After watching this webinar, you will be able to:
Emily Di Nardo, CPA, CITP, HITRUST CHQP
Partner, Baker Tilly
Matt Gilbert, CISA, CRISC
Principal, Baker Tilly
Ryan Patrick, MBA, CISSP
Vice President of Adoption, HITRUST
In today’s world, the threat of cyberattacks are a growing reality for most organizations. Even if your organization is not as large a target as those that are bigger and more recognizable, your data has value and that means someone else wants it. This is true for organizations in any industry.
Organizations must tackle an ever-expanding list of regulations to prove they have a robust cybersecurity program in place for the types of data they are protecting. But how do organizations know what is enough? How do they create a cyber strategy that will withstand current and future challenges from data thieves?
Recently, Baker Tilly and HITRUST presented a webinar, “Strategy check: Evaluating your cyber program to strengthen assurance,” to help organizations better understand their programs as well as their journey to having a mature cybersecurity portfolio. Emily Di Nardo, a partner in Baker Tilly’s risk advisory practice who specializes in HITRUST, discussed these issues with Matt Gilbert, a Baker Tilly principal who focuses on Cybersecurity Maturity Model Certification (CMMC), and Ryan Patrick, HITRUST’s vice president of adoption.
Data governance is no longer just the concern of an organization’s senior management and audit committees and its regulators; now, customers and business partners are interested in what an organization is doing, Gilbert said. They are even starting to include cybersecurity behaviors and practices when making purchasing, teaming and other business decisions, and they aren’t solely looking at what’s there but also the maturity of it.
Interested parties are seeing how much the risk has risen as we share more data and are more interconnected with each other. Whether they know it or not, organizations are constantly bombarded by threats from ransomware, phishing, botnets and other ways criminals are trying to take advantage of weaknesses in their cybersecurity.
If not taken seriously, organizations face a number of risks, including reputationally, competitively, operationally and financially. That is not to mention the regulatory consequences of fines and/or sanctions. Any of these risks could cause an organization irreparable harm. In some instances, businesses haven’t been able to survive after a cyberattack.
To counter those risks, organizations should create a robust cybersecurity posture, which refers to the aspects around identification, protection, response, detection and mitigation, Di Nardo said, with the goal of protecting information and assets from unauthorized use and disclosure.
Organizations can do that by establishing a strong risk culture where every employee from the board and senior management down to staff is clear on what the organization stands for and the boundaries within which it operates. Di Nardo said an organization can start with a consistent tone from the top coupled with ongoing, targeted communications about ethics and risk management — much like a code of conduct — that emphasizes that inappropriate behavior will not be tolerated.
By setting this precedent, organizations will have an easier time when they are being audited or tested, Patrick said. Having a culture focused on risk and thinking about what could be done on a daily basis to avoid these types of problems will make going through those processes and providing assurances seamless and efficient, ultimately providing more visibility, which is what stakeholders are seeking.
That may be the first step in a cyber strategy, but often an organization’s clients and business partners want proof of its cybersecurity maturity. To communicate that maturity, an organization needs three elements: rigor, assessment confidence and transparency. The lack of any one of those elements creates uncertainty, Gilbert said.
For example, an organization’s board hires independent cyber experts (assessment confidence), who use a robust framework that has a good balance of people, process and technology elements in it, and they conduct detailed testing — not simply inquiry or cursory review — over a period of time (rigor). Management provides the cyber experts full access with nothing to hide, which means the resulting report includes sufficient detail and examples so the board can understand the organization’s exact status (transparency).
To further define the elements, Gilbert started with rigor. He said a rigorous framework or set of controls should contain an appropriate mix of cybersecurity capabilities, including people (right number in place with appropriate knowledge and skills), process (repeatable processes that produce cybersecurity outcomes), technology (adequate tools properly configured and deployed to assist in automation of cybersecurity controls) and strategy (correct funding and approach to adequately protect data and systems in place).
For assessment confidence, Gilbert said organizations should consider if those doing the assessment have the necessary credentials and independence, and whether they are covering the appropriate scope for their needs (some certifications are inadequate for the data being shared). Also, the level of detail is an important consideration, especially point-in-time concept versus period of performance (organizations shouldn’t place too much confidence in the results of one test performed at one point in time; they need to have a process in place). Other contributors to assessment confidence are the nature of the testing (design versus operating effectiveness) and the frequency in which it is being done.
Finally, transparency requires a bit of a balancing act, particularly if the organization is sharing information with a customer or a vendor is sharing it with the organization. From an operational security perspective, the organization will want to prove it has what is needed in place to protect its customer’s data without giving away proprietary information like network diagrams or IP addresses. On the other hand, the organization may not feel as confident if the company it is sharing data with provides less-than-detailed surveys, credentials or certifications.
Regardless, an organization needs to exercise some judgment. Most likely, if the organization is sharing sensitive information more often with a certain vendor than another, the level of rigor, assessment confidence and transparency is going to be different from that vendor (third party) versus one with which it isn’t sharing as much data.
In other words, all of these elements need to be calibrated according to the risk associated with the circumstances the organization is evaluating.
Organizations have a variety of options when it comes to cybersecurity maturity solutions, including self-assessments, third-party assessments, penetration testing and questionnaires, but there really is no single answer for an organization’s cybersecurity problems, Gilbert said. A combination of these can be employed, though they rarely reach the “sweet spot” without also having a full balance of rigor, transparency and assessment confidence for the risk that an organization’s situation demands.
Organizations should know what data they have and where and with whom it is being shared. They then need to be comfortable with the idea that a third party may also have access to their data, so understanding who has it and what they are doing with it becomes critically important. Furthermore, how does an organization get assurances associated with that third party and how is it conveyed that shared responsibilities are understood?
Statistically, organizations are more likely to experience a breach as a result of a third-party incident, and it doesn’t mean that instituting some kind of due diligence program or process will stop that from happening. Rather, organizations must understand what access third parties or business partners have to their data or access to their environment. Historically, that may have meant having those organizations complete questionnaires or submit self-assessments, but those are no longer enough.
Organizations should be asking for third-party attestation along with their due diligence. There has to be a clear understanding of what each party is responsible for and proof that they have the capabilities to fulfill those responsibilities.
From a standpoint of customer data being in the cloud, it is said that the customer is responsible for the security of the data in the cloud and the cloud service provider is responsible for the security of the cloud. To a point, that is accurate, Di Nardo said, adding if we look at detailed internal controls implemented to protect the customer, those controls may in fact be shared. It could be the customer owns a certain percentage and the service provider another percentage, resulting in confusion over who is responsible if an incident occurs or a system is compromised.
Organizations often encounter challenges in working with a shared responsibility model, including lack of education, misunderstandings over division of responsibilities and assumption and perception issues.
HITRUST developed a detailed shared responsibility matrix by control requirement per multiple vendors to provide high-level assurances between the parties. Cloud service providers use the framework and controls within that framework to mutually divide responsibilities with their customers. Once the responsibility is agreed upon, HITRUST has an approval process that doesn’t ask for evidence or testing. Users can request an amount of inheritance or shared responsibility from their providers, and the tool brings it into their assessment.
Using this framework, an organization’s business partners are given a comprehensive look at its environment, inclusive of where its data resides in its systems and are functioning. The “inheritance” features is provided at the control requirement level, i.e., the level of shared responsibility available with that provider. Patrick said it’s prescriptive in telling an organization what it will inherit, what it will get partial credit for or what is fully inheritable, making the assessment process more efficient because everything it needs is in the tool that HITRUST provides.
CMMC is another framework or model organizations use. Similarly, it requires organizations use a shared responsibilities matrix and, though the format is not specified, it should cover each CMMC requirement, identifying the responsibilities of the organization, the vendors and what's split between the two of them. Similarly, it gets down to a granular level, looking at how specific controls or requirements may be divvied up between a company and its vendor.
Note: HITRUST and CMMC are overlays of the NIST control families. See below for additional information on these assurance frameworks.
Many threats and risks exist is this ever-evolving cyber environment. Understanding and implementing a cybersecurity posture that fits your organization’s size and needs will be essential in helping you build a mature program. Leveraging assurance frameworks in building out the program will help guide in addressing key risks, such as third-party vendor risk.
National Institute of Standards and Technologies (NIST) published its framework after recognizing that our economy and society are being more broadly affected by cybersecurity. Its framework is voluntary, published to help businesses of all sizes better understand, manage and reduce their cyber risk, and protect their networks and data. It has published a number of frameworks, with 800-53 and 800-171 among its more common ones. Recently, NIST published 800-218, the Secure Software Development Framework, proposed as a means to assess software providers and the security of the products they're providing.
CMMC is still in development by the Department of Defense. With 80,000 government contractors serving the Defense Department, it could quickly go from not well known to widely implemented once it is finally required.
At the simplest level, HITRUST is a standards development organization that built a methodology which is now certifiable. HITRUST's mission is “assess once, report many,” meaning an organization should only have to conduct one assessment and report that out against other framework standards, regulations, etc. The goal is to ease the burden of assessments and in providing assurances by building out a framework and keeping it relevant, updating it and HITRUST’s control sets on at least an annual basis. The organization is also looking at the latest cyber threats on a quarterly basis to make requisite changes to assessment control sets if necessary to ensure assessments are protecting against the latest threats as recently as 90 days ago.