Security and Compliance in 2018
May 28, 2018 at 8:00 AM
rs=w_1280 (5).jpeg

We launched It’s Just Results in an era of accelerating technological advancement where all the rules are changing.

Technology is pervasive in our businesses. The Internet of Things is embedding itself across the enterprise. Artificial intelligence is being applied to solve problems in health and complex systems like weather. There is much good in all of this. It is exciting.

Each day we continue to hear of a breach here or there (Sears, Delta, Location Smart). A hack here or there that has reached out from the dark web again and again. It is becoming harder and harder to keep up and devise approaches to security that will ensure that the positive gains that are just at our finger tips are not lost.

We joined the fight in September 2017. We want a better world where organizations of all types each focus on improved security and collaborate to solve problems so that the digital future is secure. Risk Management and Compliance are important mechanisms and paths towards improved security.

Our zone is business and the mid-size and emerging small businesses. We work across industries including government, finance, health, technology, and manufacturing. We work across frameworks including NIST Standard Publication (SP) 800–171, NIST SP 800–53, NIST CSF, 23 NYCRR 500, ISO 27001, Federal Financial Institutions Examination Council (FFIEC), and the General Data Protection Regulation (GPDR) and wait for the next iterations. We work across supply chains.

Our job is made easier by the great companies that share this vision and are ready to implement and embrace better approaches towards security. It is also made much easier by the technology partners in the trenches creating innovations in the ability to deliver on the promise of increased security.

Now What?

We all recognize that the work continues. We can’t rest. We are on a mission.

We are also faced with several recent deadlines that have been crossed and industry members continue in their gap closure initiatives:

NIST 800–171 — The Department of Commerce’s National Institute of Standards & Technology (NIST) has developed standards for government information systems. NIST SP 800–171 provides guidance for federal agencies and their contractors to ensure that Controlled Unclassified Information (CUI) is protected. Defense Department Businesses required to attest to their compliance by December 31, 2017. No ifs or buts. If you are found in violation of compliance or attested inaccurately you are under a penalty to lose your contracts. In 2018 System Security Plans (SSPs) and Plans of Actions and Milestones (POA&Ms) may be reviewed by the Government Acquisition Authorities. Other agencies are expected to follow suit. 

More can be found here:

· https://csrc.nist.gov/

GDPR — Over in Europe privacy concerns abound. The EU General Data Protection Regulation was put into law by the EU Parliament on 14 April 2016. It established an enforcement date of 25 May 2018. If you are not compliant you will face heavy fines as Europe seeks to protect the privacy of all EU citizens by extending to all organizations who process or store personal data — regardless of where the organization is located.

More can be found here:

· European Commission's Data Protection Rules

23 NYCRR 500 — The New York State Department of Financial Services (DFS) that establishes cyber security requirements for financial services companies. The regulation draws from the NIST CSF. The regulation has been in effect since March 31st, 2017. It applies to financial services companies and their vendors. The “Covered entities” are expected to submit their first annual attestation of compliance was due on February 15, 2018.

More can be found here:

· http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

· http://www.dfs.ny.gov/about/cybersecurity_faqs.htm

These efforts and deadlines are the tip of the iceberg. Risk Management and Compliance are not the end game. Improved security and improved privacy will ensure that innovations continues and is not brought down by nefarious actors who steal assets or seek fame.

We have developed solutions and processes and tools to help companies improve security faster, at lower cost, and with greater sustainability, regardless of the compliance framework they are working to address.

2018 brings more changes in security and compliance. Our launch timing was just right so that we can play our role in helping improve security so that you can go about doing your business and solving the problems that need to be solved.