• Does Your Business Need to Comply with GDPR?

    The requirements of the European Union's General Data Protection Regulation (GDPR) for US companies that collect, maintain or process the personal data of EU citizens will be significant, and compliance is not optional. When GDPR takes effect on May 25, 2018, the European Commission will enforce the regulation around the world through the administration of major fines. ...

  • Your Vendor, Your Responsibility: 10 Key Elements for Vendor Selection Criteria

    Supplier and vendor vetting is a critical security activity that is sometimes treated lightly by even the most secure organizations. If you share client data with your vendors, it is imperative that they have at least the same level of security as your organization. Vetting activity can be performed in-house or can be outsourced ...

  • The Deadline for SP 800-171 Has Come and Gone: What to Know and Do If You Missed It

    For government contractors who deal with Controlled Unclassified Information (CUI), the deadline for compliance with DFARS 252.204.7012/NIST SP 800-171 came and went on December 31, 2017. Did you make it? The purpose of 800-171 is basically two-fold: to ensure that those who handle CUI have standardized security procedures in place, allowing the government to assess ...

  • NIST 800-53 Rev 5 Update

    Winter is Coming Reminder: The planned winter release of NIST 800-53 Revision 5, Security and Privacy Controls for Systems and Organizations, now has a date, and it is December 27, 2018. The draft version is available at https://csrc.nist.gov/News/2017/NIST-Release-First-Draft-SP-800-53-Rev-5 and the last public draft for final review is out on September 14, 2018. We recommend that you start reviewing ...


Compliance for Small Businesses

The security compliance burden is increasing for all businesses. This is driven by continuing and highly publicized security incidents such as the recent Equifax disclosure. The cost of compliance is especially onerous for small businesses that do not have the resources to meet these increasing security controls, not to mention the maintenance involved with ever-changing standards and regulatory requirements. But if you wait too long, you may find yourself unable to compete in the government and commercial sectors. The following approaches are key to small businesses attaining FISMA compliance and an Authority To Operate (ATO) from their clients at an affordable cost.

Technology

Know which technologies to invest in and which ones to avoid. Do your research and know what tools are used by other small businesses. There are lots of excellent SIEM tools out there, but when a tool costs 100K it is designed for the big boys, and the cost of the tool and the effort to implement it are far more than a small business can handle. Find out what other small businesses are using and talk to the vendors of those tools. Many of these tools were shareware at one time and for that reason are cheaper, but now they provide the required support and infrastructure to ensure they will be around for a while. Only select tools that are seasoned, as the investment in a tool is more than its initial cost and you don't want to have to reinvest in a new tool because the one you picked is no longer supported. This is why freeware and shareware are not recommended until they become proven tools that can generate enough revenue to survive.

The Assessment

Obtain security assessments from vendors that specialize in the audits you need. The more of them they do, the more efficient they are and the less impact they have on your operations. Look for references on their web sites, and look for an organization that will do its homework and have predefined checklists and requests for documentation that indicate it is coming in prepared. The on-site portion of a FISMA or HIPAA assessment does not require more than a couple of days if the company does its homework. The longer they are on site, the more they will charge and the more impact it will have on your resources.

Documentation

Start out with well-constructed and proven templates for the required security documents (policies, procedures, plans, and reports) you need. See if your assessment firm can provide these templates. Also look on government agency web sites to gather templates. Don't go online and buy any kind of policy "kits", as they are so generic that they do not add much value.

Findings

Don't just look to your assessor for a list of findings and then try to resolve them all yourself. While your assessor needs to maintain their independence, they can still provide well-informed guidance on the judicious acceptance of risks that are cost-prohibitive to remediate, based on their knowledge of what other organizations are doing. Lessons learned can save you lots of money.

Ask for Help

We can't stress enough that if you are just putting a FISMA, HIPAA or other compliance security program in place, you need assistance climbing that steep compliance curve swiftly and efficiently. You will also need assistance in establishing a cost-effective continuous monitoring program that balances risk with cost and takes advantage of new technologies. This is why getting help with the initial security program implementation makes sense. Don't reinvent the wheel; instead, reap the benefits of the experience and lessons learned of other small businesses that have already been through the process by hiring a security vendor that specializes in the needs of small businesses.