
Monthly Archives: May 2022

The 7-Step Guide To CMMC Assessment

Just when you thought you were on top of CMMC compliance, CMMC 2.0 (announced by the Department of Defense in November 2021) has come along, upping the stakes for identifying and managing cybersecurity within your business. On top of that, NIST's new National Initiative for Improving Cybersecurity in Supply Chains (NIICS) adds yet another layer of compliance complication for businesses that want to work with the government. All of this means that having a streamlined process in place for meeting updated compliance mandates is more important than ever.

 

Fortunately, you don’t have to rebuild all of your compliance and assessment processes from the ground up to meet CMMC 2.0 and other new compliance needs. If you already have compliance procedures in place that address NIST standards or similar U.S. government mandates, there’s a good chance that you can expand upon them to address CMMC 2.0 compliance, too.

The challenge of CMMC assessment

Let’s be clear: CMMC assessments are challenging, no matter how streamlined your compliance program is or how much cybersecurity expertise you have in-house. Beyond the complex technical rules you have to meet, you have challenges such as:

 

  • Meeting deadlines: You can’t perform assessments on timelines you set yourself. You need to meet externally imposed deadlines.
  • Stakeholder buy-in: Assessments cost time and money. You need to convince leadership and budget owners that the assessment is worth the investment.
  • Cost of certification: Becoming certified also comes with a cost, which makes buy-in even harder to secure in some respects.

In the long run, achieving CMMC compliance is well worth it because it lets your business bid on DoD contracts that carry the requirement. But that doesn’t mean that CMMC assessment is simple or straightforward.

 


Key differences between NIST and CMMC assessment

As we noted, companies that already have compliance programs designed to meet NIST cybersecurity standards are in a good position to extend those programs to address CMMC assessment requirements, too. Both frameworks allow for self-assessment, at least in some cases, and the assessment processes are similar.

But NIST and CMMC are not identical, of course. You must understand the differences before you devise a CMMC assessment strategy based on NIST.

 

One obvious difference is who owns the rules: NIST publishes its standards (SP 800-171 among them), whereas the Department of Defense owns and enforces CMMC. Today the overlap is large. CMMC 2.0 Level 1 consists of the basic safeguarding requirements of FAR 52.204-21, Level 2 is aligned with the 110 security requirements of NIST SP 800-171, and Level 3 adds a subset of the enhanced requirements in NIST SP 800-172. But because the two are maintained by different bodies, NIST and CMMC rules could evolve in different directions in the future.

 

On top of this, under CMMC 2.0 not everyone can self-assess. Level 1 (federal contract information only) is an annual self-assessment. Level 2 (controlled unclassified information) is split: contracts involving information the DoD considers critical to national security require a triennial assessment by a certified third-party assessment organization (C3PAO), while a subset of Level 2 programs may self-assess annually. Level 3 assessments are performed by the government. So, before building a CMMC 2.0 compliance strategy based on self-assessment, check which level and which assessment type your contracts actually call for.

7 essential steps for CMMC assessments

If you determine that you can self-assess, then you can build a CMMC assessment process based on the assessment operations you already have in place for NIST or similar standards. Here’s how to do that, step-by-step.

Step 1: Set goals

Start by determining why you are performing a CMMC assessment. Is it because you are specifically required to do so as a contractor for the DoD? Or are you doing it voluntarily, as a means of assessing your cyber health? In the latter case, you have more control over the assessment process and its outcomes, because you won’t have to report to the DoD.

Step 2: Determine assessments you have completed

Identify which assessments your business has already performed and compare them against the CMMC assessment requirements. Again, there is a lot of overlap between requirements like NIST SP 800-171’s and CMMC’s, so you may be able to reuse large parts of your existing assessments rather than redoing the work.

Step 3: Perform gap analysis

Of course, there is not likely to be complete overlap between existing assessments and CMMC. You’ll need to perform a gap analysis (or hire an outside auditor for this purpose) to determine which additional data you’ll need to collect or processes you’ll have to undertake to perform CMMC assessment.

Step 4: Create or update the SSP

NIST defines the System Security Plan, or SSP, as a “formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements.” You’ll want to have an SSP in place because it serves as the basis for authorization decisions, while also providing detailed information to support processes and activities in the system development lifecycle. Thus, the SSP serves as the information foundation for your CMMC assessment operation.

Step 5: Build a plan of action and milestones

Next, form a plan of action and milestones (POA&M), the roadmap you will follow after creating your SSP. The POA&M sets out a clear course of action and the goals you plan to meet, so that employees and stakeholders know their roles in maintaining and advancing compliance. It should identify the tasks needed to secure your systems, the proposed remediation for each open risk, target dates and the employees responsible for each task. Note that CMMC 2.0 permits a POA&M only in limited circumstances and for a limited time, so treat it as a bridge to full implementation of the controls rather than a substitute for it.

Step 6: Form a remediation plan

The results of your gap analysis should form the basis for a remediation plan. The purpose of this plan is to allow you to pinpoint compliance risks to remediate, prioritize activities to fix vulnerabilities and determine the associated costs you’ll pay to become CMMC-certified. You can formulate the remediation plan yourself, or outsource it to a Managed Security Service Provider (MSSP).

Step 7: Maintain compliance and reporting

Treat CMMC assessment as an ongoing process, not a one-and-done affair. You’ll need to update your plans continuously as your risks change. Changes to your vendors or supply chains may necessitate compliance changes, too. And you’ll want to monitor for risks on an ongoing basis so that you can remediate them immediately, rather than waiting till your next assessment to discover and address problems.

Achieving a well-implemented CMMC assessment framework

When you follow the steps described above, you get a well-maintained cybersecurity program that enables CMMC certification, while also enhancing supply chain security and keeping sensitive data and intellectual property more secure. And you can do it all without having to overhaul your compliance tools or processes from scratch.

 
 


ESG companies are outperforming their peers in recent years – why?

Findings.co | supply chain | security | ESG

Higher ESG rating, higher return

Indeed the ultimate goal of any investment is to earn a maximum return. But as the focus has increased on sustainability, investors worldwide are resorting to smart investing strategies. In the current investment scenario—where environmental sustainability and corporate social responsibility are driving business decisions—investors place a great deal of emphasis on the environmental, social, and governance (ESG) rating of a company they wish to invest in.

ESG criteria are becoming increasingly popular amongst investors to evaluate the ability of companies to be stewards of nature, managers of social relationships, and trailblazers of excellent leadership. Now, ESG companies that uphold the principles of smart investing while catering to the needs of socially conscious investors are seen outperforming their peers in a big way, especially after the COVID-19 pandemic.

In 2020, the year of extreme and dramatic changes triggered by the pandemic, the median total return on equity funds of ESG companies focused on sustainability exceeded that of their peer funds by 4.3 percentage points. Funds of such companies provided better returns in almost every month of the year. Their focus on sustainability is essentially indicative of the quality of their board and management.

Low beta, high quality 

Companies with higher ESG ratings fell and rose less dramatically than those with lower ESG ratings as markets collapsed in March 2020 and recovered sharply in April. The pattern suggests that such stocks carry a low-beta, high-quality factor, and funds holding them are also less affected by volatility in the broader market.

There has been a significant rise in the popularity of ESG investing, triggered mainly by concern across the global community over climate change. Socially conscious investors, especially millennials, now consider the impact of their money when they start investing. It is crucial to understand that ESG risk is an investment risk: firms that meet ESG standards are more likely to be sustainable enterprises.

Similar trends were observed when ESG fixed-income securities were analyzed from January to September 2020. The bonds of highly rated ESG companies performed better on average than those of their lower-rated peers: bonds of companies with an A-rated ESG score lost around 0.5 percent on average over the period, compared with losses of 4.6 and 4.4 percent for the lower-rated groups.

A peek into the future

ESG and smart investing with a focus on sustainability are expected to grow. The attitude of retail investors towards sustainable investment has also been shifting. In the U.S., close to half of individual investors adopt sustainable investing. Also, 80 percent of asset-owner institutions are seen incorporating sustainability factors in their investment processes.

It is also worth noting that the Institute for Sustainable Investing found in 2019 that sustainable funds had larger market capitalizations on average and held more stocks of companies considered growth stocks. Evolving regulations also lead companies to disclose their sustainability practices, giving investors more data with which to understand ESG-related risks and growth opportunities. We can hope that the future of sustainable investing delivers on its promises and makes a positive global impact in the years to come.


ESG Investing is popular but confusing – here’s how it works


ESG investing is becoming popular as awareness grows about the impact of corporate actions on the environment, society, and governance. This article will look at how ESG Investing works and some of the benefits and drawbacks of this growing movement. What should you consider when including this type of investment in your portfolio?

What are the essential characteristics of an ESG investment strategy?

Many factors make up an ESG investment strategy. For a company to count as an ESG investment, it must be assessed on its exposure to environmental, social and governance factors. That exposure can be described by three characteristics: alignment, integration and recognition, and all three must be present for a complete ESG investment strategy. Companies that adopt these practices are better prepared in times of need; it is much easier to recover from a difficult situation when you are ready for it. Fully adopting an ESG investment strategy takes careful planning, diligence and perseverance, but done correctly it strengthens the company, increases its value over time and preserves its reputation within its community.

How do I make sure my fund managers follow an ethical approach?

The first and most basic way to make sure your fund managers take ESG into account is to ask them. As with any other question, call them up and ask whether they use sustainability metrics in their investment process. They’ll tell you, “Of course we do” (which might or might not be true), and how they answer will give you a sense of how serious they are about ESG investing. If you like what you hear and want to invest, you can have some confidence that your money isn’t funding unethical companies. But if they seem evasive, or worse, dismissive, it could mean there aren’t good incentives in place to keep fund managers accountable for their actions, which would point to an unethical culture at the fund management firm.

Why is this different from other kinds of socially responsible investing?

The social responsibility aspect of ESG investing isn’t just about environmental or social impact but may include these factors. It also aims to be financially responsible and considers an investment’s impact on other financial indicators such as price volatility, liquidity, earnings growth, operating efficiency, and capital preservation. These features are often not found in socially responsible investments as they tend to focus on issues surrounding environmental or social effects. As a result, many consider ESG to be more than just socially accountable investing — because it includes financial indicators and increased engagement with companies — while others think it is just another kind of SRI.

When did this become popular? And why should I care now?

After decades of playing second fiddle to shareholder-value investing, ESG has emerged as a star in its own right. Even though sustainability and corporate ethics are still relatively new concepts in business management, concerns about social issues have been around for thousands of years—and they show no signs of fading away. That’s why more and more investors are looking at companies through an ESG lens.

Some examples of funds in this space and their returns over time

Examples include the Newfield ESG Long/Short Fund (EQLIX), the Calvert Social Investment Strategy Fund (CSLFX) and the Vanguard FTSE Social Index Fund (VFTSX). After a rocky start, there are signs that environmentally conscious investing has been growing in popularity, with more than 150 socially responsible mutual funds and $200 billion in assets under management. Still, concerns remain about what kinds of businesses these funds hold and their role in helping companies change their behavior to better protect employees and the environment.




The Insider Guide To Coordinated Vulnerability Disclosure Programs


When you coordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for how coordinated vulnerability disclosure programs work, why they’re important and the 5 steps to creating one.

 

What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities with internal and external stakeholders whenever a vulnerability is discovered. It ensures not just that information about a known vulnerability is available, but also that response operations are as efficient as possible. Remember, though, that not every report ends in public disclosure: deciding how to react to a given vulnerability, whether to patch it, mitigate it or accept the risk, is also part of the program.

 

 

The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster and rolled out to affected applications or systems before attackers reach them, which translates to a lower risk that the vulnerability will be exploited.

Consider CVDP as a  “neighborhood watch” for your IT assets by encouraging everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.

 


 

5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, to benefit from them you need to provide secure channels through which third parties can report vulnerabilities. These can be as simple as a security.txt file (standardized in RFC 9116 and served at /.well-known/security.txt) that states where and how someone can report a vulnerability to you, including a contact address, an encryption key for sensitive reports and a link to your disclosure policy.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, and the disclosure report should carry that assessment along with the technical details of how the vulnerability is exploited. The standard way to express severity is a CVSS base score and vector alongside a plain-language description of the impact.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identified the vulnerability, together with the affected vendors, takes appropriate steps to notify users about it via all relevant channels, such as vulnerability databases, mailing lists and media reports.

The disclosure plan should also set a timeline for which information to disclose and when. In some instances you may not want to publish certain technical details right away: if a patch is not yet available, disclosing how to exploit the vulnerability hands attackers a working zero-day that defenders cannot yet prevent.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provides end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.


Crisis Management: The Missing Link In Supply Chain Security


It’s easy to treat crisis management as an afterthought within the context of supply chain security. Businesses may assume that attacks are unlikely to happen, especially if they’ve invested in risk assessment and mitigation. Just ask some of the major vendors that have been at the root of cybersecurity crises in the recent past, despite having taken breach prevention quite seriously.

What is a cybersecurity crisis management strategy?

A crisis management strategy provides a protocol for an organization to detect, contain, eradicate and recover from cybersecurity attacks as swiftly as possible; its purpose is to position the organization for minimal impact from a cybersecurity incident. The protocol reduces the stress on your executive and IT teams, and on everyone else involved in mitigating an attack, in a crisis situation.

The protocol typically covers:

  • who does what in the event of a cyber incident, and who is in charge of managing the crisis (the Cybersecurity Crisis Response Team, “Response Team” or “CCRT”);
  • which systems need to be checked for impact, and where the backups are located;
  • which partners, vendors and customers need to be notified; and
  • at what stage the Board of Directors and the media need to be addressed, and how.

For many organizations, this strategy is not only  the responsible thing to do, but may also be a compliance mandate.

 


 

But where do you start? In contrast to many other security protocols – like privacy disclosure requirements, which are usually straightforward enough – there is no predefined playbook you can follow or set of boxes you can check off, to plan for crisis management. 

It is therefore up to each organization to research and create their own set of protocols. We’ve highlighted what should be in yours below.

Supply chain security: Your crisis management plan

Step 1: Risk assessment

The first step is to identify your supply chain security risks.

Do this by assessing which regulations and legal requirements your business is bound to when it comes to cybersecurity. You should also evaluate your contractual obligations. Next, identify the vulnerabilities recorded in your supply chain security and risk management report. Do these vulnerabilities need to be reported to other vendors within your supply chain, or can they simply be patched? Finally, examine how a breach would affect your business’s operations.

The easiest way to test your mettle here is to run risk assessment questionnaires and a gap analysis; doing so gives you a score showing where your current efforts stand compared with where they should be and with industry standards.

If you find any “show-stoppers,” stop the process and fix them before moving forward, to avoid failure at a later stage.

With this insight, you can develop a plan for managing the impact.

Step 2: Formalize your security and risk management plan

Once you’ve identified the risks, document them and put them in writing, along with a plan that spells out which steps various stakeholders need to take during an incident to mitigate the risks.

Specifically, your plan should detail:

  • Whom, such as vendors, partners, customers and regulatory authorities, you need to notify about a supply chain breach, and who leads the response: name your head of cybersecurity in the plan.
  • Which processes various stakeholders – such as executive, IT and public relations teams will follow to do their part in handling the incident.
  • How you’ll maintain the necessary level of transparency (which should be defined within your Vulnerability Disclosure Program).
  • What information to disclose to the media, and how to disclose it. Not every part of every incident needs to be publicized, but you should think strategically ahead of time about how to engage with the media.

Step 3: Practice cyber drills

To ensure your crisis management plan actually works as you intend, run cyber drills, which means engaging stakeholders in responding to simulated incidents.

If you have the resources, you can hire a professional penetration testing team to create a mock incident and then test your business’s response. Alternatively, you can use your own teams to simulate a supply chain attack, with a red team playing the attacker and a blue team responding.

The more drills you practice, the better, but you should perform one drill annually at a minimum.

Step 4: Make crisis management a collective business responsibility

Next, work to ensure that everyone in the business – not just the IT team and security experts, but everyone from PR and customer relations to sales and marketing, to the C-suite and beyond – understands your supply chain crisis management plan and knows how to play their role within it.

Do this by publishing the process in a place where all stakeholders can view it. You can also ask stakeholders to explain their role in crisis management, based on the published plan.

Be sure, too, that the plan nominates someone to take the lead in crisis management unless your business already has an obvious person (such as a CISO) to take on this role.

Step 5: Leverage crisis management

Finally, to get even more buy-in for the plan and generate business value from it, educate your sales and marketing teams in particular about the investments you’ve made in crisis management.

This is important because sales and marketing teams can tout your crisis management investments when selling your products to other companies that require a high level of supply chain security and risk management. The more commitment you can demonstrate to managing supply chain risks effectively, the better positioned you’ll be to win customers who need strong supply chain security guarantees.

Winning such business is certainly not the only reason to invest in crisis management planning, but landing more customers this way can’t hurt.

 
