ZenGRC

Simply Powerful GRC

Risk Management

Automate Evidence Gathering with Vulnerability Management Integration

· ·

Evidence gathering for vulnerability management programs has historically been made up of many manual tasks. Different individuals from separate teams gather information and attempt to consolidate the data to make it usable. 
Vulnerability management programs have been designed to identify, classify, prioritize, remediate, and mitigate vulnerabilities most often found in software. One can imagine the sheer amount of data involved in the vulnerability management process and the next steps that come after a vulnerability assessment or vulnerability scanning. 

Many organizations use the data collected to feed information technology security, risk management programs, application patching, attack surface reduction, and operating systems patching. One can see the lure of automating evidence gathering via vulnerability management integration when so many other processes depend on it.

Vulnerability Management Solutions

Vulnerability scanning is at the core of a cybersecurity and vulnerability management program. 

Scanning enables information security teams to find vulnerabilities at a scale manual evaluation is unable to compete with. Vulnerability scanners evaluate security vulnerabilities, operating systems, and web applications looking for security risks and common vulnerabilities. 

Evidence gathering is a key component here as it enables the prioritization of vulnerability data. The ability to tie vulnerability data and threat intelligence together in an automated fashion is what gives mature security teams the ability to execute security controls and resolve Common Vulnerabilities and Exposures (CVE).

How to Automate Evidence Gathering with Vulnerability Management Integration

Automated evidence gathering allows organizations to gather as much information and evidence about different types of attacks and malicious activities as possible. 

Vulnerability management software and vulnerability management tools are on the front line acting as the scan engine for threat detection. Integrating the evidence collected with a Governance, Risk, and Compliance solution (GRC) like ZenGRC is critical to take actionable steps towards timely vulnerability remediation. 

There are several security frameworks like NIST CSF, PCI, ISO, and SOC 2 that help IT security personnel builds robust security controls that leverage collected evidence for remediation purposes. However, the real power comes from the integration between GRC platforms and vulnerability management. Most often, the integration comes in the form of a plugin that facilitates communication between GRC and the vulnerability management system. 

While a plugin enables the capability, there is often configuration that must be done. It is recommended that organizations automating evidence gathering with vulnerability management integration look for a GRC platform with out of the box pre-configured rules that are easy to leverage and replicate for additional use cases.

Summary
Automated evidence gathering with vulnerability management integration ultimately aims to ease vulnerability remediation. To act on detected vulnerabilities, the system needs evidence to tag the vulnerabilities and prioritize them for remediation. 

Following a cybersecurity framework like the NIST CSF aids not only in IT security but detecting vulnerabilities in the first place. Automation allows organizations to exponentially scale the manual steps of identification, classification, prioritization, remediation, and mitigation. 

The key to automating evidence gathering is having the right GRC and vulnerability management platform that has a robust connector between them.

What is the Segregation of Duties as it Relates to Controls?

· ·

Segregation of duties (also known as separation of duties) is a key concept of internal controls that aims to prevent fraud and errors.

The main concept underlying segregation of duties (SOD) is that no employee or group of employees should be in a position to commit and conceal fraudulent activity or errors in the normal course of their duties.

Auditors will look for segregation of duties as part of their analysis of an organization’s system of internal controls. The auditors will downgrade their opinion of a company’s system of internal controls if there are any failures in the segregation of duties.

Traditional internal control systems depend on assigning certain responsibilities to different employees or segregating incompatible functions. The general premise of SOD is to prevent one person from having custody of assets as well as being responsible for maintaining the accountability of those assets.  In other words, share responsibilities of a key process that disperses critical functions of that process to more than one person, department, or company.  

In general, the principal incompatible duties to be segregated are:

  • Custody of assets
  • Authorization or approval of related transactions affecting those assets
  • Recordkeeping or reporting of related transactions
  • Reconciliation of audit.

Depending on the size of an organization, functions and designations may vary. When duties cannot be segregated, the company should implement compensating controls. 

Compensating controls are internal controls intended to reduce the risk of an existing or potential control weakness. If one person can perform their day-to-day activities and conceal errors and/or irregularities in the course of performing those duties, that one person has been assigned duties that are incompatible with SOD. 

Although there is no internal control audit standard or accounting stipulation that calls for specific requirements for SOD, maintaining a system of effective internal controls does require the appropriate segregation of duties. 

For a company’s system of internal control to be effective, there must be adequate segregation of duties among the workers who perform accounting procedures or internal control activities and those who handle assets. 

Generally, an organization should design the flow of transaction processing and related activities so that the work of one person is either independent of, or serves to check on, the work of another. This reduces the risk that errors will go undetected and limits the opportunities that one person can misappropriate assets or hide intentional misstatements in the company’s financial statements.

 

Top Strategies for Digital Risk Protection

· ·

Would you leave your business doors open and unlocked when no one is there? Of course not. So why would any organization with a digital presence fail to have an effective digital risk protection (DRP) program?

DRP is the proactive piece of the cybersecurity puzzle, and imperative for every organization.

Learn how to implement this imperative cyber risk management strategy in three simple steps:

  • Identification – Discover the five actions you must take to identify all your digital risks, and how.
  • Mitigation – Learn which controls work best for DRP, and which compliance frameworks will help you create the most effective program for your enterprise.
  • Automation – Understand the three “must-have” features for digital risk management software.

Duration: 1 hr

Watch the Recording

5 Strategies to Mitigate Business Risk During Coronavirus

· ·

man holding an umbrella protecting him and his stack of gold coins from the falling rain

Business risk in the United States may be higher during the novel coronavirus pandemic than at any time in our generation, making risk management a must.

What are your strategies for risk mitigation—not only in your enterprise but up and down your supply chain—amidst COVID-19 disease outbreaks?

Business interruption is a growing concern right now. 

The Risks Are High

A recent Pew Research Center report finds that 43 percent of small businesses are closed, at least temporarily, because of pandemic risk.

And among the U.S. businesses with paid employees, 40 percent are in high-risk industries, the report states.

These enterprises, in particular, are more likely to face business continuity issues including supply chain disruptions, absenteeism, cybersecurity breaches, and other potential impacts caused by this infectious disease outbreak.

Even when times are good, only about half of enterprises will last five years or longer, according to the U.S. Small Business Administration

The Economy Is Reeling

But the coronavirus outbreak has made COVID-19 one of the most devastating of infectious diseases seen in human history, beginning its spread from Wuhan, China, around the world—hitting hard in the U.S. including in New York and prompting the World Health Organization to declare it a pandemic.  The global economy has been reeling.

Travel restrictions were among the first dampers placed on business operations, with flights to the United States from China and Europe halted in an attempt to contain the COVID-19 disease spread.

Enterprises limited business travel, as well, and instituted remote-work policies that, in turn, increased the risk of cybersecurity breaches. 

Keep Your Business Healthy

The Centers for Disease Control and Prevention (CDC) has provided strategies for minimizing health risks and maximizing the well being of your employees and their family members while keeping business up and running. But what about the health of your business operations?

For that, you need a different set of response plans. Here are some strategies we recommend:

  1. Focus on resilience. Cybersecurity resilience, which acknowledges that breaches happen and aims to restore systems quickly after an attack, is important. But so is operational resilience, which aims to keep critical business functions and services up and running and minimizing business disruptions.

 Business continuity planning and contingency planning should already have mechanisms built-in to protect critical assets (your so-called “crown jewels”) and ensure smooth crisis management. Resilience is as resilience does. However, devise scenarios to test your response plans so that, when a crisis occurs, everyone knows what to do.

  1. Know your risks. Proactive risk assessments are ideal, but if you don’t have an up-to-date risk assessment in place, perform one now. Understanding all the business threats, including those caused by the virus, will help with your decision-making as you fine-tune response plans in light of shifting virus “hot spots” and other changes.
  2. Increase your pandemic preparedness. Although we’re in the midst of a pandemic, if you don’t have a pandemic preparedness plan, this is the time to formulate one.

Even as states start to open up for business again and people begin to venture outside their homes, a second wave of COVID-19 could hit.

If the influenza pandemic of 1918 is any indication, the second wave could be more devastating than the first. Make your pandemic plans now, and be aware: Many business insurance policies do not cover losses caused by epidemics or pandemics.

  1. Stay abreast of assistance programs. Federal, state, and local governments are creating and funding programs to help businesses weather the pandemic. Even Facebook has a small-business grant program. Is your enterprise eligible for aid?
  2. Maintain your compliance. Staying compliant with regulations and industry standards can be an effective way to manage risk at any time. Amid the confusion and stress of a pandemic, compliance frameworks can provide the reassurance of structure.

The best compliance and risk management programs today use digital solutions to help with risk assessments, test controls, find compliance gaps, issue alerts when gaps occur, provide detailed risk mitigation and compliance checklists, and manage workflows—all automatically, freeing you to focus on keeping your business, personnel, and customers safe and healthy during the COVID-19 pandemic.

ZenGRC performs all these tasks and more, including unlimited self-audits, audit trail documentation, and integration with all of your business applications. Contact us today for a free consultation, and embark on the path to worry-free, comprehensive risk and compliance management.

Risk Assessment Checklist NIST 800-171

· ·

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is a subset of IT security controls derived from NIST SP 800-53.  NIST SP 800-53 provides a catalog of cybersecurity and privacy controls for all U.S. federal information systems except those related to national security. 

The IT security controls in the “NIST SP 800-171 Rev. 2 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” are mandatory when nonfederal entities share, collect, process, store, or transmit controlled unclassified information (CUI) on behalf of federal agencies.

CUI is defined as any information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or governmentwide policy.  

This NIST SP 800-171 checklist will help you comply with NIST standards effectively, and take corrective actions when necessary. 

When you implement the requirements within the 14 sets of controls correctly, the risk management framework can help you ensure the confidentiality, integrity, and availability of CUI and your information systems.

Areas to Address on Your NIST SP 800-171 Checklist

The following is a summary of the 14 families of security requirements that you’ll need to address on your NIST SP 800-171 checklist. 

Access Controls

Access control centers around who has access to CUI in your information systems. To comply with NIST SP 800-171, you must ensure that only authorized individuals have access to sensitive data in the information systems of federal agencies. 

You should include user account management and failed login protocols in your access control measures. You should also consider increasing your access controls for users with privileged access and remote access.  Access controls must also cover the principles of least privilege and separation of duties. It is essential to create a formalized and documented security policy as to how you plan to enforce your access security controls.  

Awareness and Training

This section of the NIST SP 800-171 focuses on whether organizations have properly trained their employees on how to handle CUI and other sensitive information. 

That means you have to be sure that all of your employees are familiar with the security risks associated with their jobs, plus all the policies, including your security policy and procedures.

Audit and Accountability

You’ll also have to create and keep system audit logs and records that will allow you or your auditors to monitor, analyze, investigate and report any suspicious activity within your information systems. And any action in your information systems has to be clearly associated with a specific user so that individual can be held accountable.

Consequently, you’ll need to retain records of who authorized what information, and whether that user was authorized to do so. Identifying external and internal data authorization violators is the main thrust of the NIST SP 800-171 audit and accountability standard.

Configuration Management

This deals with how you’ve built your networks and cybersecurity protocols and whether you’ve documented the configuration accurately. How your network is configured can entail a number of variables and information systems, including hardware, software, and firmware.

Be sure to analyze your baseline systems configuration, monitor configuration changes, and identify any user-installed software that might be related to CUI.

Identification and Authentication

Be sure to authenticate (or verify) the identities of users before you grant them access to your company’s information systems. Specifically, NIST SP 800-171 states that you have to identify and authenticate all users, processes, and devices, which means they can only access your information systems via approved, secure devices.

Consider using multi-factor authentication when you’re authenticating employees who are accessing the network remotely or via their mobile devices. You should also ensure they create complex passwords, and they don’t reuse their passwords on other websites. 

You also might want to conduct a NIST 800-171 internal audit of your security policies and processes to be sure you’re fully compliant.

Incident Response

In the event of a data breach or cybersecurity threat, NIST SP 800-171 mandates that you have an incident response plan in place that includes elements of preparation, threat detection, and analysis of what has happened.

Also, you must detail how you’ll contain the cybersecurity threat, recover critical information systems and data, and outline what tasks your users will need to take. You also must establish reporting guidelines so that you can alert designated officials, authorities, and any other relevant stakeholders about an incident in a timely manner.  

Essentially, these controls require an organization to establish an operational incident handling capability for systems that includes preparation, detection, analysis, containment, recovery, and user response activities.  Testing the incident response plan is also an integral part of the overall capability.  

Maintenance

Under NIST SP 800-171, you are required to perform routine maintenance of your information systems and cybersecurity measures. That means you must establish a timeline of when maintenance will be done and who will be responsible for doing it. 

You also need to provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct maintenance on your information systems. 

Media Protection

NIST SP 800-171 requires that you protect, physically control, and securely store information system media that contain CUI, both paper and digital. So you need to assess how you store your electronic and hard copy records on various media and ensure that you also store backups securely.  Only authorized personnel should have access to these media devices or hardware. 

Personnel Security

Be sure you screen new employees and submit them to background checks before you authorize them to access your information systems that contain CUI. It’s also critical to revoke the access of users who are terminated, depart/separate from the organization, or get transferred. 

Physical Protection

According to NIST SP 800-171, you are required to secure all CUI that exists in physical form. Ensure that only authorized users have access to your information systems, equipment, and storage environments. Be sure you lock and secure your physical CUI properly. You also need to escort and monitor visitors to your facility, so they aren’t able to gain access to physical CUI. 

Risk Assessment (also called Risk Analysis)

Assess the risks to your operations, including mission, functions, image, and reputation. Assess your organizational assets and people that stem from the operation of your information systems and the associated processing, storage, and/or transmission of CUI.

For example: Are you regularly testing your defenses in simulations? How regularly are you verifying operations and individuals for security purposes?

A risk assessment is a key to the development and implementation of effective information security programs. A risk assessment can help you address a number of cybersecurity-related issues from advanced persistent threats to supply chain issues. 

You can use the results of your risk assessment to establish detailed courses of action so you can effectively respond to the identified risks as part of a broad-based risk management process. 

Security Assessment

Periodically assess the security controls in your information systems to determine if they’re effective. Because cybersecurity threats change frequently, the policy you established one year might need to be revised the next year. 

Set up periodic cybersecurity review plans and procedures so your security measures won’t become outdated. To comply with the security assessment requirement, you have to consistently review your information systems, implement a continuous improvement plan, and quickly address any issues as soon as you discover them. 

System and Communications Protection 

At some point, you’ll likely need to communicate or share CUI with other authorized organizations. As such, NIST SP 800-171 sets standards for the systems you use to transmit CUI, as well as the cybersecurity measures that you should take. You should regularly monitor your information system security controls to ensure they remain effective.

System and Information Integrity 

The system and information integrity requirement of NIST SP 800-171 covers how quickly you can detect, identify, report, and correct potential system flaws and cybersecurity threats. It’s also important to regularly update your patch management capabilities and malicious code protection software.  

More about NIST SP 800-171

NIST published Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations in June 2015. The purpose of this NIST special publication is to provide direction to federal agencies to ensure that federal data is protected when it’s processed, stored, and used in nonfederal information systems.  NIST SP 800-171 has been updated several times since 2015, most recently with Revision 2 (r2), published in February 2020 in response to evolving cybersecurity threats.   

The NIST 800-171 standard establishes the base level of security that computing systems need to safeguard CUI. Since every organization that accesses U.S. government data must comply with NIST standards, a NIST 800-171 risk management framework compliance checklist can help you become or remain compliant.

NIST SP 800-171 was developed after the Federal Information Security Management Act (FISMA) was passed in 2003. The NIST special publication was created in part to improve cybersecurity.

It’s “a national imperative” to ensure that unclassified information that’s not part of federal information systems is adequately secured, according to the National Institute of Standards and Technology. This helps the federal government “successfully carry out its designated missions and business operations,” according to the NIST.

According to the Federal CUI Rule by the Information Security Oversight Office, federal agencies that handle CUI along with nonfederal organizations that handle, possess, use, share, or receive CUI or that operate, use, or have access to federal information and federal information systems on behalf of federal agencies, must comply with:

  • Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems 
  • Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems
  • NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.

Based on best practices from several security documents, organizations, and publications, NIST security standards offer a risk management program for federal agencies and programs that require rigorous information technology security measures.

The NIST SP 800-171 aims to serve system, information security, and privacy professionals, including those responsible for:

  • System development, e.g., program managers, system developers, system owners, systems integrators, system security engineers
  • Information security assessment and monitoring, e.g., system evaluators, assessors, independent verifiers/validators, auditors, analysts, system owners
  • Information security, privacy, risk management, governance, and oversight, e.g., authorizing officials, chief information officers, chief privacy officers, chief information security officers, system managers, and information security managers 
  • Information security implementation and operation, e.g., system owners, information owners/stewards, mission and business owners, systems administrators, and system security officers.