Month: January 2023

PCI DSSv4.0

  • Payment Card Industry (PCI)

Updated Regulation for PCI DSSv4.0

What is PCI DSS?

The PCI Security Standards Council (PCI SSC) serves as a worldwide platform where stakeholders in the payments industry collaborate to establish and promote data security standards and resources, ensuring secure payments on a global scale. Their updated regulations for PCI DSSv4.0 allow for a flexible approach to meeting the standard’s requirements with the introduction of a “Customized Approach” in addition to the “Defined Approach”. Note: the “Customized Approach” is only recommended for entities with a robust security program and risk management practices.

Approaches to PCI DSSv4.0

What are the drivers behind the update?

  • Ensure the standard meets the security needs of the Payment Card Industry (PCI)
  • Add flexibility to support different methodologies to achieve security
  • Promote security as a continuous process
  • Enhance validation methods and procedures

When will updated regulation for PCI DSSv4.0 go into effect?

  • Existing PCI DSSv3.2.1 will remain active for 2 years (through March 31, 2024)
  • New PCI DSSv4.0 requirements will go into effect March 31, 2022, and either version can be used until March 31, 2024.
  • After March 31, 2024, the updated regulation for PCI DSSv4.0 will be required.

What do I need to do?

  • Review the updated requirements of PCI DSS (Link).
  • Determine whether the Defined Approach or Customized Approach is best for your organization, and consult with your Assessor if the Customized Approach is the preferred validation approach.
  • Define an implementation plan for the updated requirements.
  • Determine when the assessment will become effective for your organization (prior to March 21, 2024).

Process for PCI DSSv4.0

How can Socium Security help?

Socium can assist entities that are designing their security programs for PCI DSS compliance with services around completing the Self-Assessment Questionnaire (SAQ) and penetration testing services on in-scope systems.

How can I learn more?

Refer to the PCI DSSv4.0 Resource Hub for information, documentation, and updated news regarding v4.0.

Overview of PCI DSSv4.0

California Privacy Rights Act (CPRA)

  • California Privacy Rights Act (CPRA)

CPRA

The California Privacy Rights Act (CPRA) is a ballot measure approved by voters in November 2020.

Who is a ‘consumer’?

A consumer is a natural person who is a California resident, as defined in the state’s tax regulations.

What rights do consumers have?

The CCPA creates six specific rights for consumers:

  1. the right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom;
  2. the right to delete personal information collected from the consumer;
  3. the right to opt-out of the sale of personal information (if applicable);
  4. the right to opt-into the sale of personal information of consumers under the age of 16 (if applicable);
  5. the right to non-discriminatory treatment for exercising any rights; and
  6. the right to initiate a private cause of action for data breaches.

The CPRA creates two additional rights:

  1. the right to correct inaccurate personal information; and
  2. the right to limit use and disclosure of sensitive personal information.

What is a consumer’s ‘personal information’?

The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

What is a consumer’s ‘sensitive personal information’?

SPI is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:

  • a consumer’s social security, driver’s license, state identification card, or passport number
  • a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
  • a consumer’s precise geolocation
  • a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
  • the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
  • a consumer’s genetic data

What constitutes a ‘sale’ of personal information?

The CCPA defines a “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

What does ‘sharing’ personal information mean?

The CPRA defines “sharing” as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

When does CPRA go into effect?

The CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA won’t become “operative” until Jan. 1, 2023.

How can Socium Security help?

Socium Security can assist organizations with building a privacy program that will enable compliance with existing Privacy related regulations including the CPRA.

California Consumer Privacy Act (CCPA)

  • California Consumer Privacy Act (CCPA)

CCPA

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents (“Consumers”). It is a law that gives consumers more control over the personal information that businesses collect about them.

In June 2018, the CCPA was signed into law, creating new privacy rights for Californians and significant new data protection obligations for businesses. The CCPA went into effect Jan. 1, 2020. California’s Office of the Attorney General has enforcement authority.

The CPRA, a ballot initiative that amends the CCPA and includes additional privacy protections for consumers, passed in Nov. 2020. The majority of the CPRA’s provisions will enter into force Jan. 1, 2023, with a look-back to Jan. 2022.

Who does it apply to?

The CCPA will apply to for-profit businesses that collect and control California residents’ (“Consumers”) PI, do business in the state of California, and meet at least one of the below conditions.

  • Buys, sells or shares personal information of 50,000 consumers or devices
  • Annual gross revenue is greater than $25 million
  • Derives 50% of its annual revenue from the sale of its customers’ personal information

CCPA Specific Definitions

  • Consumer – any natural person who is a California resident.
  • Processing – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means.
  • Collector – a “collector” is someone who buys, rents, gathers, obtains, receives, or accesses any personal information pertaining to a California resident by any means.
  • Seller – a “seller” is someone who sells, rents, releases, discloses, disseminates, makes available, transfers, or otherwise communicates orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.

While not all “collectors” are “sellers,” a seller is most likely a collector.

  • Service Provider – a for-profit entity that processes information on behalf of a CCPA-covered business. Note – the CCPA differentiates between third parties and service providers.
  • An organization is a “third party” unless
    • it is the “business” that collects PI from consumers, or
    • it enters into a contract with a “business” that requires such organization to follow “service provider”–type restrictions.

Consumer Rights

Right to Know/Access – Right to access the specific pieces of personal information the business has collected from the consumer and the categories set forth (twice annually, free of charge).

Right to Deletion – Right to request that the business delete any personal information collected about the consumer. The CPRA also requires businesses to forward the request to delete to third parties so that all parties are aware that the information must be deleted, subject to some exceptions.

Right to Opt-in and Opt-out – Right to opt out (i.e. stop the selling) of the sale of personal information to third parties; businesses must also provide a mandated opt-in for the sale of the personal information of children under the age of 16. Opt-out requests can be submitted through the “Do Not Sell My Personal Information” button on the homepage of the organization’s website.

Right to Opt-in: The CPRA expands this right to include the sharing of minor consumers’ personal information as an additional basis requiring affirmative authorization (“opt-in”). The CPRA states that an organization cannot sell or share the personal information of a consumer who is less than 16 years old (“minor”) unless the business has received “opt-in” consent, i.e., affirmative authorization for the sale or sharing of that information.

Right to Opt-out: The CPRA expands this right to include the sharing of personal information about the consumer with third parties as well. Additionally, the CPRA provides consumers with access and opt-out rights with respect to the processing of their personal information that is based on automated decision making, including profiling.

Right to Non-discrimination (also called “Right to Equal Services”) – Right to receive equal services and pricing from the business even after the consumer exercises their privacy rights.

Right to Disclosure – Right to request that businesses that sell personal information provide information related to specific aspects of the business’s data practices. The CPRA expands this right to include the sharing of personal information as an additional basis for disclosing the information specified under the CCPA to the consumer upon receipt of a verifiable consumer request.

Exceptions to the opt-out right –

  • If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

Right to Rectification – A consumer has the right to request that an organization that maintains inaccurate personal information about the consumer correct that information, taking into account the nature and purposes of the processing of the information.

Right to Limit Use and Disclosure of Sensitive Personal Information – Consumers have the right to restrict the use of the sensitive personal information collected about them. The business must also ensure the user has easily visible access to a link on every webpage that makes invoking this right more convenient. This must be done by having a prominent “Limit the Use of My Sensitive Personal Information (SPI)” link on their homepage. SPI is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals: a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; etc.

Under the “Right to Know/Access”, a consumer may request that a business disclose the following:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which the business collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The categories of information that the business sells or discloses to third parties

Additionally, the CCPA provides consumers with a private right of action and statutory damages if certain unencrypted and unredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure (refer to subsequent slides).

How can Socium Security help?

Socium Security can help companies design security programs to meet the CCPA requirements and provide virtual DPO services to manage the ongoing operational aspects of the requirements.

GDPR

  • General Data Protection Regulation (GDPR)

GDPR

The General Data Protection Regulation (GDPR) was passed by the European Parliament in 2016 to establish data privacy and security standards for EU citizens. It is driven by fundamental privacy rights derived from the 1950 European Convention on Human Rights and introduces specific penalties:

  • The less severe infringements could result in a fine of up to €10 million, or 2% of global revenue (whichever is higher); in addition, data subjects have the right to seek compensation for damages.
  • The more serious infringements occur when the organization denies or disrespects the basic principles at the heart of the GDPR, such as lawfulness, data subject rights, etc. These types of infringements could result in a fine of up to €20 million, or 4% of global revenue (whichever is higher); in addition, data subjects have the right to seek compensation for damages.

The GDPR is organized as follows:

Data protection principles

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Accountability

The GDPR says data controllers have to be able to demonstrate they are GDPR compliant.

Data Security

The organization must implement appropriate technical and organizational measures, and follow time-based data breach reporting.

Data protection by design and default

Data protection principles must be considered in the design of any new product or service.

Data Processing

Specific scenarios are outlined to justify the processing of personal data.

  1. The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted in to your marketing email list.)
  2. Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)
  3. You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
  4. You need to process the data to save somebody’s life. (e.g. Well, you’ll probably know when this one applies.)
  5. Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)
  6. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

Consent

  • Consent must be “freely given, specific, informed and unambiguous.”
  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
  • Children under 13 can only give consent with permission from their parent.
  • You need to keep documentary evidence of consent.

Data Protection Officer (DPO)

You must appoint a DPO if any of the following applies:

  1. You are a public authority other than a court acting in a judicial capacity.
  2. Your core activities require you to monitor people systematically and regularly on a large scale. (e.g. Google.)
  3. Your core activities are large-scale processing of special categories of data listed under Article 9 of the GDPR or data relating to criminal convictions and offenses mentioned in Article 10. (e.g. You’re a medical office.)

Data Subject Rights

Listed below are a data subject’s privacy rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Who does it apply to?

Any organization that processes personal data of an EU citizen or resident, even if the organization itself is not located in the EU.

How can Socium Security help?

Socium Security can help with assessments and program development and managed services supporting GDPR requirements.

Health Insurance Portability and Accountability Act (HIPAA)

  • HIPAA

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed for healthcare organizations to safeguard the privacy of electronic health information and was later supported by a Privacy Rule and a Security Rule.

  • HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
  • HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).

Who does it apply to?

HIPAA was intended to protect individually identifiable health information, or Protected Health Information (PHI), held by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.

How can Socium Security help?

Socium Security can assist organizations with completing the risk assessment process utilizing the Security Risk Assessment (SRA) tool, and to design and implement a security program based on the requirements of HIPAA.

SOC2 Compliance

  • SOC2 Certification

SOC2 Certification

Service Organization Control (SOC) is a trust-based cybersecurity framework and auditing standard designed by the American Institute of Certified Public Accountants (AICPA) to demonstrate a service provider’s operational controls. The Trust Services Criteria are grouped across the following:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Who does it apply to?

The SOC2 standard is intended to indicate a service provider’s ability to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The SOC2 control requirements can be validated by a type 1 or type 2 audit report. A type 2 report covers management’s description of a service organization’s system and the suitability of the design and operating effectiveness of its controls, while a type 1 report covers management’s description of a service organization’s system and the suitability of the design of its controls only.

How can Socium Security help?

Socium Security can provide assessment and readiness services for organizations that need to meet internal or external stakeholder expectations using SOC2 audits and reports. We also have partners who are licensed to conduct the audit and reporting services to complete the cycle.

CIO 2023 Priorities: Cybersecurity

  • CIO 2023 Priorities: Cybersecurity

    The mantra of the year: Trust no one

CIO Journal: CIO 2023 Priorities - Cybersecurity

As companies race to combat cyber threats, cybersecurity will remain a top investment priority for corporate technology executives in 2023. These threats, as well as the associated business risk, have grown in recent years. The FBI’s Internet Crime Complaint Center reported a record 847,376 cyberattack complaints in 2021, with potential losses exceeding $6.9 billion.

The key takeaways from the CIO Journal survey:

  • Cybersecurity is a top priority
  • Cybersecurity is an increasingly collaborative effort
  • Zero-Trust Approach
  • Multi-Factor Authentication

Link to full article

NIST 800-53

  • NIST 800-53

NIST 800-53

The National Institute of Standards and Technology (NIST) Special Publication 800-53 rev 5, Security and Privacy Controls for Information Systems and Organizations, is the latest version of the security and privacy controls that can be used to manage risk for organizations of any sector and size, and for all types of systems, from supercomputers to industrial control systems to Internet of Things (IoT) devices. This control framework is often mapped to other frameworks due to its popularity and relevance in the industry. The implementation is broken into 3 control baselines, Low, Medium, and High, so that the program can scale to the specific threats and risk profiles of the organization.

Who does it apply to?

The guidance document is meant to cross industries and organization sizes, particularly with the control baselines that enable varying implementations aligned to risk profiles.

How can Socium Security help?

Socium Security can provide assessment and program development services for organizations that wish to align with the NIST 800-53 framework, including policies, processes and control implementation advisory.

ISO 27001 / ISO 27002 Information Security Framework

  • ISO 27001 / 27002 Information Security Framework

ISO 27001 / 27002 Information Security Framework

The International Organization for Standardization (ISO) created a standard for Information Security that is the basis for certifications to demonstrate effective cybersecurity programs for internal and external stakeholders. Some organizations will determine they need a full audit and certification. Other organizations may decide to “align” with ISO requirements. The decision is mainly dependent upon determining the business drivers for the recurring investment and organizational change.

ISO27001:2022 is the latest iteration of the 27001 series. It provides the framework for implementing an Information Security Management System (ISMS), which drives continual improvement in securing information assets across the pillars of confidentiality, integrity and availability. The framework consists of clauses and controls. Clauses outline the organization and management controls needed to maintain the program and manage risk, while the controls outlined in Annex A are the activities required to mitigate the risks identified through the risk assessment process. Certification is based on the ISO 27001 requirements being evidenced over a period of time.

ISO27002:2022 is the latest iteration of the 27002 series that supports the ISMS from 27001 with additional implementation guidance and control details found in Annex A of the ISO 27001 standard.

Who does it apply to?

The ISO standards are meant to apply to any organization, region, or industry, and are typically followed by larger international organizations and those that operate out of Europe and Asia.

How can Socium Security help?

Socium Security can help organizations determine their own readiness for an audit. We can assess, design and build a security program aligned to the ISO standards in preparation for eventual certification by an accredited audit firm. Read our guidance on first-time ISO 27001 audit readiness.

CMMC v2.0 (NIST 800-171)

  • CMMC v2.0

CMMC v2.0

With this final rule, posted on 10/15/2024, the DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify that contractors have implemented the security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This rule is effective December 16, 2024. The mechanisms discussed in this rule will allow the Department to confirm that a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. The full published document can be found here.

The Defense Federal Acquisition Regulation (DFARS) established a rule to implement a Cybersecurity Maturity Model Certification (CMMC) framework to assess contractor implementation of cybersecurity requirements to protect specific data types within the DoD supply chain. CMMC Model 2.0 is currently within the rulemaking process with the objective to:

  • Safeguard sensitive information to enable and protect the warfighter
  • Enforce DIB cybersecurity standards to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information.

Who does it apply to?

The primary purpose of CMMC practices and processes is to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

FCI – means “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

CUI – is “government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.”

CMMC is designed to assure the DoD that a contractor and/or subcontractor can adequately protect FCI and CUI at a level in proportion with the risk. It is used to verify the implementation of processes and practices and to certify that a contractor and/or subcontractor complies with the CMMC standard.

A contractor on a DoD contract needs to comply with the Standard. The contractor is required to obtain a CMMC certificate. If a contractor does not store or transmit CUI but does possess FCI, they must be certified at CMMC Level 1.

CMMC is based on the NIST 800-171 r2 security requirements organized across the following families:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Security Assessment
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical Protection
  • Personnel Security
  • Risk Assessment
  • System and Communication Protection
  • System and Information Integrity

How can Socium Security help?

Socium Security can provide assessment and program readiness services for organizations that are or will be processing FCI and / or CUI in support of federal contracts. This will establish a security roadmap and operational program to meet the Federal requirements.