Compliance Process Automation
We call it Compliance Manager because it helps you manage the entire compliance process from beginning to end. When you combine your IT knowledge with the workflow engine built into Compliance Manager, you have everything you need to begin offering a wide array of compliance services.
Compliance Manager is a turnkey compliance server that automates the production of mandatory compliance reports, provides ongoing remediation documentation, and manages the manual collection of required information from key stakeholders.
Because much of the network and system data you need is collected automatically, Compliance Manager is hands-down the fastest and easiest way to perform a Compliance Risk Assessment and stay compliant.
What is GDPR?
GDPR, or the General Data Protection Regulation, is a law passed by the European Union that all member states and the UK have agreed to adhere to. Any company that processes or retains the data of European citizens is subject to enforcement.
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, was passed by Congress in 1996. Since then the impact of the legislation has been keenly felt by doctors' offices and hospitals that are ill-prepared to deal with data and network security. Sadly, many HIPAA violators face fines and business repercussions (such as loss of customers) so large that they are forced to close their business in six months or less.
HIPAA MODULE KEY FEATURES:
| Feature | Included |
|---|---|
| Basic Security Rule Assessment | ✓ |
| HIPAA Evidence of Compliance reports | ✓ |
| Local data collectors for computers that cannot be scanned remotely | ✓ |
| Shows results of ePHI scan | ✓ |
| Role-based designations and assignment of tasks | ✓ |
| Enhanced Security Rule Assessment | ✓ |
| HIPAA Auditor Checklist report | ✓ |
| HIPAA Policy and Procedure Validation | ✓ |
| Internal Auditor support and view | ✓ |
| Subject Matter Expert (SME) invitation to collaborate | ✓ |
| Designed for on-going Assessments | ✓ |
| Spreadsheet-based input for rapid data entry | ✓ |
| Guidance on answering HIPAA compliance questions | ✓ |
| Automated Data Collection at Client Site | ✓ |
| Includes ePHI Validation | ✓ |
| Enterprise Version available for resale | ✓ |
| Built-in Automated Report Generation | ✓ |
| Audit Log tracks assessment activities for auditor review | ✓ |
| Administrative alerts for scan issues | ✓ |
If Your Customers Need Cyber Risk Insurance, You Need Compliance Manager.
With an alarming uptick in data breaches and ransomware in recent years, an increasing number of businesses have opted to add Cyber Risk Insurance to protect themselves from catastrophic loss.
But as the threat landscape continues to expand, many insurance companies are restricting payouts by creating more claim exceptions and exclusions. Some of these are clearly stated, while others are hidden within confusing policy applications. This leaves many policy-holders at risk of holding the short end of the stick when the insurer looks to disqualify a claim.
Cyber Insurance Manager ensures that companies with Cyber Risk Insurance actually get paid in the event of a claim by automatically verifying the accuracy of the information submitted on the original insurance application and then documenting, on an ongoing basis, that the business has used “due care” to reasonably secure its computer network against a breach.
Unlike other types of compliance, there is no official “standard” when it comes to Cyber Insurance Policies. Each underwriter creates its own unique definition of coverage and set of exclusions. These requirements are governed by application questions submitted by your customers when they apply for Cyber Insurance coverage along with the terms & conditions stated in the carrier’s insurance policy.
We have compiled the application forms from all the top cyber insurance carriers, extracted the technical requirements and built them into the Cyber Insurance Manager. You can optionally select one or more insurance carriers to create the specific “standard” to which your customer must comply. The Compliance Manager platform does the rest.
Using Cyber Insurance Manager dramatically strengthens your customer’s insurance claim by providing hard evidence and documentation of the Due Care you performed to secure the environment, a requirement under all cyber insurance policies.
More Than Just A Pay-out Safety Net.
Let’s face it. If your customer is paying good money to cover its losses in the event of a breach, the last thing he or she wants is a battle with the insurance company to collect on a claim. But the truth is, paying a little more to run Cyber Insurance Manager regularly also reduces the likelihood that your client will ever need to file a claim in the first place, since it proactively discovers and exposes vulnerabilities that you can mitigate to harden your customer’s environment against cyber security risks.
What is the NIST CSF?
The NIST Cyber Security Framework (CSF) provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber-attacks.
On February 12, 2013, President Barack Obama issued an Executive Order calling for the development of a voluntary risk-based Cyber Security Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks.
As a result, the National Institute of Standards and Technology, in collaboration with the private sector, created the NIST Cyber Security Framework (NIST CSF), which uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
Identify (ID): “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
- Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
- Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
- Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has in place the processes to identify, assess and manage supply chain risks.
Protect (PR): “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”
- Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
- Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
- Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
- Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
- Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Detect (DE): “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
- Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
- Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
Respond (RS): “Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”
- Response Planning (RS.RP): Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.
- Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
- Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
- Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
- Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Recover (RC): “Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”
- Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
- Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
The results of the scans and monitoring will help justify selling additional security measures, such as 2FA or employee security training.