Cloud Security Compliance

We help you build sustainable programs that improve security and reduce regulatory burden.

Cyber Defense Group is experienced in taking a diverse group of clients through the compliance journey. Regulatory requirements grow every year, so we focus on keeping your business up to date. We aim to help your business meet requirements rapidly so that you can get on with achieving your goals. We also offer Compliance-as-Code: controls expressed as machine-checkable policy that is evaluated continuously against your cloud infrastructure, which reduces compliance drift between what was audited and what is actually running.
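The following is an added illustration of what Compliance-as-Code looks like in practice; it is example code written for this page, not CDG's tooling or any vendor's product. Controls are written as small functions labelled with the CIS Control and NIST 800-53 family they map to, evaluated over a resource inventory, and compared against an approved baseline to surface drift. The inventory and its field names (encryption, public_read, mfa_enabled, ingress) are constructed for the example and only mimic the shape of cloud API output.

```python
"""Compliance-as-Code in miniature: codified controls, an evaluation pass
over a cloud resource inventory, and drift detection against a baseline.

Added example for this page; not CDG tooling. All resource records below
are constructed, and their attribute names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed baseline: the state that was reviewed and approved at audit time.
BASELINE: Dict[str, dict] = {
    "bucket/customer-exports": {"type": "bucket", "encryption": "aws:kms", "public_read": False},
    "iam_user/alice": {"type": "iam_user", "mfa_enabled": True, "policies": ["ReadOnly"]},
    "sg/bastion": {"type": "security_group", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
}

# Constructed current state: two resources drifted since approval and one was added.
CURRENT: Dict[str, dict] = {
    "bucket/customer-exports": {"type": "bucket", "encryption": "none", "public_read": True},
    "iam_user/alice": {"type": "iam_user", "mfa_enabled": True, "policies": ["ReadOnly"]},
    "sg/bastion": {"type": "security_group", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    "iam_user/deploy-bot": {"type": "iam_user", "mfa_enabled": False, "policies": ["*"]},
}


@dataclass(frozen=True)
class Control:
    control_id: str                      # local identifier for this example
    title: str                           # names the CIS Control / NIST family it maps to
    resource_type: str                   # which inventory records the check applies to
    passes: Callable[[dict], bool]       # the codified requirement


CONTROLS: List[Control] = [
    Control("DP-ENC", "Data Protection: object storage encrypted at rest", "bucket",
            lambda r: r.get("encryption") in ("AES256", "aws:kms")),
    Control("AC-PUB", "Access Control: object storage not publicly readable", "bucket",
            lambda r: r.get("public_read") is False),
    Control("IA-MFA", "Identification and Authentication: MFA enabled on users", "iam_user",
            lambda r: r.get("mfa_enabled") is True),
    Control("AC-ADM", "Controlled Use of Administrative Privileges: no wildcard policy", "iam_user",
            lambda r: "*" not in r.get("policies", [])),
    Control("SC-SSH", "System and Communications Protection: SSH not open to the internet",
            "security_group",
            lambda r: not any(i.get("port") == 22 and i.get("cidr") == "0.0.0.0/0"
                              for i in r.get("ingress", []))),
]


@dataclass(frozen=True)
class Finding:
    resource: str
    control_id: str
    title: str


def evaluate(inventory: Dict[str, dict]) -> List[Finding]:
    """Run every applicable control over every resource and return the failures."""
    findings: List[Finding] = []
    for name, res in sorted(inventory.items()):
        for c in CONTROLS:
            if c.resource_type == res.get("type") and not c.passes(res):
                findings.append(Finding(name, c.control_id, c.title))
    return findings


def drift(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare current state with the approved baseline.

    Reports resources added or removed since approval and, for resources
    present in both, the attribute names whose values differ.
    """
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            keys = set(baseline[name]) | set(current[name])
            changed = sorted(k for k in keys if baseline[name].get(k) != current[name].get(k))
            if changed:
                report["changed"].append(f"{name}: {', '.join(changed)}")
    return report


def compliance_gate(inventory: Dict[str, dict]) -> bool:
    """True only when no control fails; a CI/CD pipeline would block deploys on False."""
    return not evaluate(inventory)


if __name__ == "__main__":
    for f in evaluate(CURRENT):
        print(f"FAIL {f.control_id:7} {f.resource}: {f.title}")
    for section, items in drift(BASELINE, CURRENT).items():
        print(f"{section}: {items}")
    print("gate:", "PASS" if compliance_gate(CURRENT) else "BLOCK")
```

The point of the drift report is that it is independent of the control set: a resource can drift from its approved state in a way no codified control yet catches, and that change still deserves a human look before the next audit cycle.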

Security Compliance Types

ISO27001

ISO27001 (formally ISO/IEC 27001) is an international standard for information security management, published jointly by the International Organization for Standardization and the International Electrotechnical Commission.

SOC2

SOC2 was developed by the AICPA as an attestation over a service organization's controls for customer data, evaluated against its Trust Services Criteria (originally called the "trust service principles"). SOC2 is primarily requested of companies operating within the United States.

CMMC

CMMC is a standard for organizations in the United States which work with the Department of Defense (DoD).

NIST 800-53

To prevent every agency inventing its own control set, the National Institute of Standards and Technology (NIST) constructed a catalog of security and privacy controls for all federal agencies to follow.

HIPAA

The Health Insurance Portability and Accountability Act is a US law enacted in 1996 which governs the data protection and privacy of health records.

GDPR

The European General Data Protection Regulation is a data protection and privacy regulation covering individuals in the EU. Any organization established in the EU, or that offers goods or services to people in the EU or monitors their behavior, must conform to this regulation.

CCPA

The California Consumer Privacy Act is a California data protection and privacy law for residents of California.

CIS 20

The CIS 20 (CIS Controls version 7) is a prioritized list of 20 actions and practices an organization's security team can implement to prevent or minimize the most common cyberattacks.

Cybersecurity Should be an Advantage, not a Cost Center. Let’s Get to Work.

ISO27001 Compliance

What is ISO27001?

While there are regional and national standards for security compliance, there is also a widely used international standard: ISO 27001. ISO 27001 is part of the ISO/IEC 27000 family of standards and has been revised several times since its first publication (2005, 2013, and 2022 editions).

ISO 27001 specifies the requirements for an information security management system (ISMS): the policies, processes, and controls an organization uses to protect the confidentiality, integrity, and availability of the information it handles.

To prove compliance with ISO 27001, a business needs its ISMS to be certified by an accredited certification body. Holding that certificate lets the business demonstrate to customers, partners, and regulators that its security management meets an independently audited standard.

Scope of an ISMS and Compliance

ISO 27001 provides companies with a guideline and framework for building an ISMS. The ISMS acts as the focal point of security management and extends far beyond just the IT department.

The ISMS should, as a whole, identify and analyze the organization's security risks and threats, select and implement controls that address those risks, and define the policies and procedures that keep the company's information and data secure over time.

Each company or organization will have an ISMS that is best suited to its needs. Some companies handle information that requires stricter controls within the ISMS. Furthermore, the scope of the ISMS can be limited to specific business units, locations, or systems; the certificate then covers only what is in scope, so customers should check that the services they rely on are included.

Busy SRE teams save time by partnering with trusted third parties

You may have been relying on your already strained SRE teams to embed security into the SDLC on their own. That is usually why security ends up pushed to the right, late in the delivery cycle. By partnering with a third party like CDG, you free your SRE teams to keep your main business running while leaning on us to shift your security left.

Achieving Certification

Information Security Management System (ISMS)
A business can receive a certificate confirming that its ISMS conforms to ISO 27001. Certification is achieved by having an accredited certification body conduct an audit process in distinct phases.
The audit will examine the ISMS scope, the information security policy, risk assessment results, security objectives, contracts with third-party vendors, compliance with applicable regional regulations, and more.

The auditors will assess the ISMS in light of the company's business, structure, and use of data. The process begins with a Stage 1 review of the ISMS documentation and readiness, followed by a Stage 2 audit that tests whether the controls and policies are actually implemented and effective. After certification, periodic surveillance audits confirm the ISMS remains compliant, with a full recertification audit typically every three years.

SOC 2

Defining SOC 2​

As a greater number of individuals and companies have begun using cloud-based technology, it has become important to ensure that the data stored in these processing and storage systems is properly protected and secured.

The American Institute of CPAs (AICPA) created System and Organization Controls 2 (SOC 2), an attestation report in which an independent auditor evaluates a service organization's controls over the security of customer data.

SOC 2 is not limited to cloud-based providers, but it is one of the ways one can ensure that a provider is committed to secure data storage.

SOC 2 Criteria

Like ISO 27001, SOC 2 has a flexible model: a business chooses which criteria are in scope for its report and is assessed only against those. Therefore, SOC 2 audits will look different for each entity.

There are five trust services criteria (historically called principles) an entity can be assessed against: security, availability, processing integrity, confidentiality, and privacy. Security is required in every SOC 2 report; the other four are included only where they are relevant to the service being provided.

  • For the security criterion, the audit examines the organization's safeguards against unauthorized access to data and the security policies and tools in place.

  • The availability criterion deals with the accessibility of the organization's system. Can customers and other parties access the system or service as stipulated in the contracts and obligations in place? Availability requires that they can.

  • When a system commits to a certain level of processing accuracy and timeliness, it must honor that commitment. The processing integrity criterion addresses exactly that: the entity has to ensure the system processes data completely, accurately, and in a timely and authorized manner, according to the guidelines it has set.

  • In specific situations or industries, certain data must be restricted to a limited set of people, making the data confidential. Confidential data includes protected health information, personal information, and financial information, among many others. The organization should have proper mechanisms in place to ensure the confidentiality of that data.

  • The privacy criterion deals with the collection, use, retention, and disposal of personal information. The organization should follow the practices set out in its privacy notice, and the privacy controls in place should protect the data according to generally accepted privacy principles.

Meeting SOC 2 Compliance

SOC 2 Report
Following an independent audit, a company or organization will receive a SOC 2 report describing the results of the assessment of its controls. A Type I report covers the design of the controls at a point in time; a Type II report covers their operating effectiveness over a review period, which is why customers more often ask for it. Organizations looking to meet SOC 2 compliance prior to an audit are encouraged to contact CDG for personalized and expert guidance on the creation and maintenance of security procedures and frameworks.

CMMC Compliance

What is the CMMC?​

The US Department of Defense (DoD) handles classified and unclassified information, but the DoD also deals with contractors outside of the government apparatus who are permitted access to certain information. Given the sensitivity of the information being used, it is imperative that contractors have cybersecurity mechanisms in place. The DoD created the Cybersecurity Maturity Model Certification (CMMC) in order to create a federal standard for data controls.

How Does the CMMC Work?

As before, contractors remain responsible for protecting and securing the information they use, but with the introduction of the CMMC there is a defined standard to which these contractors can adhere and, once compliant, a certification they can achieve. The CMMC sets and clarifies the technical requirements contractors should be following so that their information systems do not remain vulnerable to cyber threats and attacks.

CMMC Framework

The original CMMC framework defined five levels that a company can meet in order to demonstrate its system's cybersecurity practices. The first level concerns basic safeguarding measures, such as limiting unsuccessful login attempts, that overlap with the NIST 800-171 requirements. The second level adds further NIST 800-171 requirements so that controlled unclassified information (CUI) remains secure. The third level requires a company-wide management plan covering the full set of NIST 800-171 practices for CUI. The fourth level requires the company to routinely test and review its cybersecurity practices to ensure its procedures and protocols are sufficient to defend against threats. Finally, the fifth and highest level requires the company to have in place a tested, standardized, and optimized cybersecurity management system. Note that the CMMC 2.0 revision announced by the DoD in November 2021 collapsed this model to three levels: Level 1 (basic safeguarding), Level 2 (aligned with the 110 NIST 800-171 requirements), and Level 3 (a subset of NIST 800-172 requirements). Check which version applies to the contract you are pursuing.

CMMC Compliance

With the new system in place, contractors and others involved in the supply chain will have to meet the CMMC level required for the work. Contractors should already have a system in place for cybersecurity and other data security systems, but it is important that the existing (or new) system complies with the required CMMC level. This is where we come in. CDG will ensure your systems and protocols are meeting the necessary CMMC standards. Our team can help establish the cybersecurity system you need.

NIST 800-53 Compliance

What is the NIST Special Publication 800-53?

The National Institute of Standards and Technology (NIST) – a non-regulatory part of the US Department of Commerce – constructed a set of standards for all federal agencies to follow.  NIST Special Publication 800-53 is the standard which covers security and privacy controls.

The controls set out in NIST 800-53 apply to all federal information systems other than national security systems, which follow their own guidance. All federal agencies have a legal duty under FISMA to apply the NIST 800-53 controls, but the catalog can be applied to any environment to ensure a proper level of data protection.

NIST 800-53 Controls

While the controls can be divided into different categories, the overarching goal of the standard is to ensure information systems are secure and not vulnerable to cyber attacks.

The controls are selected into three baselines, low, moderate, and high, according to the impact level of the system, and the catalog itself is organized into control families. Revision 4 defines the following families (Revision 5 adds PII Processing and Transparency and Supply Chain Risk Management):

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Risk Assessment
  • Security Assessment and Authorization
  • System and Communications Protection
  • System and Information Integrity
  • System and Services Acquisition

Advantages of Complying with NIST 800-53

Complying with NIST 800-53 is legally required for all federal agencies and is the basis for FISMA compliance. External contractors and organizations that have access to federal data may not be directly required to maintain NIST 800-53 compliance, but they are strongly encouraged to do so, and contracts frequently require it. Beyond the legal angle, the NIST 800-53 controls are a well-tested catalog that can help any team secure its information systems.

These controls exist to protect data against attacks, which is an outcome all parties should be working toward. However, NIST 800-53 should not be the only security mechanism in place: the baselines are a starting point, and additional or tailored controls are required in almost all cases because each organization or agency has its own threats, vulnerabilities, and security requirements.

HIPAA Privacy and Security Compliance

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) has been in place since 1996 and, under Title II, presents the standard for securing protected health information (PHI) and other security measures.

While other Titles in HIPAA deal with issues such as insurance coverage, taxes, and group and company plans, Title II concerns the security of PHI and the nation-wide requirement of meeting compliance standards, such as those under the Privacy and Security Rules.

According to the Department of Health & Human Services, those who are legally required to meet HIPAA compliance include covered entities and their business associates. The aforementioned include, but are not limited to, health insurance companies, doctors, hospitals, and health data processors.

HIPAA Privacy and Security Compliance

As health records were digitized and providers adopted online systems and applications to increase efficiency, PHI required new privacy and security mechanisms. First, the Privacy Rule created the standards that all covered entities have to follow.

The main goal of the Privacy Rule is to protect PHI and all patient data at the national level. In order to protect said data, the Security Rule outlines the mechanisms, technical and physical safeguards, and administrative regulations that must be in place for compliance.

HIPAA Compliance

Meeting HIPAA compliance standards can look different for each entity, but, in general, the regulations focus on maintaining the confidentiality and integrity of PHI, protecting against threats to said maintenance, ensuring compliance by all involved, and working to pre-empt compliance violations.

HIPAA Violations

Failing to Meet HIPAA Compliance
HIPAA violations and failure to comply can result in complaints and potential penalties, civil and/or criminal. The repercussions are severe. If a complaint results in an investigation, civil fines can range from hundreds to millions of dollars. Criminal penalties can include not only fines but also prison time. Therefore, it is imperative that covered entities and business associates are aware of all HIPAA regulations and take all the steps necessary to meet compliance.

Meeting Every Client’s Needs
As HIPAA regulations can change and each entity has a different structure, it is important that the entity adopts procedures and policies that are best suited to its context. At CDG, we provide our clients with expert, tailored advice and ensure each client remains HIPAA compliant at all times. The above is a summary of HIPAA compliance and is not legal counsel and, therefore, we encourage you to reach out to us at CDG for more information.

GDPR Compliance

GDPR Compliance for US Companies

As the world moves towards a more encompassing digital age, an increasing number of companies collect and use customer data. Such data is protected by various regulatory requirements, which set guidelines (and, most often, strict rules) for how the data can be collected, processed, and protected. One of the most stringent legal frameworks dealing with data protection and security is the General Data Protection Regulation (GDPR).

Passed by the European Union (EU) in 2016 and in effect since 2018, the GDPR requires compliance not only by companies based in the EU, but any entity that handles the data of EU persons. Many US companies can be required to comply with the GDPR. Failing to meet the compliance requirements can have serious repercussions, which is why our team at CDG is ready to help with GDPR standards.

Data Protected by the GDPR

A US business or company will have to meet the GDPR's requirements even if it has no establishment in the EU. Offering goods or services to people in an EU member state, or monitoring their behavior (for example through tracking or profiling), triggers the regulation regardless of where the business is based. A US business that processes personal data on behalf of an EU customer will also typically be bound to GDPR obligations through its data processing agreement with that customer.

GDPR Regulatory Framework

The GDPR regulatory framework deals with the protection of personal data. Said data can include, but is not limited to, names, gender identification, physical and online location data, email addresses, home addresses, political opinions, and cookie information. Essentially, personal data is any sort of information that can identify a person. The GDPR compliance requirements are in place to ensure businesses process and store personal data in such a way that meets data protection principles of accountability, transparency, and confidentiality, among others.

Complying with the Requirements

For a US company, the first step should be to analyze whether its operations include the processing of personal data for persons in the EU. Certain companies may be required to appoint a data protection officer as well, whose duties have been delineated by the GDPR. Other aspects of compliance pertain to consent, data processing agreements and standards, and the use of appropriate tools and applications.

The GDPR has enforcement mechanisms in place that meet non-compliance with strict fines. To prevent that outcome, our experienced team at CDG will help with the creation of standards and programs that meet all compliance and regulatory needs.

CCPA Compliance

The New California Privacy Law​

California has taken substantive action to protect consumer data within the state. Passed in 2018, the California Consumer Privacy Act (CCPA) came into force on January 1, 2020 and its chief objective is the regulation of standards surrounding consumer data, privacy guidelines, and new data rights.

Many businesses must be CCPA compliant, but the regulations do not apply to all. Given the comprehensive and complex nature of the CCPA, it is vital that businesses ensure they are knowledgeable on the compliance standards and take proactive steps to be compliant. Moreover, the CCPA can be changed by lawmakers in the future, making it an evolving set of standards. Contact us at CDG for more information on the CCPA and to receive expert security guidance.

Businesses That Must Be CCPA Compliant

A business does not need to be located in California for it to have a legal duty to be CCPA compliant. The CCPA applies to a for-profit entity that does business in California and collects the personal information of California residents. As originally enacted, a business must comply if it meets one of the following criteria: it has annual gross revenue of at least $25 million, it buys, receives, or shares the personal information of at least 50,000 California consumers, households, or devices, or it earns half or more of its annual revenue from selling California consumers' personal information. The California Privacy Rights Act (CPRA), which amended the CCPA effective January 1, 2023, raised the second threshold to 100,000 consumers or households, so check the current figures when assessing applicability.

However, a business need not be CCPA compliant if every aspect of its business transaction occurs outside of California, while the Californian is not located in the state, and the resident’s data is not collected.

What is Compliance?

Consumer Data
Consumer data as described by the CCPA means personal information that identifies, relates to, or could reasonably be linked with a California resident or household. Such personal information includes names, addresses, products purchased, purchasing history, and internet activity. In order to protect consumer data, businesses must meet the compliance standards. Some of the standards cover new consumer rights, such as the right to know what personal information a business has collected and the right to have it deleted.

Detailed compliance regulations
Detailed compliance regulations include, but are not limited to, updating company privacy policies, training employees on the proper use, procedures and handling of data, using secure data inventories that are frequently updated, accounting for new user rights and preparing for consumer data requests, and ensuring database administrators have the tools necessary for the secure tracking and storing of personal information.

CCPA Violations

Violating CCPA Regulations
Currently, the California Attorney General deals with CCPA enforcement, with enforcement mechanisms in effect since July 1, 2020. The CCPA's private right of action is limited: consumers can sue a business when their personal information is exposed in a data breach caused by the business's failure to implement reasonable security practices, and such a lawsuit can result in statutory damages per consumer per incident. Other violations are enforced by the Attorney General through civil actions that can carry per-violation penalties.

CIS Top 20 Controls

What is the CIS Top 20?

Many organizations that handle consumer data are legally required to meet specific security compliance standards, but that does not apply to every organization and IT department. In order to set a standard and provide a guide, the Center for Internet Security published the CIS Critical Security Controls (henceforth referred to as the CIS Top 20).

The CIS Top 20 is a prioritized list of 20 actions and practices an organization's security team can implement to prevent or minimize the most common cyberattacks. No organization is legally bound to follow the CIS Top 20; however, the controls consist of fundamental steps that all security teams are highly encouraged to implement, in addition to or regardless of regulatory compliance. The list below reflects CIS Controls version 7; version 8, released in 2021, consolidated the set to 18 controls and dropped the basic/foundational/organizational grouping in favor of implementation groups.

The CIS Top 20 Controls

The following are the actions, as presented by the Center for Internet Security in version 7:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software
  6. Maintenance, Monitoring, and Analysis of Audit Logs
  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols, and Services
  10. Data Recovery Capabilities
  11. Secure Configuration for Network Devices
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Implement a Security Awareness and Training Program
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

The Importance of Following the CIS 20

The Center for Internet Security classifies the first six actions as basic, actions 7-16 as foundational, and 17-20 as organizational. For organizations, these 20 principles and actions should not be the only cybersecurity measures taken and they should also be adopted in keeping with legal regulations. Nonetheless, all of these measures are vital for an organization’s security framework.

For example, a single successful intrusion can expose the personal data of thousands, if not millions, of customers. That breach does not have to be devastating if the organization has followed guiding principles such as data protection (encrypting data at rest and in transit so stolen copies are unreadable), controlled access based on need to know (so one compromised account cannot reach everything), and incident response and management (a robust, rehearsed response plan lets an organization contain an attack while it is still in progress).