DOJ Emphasizes Adequate Funding in Updated Compliance Guidance | Health Care Compliance Association (HCCA)
Report on Medicare Compliance 29, no. 21 (June 8, 2020)
Whether an organization shows its commitment to compliance with dollars is a new focus of the second update to guidance on evaluating compliance programs from the Department of Justice (DOJ). In its updated Evaluation of Corporate Compliance Programs, released June 1, DOJ indicates that adequate funding of the program and its people helps distinguish between a paper and an active program.
The guidance is used by white-collar prosecutors who evaluate compliance programs when deciding whether to file fraud charges and what the charges should be. Compliance officers also use the guidance to benchmark their organization’s compliance program. DOJ published the first version in 2017 and revised it in April 2019. The Evaluation of Corporate Compliance Programs modifies the Principles of Federal Prosecution of Business Organizations in the Justice Manual.
There are detailed questions about compliance programs in the guidance, which is organized around three “fundamental questions” that prosecutors try to answer when evaluating effectiveness. The 2020 version modified the second question to refocus on resources:
“Is the corporation’s compliance program well designed?“
“Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively?
“Does the corporation’s compliance program work” in practice?
In elaborating on resources, DOJ explained that “prosecutors are instructed to probe specifically whether a compliance program is a ‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner.’ [Justice Manual § 9-28.800]. In addition, prosecutors should determine ‘whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts.’ [Justice Manual § 9-28.800].”
The emphasis on funding doesn’t come as a shock. “You would have to have adequate resources before you get to adequate or better effectiveness,” said attorney Gabriel Imperato, with Nelson Mullins Broad and Cassel in Fort Lauderdale, Florida.
Prosecutors have always factored in the funding of compliance programs, although it’s significant to see this in writing, said Kirk Ogrosky, former deputy chief of DOJ’s fraud section. “You can have compliance officers who are making a fraction of what other senior executives are making,” he said.
The guidance also encourages organizations to advance compliance at all times, even during an investigation, said former federal prosecutor Robert Trusiak, an attorney in Buffalo, New York. As DOJ states, “In answering each of these three ‘fundamental questions,’ prosecutors may evaluate the company’s performance on various topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program both at the time of the offense and at the time of the charging decision and resolution.” DOJ reinforces this point when it talks about the risk assessment. “Prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
In other words, Trusiak said, “effective compliance is not set it and forget it. Compliance is an iterative process.”
DOJ Revises Other Questions
DOJ’s revisions ripple through the rest of the document, which is loaded with specific questions about commitment by senior and middle management, risk assessments, due diligence, communication with employees, oversight of third parties and other hot topics.
For example, the 2019 guidance asked whether the organization’s risk assessment was “current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
The 2020 guidance drills down. “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?”
There are also more questions about how organizations ensure that policies get in the hands of employees and vendors. For example, “have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?” The stakes also are raised on employee awareness of the hotline. “Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?”
Imperato noted that DOJ “dwells a fair amount on third-party due diligence” and whether it continues after the deal is done. For example, DOJ asks, “What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post acquisition audits, at newly acquired entities?”
Questions on learning from mistakes were also tweaked. “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?” There are other changes to questions, including, for example, about training and “monitoring investigations and resulting discipline.”
Imperato said he will attach the updated guidance to his board training, along with other documents. “This automatically becomes the benchmark…for setting up a compliance program and determining its effectiveness.”
Ogrosky noted, however, that even well-funded, effective compliance programs may fail to detect bad actors. “Fraud is a non-self-revealing offense,” he said. “The people who commit fraud at large corporations are doing it to avoid the compliance folks.” He’s referring to flat-out fraud, not a debate about whether an arrangement fits within a safe harbor, for example.
Whether fraudsters inside corporations are unmasked depends more on whether executives ask the right questions vs. looking the other way, Ogrosky said. For example, if a salesperson outperforms his or her peers 50 times over, managers should dig into it. “If a contractor is able to do what no one has been able to do, ask why, because the fraud is not self-revealing.” DOJ will expect the corporation to accept some responsibility for bad actors, even when they have good compliance programs, he said.
1 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020), http://bit.ly/2Z2Dp8R.
2 U.S. Dep’t of Justice, Justice Manual, Principles of Federal Prosecution of Business Organizations, § 9-28.000 (2020), http://bit.ly/2GtxXFt.
The Four Signs of an Effective Compliance Program: Quality, Consistency, Oversight and Efficiency
An effective compliance program has a critical impact on an organization’s ability to operate with integrity, consistency and quality, and to maintain trust and credibility with stakeholders including customers, partners, vendors, employees and investors. It is also an important component of an effective risk management program.
When I was leading IT security and compliance engagements at a Big 4 firm, I helped many companies in the technology, fintech and financial services space design internal control environments to safeguard their information systems and data. I also conducted assessments of my clients’ internal control environments, to help them strengthen and streamline their risk posture. My clients asked me all kinds of questions that really revolved around one theme: At the end of the day, how do I make sure that what we’re doing as an organization is actually effective in mitigating the risks that matter?
In this article, I will discuss four key characteristics of an effective compliance program, why each one is important, and how these elements can be achieved. If your compliance program has these elements, you can be confident that you’re on the right track in mitigating the risks that matter.
This topic is timely, given how quickly the current cyber risk landscape is evolving. For instance, due to increasing connectivity between organizations and reliance on third-party vendors, third-party data breaches accounted for more than half of all data breaches in the first half of 2019. Meanwhile, newer data privacy laws like the GDPR and CCPA are difficult and costly to comply with, and they use steep fines and penalties to sanction non-compliant organizations.
The four signs of a mature and effective compliance program
1. Quality
An effective compliance program should align to a broader risk management strategy. Risk assessments should be performed at least annually, and more frequently for higher risk areas. The ultimate goal of an effective risk management strategy is maintaining a risk environment that is within an acceptable risk tolerance level for the organization. To accomplish this, an organization must identify its risks, define risk tolerances (risk levels that are acceptable) and then design controls in a manner that effectively addresses the risks.
Below are some questions to consider in evaluating the quality of your compliance program:
- Does your risk strategy include a comprehensive view that considers both existing and emerging risks?
- How are risk tolerance levels defined?
- Are key stakeholders involved in setting risk tolerance levels?
- How effectively does the design of the control mitigate the risk?
- Is there a control redundancy strategy, so that if a critical control fails another control is already in place to address the risk?
- Are your controls independently validated to confirm their effectiveness?
By using innovative compliance management software like Hyperproof, it is easy to ensure your control environment effectively aligns to your overall risk management strategy. As new risks are identified, Hyperproof provides visibility to see if existing controls are already in place to address the risks, or if new controls are needed.
Hyperproof also enables you to see the gaps between your existing control set, and what would be needed to adopt leading cybersecurity frameworks like NIST SP 800 series or the ISO 27000 series.
2. Consistency
The design of a control determines how effective it can be, but consistency in performing the control process is just as important to an effective compliance program. In this context, consistency means that your controls operate at the interval, and in the manner, they were designed to. To ensure that your controls operate consistently, you need sufficient oversight of and visibility into the performance of control processes.
For instance, deploying patches is an important component of vulnerability management. If patches are not deployed consistently once they become available, your systems are left exposed to known vulnerabilities. It is therefore important to have visibility into control processes that were not performed on time so that you can resolve the issue quickly. This is particularly important for high risk areas like vulnerability management.
Continuous compliance helps you manage risk more effectively. With continuous compliance, control processes are performed consistently, and the evidence from those processes is evaluated and acted on as it arrives. If you evaluate control processes on a continuous basis, you have the opportunity to refine your risk management strategy in near real time rather than after the fact.
For example, if your SIEM has log collection enabled but monitoring alerts switched off (or the reverse), indicators of an attack may never produce a notification. Without those notifications, the team cannot make timely adjustments to network controls. Continuous compliance would have caught this: a control that periodically evidences that both logging and alerting are enabled would have revealed, within its cadence window, that alerts were not turned on.
I have found that many organizations delay collecting and evaluating evidence, until right before they need to submit that evidence to their auditor or security assessor. By delaying evidence collection and evaluation, organizations miss the opportunity to adjust and adapt their risk environment. If evidence is only collected and evaluated before an audit or assessment, the control process becomes a lagging indicator with little room for adjustment.
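To make the difference between continuous and audit-time evidence review concrete, here is a small freshness checker. It is an added example, not code from the original post or from Hyperproof; the control identifiers, cadences, evidence dates and the "SIEM alerting enabled" control are all constructed sample data. Each control carries the cadence at which it must be evidenced and the date and result of its latest evidence; the checker reports which controls are overdue and which are failing, and also shows how late each lapse would be discovered if evidence were only reviewed at an audit date.

```python
"""Continuous-compliance freshness check.

Added example (not code from the original post or from Hyperproof): each
control is evidenced on a cadence, and the checker reports which controls are
overdue (no evidence within the cadence window) and which are failing, so a
disabled SIEM alert or a late patch cycle surfaces when the window lapses
rather than at the next audit. Control ids, cadences and dates are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def ts(day: str) -> datetime:
    """Parse a YYYY-MM-DD string as a UTC timestamp."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Evidence:
    control_id: str          # hypothetical control identifier
    cadence_days: int        # how often the control must be evidenced
    last_evidence: datetime  # when evidence was last collected
    passed: bool             # whether that evidence showed the control operating


# Constructed sample: four controls with different cadences; LOG-02's most
# recent evidence shows alerting was found switched off.
SAMPLE_EVIDENCE = [
    Evidence("VM-01 patch deployment", 30, ts("2020-05-01"), True),
    Evidence("LOG-02 SIEM alerting enabled", 7, ts("2020-06-05"), False),
    Evidence("IAM-03 quarterly access review", 90, ts("2020-04-01"), True),
    Evidence("BCP-04 annual DR test", 365, ts("2019-12-15"), True),
]


def due_date(e: Evidence, grace_days: int = 0) -> datetime:
    """Evidence must be refreshed by last_evidence + cadence (+ optional grace)."""
    return e.last_evidence + timedelta(days=e.cadence_days + grace_days)


def evaluate(evidence, now: datetime, grace_days: int = 0) -> dict:
    """Return overdue controls (with days overdue) and controls whose latest
    evidence shows a failure. Run this on every evidence update or daily,
    not only before an audit."""
    overdue = []
    failing = []
    for e in evidence:
        due = due_date(e, grace_days)
        if now > due:
            overdue.append((e.control_id, (now - due).days))
        if not e.passed:
            failing.append(e.control_id)
    return {"overdue": overdue, "failing": failing}


def detection_delay(evidence, audit_date: datetime) -> dict:
    """How late each lapse would be discovered if evidence were only reviewed
    at audit_date: days between the control's due date and the audit. This is
    the 'lagging indicator' cost of point-in-time review."""
    delays = {}
    for e in evidence:
        due = due_date(e)
        if audit_date > due:
            delays[e.control_id] = (audit_date - due).days
    return delays


if __name__ == "__main__":
    today = ts("2020-06-08")
    result = evaluate(SAMPLE_EVIDENCE, today)
    for control, days in result["overdue"]:
        print(f"OVERDUE  {control}: {days} days past due")
    for control in result["failing"]:
        print(f"FAILING  {control}: latest evidence shows control not operating")
    for control, days in detection_delay(SAMPLE_EVIDENCE, ts("2020-09-01")).items():
        print(f"If only checked at audit: {control} lapse found {days} days late")
```

Run daily, the check flags the patch control eight days past its window and the SIEM alerting control as failing within a week of the evidence being collected; reviewed only at a hypothetical 1 September audit, the same lapses would have gone unnoticed for two to three months. A grace period can be passed in for controls whose evidence legitimately lags the activity, but it should be explicit and small, or the check degrades back into the snapshot it is meant to replace.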
Technology can make a big impact, when adopting continuous compliance. For instance, you can use a compliance management solution like Hyperproof to keep all your evidence organized (e.g. linked to the right control/requirement) and use automated reminders to alert control operators to review controls on a regular basis and submit evidence on time.
Additionally, Hyperproof has a feature called ‘Freshness’. You can set a ‘Freshness’ policy to remind yourself and your team to review controls on a cadence and ensure that all controls are appropriately evaluated throughout the year. This helps ensure that no one will forget any of their compliance tasks, which ultimately makes your entire organization more secure and resilient.
Compliance operations software like Hyperproof can also eliminate duplicative work (e.g., having to collect the same piece of evidence five times to meet five different compliance frameworks) by helping users identify common controls and common evidence across compliance frameworks.
3. Governance and oversight
Governance and oversight is a key component of an effective compliance program. At the highest level, senior risk leaders need the right information to effectively monitor the effectiveness of the compliance program and make adjustments as needed. Adjustments may include areas such as incorporating new controls to address emerging risks, redesigning weak control processes to make them stronger, or developing new training to improve security awareness among employees.
At a tactical level, a compliance manager needs another set of information to understand how prepared they are for upcoming audits or assessments, quickly see which controls they need to act on, and ensure that control processes are performed correctly and on time. They should also have visibility into the issues that need immediate attention or escalation.
Getting sufficient visibility into the effectiveness of a compliance program can be a difficult challenge for many organizations. This is especially an issue for organizations that manage their compliance efforts in a variety of different tools such as elaborate spreadsheets, email inboxes, and file storage systems like Box, Dropbox or OneDrive.
However, when organizations start to manage all of their compliance projects in one single place, it becomes a lot easier to gather the right set of metrics for decision making.
For instance, Hyperproof gives organizations a central location where all of their compliance requirements, controls, and proof can be stored and managed so that compliance managers and external auditors can see everything in one streamlined system. It allows compliance managers to quickly answer questions such as, “Where are we with our evidence collection?”, “What controls need to be updated or redesigned?”, and “What do the examiners need to see?”.
Hyperproof also helps senior risk leaders understand how well their current compliance program stacks up against several best-in-class cybersecurity and data privacy frameworks.
4. Efficiency
Efficiency has to do with how well an organization manages its resources, including time, employees and budget. Being efficient means that your team is able to achieve quality, consistency and effective oversight with an optimal amount of resources. With limited resources, it is particularly important to focus your compliance efforts on the most critical areas.
Making compliance activities more efficient is key to reducing the cost of compliance, which always seems to be going up due to factors such as the rise of data privacy regulations, the growing awareness of third-party risks, a rise in vendor-to-vendor audits, and the shortage of cybersecurity talent.
In terms of operational efficiency, technology will be incredibly important. In fact, Hyperproof was built to help organizations become far more efficient in compliance management. Not only does Hyperproof serve as a single source of truth for all of your compliance activities, it can reduce the administrative work around collecting evidence and managing tasks (e.g., updating controls) by half.
Hyperproof comes with a set of features that enable greater efficiency, including:
- Crosswalk: Helps users identify the overlapping requirements and controls between various compliance frameworks
- Integrations with file storage systems where evidence is stored and productivity tools
- Collaboration capabilities between compliance managers, control operators, senior leaders, and external auditors
- Automated reminders to review controls and evidence
- Smart folders and labels to efficiently link a batch of evidence to controls
With compliance, it’s important to understand what it actually takes to become compliant and maintain that position. I have discussed four key elements of an effective compliance program. Organizational focus should be placed on quality, consistency, effective oversight, and efficiency. Deliberate attention to each area will ultimately lead to a well functioning compliance program.
Additionally, effective risk management is about being proactive instead of reactive. That includes quickly responding to the alerts indicating weaknesses of critical systems, and consistently evaluating/updating the control processes established for prevention/mitigation of potential security incidents.
When compliance costs are rising quickly for organizations of all industries, sizes and types, prioritizing the right areas — with a solution that is agile, intuitive and cost effective — becomes essential.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Petrina Youhan. Read the original post at: https://hyperproof.io/resource/four-signs-of-an-effective-compliance-program/
Although our research shows that achieving and maintaining PCI compliance builds trust with your customers, it is all too easy to forget that being found non-compliant with PCI DSS can cost you more than your reputation, whether or not you have suffered a data breach.
If your business stores, processes or transmits payment card data, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of twelve requirements established by the major card brands to minimise the risk that card companies and consumers are exposed to with each transaction. Although it is not written into law, it is enforced contractually: penalties for non-compliance can be imposed by the card brands and acquiring banks under a range of circumstances.
Every year businesses are asked by their acquiring banks to prove PCI compliance by completing self-assessment questionnaires (SAQs). Which SAQ you complete is determined by what type of business you are and how you take card payments. The objective is to ensure that wherever cardholder data is present in your organisation, it is adequately protected. Even if you outsource your PCI DSS compliance to a third party, legal and contractual responsibility still falls on you. If you are found to be non-compliant you will most probably face a raft of financial costs, such as:
- Fines – These are at the discretion of your acquiring bank but have been known to range from tens to hundreds of thousands of pounds.
- Recurring charges – You could also face recurring charges from your merchant account. Again, this is entirely at the discretion of the banks but has been known to run into hundreds of pounds a month.
- Increased costs of insurance and claims – Non-compliance increases the risk of sensitive cardholder data being exposed should a business suffer a data breach. It also signals that your network may be insecure and vulnerable to attack in other areas, so insurers will treat you as high risk. This can increase your premium and affect insurance claims should you need to make one.
But this is just the tip of the iceberg when considering the cost of non-compliance. Should a business suffer a breach and be found non-PCI compliant the cost can increase exponentially and in several ways.
Credit card data is personally identifiable information (PII) and is therefore subject to more regulation than PCI DSS alone. Within Europe, the General Data Protection Regulation (GDPR) sets out how personal data must be stored, transmitted and handled. PCI DSS and the GDPR overlap: a breach that exposes cardholder data belonging to EU residents is a personal data breach under the GDPR and is subject to its penalties as well. Financially, this can mean a fine of up to €20 million (about £17 million) or 4% of a business’s global annual turnover, whichever is higher, in the most severe cases. Some of the highest-profile UK enforcement actions have involved breaches of financial details, with British Airways and Equifax being two examples. But fines are not limited to data in the EU:
- The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian equivalent of the GDPR, and a breach could cost a business up to CAD$100,000
- The Australian government has proposed amendments to the Privacy Act under which a company suffering a data breach could face a penalty of AU$10 million or 10% of its annual domestic turnover
The USA is also increasing regulation around data privacy on a state-by-state basis. Most recently the California Consumer Privacy Act (CCPA) adds protection for the data of Californians, and a number of states are set to follow suit with their own versions.
But it is not just immediate fines that should concern businesses. Because the legal culpability for compliance falls on the merchant, the costs of non-compliance can snowball as lawsuits from customers follow, the British Airways data breach again being a prime example. Our own research also shows that consumers will stop spending with organisations that suffer a data breach, which further reduces profit.
What is clear is if businesses choose to ignore PCI DSS, they are not just risking a set of small charges from their banks and merchant services. Should a company suffer a breach of financial data the cost will likely snowball because of global data protection standards. Add to this that consumers will spend their money elsewhere if a data breach occurs and it could cost companies financially and by loss of reputation and trust. This then poses the question of how can businesses achieve and maintain PCI compliance with the least amount of friction?
The answer is to descope from requirements of PCI DSS where possible. Solutions such as Agent Assist and PCI Pal Digital allow businesses to take payments by phone or any digital channel from customers without sensitive credit card data being seen, heard or stored. Not only will this prevent fines for non-compliance, it will safeguard your reputation with your customers.
The post Back to the basics – What is the cost of non-PCI Compliance? appeared first on PCI Pal.
*** This is a Security Bloggers Network syndicated blog from Knowledge Centre – PCI Pal authored by Stacey Richards. Read the original post at: https://www.pcipal.com/en/knowledge-centre/news/back-to-the-basics-what-is-the-cost-of-non-pci-compliance/
In the age of GDPR and CCPA, there seems to be more conjecture about compliance and personal privacy than there is about the weather. It’s understandable, as predicting the conditions outside seems a lot easier than devising and implementing an effective data protection strategy.
With headlines about data breaches being far too frequent and substantial fines for non-compliance becoming a growing reality, pleading naivety to the issues and impacts is neither sympathetic nor sufficient for organizations of any size or type. The good news is there are a number of tools and solutions available that can automatically detect risks and protect personal data while reducing exposure to legal and financial risks.
Begin With People, Not Technology
But before jumping into any technology solutions, it’s imperative to start with an understanding of how it will impact all organizational stakeholders. Start by circling the wagons and enlisting the cooperation and insights of your business leaders as well as legal and compliance teams. Too often, chief information security officers (CISOs) face growing compliance challenges due to a lack of cohesive efforts across their companies. Resistance from employees is a tough hurdle to clear, especially if they believe that complying with new security policies will make their jobs more difficult.
C-level buy-in is a prerequisite to successful policy implementation. Unless these important influencers see and feel the element of risk, it’s going to be difficult to implement any sort of program. Consider a two-phase approach as a best-practices tactic. Start by identifying the lowest-hanging fruit and implement something that is relatively easy for everybody in the organization to leverage and get behind.
Making changes where they are easiest to leverage is a good way to build confidence and momentum. Even if this reduces only 15% of your risk, you’re on the road—so stay focused on achieving steady, incremental progress. At times, the process can be daunting, at least at first, but don’t be sidetracked by analysis paralysis. Instead, continue holding meetings on what will be implemented next and move forward.
Putting the Proper Rules in Place
Rolling out plans and policies to employees requires a foundation of proper rules to guide the entire process. While a mandatory compliance course is an admirable start, it’s important not to overwhelm employees out of the gate. However, believing that a 20-minute session provides sufficient preparation is shortsighted. Instead, it’s highly recommended to implement a policy that includes catching and educating employees whenever inappropriate or risky activity is detected.
It’s crucial for everyone to understand—and embrace—the big picture. Rules and policies regarding compliance and personal privacy are not meant to restrict personal productivity. Instead, they aim to protect employees, the business and customers. In short, it’s crucial to drive home the credo that the company cares about its employees and customers and doesn’t want to put anyone at undue risk. The best and most effective way for everyone to participate is to know the rules.
Think about this in the context that typical office workers send approximately 40 work-related emails and receive about 90, according to TechJury. Therefore, a company with 1,000 employees is dealing with 40,000 to 90,000 emails every day, many containing potentially private personal data. Bring the 80/20 Rule into play here: If 80% of the potential data risks are caused by 20% of the behavior, putting policies in place to safeguard personal data as it’s created in emails and files can deliver immediate and significant risk reductions.
Create a Technology Tool Framework
Once everyone knows and understands the rules, it will be easier to construct a technology framework of tools to help detect and mitigate risk. Balance is optimum, so avoid locking down too much data, as the result will stifle employees’ and customers’ ability to transact business. To minimize risk while maximizing reward, it’s important to select technologies and tools that balance the need to protect information with the ability to achieve widespread adoption.
Favor a crawl-walk-run approach, as it is not necessary to roll out the entire strategy on day one. Instead, identify the riskiest endpoints and focus initial efforts there. Then don’t be afraid to rely on test cases along the way. Tweak the process to align with how the organization functions and employees work. Going with solutions that have AI and machine learning capabilities can assist in training the solution to provide the best and most flexible fit while automating some processes to reduce the burden on employees.
Once up and running, continue the gradual rollout: “Walk” with a small group before you “run” with the entire organization. Remember, this is not a set-it-and-forget-it situation; expect to revisit and tweak policies and settings on a regular basis.
Think of your data protection solution as an engine. Once it’s in place, occasional tuning is required to maintain exceptional performance. It’s also important to choose an engine that permits interoperability with other solutions that may be worth adding and leveraging as business and company conditions, as well as regulations, emerge and evolve.
There’s No End and No ‘Compliance’ Button
A comprehensive and compliant data protection strategy is as necessary to businesses today as having a website. In measuring up to regulations such as GDPR and CCPA, as well as others, regulators aren’t expecting everything will be immediately perfect, but be assured they will be judging circumstances according to demonstrative and definitive steps taken. So get moving and keep moving—there’s no end and no easy button. Privacy and security are everybody’s business and everybody’s concern.
The post Compliance and Privacy in the GDPR Era appeared first on National Cyber Security.
Third party minimum cyber compliance for My Health Record skipped: Audit Office
Source: National Cyber Security – Produced By Gregory Evans
Less than 2 percent of My Health Record trial users opted out. The Department of Health and the Australian Digital Health Agency (ADHA) agree that around 500,000 Australians will opt out of having a My Health Record. Read more: https://zd.net/2segsBw
The Australian National Audit Office (ANAO) has […]
The nature of audit is changing as the systems which underlie our operations become more sophisticated and robust. With this increased sophistication comes increased reliance on technology-related controls to mitigate operational and financial risk, as well as increased access to transaction-level data. You will be responsible for assisting in all aspects of execution: from identifying opportunities for us to focus on, to developing the infrastructure and analyses to make progress in those areas. Further, you will serve as an Information Technology subject matter specialist and support the execution of Operational, Financial and Technology-related reviews.
In this capacity you will execute planned audit procedures, working to identify any issues and solve problems at the root cause. You’ll help the team understand how the audit function supports our overall business objectives and participate in scoping internal audits and risk assessments through an established process. You’ll be on top of deadlines and will create scalable reporting systems to communicate the results of audits to both internal audiences and regulatory compliance agencies. You have a hands-on, tactical approach to resolving issues, and an eye for detail that ensures everything is balanced at the end of the day.
Source: National Cyber Security News
Cybersecurity challenges and risks continue to emerge as top threats to business as usual for large and small organizations alike. The ability to meet these threats requires understanding emerging standards. Compliance with these new standards can help organizations implement a proven risk management framework without having to reinvent the wheel. Demonstrable adherence to such frameworks helps with managing liabilities that may arise.
To many, compliance is a dirty word, and it is often misunderstood, especially in the area of information security and risk management. However, in response to the increasing number of data breaches, real economic loss and threats to national security, regulators and policy makers are responding with laws, policies and regulations. The set of security requirements that businesses and organisations operating online must meet is increasingly prescriptive. Several recent data breaches have shown that cybersecurity risk can originate in the supply chain of vendors and business partners, not only inside the organisation itself.
Understanding this dynamic, the U.S. Department of Defense started the ball rolling in 2013 with a Defense Federal Acquisition Regulation Supplement (DFARS) clause, 252.204-7012, on safeguarding unclassified defense information held by contractors. Since its 2015 revision the clause requires businesses and contractors to implement the 110 specific security requirements described in NIST Special Publication 800-171.
Security of data in the cloud is a hot topic, especially with so many data breaches occurring during 2017 and the introduction of GDPR being just months away.
The field of security is so broad, it can be difficult to know where to start. In the last twelve months, I’ve had one friend who has had her cloud servers hacked and crypto ransomware installed, forcing payment of a two bitcoin ransom. Another friend had her cloud email server hacked, with the attacker modifying the bank account details of outgoing invoices and redirecting payments from the company’s bank account to the hacker’s. Both instances were security breaches and data breaches, resulting in direct financial loss.
To try to break down this broad topic and provide a how-to guide tailored towards GDPR compliance, I've devised four actionable steps across two categories (numbered 1 and 2 below):
1a. System level security: fully understand the limits of the security provided by your cloud service
1b. Access level security: keep your access credentials and access controls secure
2a. Data level security: encrypt your data wherever possible
2b. Take local backups of critical cloud data
Let’s examine each step in turn.
1a. System level security: fully understand the limits to the security provided by your cloud service
Are your machines fully patched with the latest operating system security updates? Are your firewall rules in place? Do you find it strange that I’m asking these questions in a discussion about cloud security? The first step to security is understanding what you’re responsible for, and what your cloud provider is responsible for; failure to do so can be catastrophic.
It’s very commonly argued by vendors that cloud services have a higher level of security than achievable by an average system administrator. For example, if you host your email on Office 365, compared to running your own email server in your basement, it’s likely to be more secure against hacking attempts. After all, if you run your own server, you are responsible for managing the entire security of your server, from setting up your firewall rules, to monitoring intrusion attempts, patching and installing security updates, backing up data, ensuring 24×7 power supply and internet connection, and everything else in between.
“Therefore the cloud is safe!” can easily be the impression you're left with after enough cloud marketing presentations. But be very cautious about getting complacent or misreading the cloud provider's security claims. For example, when you fire up a virtual machine in a public cloud such as Amazon Web Services or Microsoft Azure, that does not mean the machine is secure or that the provider will monitor it for you. A virtual machine is infrastructure-as-a-service (IaaS): the provider secures the physical hosts and the hypervisor, and you are responsible for everything you put on top, starting with the operating system, its patches and its firewall rules. It is only with platform-as-a-service or software-as-a-service offerings that the operating system becomes the provider's problem, and even then your data, your identities and your configuration remain yours to secure.
Therefore it is critical for you to know what’s in your service contract and to understand what is your responsibility.
It's also critically important to remember that when you store data in the cloud without encrypting it first, you are in effect granting your cloud provider access to that data. Inevitably, selected employees of the provider (and of its subcontractors) can reach it, so you are relying on the provider's hiring policies and security procedures to ensure that nobody “goes rogue”. Many people fail to realise that outsourcing storage and services to the cloud reduces one set of risks but increases another. From 2015 to 2017 the Swedish Transport Agency suffered a massive data breach after outsourcing its IT operations: the personal details of most Swedish citizens, held in its registers, became accessible to uncleared IT workers in Serbia, Romania and the Czech Republic, a clear breach of data sovereignty that put national security at risk.
1b. Access level security: keep your access credentials and access controls secure
Assuming that you understand the limits of the cloud-provided security, the next step is to keep your access credentials secure.
This sounds basic, but recent large scale data breaches at Deloitte, Accenture, Uber, and (more recently) the Australian Broadcasting Corporation (ABC), clearly show that insufficient security practices are in place.
In the ABC data breach, around 1,800 daily MySQL database backups were leaked, alongside emails and login credentials to other data repositories, from a poorly secured public-facing AWS S3 bucket.
Some basic tips are:
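One concrete check behind the “keep your access controls secure” step, added here as an example and not taken from the original post: a small Go program that reads an S3 bucket policy and reports every statement that lets anyone on the internet read or list the bucket, the misconfiguration behind the ABC leak described above. The policy, account ID, role and bucket name are constructed for the example; a real check would fetch the policy with the AWS CLI or SDK and feed the JSON to the same function.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an S3 bucket-policy statement this check needs. Principal
// and Action may be a string, a list, or (Principal) an object like {"AWS": "*"}, so
// they are kept raw and flattened by asStrings.
type Statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

// Finding is one statement that lets anyone on the internet read or list the bucket.
type Finding struct {
	Sid         string
	Actions     []string
	Conditional bool // a Condition block exists; check whether it really restricts access
}

// samplePolicy is constructed for this example; account ID, role and bucket name are made up.
const samplePolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "CICanWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy"},
   "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-backups/*"},
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
  {"Sid": "ListFromOffice", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:ListBucket"],
   "Resource": "arn:aws:s3:::example-backups", "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
]}`

// asStrings flattens a JSON string, list of strings, or object of either into one list.
func asStrings(raw json.RawMessage) []string {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return []string{s}
	}
	var list []string
	if json.Unmarshal(raw, &list) == nil {
		return list
	}
	var obj map[string]json.RawMessage
	var out []string
	if json.Unmarshal(raw, &obj) == nil {
		for _, v := range obj {
			out = append(out, asStrings(v)...)
		}
	}
	return out
}

// isReadAction reports whether an action lets the principal read or enumerate objects.
func isReadAction(a string) bool {
	a = strings.ToLower(a)
	return a == "*" || a == "s3:*" || strings.HasPrefix(a, "s3:get") || strings.HasPrefix(a, "s3:list")
}

// PublicStatements returns every Allow statement whose principal is "*" (everyone,
// authenticated or not) and which grants at least one read or list action.
func PublicStatements(policyJSON []byte) ([]Finding, error) {
	var p struct{ Statement []Statement }
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var out []Finding
	for _, st := range p.Statement {
		public := false
		for _, pr := range asStrings(st.Principal) {
			public = public || pr == "*"
		}
		var reads []string
		for _, a := range asStrings(st.Action) {
			if isReadAction(a) {
				reads = append(reads, a)
			}
		}
		if strings.EqualFold(st.Effect, "Allow") && public && len(reads) > 0 {
			out = append(out, Finding{Sid: st.Sid, Actions: reads, Conditional: len(st.Condition) > 0})
		}
	}
	return out, nil
}

func main() {
	findings, err := PublicStatements([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("PUBLIC policy statement %q grants %v (conditional=%v)\n", f.Sid, f.Actions, f.Conditional)
	}
}
```

A bucket can also be world-readable with no policy at all, through an ACL grant to the AllUsers or AuthenticatedUsers group (the latter means any AWS account in the world, not just yours), so the same review should cover bucket and object ACLs. Conditional statements are reported rather than ignored because a Condition such as aws:SecureTransport limits how the bucket is reached, not who may reach it.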
2a. Data level security: encrypt your data wherever possible
High quality encryption technologies, properly used, will deliver the highest levels of security for your data. Many security experts argue that using client-side encryption is the only way to safeguard data when it’s stored on other people’s infrastructure such as the cloud.
The beauty of encryption is that it can be an extremely effective last line of defence that stops a security breach from becoming a data breach. Not only is encryption good cyber-defence practice, it is specifically named in the EU's General Data Protection Regulation (GDPR): Article 32(1)(a) lists the “pseudonymisation and encryption of personal data” among the measures a controller should consider, taking into account the state of the art and the costs of implementation.
When the Australian Red Cross Blood Service leaked the personal details of 550,000 blood donors (including names, addresses and answers to questions about sexual behaviour), the data came from an unencrypted database backup left on a misconfigured server. Had that backup been encrypted, the same misconfiguration would have exposed only ciphertext. Under the GDPR, a breach that is unlikely to result in a risk to people's rights and freedoms need not be reported to the supervisory authority (Article 33), and where the data was rendered unintelligible to the attacker, for example by encryption with a key the attacker does not hold, the affected individuals need not be notified (Article 34(3)(a)). The caveat matters: if the key leaks alongside the backup, none of this applies.
However, because encryption is perhaps the most misunderstood area of cybersecurity, it is most often not implemented, or is implemented so poorly that it is ineffective. It is a highly specialised field full of confusing acronyms and marketing hype, and buyers (and even vendors) often fail to comprehend what security they are actually getting. This frequently leads to a “tick the box” mentality: people don't understand what they're buying, but because it's advertised as “military grade”, it must be good. That is, of course, a logical fallacy, and it reflects a situation in which buyers often have little idea whether they are purchasing real security or merely ‘snake oil’.
The ideal encryption system should meet a number of requirements:
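As an added example (not code from the original post), here is the client-side pattern the section argues for, written in Go with only the standard library: each object is encrypted with AES-256-GCM on your own machine before it is uploaded, the key never leaves your control, and the object's name is bound into the ciphertext so a stored blob cannot be swapped under another name. The key handling, object name and sample record are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. Keep it where the cloud credentials cannot
// reach it (a KMS/HSM or a secrets store you control), never next to the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// aead builds AES-256-GCM, an authenticated mode: any change to the stored
// object, however small, makes decryption fail instead of returning garbage.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before it leaves your machine. objectName is bound in as
// associated data, so a ciphertext cannot be silently served under another name.
// Output layout: nonce || ciphertext || tag, which is what gets uploaded.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object; never reuse one with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob produced by Seal and fails closed on a wrong key, a wrong
// object name, or any modification of the stored bytes.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for a database backup.
	record := []byte("donor_id=1001,name=Example Person,postcode=2000")
	name := "backups/2017-10-01.sql.gz"
	blob, err := Seal(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes; the bucket never sees the plaintext\n", len(blob))
	blob[len(blob)-1] ^= 0x01 // bit rot, or an attacker editing the stored object
	if _, err := Open(key, name, blob); err != nil {
		fmt.Println("tampered object rejected:", err)
	}
}
```

The “snake oil” the section warns about usually fails on exactly the points this block makes explicit: an unauthenticated mode that decrypts modified data without complaint, a key stored in the same bucket or account as the data, or a nonce that is reused. If the key is derived from a password rather than generated, derive it with a slow function such as scrypt or Argon2, not a plain hash.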
2b. Take local backups of critical cloud data
The final procedure for security revolves around backup. If the cloud contains your only copy of important data, you run the risk of suffering permanent data loss, even if you think your cloud provider has been taking backups.
In 2014, SaaS provider Code Spaces and all of Code Spaces’ customers learnt that lesson the hard way. Code Spaces provided source code management tools such as Git to its customers – in effect the company was a “safe haven” and repository of data for its customers, offering what it advertised as a robust cloud service, fully backed up and with the security of being hosted on Amazon AWS.
However, an attacker gained access to Code Spaces' AWS control panel account and started causing chaos. After a standoff with Code Spaces' engineers and a failed extortion attempt, the attacker deleted all of Code Spaces' AWS objects: S3 buckets, EC2 instances and all the backups, which lived in the same account and were reachable with the same credentials. With no copy of the data outside that account the loss was permanent, and it put Code Spaces out of business. Worse still, their customers also faced permanent data loss, unless they had been savvy enough to keep their own backups rather than relying on Code Spaces.
The lesson here is clear: ultimately, you are responsible for your own data. If you choose to delegate that responsibility, you will suffer the consequences if your provider gets hacked or otherwise fails to meet their obligations.
There are two ways to back up your cloud data: cloud-to-cloud, or cloud-to-local. The former has some appeal, in that an organisation can be fully in the cloud without running any local infrastructure. However, as all of the security breaches mentioned here have shown, attackers can and do regularly compromise access-level security, and a second cloud copy that the same credentials can reach is deleted along with the first.
The cloud-to-local option is more robust in that sense. If you regularly download your data to a local storage device such as a hard drive (securely encrypted, of course), then air-gap that drive by disconnecting it and locking it in a safe or cabinet, no remote attacker can touch it. It's a cheap, low-tech measure that does more against remote attacks than the world's most expensive firewall.
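A backup you have never checked is a hope, not a backup, so the routine that fills the air-gapped drive should also record what it saved. The following Go program is an added example, not code from the original post: it hashes every downloaded object into a sorted manifest, reduces the manifest to one fingerprint you can record somewhere the cloud credentials cannot reach, and compares a later download against the earlier manifest to surface objects that were deleted or silently altered, which is what a Code Spaces style intrusion looks like from the backup side. The object names and contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Entry records one backed-up object and the SHA-256 of its contents.
type Entry struct{ Name, Digest string }

// BuildManifest hashes every downloaded object and returns the entries sorted by
// name, so two manifests of the same data compare equal regardless of download order.
func BuildManifest(objects map[string][]byte) []Entry {
	m := make([]Entry, 0, len(objects))
	for name, data := range objects {
		sum := sha256.Sum256(data)
		m = append(m, Entry{Name: name, Digest: hex.EncodeToString(sum[:])})
	}
	sort.Slice(m, func(i, j int) bool { return m[i].Name < m[j].Name })
	return m
}

// Fingerprint reduces a manifest to one hash. Record it somewhere the cloud
// credentials cannot reach (on the label of the air-gapped drive, in a notebook),
// so a whole backup set can be checked later without trusting a manifest file
// that was stored alongside the data.
func Fingerprint(m []Entry) string {
	h := sha256.New()
	for _, e := range m {
		fmt.Fprintf(h, "%s\x00%s\n", e.Name, e.Digest)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Diff compares what an earlier manifest says was saved with what can be read back
// now: objects that vanished, objects whose bytes changed, and objects that appeared.
func Diff(expected, actual []Entry) (missing, changed, added []string) {
	want := make(map[string]string, len(expected))
	for _, e := range expected {
		want[e.Name] = e.Digest
	}
	got := make(map[string]string, len(actual))
	for _, e := range actual {
		got[e.Name] = e.Digest
	}
	for name, d := range want {
		if g, ok := got[name]; !ok {
			missing = append(missing, name)
		} else if g != d {
			changed = append(changed, name)
		}
	}
	for name := range got {
		if _, ok := want[name]; !ok {
			added = append(added, name)
		}
	}
	sort.Strings(missing)
	sort.Strings(changed)
	sort.Strings(added)
	return missing, changed, added
}

func main() {
	// Constructed objects standing in for yesterday's download from the cloud.
	yesterday := map[string][]byte{
		"db/2017-10-01.sql.gz": []byte("constructed dump A"),
		"db/2017-10-02.sql.gz": []byte("constructed dump B"),
		"mail/inbox.mbox":      []byte("constructed mailbox"),
	}
	manifest := BuildManifest(yesterday)
	fmt.Println("fingerprint to write on the drive label:", Fingerprint(manifest))

	// Today's download after an intrusion: one dump silently altered, the mailbox gone.
	today := map[string][]byte{
		"db/2017-10-01.sql.gz": []byte("constructed dump A"),
		"db/2017-10-02.sql.gz": []byte("constructed dump B, edited"),
	}
	missing, changed, added := Diff(manifest, BuildManifest(today))
	fmt.Printf("missing=%v changed=%v added=%v\n", missing, changed, added)
}
```

Run the comparison before the drive goes back in the safe, and periodically run it the other way as well: restore a sample from the drive and confirm the fingerprint still matches, since a drive that has silently failed is no better than a backup that was never taken.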
We’ve seen that there is no single magic pill for data security, and that migrating to the cloud is absolutely not a silver bullet. Despite the marketing hyperbole and mantras regarding how safe the cloud is, history clearly demonstrates that organisations must still take careful steps to safeguard their own data.
By breaking down security into four broad areas, and focusing on those areas, organisations can shore up their cybersecurity defences and use the cloud securely. Encryption and backup are two ways in which you can take responsibility and control for your data – because ultimately while you can delegate some level of system level security to the cloud provider, the data is always yours to take care of.
Especially now, with unprecedented levels of cybercrime and the May 2018 GDPR date just around the corner, it has never been more important to review all IT security practices and avoid becoming a statistic.
Description Owning all compliance processes by partnering with IT, Security, Engineering, Internal Audit and external Audit teams to ensure our processes and solutions comply with existing and future regulations by supporting a risk driven approach to make valuable recommendations on standardization of processes and controls, and influence changes and decisions….
Description Laserfiche, a leading enterprise content management (ECM) software company, is looking for a dynamic and driven individual to coordinate third-party audits and manage the corporate risk management program. The IT Risk and Controls Manager will have an opportunity to impact the company’s growth and work on fast-paced, high-profile projects. If you have excellent communication skills and the drive to …