Contact us at info@uzado.com

The Worst Advice We've Ever Heard About Compliance

Alix Postan

Common sense graphic.jpg

Ask anyone in the industry, and they’ll tell you they’ve heard some really bad advice when it comes to compliance.

But the absolute worst advice we’ve heard, is that “Once an auditor declares that you have met with compliance standards, there’s nothing more to do”. Unfortunately, cybersecurity is an ever-changing industry, and with that comes new, daily threats. It’s important to make sure that your company’s systems are staying current with these standards as they change. An auditor can only declare compliance at one point in time (like a snapshot), but these standards are continuously evolving – potentially rendering policies/procedures insufficient after that snapshot.                                

The Quick Fix – Compliance Management

Compliance management is simply, regular management of your company’s policies and procedures to ensure that these standards are being met. If a company is short staffed, or is overwhelmed by monitoring each standard and their ongoing changes, Compliance Management Software is the best solution. The software will be able to generate reports on these changes, highlighting most recent updates and changes. The software will also measure to what degree your company is compliant, so that you are able to make changes before being fined for non-compliance.

Uzado’s Compliance Management Software will not only show the gaps between current policies and required standards, but also provides your company with solutions to minimize these gaps.

At the end of the day, these standards are not put in place to punish companies, but rather to protect their assets and their information. The most successful companies ensure compliance to these standards, in order to protect themselves and their stakeholders.

For more information on compliance and compliance management software, download our free white paper.Why Compliance Does NOT Equal Security

Read More
Topics: Compliance Management, Operations & Compliance Management Software, Compliance

Trump Administration’s Cyber Security Strategy

Alix Postan

Donald-trump-pc-hacking-warning-emails-750618.jpg

On May 11th, President Trump finally signed an executive order for cybersecurity protocols. This new executive order updates the existing cyber security protocols and outlines the framework that will be enforced. The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, has always been preached by the Department of Homeland Security (DHS), and is now mandated that the DHS follow it as well.

Some highlights from the executive order:

  • Vulnerabilities that are not remediated, are considered to be the highest threat to the country’s cyber security;
  • Programs will have to be maintained with the most current software patches available and can only be used if the software provider continues to offer remediation tactics for that version.
  • Heads of executive departments and agencies (agency heads) will be held accountable for any and all risk management decisions. The agency heads are required to submit a risk management report to the DHS within 90 days of the order being published. In the report, the agency heads are required to explicitly outline: which risks they will be prioritizing for remediation, the necessary budget required, the remediation tactics they will use, and an explanation as to why they chose to prioritize those specific risks over others. The DHS and the Office of Management and Budget (OMB) will be reviewing each of these reports.
  • There will be a greater emphasis on cybersecurity education through specific curricula, training and apprenticeship programs from primary through higher education. This order recognizes the changing cyber environment and the United States’ need to maintain a long-term cybersecurity advantage

What does this mean for you?

As stated in Section 3(a) of the executive order, the purpose is to:

“ensure that the internet remains valuable for future generations, … to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft. Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.”

This means that the government of the United States is finally taking the same action that is required for commercial businesses; since commercial businesses are required to follow specific frameworks and compliance standard, the government is now holding its agencies to the same level of accountability.

Moreover, the education section of the executive order shows the country’s investment in cyber security, and the prioritization of this field in the economy. Also, it demonstrates the country’s progressive laws and the need to stay current in this industry.

For more information about Remediation Management, download
our free guide on A Risk-Based Approach to Vulnerability RemediationA Risk-Based Approach  to Vulnerability Remediation

If you’re a commercial business owner and are looking for Remediation Management tools, click here.

Read More
Topics: Vulnerability Management, Compliance Management, Compliance, Remediating Risks

What is HIPAA Compliance?

David Millier

HIPAA Compliance Healthcare Survey.jpgWith revisions to federal legislation around the security and storage of health information in the US, many businesses are aware that they need to ensure compliance with standards mandated in the Health Insurance Portability and Accountability Act (HIPAA). But that's left many with a big question: how do you become HIPAA compliant?

What Is HIPAA?

HIPAA is a federal legislation from 1996 that governs the security and storage of medical information in the United States. Health information is important, in some cases doctors need to share information with hospitals or other practitioners. This kind of information is also very sensitive, and the act is designed to keep patients and their medical records safe in the digital age.

What Does It Take to Be Compliant?

Businesses become HIPAA compliant when they follow the standards of practice set out in the law. With the passage of the Patient Protection and Affordable Care Act of 2010 and the subsequent rollout of changes to the US medical care program, there has been a renewed focus on HIPAA and its standards.

Any company that deals with protected health information must comply with HIPAA. To do so, the business must ensure that all required physical, network, and process security measures are in place and being followed.

Physical Security Measures

Perhaps the simplest part of being HIPAA compliant is ensuring that physical security measures are in place and followed. These requirements focus on physical access to information and the workstations they're accessible from. To be compliant, you'll need to implement workstation security. This includes policies and procedures for workstation use that identify the work to be done and how it is to be done at that station, as well as protocols around the disposal of media and equipment that may have stored health information on it. Procedures addressing how to remove information from reusable media are also required.

Network Security Measures

There are 5 requirements in HIPAA that address network and network access in order to provide more security for sensitive health information. To be HIPAA compliant, you must implement unique user identification to facilitate tracking, create an emergency access procedure, and implement audit controls to record and monitor systems and workstations that collect and store electronic health information. You must also have authentication processes in place to ensure that someone requesting access to health information is the person they claim to be.

Process Security Measures

These administrative measures are probably the most difficult to implement—and the most important. To be compliant with HIPAA, your organization must perform risk analysis and risk management to ensure it has the proper procedures in place. You must also designate HIPAA officers to monitor compliance. You must regularly audit and review use of workstations. Sanctions also need to be in place to discipline employees in breach of policy. If multiple organizations will have access to files or workstations, you need to ensure that only those who are authorized will have access to health information. You are also required to develop a contingency plan to protect sensitive health information in an emergency. You are required to evaluate your compliance and update it when necessary, and when you enter into an agreement with another business, you are responsible for ensuring that they will operate in compliance with HIPAA.

Addressable Measures

In addition to the required measures, there are also a number of items that HIPAA considers "addressable." While businesses aren't required to implement these measures to be HIPAA compliant, these additional measures provide added security for sensitive health information. These measures range from having a facility security plan to protecting your systems against malware. These items should be addressed by businesses dealing with health information—not just to be compliant with the law—but to provide more security for patients and clients.

Want to know how Uzado can help with HIPAA Compliance? Click below to request a demo:

 Request A Demo

Read More
Topics: Compliance Management, HIPAA Compliance, Security, Remediating Risks

How to Be PCI Compliant

David Millier

Everything_You_Need_to_Know_about_PCI_Compliance.jpgIf your organization is in the business of accepting credit card payments, you know you need to be compliant with the standards set out by the Payment Card Industry Security Standards Council, and you should know what’s required of you. Now it’s time for the nitty-gritty: what do you actually need to do to make sure your company is PCI compliant?

Get on the Level

PCI compliance is required by the major credit card brands, including Visa, MasterCard, and American Express. The requirements for PCI compliance depend a bit on which cards your business is accepting and how many transactions you process annually. For example, if your company processes up to 1 million Visa transactions in a year, you’d be considered a Level 4 merchant. MasterCard, on the other hand, considers organizations with the same volume of transactions as Level 3 merchants. Your level helps determine what paperwork you’ll need to submit to show compliance.

The SAQ

The next step is to determine which Self-Assessment Questionnaire (SAQ) you need to submit. The SAQs vary based on where you’re accepting payments; vendors selling in a physical store will submit a different SAQ than those selling through an online one. Different types of online stores have different SAQs. The questionnaires are labelled A through D.

Assessing Your Compliance

Once you’ve determined which SAQ you need to use, you fill out the questionnaire to assess your compliance. The SAQs contain anywhere from 14 to 347 questions, depending on the version. Some vendors also need to submit quarterly external scans and will have to select an outside organization known as an Approved Scanning Vendor (ASV) to complete the scans. Organizations are required to submit “clean” scans, which means the scans are free of failing vulnerabilities. Once this is all finished, you submit the paperwork to verify that your business is PCI compliant. Many organizations will choose to perform scans earlier than the end of the quarter so that they have time to fix any vulnerabilities and perform necessary rescans.

What It Takes

Any merchant who wants to accept payment by MasterCard, Visa, American Express, or another major credit card will need to be PCI compliant. There are 12 core components in the latest version of the Data Security Standard, which include maintaining a secure network, monitoring and testing systems, implementing strong access controls, maintaining information security policies and vulnerability management systems, and protecting cardholder data. Each of the objectives can be broken down into smaller steps that make it easier for businesses to see what they need to do to ensure PCI compliance.

How Compliance Can Be Made Easier

Many of the businesses that need to be PCI compliant are small merchants—local shops and independent retailers—not just the big chains. Many e-tailers, especially smaller businesses that have their store set up through third parties, will need to submit quarterly scans and engage an ASV. Even large retailers may find the demands of compliance enormous, especially as they’re required to submit scans and answer lengthy questionnaires. Small retailers will find it difficult to meet the demands of compliance, either due to labour constraints or the costs associated with it. 

One way businesses can ease the compliance burden is by using compliance management software. These programs are designed to monitor not only changes in legislation and standards, but also your systems and processes to ensure your organization is always compliant. Small businesses especially will find this useful, as the program can help monitor systems. Adding a vulnerability management system, as well can identify ways that processes can be improved.

Want help to be PCI Compliant? 

 Request A Demo

Read More
Topics: Compliance Management, Compliance