For this week’s “In the News”, perform research on one of the following:
- new testing requirements (e.g. SSAE18 SOC1 or SOC2)
- new testing requirements put into place due to regulations
- how security assessments and testing integrate with other domains, such as cloud network architecture or the software development lifecycle
Kelly Sharadin says
This article from 2021 reports on the Federal Trade Commission (FTC) expanding the Gramm-Leach-Bliley Act (GLBA) requirements to non-bank financial institutions. Non-bank financial institutions include “entities engaged in activities that are incidental to financial activities” as well as “finders” companies. The primary objective of expanding GLBA is to require these types of institutions to enforce adequate safeguarding of customer data. The expansion of GLBA is the Safeguard Rules, which include the following: a written information security program, designation of a qualified individual, written reports to the board of directors, periodic risk assessments, program design based on risk assessment outcomes, access and authentication controls, encrypting customer data at rest and in transit, MFA, oversight of service providers, penetration testing and vulnerability scanning, data retention and disposal, and an IRP.
Of all the rules prescribed by the Safeguard rules, I find program design based on risk assessment outcomes to be the most noteworthy. Too often, a company will receive the results of a security assessment and fail to act upon remediation or plan mitigation as part of a long-term security roadmap. Periodic security assessments mean nothing if the organization does not make the findings actionable. The Safeguard rules attempt to hold entities accountable for implementing changes based upon their risk and security assessments.
https://www.dwt.com/blogs/privacy–security-law-blog/2021/11/glba-information-security-requirements-non-banks
Mohammed Syed says
“Cyber Risk Management in 2022: New Challenges and Opportunities”
The new testing requirements update as technology changes day by day, and every organization needs to utilize them in its new testing requirements. This program integrates test assessments and audits that regularly verify that an organization has adequate security controls and that those controls are functioning properly and effectively safeguarding information assets. The most important components of the security assessment program are the Security Test, Security Assessment, and Security Audit.
Security tests verify that the control is functioning properly; in the latest software development life cycle and cloud architecture, they should be implemented under SSAE18, SOC1, SOC2, and SOC3. SOC is an auditing procedure that ensures that the service provider securely controls your data to protect the organization and the privacy of clients. Specifically, the security of corporations getting compliant with SOC is the least fundamental need when considering a cloud platform or software development life cycle. Security testing should take place on regular schedules, with attention paid to each of the key security controls protecting an organization. The plan to integrate new testing requirements needs to consider the availability of security testing resources, the criticality of the system, and the applications to be tested.
Modern SDLCs such as Agile and DevOps use model-based security testing, code-based security testing, static analysis, penetration testing, and dynamic analysis as well as security regression testing.
https://www.jdsupra.com/legalnews/cyber-risk-management-in-2022-new-4084527/
Anthony Wong says
Earlier this year in March, President Biden signed an executive order called the Strengthening American Cybersecurity Act that will require covered entities to report cyber-incidents and ransomware to the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Some of the covered entities or industries include financial services, energy, healthcare, and transportation. According to the article, there are some criteria that must be met before an incident must be reported, such as if the incident causes a “substantial loss in confidentiality, integrity, or availability”, causes a disruption in business or business operations, or involves unauthorized access or disruption of the business due to a third party being compromised. Information such as the description of the incident, the vulnerability and exploit, and the type of information affected are some of the details that must be provided when the incident is reported.
Source: https://www.jdsupra.com/legalnews/new-cybersecurity-law-will-require-7181241/#:~:text=On%20March%201%2C%20the%20Senate,Infrastructure%20Security%20Agency%20(CISA).
Kelly Sharadin says
Hi Anthony,
I found the section on whether the CISA reports can be used against the company interesting. “Finally, the Act creates a privilege, shielding the CISA reports from discovery or use in any litigation (state or federal).” Based upon the criteria of the report, if a company failed to remediate vulnerabilities following a risk assessment, I would be curious to know if the privilege would remain valid, because that would demonstrate negligence on behalf of the organization.
Kelly
Vraj Patel says
The audit of an organization’s controls that protect the confidentiality, integrity, and availability of their customers’ data is known as System and Organization Controls (SOC). Within the reporting of the SOC audit, compared to SAS 70, there are new requirements. SSAE 16 regulates the new requirements. The auditors were to evaluate the effectiveness of the controls over the course of six months and then write a report based on their findings. According to SSAE 16, the auditor must evaluate the controls’ effectiveness over the full period and provide a finding based on the controls’ effectiveness.
Reference:
https://www.globalprivacyblog.com/privacy/goodbye-sas-70-hello-ssae-16-and-introducing-soc2-and-soc3/
Shubham Patil says
Cisco released the “Cisco Cloud Controls Framework” (CCF) to the public, according to the company last month. The CCF is intended to help teams ensure cloud products and services meet security and privacy requirements with a simplified compliance and risk management strategy, “saving significant resources.” Cisco believes it is “extremely challenging and resource- and time-intensive” for cloud-based software providers to meet requirements for security standards and certifications.
The “Cisco Cloud Controls Framework” is designed as the foundational methodology for Cisco to accelerate certification achievements across its cloud offerings and establish a “strong security baseline.”
Cisco’s guide on cloud security compliance is the result of “years of standards research” to certify SaaS products for multiple standards for repeatable practices and efficiencies. The framework comes with guidance on how to implement the controls and the audit artifacts needed to demonstrate control effectiveness. Cisco will regularly update the CCF as regulations evolve and new information is integrated into its compliance processes.
Link: https://blogs.cisco.com/security/announcing-the-public-availability-of-the-cisco-cloud-controls-framework-ccf
Kelly Sharadin says
Hi Shubham,
This really got my attention. FedRAMP is one of the most robust documents for cloud security I have ever come across. Therefore, Cisco pulling from FedRAMP as well as other resources to develop this framework for an even more robust certification is interesting. I am very curious to see what industry adoption will look like for CCF in practice. If anything, it is apparent the cloud is not going away anytime soon.
Kelly
Mitchell Dulaney says
“SEC Proposes Substantial New Cybersecurity Requirements for Investment Advisers and Companies”
The SEC has proposed major requirements that would be imposed on investment advisers and investment companies. At present, the SEC does not impose cybersecurity requirements on such companies, so these proposed requirements would be quite groundbreaking. They include a requirement that such entities have written cybersecurity policies to address information security risk, including risks posed by connections to partner or supply chain information systems. They would also require entities to report security incidents that impact the regulated entities or their clients within 48 hours of discovery. There are further requirements regarding annual risk assessments, the management of risks related to end user account security and access control, and the institution of threat and vulnerability management processes.
Because of the diversity of the kinds of organizations and individuals that are impacted by these new requirements, many of the specifics for how the requirements must be met are not defined. Therefore, some interpretation would be exercised by the SEC when evaluating any individual case of noncompliance. Despite the vagueness of these requirements, due to the lack of existing regulation in this space, many organizations will have to move very quickly to bring themselves into compliance if and when these requirements are put into place. Some impacted organizations may not have any components of these requirements implemented already, but the SEC has good reason to protect investors with cybersecurity regulations.
https://www.hklaw.com/en/insights/publications/2022/02/sec-proposes-substantial-new-cybersecurity-requirements
Antonio Cozza says
Wow, this is quite a drastic (and rather needed) change to make for the United States; outside of California’s strict laws, there is not much else like this. The 48-hour mark for reporting on cyber incident discovery is on par with that of GDPR. This would be a step in the right direction for the US, in my opinion.
Antonio Cozza says
In light of all of the recent cybersecurity attacks against critical infrastructure around the world and in the United States, the Strengthening American Cybersecurity Act has been passed, which forces certain “covered entities” (as determined by CISA) to report data breaches to certain federal regulators. The Act was signed into law on March 15, 2022. The primary criterion designating the need for reporting and documenting the cyber incident is “a substantial loss in the confidentiality, integrity, or availability” of information. The act is mainly in response to ransomware, and forces confirmation of payment to be disclosed within 24 hours of payment, and cyber incidents to be reported within 72 hours. Although the main focus was phrased as ransomware, it also includes DoS and malicious code, with or without extortion and encryption of data.
https://www.jdsupra.com/legalnews/new-cybersecurity-law-will-require-7181241/