contacting, meeting with, planning and doing in-depth Level 1 audits for multiple customers per year at ZZ Servers, a managed private cloud provider for PCI and HIPAA businesses, finding a Qualified Security Assessor (QSA) to work with would be easy. Maybe it would be especially easy because, before ZZ, I was a PCI QSA doing the Level 1 audits, code reviews and penetration tests myself!


OWASP Top 10 Vulnerabilities List is Changing

OWASP!!! RUN!!!!

OWASP is changing its Top 10! Ok, so this really isn’t as serious as I thought, but, wait, what is that? IT IS! Whether on IPv4 or IPv6, common vulnerabilities can be found all over the place, and OWASP is finally updating its Top 10. So let’s look at some of the finer points.


“Compliance is for BIG Business!” OR so you think.

Compliance – The Issue

If a small business CEO thinks about compliance, he or she might think it’s relegated to big businesses. Who else has the funding, the personnel, and of course, the time to attend to compliance? And does it really matter anyway? Who’s going to come after a small business that doesn’t have a compliance department or deep pockets to sue?

Unfortunately, that’s not the problem. The issue is that a small company has suppliers, customers, and colleagues who are all part of a larger value chain, stretching from supplier to manufacturer to reseller to customer. Every link in the chain communicates with at least one other link. Some of those links are tiny, some are huge. Sometimes the communication is a phone call. Sometimes it’s a wire transfer.

Small Company X may not be the target, but its Huge Customer Q is excellent prey! Remember, this is exactly how Target was breached in 2013: the attackers got onto Target’s network using credentials stolen from a small HVAC vendor. For companies that think, “We’re too small to make a difference,” this example should serve as official notice.

But we’re a small company…

The value chain problem is old news at this point; we all know how hacks can “travel” from supplier to customer, and so forth.

What is new is the ability of a small company to meet compliance and security needs without having to hire employees, build a department, and trudge through the tiny details themselves. With new GRC tools built as SaaS platforms and priced affordably, it’s possible and relatively straightforward to implement. Add in Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) at affordable rates, and now you’re cooking with gas!

What’s it going to cost me?

So let’s get down to brass tacks: What does it cost to have my security, compliance, and IT handled for me? OK, remember, these are estimated numbers, but here we go. MSPs charge about $100 per person per month. That’s the rule of thumb, so it might be more costly for a complex environment or highly regulated systems.

MSSP charges are a lot more variable. If you want them to only monitor your firewall, that’s a few hundred bucks per month or less. If you want the provider to execute vulnerability scanning and policy review, help you plan your incident response, do forensics, etc., it can range from $2000 per month to $15k per month, or more, depending. But remember, a lot of those costs don’t increase incrementally as you grow; they might only tier when you hit 50 people, 100 people, 250 people, etc.

As for GRC platforms, some of them are still sold as shrink-wrapped software, but the SaaS options are offered for as low as $20 per person per month.

Let’s forecast the costs for a 25 person company that’s using an MSP for outsourced IT, an MSSP for compliance policy review, vulnerability scanning and management, and a GRC platform that helps everybody get their compliance tasks and evidence handled.

For a 25-person company:

MSP – $100 per person per month × 25 people = $2,500 per month

MSSP – vulnerability scanning and management, incident response hours, compliance review – $4,000 per month, flat rate

GRC – $20 per person per month × 25 people = $500 per month

That’s approximately $7,000 a month, or $84,000 a year, to have your IT, IT security, compliance, and incident response handled. Add in another $10,000 to $15,000 for an annual penetration test and you end up at a yearly total of roughly $94,000 to $99,000, essentially the cost of a single employee. Because most full-time employees also require HR administration and benefits, you could be saving an additional 30% or so on taxes, healthcare, and insurance on top of that person’s salary. Effectively, one headcount’s cost will handle the majority of your compliance, security, and IT needs, and these programs will be managed by dedicated specialists.

OK, but are we really at risk?

If you’re running a small business you might be thinking, “That’s a chunk of change!” Remember, though, when Target was breached through their small HVAC vendor, it cost Target a lot more than $100,000. And I bet they stopped using that HVAC vendor, which equals a ton of lost revenue for the small company. That one breach might also have cost the HVAC vendor future business relationships. If they were thinking straight, though, once they were notified of their part in the breach they rushed to implement better security controls, bought cyber insurance, and contracted with outside partners to keep systems and compliance up to date. None of that is cheap, and it’s even more costly to add after the organization has already been affected (think: buying health insurance after a preexisting condition versus before).

When you realize that value chains are effectively one entity, all connected, all together, then making sure you’re protected helps not only the value chain you’re in now, but reduces the sales friction for all the value chains you could be in, for those new customers you’d like to conduct business with in the future. Working with suppliers in new verticals also becomes easier because your company can pass compliance and security questionnaires, plus your IT team (the MSP) keeps your technology up to date and within the scope of new regulations. More and more regulations are put in place every month; don’t fall behind.

What’s next?

If all of this sounds like a lot to digest and a huge financial burden, keep in mind that all of the solutions mentioned here are modular. This isn’t an “all or nothing” approach. If your business already employs an IT team, great, you might not need an MSP! Have a compliance officer? You might not need the GRC tool! Etc.

Of course, small businesses could always operate without any security or compliance management. Does anybody know what happened to the HVAC company that facilitated the Target breach? I think they’re actually still in business, but that’s surprising. Frequently cited statistics claim that over 70% of small businesses that suffer a cyber incident don’t remain in business, and while the exact figure is hard to verify, the direction is not in doubt.

The interconnectedness of the internet, payment systems, fulfillment houses, and suppliers means that all companies—not just big ones—need to meet basic standards, including minimum viable security and compliance. Value chains will want secure and compliant companies, and shun companies which aren’t.

Simple as that.


HIPAA

Healthcare Providers

As healthcare providers rely more and more on evolving technologies to store and transmit their data, compliance has become an increasingly complex landscape to navigate. Managing the security requirements from federal and state agencies and other third parties can be a daunting task, one that consumes considerable energy, expense, and effort. When you consider that healthcare organizations and their IT vendors must not only achieve compliance but prove that they are a trustworthy resource, it’s obvious that the industry needs a system that is clear, efficient and secure.

The basic compliance rule book, of course, comes straight from HIPAA. By now experienced providers are familiar with the baseline the HIPAA Security Rule requires: they must ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit, while providing reasonable protection against anticipated threats and impermissible uses or disclosures. This all sounds reasonable enough until providers dig a little deeper for an actionable roadmap and instead find vague language with a lot of loopholes.

HITRUST

Consider, for instance, HIPAA’s guidelines that allow for considerations such as the size, complexity, and capabilities of the organization, including technical infrastructure, hardware, and software capabilities, costs of security measures, and the probability of potential risks when selecting controls to implement. These guidelines are too elastic to provide specific and reliable direction for providers – nor does following them offer a solid guarantee of data protection. As a result, providers that follow HIPAA requirements are often unsure of what constitutes “reasonable and appropriate” protections. Often they implement controls without reasonable justification – or worse, implement controls that aren’t sufficient. They conduct inadequate risk assessments or skip them entirely. When you consider how many significant fines the OCR issued in 2012, the need for standardized and actionable guidance becomes clear. This is where the Health Information Trust Alliance (HITRUST) comes in.

CSF

Developed by healthcare and IT professionals, the HITRUST Common Security Framework (CSF) helps organizations by providing an efficient and prescriptive framework for managing the security requirements inherent in HIPAA. By integrating the diverse set of existing requirements applicable to agencies and businesses, HITRUST seeks to eliminate the inconsistencies and wasted resources so typical in reporting healthcare compliance. This is not to say that HIPAA is a waste or should be ignored. HITRUST should be seen, rather, as an important, industry-managed approach to meeting HIPAA Security Rule requirements. HITRUST can offer providers a trusted benchmark from which they can measure and manage their own compliance – while offering proven protection to their customers.

The Value of the HITRUST CSF

When you consider that virtually every healthcare provider has more than just one compliance obligation, the advantages of the HITRUST CSF become clear. By translating HIPAA and HITECH requirements into an actionable roadmap that is cross-referenced to many other security and data privacy regulations, the CSF provides organizations with a prescriptive set of controls that can be used to manage compliance across a broad range of regulatory requirements. This comprehensive approach reduces complexity, risk and cost while protecting sensitive patient and other data.

Standards for Healthcare Providers

With one simplified compliance process, the CSF:

Incorporates existing, globally recognized standards such as HIPAA, NIST, ISO, PCI, the FTC Red Flags Rule and COBIT

Reduces the risk of non-compliance with HIPAA

Scales according to your organization’s size, type and complexity

Provides clear, actionable guidelines

Evolves according to your needs, as well as changes in both the healthcare industry and the regulatory environment

The Benefits of HITRUST Certification

Right now it is virtually impossible to claim that your organization is “certified HIPAA compliant,” as no formal process or status exists. Yet HITRUST offers a third-party assessment that verifies your organization has met all of the industry-defined certification requirements of the CSF. What benefits can certification offer you? To start, it can save you considerable time and money when it comes to audits; because the consolidated controls view from the CSF provides visibility into the overlap among multiple regulatory requirements, you’ll be able to demonstrate exactly how your controls program is meeting the combined requirements. With one assessment, you can generate multiple reports addressing multiple legislative, regulatory or best-practice frameworks such as HIPAA, PCI or NIST.

Yet perhaps the most far-reaching and competitive advantage relates to your brand. Consumers today are aware of and concerned by cybercrime and privacy breaches, and most are too cynical to truly believe an organization’s marketing claims of data protection. A third-party attestation – one benchmarked against a recognized controls framework specifically designed to address the letter and spirit of HIPAA – can lend your security program both credibility and prestige.

In the End

Once HITRUST CSF certified, your organization will be able to advertise its compliance and security, with the proof to back it up.

A Foundation for Better Healthcare

When it comes to compliance, the world of healthcare technology can be a complicated place. HITRUST certification simplifies compliance by offering providers a tailored set of controls, founded on the expertise and best practices of leading healthcare and IT experts, for an assumed set of risks and compliance requirements. By helping organizations of all sizes and backgrounds become certified, the CSF ultimately allows providers to spend less time worrying about compliance – and more time focused on patient care.
