April 2022

CMMC, findings tech, iso, iso27001, iso27017, iso27018, security compliance, Vendor Risk Management

4 Reasons Why Your CISO Wants To Implement A CMMC Framework

Posted on April 12, 2022September 20, 2022 by Yogev Kimor

12
Apr

“Let’s pursue a new compliance framework just because we feel like it!” is not a phrase that you tend to hear business leaders utter excitedly. After all, making the changes necessary to comply with new compliance rules is a significant undertaking. Unless a specific legal requirement is at stake, businesses tend to embrace them slowly.

However, the Cybersecurity Maturity Model Certification (CMMC) is an exception. Although CMMC is not strictly required for most businesses, implementing it should be a priority for many CISOs today.

Indeed, a CISO’s main job is to harden cybersecurity wherever possible. Doing so requires identifying security risks, developing practices and policies to mitigate those risks, and creating regular reports that track the effectiveness of cybersecurity investments. Because the CMMC encourages these practices, pursuing CMMC compliance is an excellent way for CISOs to achieve their primary goals.

“All DoD contractors will eventually be required to obtain a CMMC certification,” as CSO Online notes, which may be another reason CISOs implement CMMC compliance. But it shouldn’t be the only one: Whether or not you need to do business with the U.S. Department of Defense, pursuing CMMC compliance is a great idea.

Four reasons to implement CMMC

You achieve several critical benefits when you invest the time and effort required to implement CMMC compliance.

1. Independent cybersecurity validation

Among the recent changes to CMMC is a new independent validation requirement for businesses with CMMC level 3 compliance. Independent validation provides a more thorough security check and vulnerability reporting than you can get from following other security guidelines, like those from NIST (which closely resembled the original version of CMMC).

Thus, CMMC is a more rigorous cybersecurity framework in many respects than anything else you can find.

2. Holistic cybersecurity best practices

CMMC is designed to encourage solid cyber hygiene for businesses of all types and industries.

It encourages a proactive cybersecurity culture (ESG benefits because it demonstrates a commitment to privacy). It facilitates education for all employees – including non-technical stakeholders – about security best practices. And it underlines the importance of managing supply chain security risks, one of the most severe categories of threats that businesses face today.

3. Increased revenue

From a purely business perspective, the additional sales opportunities that CMMC compliance opens up can lead to revenue growth.

When you achieve CMMC compliance, you can do business with U.S. government agencies that might otherwise be off-limits. This means more clients, but it often means more significant client contracts because government agencies tend to be high-value, long-term accounts.

4. Enhanced security maturity

Even in cases where clients aren’t government agencies and don’t require CMMC compliance, being CMMC compliant can nonetheless be a significant boon to business. It helps you demonstrate a commitment to cybersecurity and serves as a stamp of quality/security on the security front, which can help you close more deals and retain more clients.

The enhanced security maturity that comes with CMMC compliance can help you stay ahead of the competition, which may comply with less rigorous mandates but not with CMMC.

Here are the CMMC Compliance Requirements: Everything You Need To Know

Granted, CMMC implementation is not a simple task: It’s essential for CISOs to understand the challenges before undertaking a CMMC compliance initiative:

Process: You have to apply for CMMC compliance. That’s another task for CISOs to manage on their already full plates.
Buy-in: CISOs need to get buy-in from shareholders and management for the CMMC process. That’s important not just culturally but also because business leaders will need to play a valuable role in the CMMC application process by filing forms, tracking progress and reporting, etc.
Multiple steps: Applying for CMMC compliance is not a one-and-done affair. It usually involves multiple steps, with changes or additional information required as you progress through the process.
Maintenance: You need to keep your compliance strategy continuously updated to meet CMMC compliance requirements. That increases your time and effort even further.
Cost: For most businesses, CMMC compliance will require new tools and processes, which come at a cost. And depending on what level of CMMC compliance you need, an outside advisor may also be required.

None of these challenges should prevent businesses from pursuing a comprehensive CMMC framework to protect against cyberattacks compliance. But it’s essential to be aware of the potential objections and barriers before starting the process.

Even if CMMC compliance is technically optional for your business, there’s a good reason not to treat it as an option. Instead, CISOs should embrace CMMC implementation as an intelligent way to strengthen their business’s cybersecurity – and, in turn, open up new business opportunities.

Learn more by scheduling a demo.

aicpa soc 2, ESG, findings tech, soc 1

ESG Investing – What Green Bonds are, and why do they matter?

Posted on April 6, 2022September 20, 2022 by Ilan Lavan

06
Apr

Sustainability has become an integral part of how we do business and live our lives, and the concept of ESG investing has taken hold with investors and financiers alike. What are green bonds, and why do they matter? Read on to find out!

3 key ways green bonds improve corporate sustainability

green bonds increase access to capital for sustainable projects; green bonds help decrease reliance on fossil fuels, and green bonds help finance critical social programs. We’ll examine each of these ways in detail below.

An introduction to green bonds

Undertaking a green business venture or a project is by no means cheap. The costs of starting up an alternative energy project could run into millions of dollars. And even if you secure funding for such projects through loans or grants, those payments will add to your operating costs over time. However, governments worldwide have been easing financing concerns through what’s known as green bonds — debt securities that raise funds to support environmental-friendly endeavors. More recently, private organizations have been taking up their initiatives in making it easier for entities engaged in green initiatives to raise funds from investors. These so-called green bonds have several advantages over conventional debt offerings. You need to know about them: 1) What are Green Bonds? 2) How Do They Work? 3) Where Can You Buy Them?

The history of green bonds

The idea of a bond linked to environmental, social, or governance criteria – known as ‘green bonds’ – originated in 2003 when HSBC issued its first ecological bond in response to investor demand. This was followed by BNP Paribas with its first Corporate Sustainability Bond in 2005. Today there is greater recognition of ESG issues from governments, investors, and issuers than ever before. Green bonds have increased over recent years. In 2010, only three green bonds were issued globally; today, it is not uncommon for international financial centers like London to see two or three different green issuance rounds each week.

How is a green bond different from any other bond?

A green bond is no different from any other bond in that it is debt security – a loan – given by an organization to raise money for any purpose. However, green bonds typically have specific criteria which make them eligible for being classified as green or environmentally friendly. They tend to be used exclusively for projects with positive environmental or social impacts, whether that means energy efficiency retrofits or renewable energy generation. These bonds are commonly referred to as ESG bonds (Environmental Social Governance). An investor who wants to include more green investments in their portfolio can purchase ESGs because these securities contain safeguards against non-environmentally friendly use of proceeds. In short, if your company has borrowed money through a green bond, you must use that money only on activities with positive effects on people and the planet. This way, investors can feel good about making such investments while knowing they’re getting solid returns.

Challenges in the market for Green Bonds

The market for green bonds remains relatively small, but both public and private sector actors recognize a need to increase access to capital for climate-friendly projects. In October 2017, Sustainable Finance Lab, in conjunction with The Rockefeller Foundation, released its second Climate Finance Survey. The survey results reveal that limited capital and coordination are among the most significant barriers to scaling up investments in clean energy. One of those critical challenges has been high transaction costs, or what is often referred to as the pipeline problem. Green bond issuance data from Bloomberg New Energy Finance (BNEF) shows that transaction costs for green bonds have been more than double those of comparable rated corporate bonds since 2008. This means that investors looking to invest in low-carbon infrastructure through green bonds were paying too much due to inefficient issuance processes. As a result, some financiers had said that there was limited interest amongst potential institutional investors when investing in them.

Eager to learn more about ESG? Start your ESG journey with Findings ESG today.

findings tech, iso, iso27001, iso27017, iso27018, security compliance, Vendor Risk Management

Your Vulnerability Disclosure Policy Can Be Easier Than You Think

Posted on April 4, 2022September 20, 2022 by Yogev Kimor

04
Apr

It’s easy to recognize the importance of creating a vulnerability disclosure policy. Vulnerability disclosure policies, or VDPs, are important because they help you track vulnerabilities within your supply chain and determine how to disclose security risks that arise within the supply chain. That’s a best practice for any business, not to mention a formal requirement for companies wishing to do business with the DOD and U.S. government agencies.

It can be pretty hard, however, to figure out how to define and enforce such a policy. If you’re like many businesses, you may struggle to determine which types of vulnerabilities to disclose, how to report them, and how to integrate these rules into a policy document that your business uses as a systematic guide whenever supply chain vulnerabilities arise.

Fortunately, it’s easy enough to work past these challenges. By taking a step-by-step approach to creating a vulnerability disclosure policy, you can define and enforce disclosure rules tailored to your business’s needs with much less effort than you may imagine.

More information below on managing and building relationships with your vendors:

The insider’s guide to coordinated vulnerability disclosure

Watch below: How you can interact with vendors and suppliers – headache free

The main purpose of vulnerability disclosure

Establishing an effective vulnerability disclosure policy starts with understanding what such a policy is supposed to do.

Vendor disclosure programs have two main benefits:

Streamlined vulnerability reporting: A VDP defines who in your organization handles vulnerability reporting. This is important because many companies don’t know who the right person is to generate and distribute reports. Without a predefined reporting policy, you’re likely to end up with delays, or reports that never happen at all because no one knew who was supposed to create them.

Real-time reporting: Just as important, VDPs make it possible to react in real-time to vulnerabilities and breaches. As soon as you detect a security issue, you can report it to stakeholders or CISA, as required based on factors like which systems the incident impacts and how severe it is. The ability to disclose issues immediately and be fully transparent demonstrates a strong commitment to security on the part of your organization, which in turn helps your brand weather security events. Rapid disclosure may also be a compliance requirement for some businesses, as we’ve noted. But rapid disclosure means you need a complete view over your whole supply chain, not an easy task unless you have an automation tool to help with checking and reporting vulnerabilities.

Every VDP should be designed with these benefits in mind.

The six components of a vulnerability disclosure policy

To enable efficient, real-time vulnerability reporting, you should create a VDP in the form of a document that details six key facets of vulnerability disclosure.

1. Compliance policies

Your VDP should specify which compliance rules your business needs to meet, and which vulnerability disclosures those rules require.

The details in this section of the VDP will vary depending on your business and its compliance context. Not only do compliance requirements vary between geographies and industries, but businesses may also be exposed to different mandatory disclosure rules based on factors like the size of the business and the nature of a given breach. These are a few of the important policies you may come across ISO27001, NIST, ENISA, CMMC ISO, GDPR, HIPPA, CPPA (to name a few), and these need to be kept up-to-date with compliance rules changing every so often.

Whatever your specific requirements are, the goal of this section of your VDP should be to spell out the business’s disclosure responsibilities relative to its compliance mandates.

2. Contractual obligations

In addition to compliance mandates, your business may be required by the contracts it signs with vendors, customers or partners to disclose vulnerabilities. Thus, one section of your VDP should address contractual vulnerability disclosure obligations.

Be sure to detail in this section not just when and to whom you have to disclose security issues, but also how the disclosures should be communicated. Typically, your agreements with other businesses will specify how communication is to be maintained in this context. By including this detail in your VDP, you ensure that you can find it easily, without having to piece through contracts.

3. Supply chain obligations

If vulnerabilities arise somewhere in your supply chain as opposed to your own systems, you may need to disclose those, too. Your VDP should include a section that spells out your obligations in this regard. It should also include information about how you maintain visibility into your supply chain and determine that a vulnerability has affected it.

4. Risk management and assessment

Every vulnerability is unique, and the ability to contextualize it based on its seriousness is critical for effective disclosure. Toward this end, define within your VDP how to calculate the overall security severity of each vulnerability, as well as how this security score impacts your disclosure procedures.

If you use risk assessment tools to automate the scoring process (as you should if you want it to take place in real-time and with minimal effort on the part of your team), include that information in the VDP, too.

5. Insurance coverage

In many cases, insurance can cover at least some losses incurred due to a security issue within your supply chain. For this reason, be sure that your VDP details which security insurance you have and how it applies to disclosures.

6. Incident response plans

Disclosing vulnerabilities is one thing, mitigating is another.. Your VDP should include an overview of how your business responds to security incidents in order to ensure that they are remediated. In addition, if you’re required to keep stakeholders aware of progress toward remediation while an incident response is underway, spell out how you’ll do that within your VDP.

Take a look at how Log4j, Kaseya and other recent supply chain attacks have caused damage

How vulnerability disclosure statements optimize security

With a comprehensive VDP statement, you ensure that you are prepared to react in a way that minimizes the incident’s impact on your business, your vendors, your partners, your customers, and your supply chain in general.

In turn, you can make informed decisions about the following:

When to keep doing business with vendors who introduced a vulnerability into your supply chain
How to work with vendors to keep their risk levels low – and, by extension, keep your supply chain secure
When to switch to different vendors to lower your risk
Communicate effectively both “upstream” (meaning with your vendors and suppliers) and “downstream” (with customers and partners) when a vulnerability arises, as the image below from FIRST.org, a global organization focused on security improvements, illustrates

You can’t prevent every vulnerability or security incident. But you can prepare ahead of time to react quickly and effectively in meeting your obligations to disclose security issues when they happen – whether they stem from a vulnerability within your own IT estate or a problem that originated with another business in your supply chain.

You can make the vulnerability disclosure process even more efficient, which automates supply chain security detection and reporting.

Findings – Optimizing Supply Chain Compliance