
Organizational Requirements

About the Anatomy of a Cybersecurity Program Series

In this blog series, I will be walking you through many of the specific controls that fall into the domains mentioned above. My goal is to give you some insight into the issues and potential remedies we encounter daily while performing these assessments. Please use the suggestions to improve the posture of your own organization. No solution, remediation or mitigating countermeasure is one-size-fits-all; however, I will do my best to present the information from a generic enough standpoint that you should be able to find value in it even if it is not directly relevant to your environment.


Updated: 23 January, 2019

Organizational Requirements

There have been a number of recent news stories that have shone some light on this often overlooked section of cybersecurity strategies and plans. Every Enterprise Security Risk Assessment looks for it, and most regulatory bodies address it with a few sentences or a short paragraph. Even HIPAA does it with one sentence: the Organizational Requirements section of the HIPAA Final Security Rule addresses the contracts and agreements an organization must have in place with the partners with whom PHI/ePHI is shared. The NIST Cybersecurity Framework (NIST CSF) addresses these organizational requirements throughout all of its functions, from “Identify” (who do I need agreements with, and what is the nature of those agreements) to “Recover” (reporting requirements: who communicates what, and when, to third-party stakeholders).

Sets Minimum Level of Security Countermeasures

The bottom line is that you need Vendor Contracts and/or MOUs (Memorandums of Understanding) in place and executed. These written agreements spell out what your vendors and business partners are required to do to protect the data you entrust to them, and they set the minimum level of security countermeasures the vendor must use to protect your network and data from unauthorized access.

Legally Binding Cybersecurity Document

In the HIPAA example above, that one sentence requires the generation of a Business Associate Agreement (BAA) that covers ten sub-parts of the HIPAA Security Rule and addresses all local and state reporting requirements, as well as anything else the legal department feels is necessary. The BAA is a legally binding document between both parties; it should be available to an auditor upon request and reviewed regularly (annually, or at least every 18 months).

  • How important is this?
  • Is it just a box to check off?
  • Why does it need to be available to everyone “upon request”?
  • Who do I need one with?

My First Remote Shell Through a Vendor – 25K Records, Worth over $500K

During my very first penetration test, I got my very first remote shell (Victory!!) into the VLAN segment that just happened to be where all the business-critical servers were segmented; this system was vendor owned and managed. The organization did not have administrative access, could not patch the system, and contractually the vendor was not required to let them have access to the OS, only a web API. Making matters worse, this system contained over 25,000 records containing PII, the database was not backed up, and it had an accounts receivable value of nearly $500K. That was several years ago, but the same system type was also the point of entry in one of my more recent engagements.

Not Just a Legal Document

The purpose of requiring that these agreements be ‘available upon request’ is not to make life easier for the auditor making the request. The intent is to make sure the document, with its contractual obligations, is available to everyone responsible for implementing and enforcing the contract. This is not just a legal document to be stored in ‘Contracting’ or ‘Logistics’ and only see the light of day during a renewal/review period. It tells those implementing and enforcing the Vendor Contracts/BAAs/MOUs what should be done, by whom, and to what standard. In addition to any mandated regulatory language, make sure your Vendor Contracts/BAAs/MOUs contain provisions for the following:

  • Incident definition (what the vendor must treat as a reportable security incident)
  • Incident reporting (to whom, by what channel, and within what time frame)
  • Patching interval and the process for exceptions
  • Security scan interval
  • Minimum encryption levels (both in transit and at rest)
  • Risk acceptance notifications (you must be told when the vendor accepts a risk affecting your data)
  • Password length, complexity and change frequency
  • Minimum baseline profile (the configuration/hardening baseline the vendor’s systems must meet)

Consider Types and Levels of Cybersecurity Insurance Required

Another area you might want to consider, in light of the frequency and prevalence of hacking incidents, is cybersecurity insurance. Specifically, determine your requirements for minimum first- and third-party coverage areas and limits, for both your organization and your vendors. Work with a reputable commercial agent to determine what policy types and limits best fit your organization.

Who Do I Need to Include?

With whom should you execute these contracts? Anyone who may have physical or electronic access to your sensitive data. The following is a quick list of outsourced vendors that are often overlooked, forgotten or dismissed as unimportant:

  • Co-location facilities and ISPs
  • Cloud storage and hosted services
  • SaaS providers
  • Document disposal/shredding companies
  • Outsourced printing vendors
  • Product/parts delivery services
  • Janitorial services
  • Security guards
  • Facility contractors (HVAC, alarm/fire, etc.)

Discuss Organizational Requirements NOW!

Go through your compliance matrix today! The time to discuss or review Organizational Requirements is NOW, not after a compromise/breach, and not once the vendor relationship has become so ingrained in your business processes that it can’t easily be replaced. Work with your legal department. Make sure the language in all of your Vendor Contracts/BAAs/MOUs is clear, detailed and enforceable in both your and your vendor’s jurisdictions.

Happy Hunting!!
