National Institute of Standards and Technology (NIST) Secure Password Guidelines

The National Institute of Standards and Technology, otherwise known as NIST, is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. NIST was created to promote innovation and industrial competitiveness in certain industries such as information technology, nanoscale science and technology, and engineering. NIST has been named to lead the development of appropriate technical standards for reliable, robust, trustworthy, secure, portable, and interoperable AI systems by the American AI Initiative. In June of 2017, NIST published guidelines for ideal requirements for protecting one’s digital identity.

Characteristics of Secure and Strong Passwords

According to NIST’s secure password guidelines, there are certain password factors that are recommended for better security. Some of these guidelines are:

• Minimum eight characters with a suggested maximum of 64 characters
• Ability to use special characters (e.g.?&!@)
• Restriction of repetitive or sequential characters (e.g. abcde or 1111)
• Restriction of context specific phrases (e.g. email or username)
• Restriction of commonly used passwords or passwords obtained from previous breach corpuses

The restriction of various password phrases is important since predictable passwords are likely to be guessed by hackers. Such passwords and phrases are compared against a black list of unacceptable passwords and denied if they match up to those predefined conditions. A black list usually consists of simple dictionary words, previous passwords, and specific words and phrases that tie to the organization or service.

Random Characters Do Not Equal Strong Passwords

NIST suggests strong passwords are something unique that one will remember but someone else cannot guess. Contrary to past popular belief, passwords with mixed upper and lower case letters, number and special characters are not suggested anymore but rather having complex, memorable phrases such as “house kangaroo 28 card ticket” where the phrase itself does not make sense as a sentence but can be pictured in your mind.

In addition to strong passwords, controls surrounding passwords are equally important. Even though the new guidelines rely less on length and complexity, lockout after repeated failed attempts should be set in order to prevent numerous efforts that could be signs of a hacking attempt. Another control should be password history restriction that do not let personnel use the same password as any of their previous passwords because those passwords may have been compromised.

For more information about secure password guidelines, check out the NIST website focused on information technology publications. To learn more about our risk consulting services, contact Katelyn.Crowley@freedmaxick.com, connect with me here, or call 716.362.6281.

More Insights and Guidance on Cybersecurity Issues - Click here.

Why Settle for an Un-actionable Cybersecurity Report?

Here’s the scenario….your organization’s leaders read or hear about recent cybersecurity breach in the news.  Sometimes, the breach involves a competitor or a similar business line, where the result was a damaged brand, possible fines, or even lawsuits. 

Many leaders fear that they could be the next victims of cybertheft and want to know if their business or organization is safe.  Typically, after a rigorous proposal and bid process, they’ll engage a third party to perform an independent assessment of the organization’s cybersecurity posture. The consultant conducts interviews and meetings, collects info, runs scans, and issues a report.

The Fallacies of Typical Cybersecurity Risk Assessments

A typical report includes a discussion about the background, organization’s use of technology, and the amazing assessment process they used to detect the organization’s vulnerabilities. 

And typically, the report will identify an abundance of vulnerabilities presented vis a listing of an enormous glut of data organized by server or IP address.  Sometimes the list is prioritized by a risk rating; other times the list is prioritized by IP addresses. 

After the organization’s leaders sift through the background, risk assessment procedures and 50 plus pages of findings, they’ll meet with their IT department for the “real explanation”.  At this point, IT presents their defense for why a server has so many vulnerabilities, or to confirm the expert’s risk assessment.

Most importantly, the organization’s leaders ask for an explanation of what the data in the report really means.

Read our post from our team: Cybersecurity Risk Assessment is More Than Just a Scan

What Results Leaders Want from a Cybersecurity Assessment

It is our belief that organizational leaders want to know five things:

1. “What do we do well?”

2. “What needs to be fixed?

3. “How do we measure up?”

4. “What are the recommendations to fix this?”

5. “How do we plan this year for fixing this?”

This must be conveyed to three separate audiences – executives, managers, IT staff - who will be looking for insights relevant to their responsibilities within the organization. Consequently, an Assessment Report should contain three sections:

• An Executive Summary, which is a “30 second elevator talk” explaining why the organization needs to dedicate resources to cybersecurity. The best summaries communicate this information on one “bulleted” page.

• Management Findings, that summarize detailed findings so management can create and execute an action plan, make changes and improvements, and drive results. A significant portion of the report will be dedicated to this objective.

• Detailed Findings, containing supporting information and documentation captured during the assessment that will be used by IT team members to address specific findings.

The report should include clear, understandable descriptions of the challenges and opportunities for improvements requiring attention. Each recommended improvement should be weighted and prioritized so the organization can set a path for their teams to begin work. Recommendations in the report should right sized for the organization and its capabilities.

A strategic roadmap should be included in the Assessment Report that helps the organization prioritize work over time. 

Connect with Freed Maxick’s Cybersecurity Risk Assessment Experts

Ultimately, leaders want and deserve a clear and actionable Cybersecurity Assessment Report from the consultant they hire. The Cybersecurity Team at Freed Maxick will constructively listen to your wants, needs and concerns. We’ll bring our years of experience to understanding your capabilities, and provide clear guidance and a strategic plan to prioritize and address areas of opportunity.

Our assessments are presented in the right language, using graphical representation, color and an amount of detail relevant for each type of stakeholder. We believe that this is a best practice for preparing an actionable report and plan, especially for executives.

For more information about our cybersecurity assessments and other related programs and services, please connect with us here or call us at 716.847.2651.

More Insights and Guidance on Cybersecurity Issues - Click here.

Continuing Care Retirement Communities (CCRC) Must Submit a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations

Regulation 23 NYCRR Part 500 (cybersecurity regulation) was issued by the New York State Department of Financial Services (DFS) in March of 2017. DFS stated in writing on February 28, 2018 that Continuing Care Retirement Communities (CCRC) are covered by the requirement. An effort in the Senate, proposed to amend the insurance law, in relation to authorizing CCRCs to adopt a written cybersecurity policy rather than complete the required full attestation.

The purpose of the bill was to permit CCRCs to attest to the DFS that the CCRC’s cybersecurity policies are not inconsistent with cybersecurity regulations promulgated by the superintendent. The bill was approved, unanimously, by the Insurance Committee and the Rule Committee. On December 7, 2018 the Governor vetoed the bill.

DFS’s position regarding compliance has remained constant:

All CCRCs that failed to submit the Certification but are in compliance with the regulation should do so via the DFS cybersecurity portal as soon as possible. “…The DFS Certification of Compliance is a critical governance pillar for the cybersecurity program of DFS regulated entities, and DFS takes compliance with the regulation seriously. The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.”

We interpret this to mean that any entity that has not complied with the regulation should take the necessary steps to become compliant as soon as possible.

23 NYCRR 500 Compliance: What Does the Regulation Require?

The regulation stipulates that covered entities meet the following requirements:

• Assess whether the risk assessment program adequately addresses cybersecurity risks and that the outputs from such assessments are used in the cybersecurity program
• Assess the cybersecurity policy to determine whether it adequately addresses the regulation’s
• Assess whether the cybersecurity program, based on a risk assessment, sufficiently addresses the regulation’s requirements related confidentiality, integrity and availability
• Assess the approach to addressing the regulation’s requirement for a Chief Information Security
• Assess the current business continuity and recovery plan and its ability to maintain security audit trails to determine compliance with the regulation’s
• Assess the user access provisioning and access maintenance policies, procedures and
• Assess the software acquisition, development and change management policies, procedures and controls to determine whether cybersecurity requirements are adequately
• Assess whether the organization utilizes qualified and competent personnel to develop, implement, maintain and enforce its cybersecurity program and
• Assess the third-party risk management program to determine whether it adequately addresses cybersecurity
• Determine whether the organization adequately addresses the multifactor authentication
• Assess the data retention and disposal policy, procedures and
• Assess the approach to cybersecurity training and
• Assess the approach to encrypting non-public
• Assess the quality of the incident response

When Do I Need to Comply with 23 NYCRR Part 500?

The recent actions by the Governor do not change the fact that covered entities are required to comply with the timeline as originally prescribed in the regulation. DFS has stated that attestations should be submitted “as soon as possible”.  It should also be noted that the two-year transition period ends on March 1, 2019 so all elements of Regulation 23 NYCRR part 500 will be required to be complied with under the regulation as currently written by that date. In our opinion non-compliant organizations should take these regulations seriously and ensure compliance as quickly as is reasonably possible.

What are the 23 NYCRR 500 Penalties for Non-Compliance?

The regulation does not specifically detail penalties for non-compliance. The regulation states “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws”. Absent any specific guidance it is reasonable to assume that enforcement actions could arise pursuant to the general authority of DFS under the NY Banking law, which allows the superintendent of DFS to require a regulated entity to pay a penalty “for any violation of any regulation promulgated. NY Banking law authorizes up to (1) $2,500 per day during which a violation continues (b) $15,000 per day in the event of any reckless or unsound practice or pattern of miscount, or (c) $75,000 per day in the event of a knowing and willful violation.

How Can Freed Maxick Help with 23 NYCRR 500 Compliance?

At Freed Maxick we understand that some CCRCs may be challenged to implement the full complement of security policies and procedures required by the regulation.

A Cybersecurity Assessment completed by our certified security analysts can provide an evaluation of which areas of the DFS regulations an organization currently complies with, and which areas it could improve upon and doesn’t meet. This assessment can examine the organization’s current security posture in alignment with the NIST Cybersecurity Framework (CSF), as well as the controls examined in the DFS 23 NYCRR Part 500 document.

For more information about our cybersecurity assessments and other related programs and services, please contact Sam DeLucia at 585.360.1405.

More Insights and Guidance on Cybersecurity Issues - Click here.

How to approach your company’s cybersecurity posture more holistically

The topic of cybersecurity will be top of mind for many executives in 2019 as they will have a keen interest in understanding their organization’s cybersecurity posture.  One of the first steps for securing this understanding should involve engaging in a conversation with an outside vendor who will offer an engagement to measure the organization with the intention of identifying and preventing any outside (or inside) influences from launching an attack. 

Usually, this conversation involves a discussion around the fantastic tools and team the third party has on hand, complemented by a “show and tell” presentation of scanning tools, reporting processes and deliverables, dire threats faced by the company, and for good measure, an update on “must know” buzz words that are necessary for making a sound purchase decision. Often, the reputation, name, or relationship with the third-party weighs in as well. 

If all this cybersecurity exploitation makes you confused and numb, then we suggest stepping back and approaching your organization’s cybersecurity posture more holistically.

A Cybersecurity Risk Assessment is More Than Scanning and Making Fixes

Cybersecurity involves much more than conducting scans and fixing some configurations on a network and servers.  It is the intersection of People, Processes and Technology that enables an organization to design, deploy, monitor and maintain a sound cybersecurity program.

We believe that the interaction between People, Processes and Technology within your company’s IT environment is  key to the development and overall success of a mature cybersecurity program. 

Cybersecurity Assessment: People

People represent one of the most vulnerable areas of your cybersecurity program. A well-balanced assessment should include examination of areas such as organizational structure, policy, procedures, security training and awareness, communication, tone at the top and culture.  People represent one of the most vulnerable areas of your cybersecurity program, and any complete Cybersecurity Assessment should include assessing an organization’s people and culture.

Cybersecurity Assessment: Process

The processes your organization implements to operate daily should include basic security measures and practices such as: asset management, access management, third–party IT management, patching & system maintenance, backup & restore processes, disaster recovery, physical protection of infrastructure, “acceptable use” practices, incident response, business continuity and disaster recovery plans. All of these play significant roles in a strong cybersecurity program. During the cybersecurity assessment, specific measurements should be obtained regarding the maturity of your processes, including any recommendations for process improvement.

Cybersecurity Assessment: Technology

For most cybersecurity practitioners, technology generates the most excitement.  It’s what most third party firms will offer as the mainstay of their Cybersecurity Assessment, and  usually involves a only a vulnerability assessment scan with a report listing findings..  To a seasoned cybersecurity team, this is only one small necessary area of an overall assessment, as a comprehensive analysis should also include access and network controls, wireless network controls, endpoint management, penetration testing, and web application assessments and other technical areas.

Connect with Cybersecurity Risk Assessment Experts

Too often, organizations seek out third parties to assess cybersecurity and receive a scan and a report that showcases the vendor’s lack of understanding of the organization and its business.  Most approaches don’t include information gathering, interviews, analysis, specific prioritized recommendations that are actionable for your organization’s resources.

Be wary of cybersecurity firms that lack the ability to assess your complete cybersecurity posture.

At Freed Maxick, our cybersecurity team works closely with your team to learn what you do, how you do it, understanding the entire picture, not just one area.  This is the experience that comes with 60 years of working with organizations.

For more information about our cybersecurity assessments and other related programs and services, please contact Sam DeLucia at 585.360.1405.

More Insights and Guidance on Cybersecurity Issues - Click here.

Make sure you are using the right cybersecurity test for the right purpose.

Many companies (and sometimes their cybersecurity consultants) refer to a vulnerability assessment and a penetration test as the same thing, and while they both serve to protect a networked environment, they are not. Unfortunately, the interchangeable use of these two terms blurs the lines between these two very distinct activities and can result in missed opportunities to find, repair and defend an organization against cyberattacks.

A simple way to understand the differences is that a vulnerability scan, which can be automated, searches for network issues like missing patches and outdated protocols, certificates, and services. A penetration test is a proactive attempt to actively exploit a weakness once found.

Though both a vulnerability assessment and a penetration test are individually important elements of a well-rounded cybersecurity program, they are designed with different goals.

What is a Vulnerability Assessment?

A vulnerability assessment is a scan intentionally designed to identify configurations on your systems that could possibly be exploited by an attacker. A good vulnerability assessment scan will identify all system vulnerabilities, assign a level of risk or score to each and prescribe a fix.

Many companies look to third parties to perform this assessment, and their report of findings should provide a clear understanding of what vulnerabilities exist and what needs to be fixed first. This type of assessment needs to be executed regularly to maintain network security, with attention paid when network changes like new equipment installation occurs or when new network functionality or services are added.

What is a Penetration Test?

A penetration test is a fundamental part of most required cybersecurity regulatory or compliance program requirements, like PCI compliance.

A penetration test is more complex than a vulnerability assessment, with multiple steps involved. It’s designed to identify system or network vulnerabilities that can be exploited by a hacker; and attempts to exploit those vulnerabilities and illustrate the level of risk involved by simulating a hypothetical attacker’s attempts to gain unauthorized access to critical systems or networks.

Penetration testing is a form of “ethical testing” that gives qualified and trusted cybersecurity consultants a green light to break into their client’s computers or devices to test their network’s defenses. If successful, the client gets the opportunity to shore up their network’s defenses, and even an unsuccessful attempt at a break-in holds a positive outcome, as it is an indication – although not an absolute certainty – that the organization’s defenses are secure.

Freed Maxick Cybersecurity Services

Today, companies need both vulnerability assessments and penetration testing to protect their company’s assets (and reputation), their employees, and the data they hold about their clients. In either case, having the knowledge to decide which is truly needed for your organization now and in the future, and most importantly, which service you are receiving from a vendor, is vital information for you and your company.

We can help.

Freed Maxick’s dedicated team of cybersecurity risk experts performs vulnerability assessments, penetration tests and designs comprehensive cybersecurity risk management programs. We work closely with your team through each step in our proven process to reduce any concerns or impacts and provide our industry recognized consultation.

To discuss your situation or learn more about our cybersecurity services, connect with us here, or call 716.847.2651.

More Insights and Guidance on Cybersecurity Issues - Click here.

Employee Benefit Plan data is an attractive target for cybercriminals

Today’s businesses learn more about cybersecurity every day, but it’s still a challenge to stay ahead of those who could hack their systems for fun or profit. With stories of cyber breaches reported in almost every news cycle, executives have come to appreciate the importance of protecting customer data from outside attacks. But customers aren’t the only people who share private data with businesses.

Employees submit sensitive personal information to their employers and the benefit plan managers that employers choose. The data shared can range from the same type of financial information that businesses get from customers to much more sensitive health and personal information than most companies would ever request from clients or customers. Cybersecurity efforts generally offer some benefit to every type of information a business needs to guard, but employee benefit plan (EBP) data deserves some extra attention.

EBP data is a prime target for cyber-attacks because:

• It’s almost entirely electronic,
• It’s typically maintained on multiple systems (e.g. the employer’s, the third party administrator’s, the payroll provider’s), and
• Updates are transmitted regularly among the parties.

Protecting Sensitive Employee Benefit Plan Data From a Cybersecurity Attack

Hackers can approach from a variety of directions. They can phish in the employer’s environment, attack firewalls at a plan administrator, or intercept transmissions of data passing between the parties. It’s not hard to figure out when your paydays are, or when you transmit W-2s to your employees.

With so many potential vulnerabilities, what steps can employers take to protect sensitive employee benefit plan data? Here are five strategies your organization can deploy:

1. Internal Cybersecurity Strategy – Prepare a Cybersecurity Risk Management Plan

The first step every employer needs to take to protect EBP data is to account for it in a  . Everybody lives in fear of hearing that their customers’ credit card info has been stolen and posted to the web, so they focus efforts on protecting customer transactions. Employers need to treat EBP data with the same sense of urgency and make sure that internal cybersecurity plans address specific needs in this area.  

• Point out that phishing scams can target benefit information just as easily as they target customer databases.
• Coordinate with benefit providers to train employees on how they initiate contacts. If your 401(k) provider says, “We never initiate a contact via e-mail,” your people need to be suspicious if they get an unexpected e-mail from them.
• Cybersecurity penetration tests need to include EBP systems.

2. External Cybersecurity Strategy – Have an Expert Prepare a System and Organization Control Report (SOC Report)

EBP service providers typically place a high premium on cybersecurity. They understand how attractive their systems are to hackers and how much their reputation depends on protecting client data. But how can you evaluate the effectiveness of a provider’s data security precautions?

These external service providers can hire CPAs to prepare “System and Organization Control” (SOC) reports that communicate relevant information about the effectiveness of their cybersecurity risk management programs. Employers who outsource employee benefit functions can review these reports to learn more about how a provider protects the sensitive information it receives.

3. Transmissions - Evaluate the Security of Your Communication Channels    

Don’t overlook the fact that employee benefit plan data needs to get from your protected environment to your provider’s protected environment without being hijacked along the way. Be sure to evaluate the security of your communication channels and consider options for encryption and securing shared servers.

In the event two providers share data directly (such as a payroll service transmitting data to a 401(k) provider), take time to verify that their handoffs meet your requirements.

4. Mitigation of Cybersecurity Damages – Basic Alerts

As much as businesses plan to manage cybersecurity risks, no system is invincible. For this reason, your EBP cybersecurity plan must provide for the mitigation of damages in the event of a breach. You should have some basic alerts drafted to notify affected individuals as quickly as possible, and you should consider providing benefits like credit monitoring so that employees can protect themselves before their data is used fraudulently.

5. Connect with Freed Maxick Cybersecurity Experts

In a competitive employment market, businesses need to take every step possible to make themselves attractive to potential employees and to avoid the kind of damage that an EBP breach can cause to a reputation.

If you’re wondering whether your cybersecurity risk management plan adequately covers your EBP needs, Freed Maxick can help. We have the experience to evaluate all facets of your EBP security and to help you remediate any issues that may exist.

For more information, please contact us here or call 716.847.2651.

More Insights and Guidance on Cybersecurity Issues - Click here.

Authored by: Mohan Areti and Danny Walker

As more organizations harness the power of big data and data analytics, the collection and storage of data puts organizations at great risk of cyber-attacks. Any collection of sensitive data and PII (Personally Identifiable Information) by you or your company could make you prime targets for cybersecurity attacks. Attackers are looking to steal sensitive information (SSNs, Bank Account Numbers, or Credit Card Details) or any other non-public information.

One of the most common and effective attacks, being deployed against organizations of all sizes across all industries is phishing.  Phishing is an attempt to access non-public or sensitive information through a disguised communication that appears to be from a known or reputable source (e.g. your organization’s IT department, commonly used services such as Amazon, Netflix, or FedEx.). Sophisticated attacks will even mimic your business associates or coworkers, often times requesting you to do a simple task such as review a document or check your password security. Phishing attacks generally ask the user to click on a link or attachment, at which point malware (or other software) is installed on the computer, giving the attackers a pathway to access non-public data or obtain browser information.

Types of Phishing Attacks

There are several types of phishing attacks that are currently being used to gain unauthorized access to non-public data and/or systems. Being aware of these different types can help you and your organization best protect assets and identify an attack before it harms your company:

• Deceptive phishing: Impostors mimic a legitimate internal contacts (IT departments or coworkers) or other legitimate companies (Amazon, Visa, FedEx) to make the user open a file or attachment without thinking twice about it.
• Malware-Based phishing: Distributing malwares as attachments using phishing emails. Usually malicious programs baked into pdf and word documents. You won’t know this Malware exists when you open the document.
• Key loggers and screen loggers: Records all user activity by tracking keystrokes and screenshots of the user.
• Session hijacking: Exploits compromised internet browser security, allowing the attacker able to steal cookies and active session information.
• DNS-Based phishing: By hijacking the DNS (Domain Name System), web requests are redirected to phishing websites, which seems to be identical to the actual website.
• Spear phishing: Phishing attacks designed to target specific groups of users (products, employees of company, or users groups).
• Whaling: Phishing attacks specifically targeting senior executives and board members to attain special access or sensitive information.

Phishing Prevention: How Can Your Company or Organization Avoid Becoming a Victim?

Employees are the biggest cybersecurity risk to your organization, and frankly, all of the investments made by your IT department cannot stop an attack initiated when an employee clicks on the wrong link.

Ways to avoid becoming a victim of a phishing attack include:

• Educate your team: conduct security training for all employees as vigilant employees are the best weapon against a phishing attack.  
• Deploy Social engineering services: social engineering is a “fake” phishing campaign conducted by a third party that mirrors what a real phishing campaign would look like without compromising your data or system security. You can target certain employees or groups and customize how sophisticated you want the phishing campaign to be.  
• Think twice, before you click: Train employees that when they get an email from suspicious sources with web links and downloadable attachments, they should to scan those web links before they click.
• Update your browser, antivirus and firewall: Periodically make updates and maintain latest version of all software and browsers being used.
• Implement security controls: your IT department should install and maintain the most current email filtering software and email encryption.
• Report phishing activity: employees need to be trained to report possible phishing emails to the IT department. We also recommend reporting phishing activities to an outside party, such as the Anti-Phishing Working Group (reportphishing@antiphishing.org), which consists of a group of ISPs, security vendors, financial institutions, public and private organizations and law enforcement agencies. They use these reported emails to analyze the attacks and to design preventive controls.

There is Little to No Doubt that Your Company Will be Phished

You and your organization will be attacked. There is no way to avoid it. However, there are ways to avoid becoming the victim of a successful attack to be successful. Educating yourself and your employees is the best way to stop a phishing attack in its tracks. Social Engineering services, vulnerability and penetration testing, and overall IT risk assessments can help prepare your organization to successfully handle an attack.

If your company is concerned about phishing prevention or cybersecurity, call Dave Hansen (585) 360-1481 or Danny Walker (716) 362-6274.

More Insights and Guidance on Cybersecurity Issues - Click here.

As organizations across all industries continue to increase their investment in Information Technology (IT), they’re relying more and more on IT to perform day to day operations. IT is vastly integrated into the backbone of almost every organization by assisting with, or even performing critical processes in an automated fashion. Due to the inherent dependence on information assets, funding related to IT Disaster Recovery and Business Continuity Planning has also increased.

An IT Disaster Recovery Plan (DRP) documents the procedures and processes that an organization will follow in the event that critical technologies experience an outage. The DRP enables the organization to continue performing regular operations without the technology, while getting the technology up and running as quickly as possible. By conducting a Business Impact Analysis (BIA), an organization can improve their current IT Disaster Recovery Plan or efficiently create a new one from scratch.

The 3 Steps of a Business Impact Analysis 

A Business Impact Analysis is a fundamental piece of an effective and comprehensive Disaster Recovery Plan. My recommended approach for developing a BIA is built upon the following three steps:

• Develop a Comprehensive Understanding of the IT Environment

In order for an organization to implement a holistic IT Disaster Recovery Plan, it is essential that the organization have a comprehensive understanding of the various information assets utilized to achieve the organization’s mission.

As part of the BIA, an organization is required to obtain a thorough understanding of the IT environment. This is accomplished by meeting with each individual business unit and determining which technologies are essential for them to perform their day to day responsibilities. By cataloging the entire IT environment, organizations are then able to ensure that their IT Disaster Recovery Plan properly includes every system necessary to maintain operations and achieve its goals.

As an ancillary benefit, during this portion of the exercise, an organization may discover potential cost savings by identifying unnecessary or duplicate technologies. 

• Identify the Critical Technologies and Processes

Once the organization has cataloged the technologies that make up the IT environment, they must then rank the technologies based upon criticality for achieving the organization’s mission and performing day to day operations. There are various ways to assess criticality, but it is important to ensure that the assessment is completed in manner that allows the users of the analysis to consistently compare technologies across the organization.

An organization can achieve this goal by establishing uniform criteria by which a technology is assessed. For example, an organization should determine how technologies affect day to day operations (i.e. operationally, financially, legally, etc.) and then use a qualitative means for measuring how critical the technology is to that part of operations. An example of this would be a simple scale of 1 to 5, with 1 being no effect at all, and 5 being absolutely necessary.

After all of the data from this portion of this exercise has been aggregated, the organization can qualitatively determine which technologies are the most and least critical for sustaining operations and achieving its mission. This allows them to confidently assign which technologies have a recovery priority in the event of a system outage.

• Establish Clear Recovery Time Objectives and Recovery Point Objectives

With critical technologies identified, in conjunction with business unit leads, users of the BIA will be able to easily identify appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs):

• Recovery Time Objective (RTO) – The targeted duration of time a system can be unavailable and must be restored before unacceptable impact to operations occurs.
• Recovery Point Objective (RPO) – The maximum targeted period in which data might be lost or unrecoverable due to system unavailability.

This can be easily done using the qualitative results of the BIA. The information assets that have a higher criticality score will inherently have smaller RTOs and RPOs and will need to be recovered as soon as possible. Technologies that score low and have larger RTOs and RPOs will not have to be recovered as quickly. Once these have been established, the plan can be updated to clearly establish the order for system recovery and identify how long they have for recovery before a system has negative, drastic impact on operations.

The BIA should also identify technologies and processes that have robust downtime procedures. Downtime procedures are established procedures an organization develops and executes when a technology or system experiences an outage. This allows the underlying process the technology was supporting to continue operating while the organization works to get the system back online (i.e. a fall back paper-based model). Even if a technology is identified as critical, if the organization has already implemented strong downtime procedures, it will allow the system to have a larger RTO and RPO than a similarly ranked system that does not.

Organizations of all sizes and from all industries, can benefit greatly from conducting a Business Impact Analysis. The analysis will ultimately allow the organization to identify all of the critical technologies in use, and determine the priority in which they are recovered. Having these two invaluable pieces of information could ultimately save an organization from going under in the event of an IT disaster.

Our experienced team of Risk consulting and IT consulting professionals can help.

For a complementary review of your situation and an assessment of how to bring a Business Impact Analysis into your IT Disaster Recovery Plan, contact me at Peter.Schnorr@freedmaxick.com or connect with me on LinkedIn.

More Insights and Guidance on Cybersecurity Issues - Click here.

A New Form of Assurance for the Ever Increasing Cyber Threats

Cybersecurity breaches across the country and around the world have heightened the awareness and attention of business executives, financial investors, boards of directors and the general public. With the number of breaches on the rise many experts are saying it’s a matter of when, not if, a breach will occur at any organization.

Although no one form of control can guarantee 100 percent security, a well-defined and implemented cybersecurity risk management framework will substantially reduce the likelihood of a breach.  

With the implementation of the System and Organization Control (SOC) Report for Cybersecurity, the AICPA recognized the need to help organizations report on the effectiveness of their internal controls designed to prevent, detect, and respond to cybersecurity threats. Their objective is to provide a mechanism for providing corporate directors, senior management, and other constituents of organizations information on an organization’s cybersecurity program through the use of a common reporting framework of criteria designed specifically for evaluating cybersecurity risk.  

The new SOC for Cybersecurity is designed to be a reporting mechanism for any organization, not just service organizations (i.e. organization that provide services to other organizations), which is how all other SOC reporting options are currently designed by the AICPA (SOC 1, 2, and 3 examinations). This reporting option was constructed with the mindset to provide a consistent reporting mechanism for any company looking for assurance over its cybersecurity controls.

Differences Between the SOC for Cybersecurity and the AICPA’s SOC 2 Examination Option - A Supplement, Not a Replacement

This new SOC report supplements the AIPCA’s SOC 2 reports on an organization’s controls designed to meet the Trust Services Framework, which currently does not include criteria for an organization to report on its controls specifically designed for cybersecurity risk.  

With the increased scrutiny and evaluation of third and fourth-party service provider risk as part of comprehensive vendor management programs mandated by various regulators, the SOC 2 was considered inadequate in many ways with respect to addressing cybersecurity controls. The new SOC for Cybersecurity will help organizations bridge that gap.

Other noteworthy differences  between the SOC for Cybersecurity and SOC 2 reports:

• The SOC for Cybersecurity is not restricted to service organizations and can be a reporting mechanism for any company’s cybersecurity framework. The SOC 2 is designed to report on controls over a service organization’s security, availability, processing integrity, confidentiality 
• SOC 2 reports can be issued under two types, one of which includes an evaluation of the design and operation of controls over a period of time, thus providing greater assurance to users of the report that the controls are in place and operating within a service organization’s control environment. The SOC for Cybersecurity report does not include information on control design and operating effectiveness over a period of time, potentially providing less assurance that the controls for the entity’s cybersecurity program are indeed in place and operational on a continuing basis.  
• Many organizations use third-party service providers to operate various aspects of their business, commonly resulting in reliance on those subservice providers to have controls of their own. SOC 2 reports enable a service organization to identify the controls they expect their third-party providers to have implemented and allows them to carve-out those control responsibilities from their control environment. However, the SOC for Cybersecurity does not offer an option to delegate any related control responsibilities to third-parties. Instead organizations are responsible for having all controls required to meet the cybersecurity framework requirements outlined by the AICPA.

What SOC Report Should You Consider?

Regardless if you are a user of reports or a service provider with the objective of providing your customers with some degree of assurance, chances are no single SOC report will meet all the needs of your organization.  

There are several considerations that may make one report more applicable than another, however increasing demands for greater clarity and reassurance may mean more than one report is required.

The broader needs of most user entities will largely be covered by a SOC 2 examination, including the relevant scope of services and trust service principles that relate to its commitments and requirements to customers. That said, the increased attention and focus on cybersecurity may still require completion of a separate SOC for Cybersecurity.  

As seen within the new regulation over cybersecurity issued by New York State’s Department of Financial Regulators, regulators are putting increased pressure on their constituents and adding requirements for vendor management programs to be more comprehensive, specifically to include due diligence measures that cover cybersecurity.  

And to provide the necessary assurance being sought by an organization’s leadership and investors, the SOC for Cybersecurity provides an opportunity to answer the questions being asked by so many.

If in doubt, or to learn more about SOC reporting options for your company, contact our dedicated team of professionals that focus and provide SOC services on a national basis. Click here or call Dave Hansen, Principal, at 585.360.1481 to connect.

More Insights and Guidance on Cybersecurity Issues - Click here.

If you are a third-party provider of cyber services to a “covered entity” in New York State, the Department of Financial Services just made your life harder.

The New York cybersecurity legislation that went into effect on March 1, 2017 (23 NYCRR Part 500) imposes new cyber security requirements on financial institutions, insurance agencies, and other covered entities which pass down and through to you.