Category Archives: soc 1

aicpa soc 2, CMMC, iso, iso27001, iso27017, iso27018, security compliance, soc 1, Supply Chain Security

A CISO’s VDP Security Roadmap, Step-by-Step

Posted on by Yogev Kimor
Findings-VDP Roadmap
05
Sep

When it comes to cybersecurity, discovering vulnerabilities is often the easy part. What tends to be challenging is figuring out where to disclose vulnerabilities once you’ve discovered them.

If someone inside your business or supply chain discovers a vulnerability but fails to report it to the people who need to know about it, the vulnerability may as well not have been discovered at all. It’s only by disclosing and reporting vulnerabilities that stakeholders can remediate them, while also taking steps to avoid falling victim to them until their root cause is addressed.

That’s why establishing vulnerability disclosure programs and policies is critical to cybersecurity success – not to mention the overall health of your business. Setting up a VDP places you ahead of competitors who lack one. It also sends a clear message to vendors, customers, partners, employees and other stakeholders that you take cybersecurity seriously and operate with transparency when you discover vulnerabilities. And it establishes clear policies, robust communication channels and backend processes that help you resolve vulnerabilities and risks quickly.

 

 

But how do you actually create a security VDP initiative? What goes into a VDP, and how do you ensure your VDP application covers all security requirements? Keep reading for answers to those questions as we walk through the five major components of a VDP “roadmap” that can support teams and project managers when it comes to disclosing and reporting on vulnerabilities and ensuring they get back to the Cybersecurity Infrastructure and Security Agency (CISA). CISA which plays a leading role in managing vulnerabilities (and which has also, incidentally, developed a new VDP platform because it recognizes how crucial – and challenging – effective VDP security can be).

 

VDP security step 1: Outline your goals

Creating a VDP to reinforce your security strategy starts with determining exactly what you hope to get out of your VDP.

Ask questions such as:

  • What is the driving factor for your VDP? Having a clear VDP program is essential if you want to work with US officials. Do you want to promote increased security, improve coordination between teams, increase vulnerability visibility or something else? While VDP security operations can do all of these things, you may choose to prioritize one of them in particular.
  • What are your main VDP pain points? What’s currently getting in the way of vulnerability disclosure? Is it a lack of employee education or lack of communication channels, for instance?
  • What role does your VDP play in your overall business? VDPs don’t just serve security purposes. They can also help you achieve business goals by developing a unique selling proposition..

Once you know your main VDP security goals, you can build and use a VDP application tailored to them.

 

VDP security step 2: Assign responsibilities, develop policies

To start building your program, you need to map responsibilities to stakeholders, then establish policies that define who does what within the context of vulnerability disclosure. CISA offers a template that may be helpful for this purpose.

Identify, for starters, who needs to be aware of the program and who needs to participate in it. Then go deeper by defining specific responsibilities for collecting, analyzing and reporting on vulnerabilities.

Outline as well which security policies your vendors need to adhere to, and how you’ll keep those policies up-to-date. And determine whether vulnerability disclosers will be allowed to remain anonymous. An anonymous disclosure does not make the disclosure any less important. A researcher may simply not want their name on any of the disclosure notes.

Ultimately, your goal during this step should be to lay the groundwork for a community that helps itself with vulnerability disclosure and management. 

 

VDP security step 3: Integrate VDP into your processes

Vulnerability disclosure processes shouldn’t exist in a silo. Instead, they should be integrated into your routine business operations, and your VDP policies map should reflect this.

For example, your VDP should outline how software development, testing and deployment operations interface with VDP reporting requirements. It should also define exactly which tests should be run in an effort to discover vulnerabilities.

By establishing these processes, you not only gain efficiency when it comes to managing vulnerabilities. You also set clear guidelines that employees, researchers and vendors should follow to ensure that all vulnerabilities are discovered and disclosed effectively. You should give CISOs and researchers enough scope so that they can provide valuable feedback, but not so much scope that your team can’t keep up with the incoming reports. 

These policies may also help to drive VDP automation by making it possible to automate VDP discovery and reporting within the context of routine business operations. Education is key across the organization and a security culture needs to be embedded into the fabric of your business. 

 

VDP security step 4: Evaluate vendors

Once you’ve determined which VDP policies your business needs to meet, it’s time to evaluate your vendors and perform due diligence to confirm that they align with your requirements.

Rank your vendors according to their overall security postures. You can sort them into three categories: High security, medium security or low security.

From there, choose which vendors require more monitoring, and which pose such security risks that you can’t work with them. You should also highlight vendors with excellent security records, since you may want to target them for long-term partnerships.

To validate your vendor assessments, collect documentation, including the frameworks and security rules that the vendors adhere to internally. Keep these documents secure and update them periodically because they may change.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

VDP security step 5: Continuously monitor and audit VDP compliance

After rolling out your VDP policies and vetting vendors, you need to monitor, measure and audit continuously to ensure that stakeholders continue to follow the guidelines. Your goal here is to ensure that everyone – including internal users like your employees, as well as vendors and other external parties – remain in compliance with VDP policies you establish.

To make this process efficient, you’ll want to automate it as much as possible. Automation also ensures that you can scale your business as VDP requirements grow continuously more complex, and as you integrate more vendors and other stakeholders into your operations.

 

With VDP, everyone wins (except the bad folks)

Establishing clear, transparent and actionable VDP rules is a win-win for everyone (except, of course, the threat actors who want to exploit vulnerabilities). It lays the foundation for effective collaboration while also strengthening relationships with both internal and external stakeholders. And it facilitates the fast resolution of vulnerabilities and breaches by getting vulnerability data to organizations like CISA as rapidly as possible.

Findings bakes VDP into  their platform, making VDP security an effortless operation. With Findings, you can both discover and report on vulnerabilities across your business’s supply chain. Findings bakes the “switch” for vulnerability disclosure directly into your business operations, making your VDP processes efficient, scalable and all-encompassing.

 

Learn more by signing up for a Findings demo.

aicpa soc 2, CMMC, iso, iso27001, iso27017, iso27018, security compliance, soc 1, Supply Chain Security

Our Take on Gartner’s Latest Supply Chain Compliance Advice

Posted on by Yogev Kimor
our take on supply chain compliance
01
Sep

Going forward, businesses need a new strategy for vetting and monitoring the compliance of their suppliers. But don’t just take our word for it. These are among the takeaways from Gartner’s latest guidance on supply chain compliance and management

 

Gartner highlights why conventional supplier onboarding methods no longer work as businesses need to onboard suppliers quickly, while also ensuring that suppliers meet their compliance requirements.

 

The global supply chain compliance crisis

You probably already know that supply chains are under stress, to put mildly. Gartner points to a couple of main reasons why:

 

  • Businesses are increasingly working with suppliers from new geographic regions, where compliance norms may be different. This complicates onboarding and requires a deeper level of compliance inspection.
  • Organizations often need to add vendors quickly in order to keep their supply chains moving. Yet, without a fast onboarding process, integrating suppliers is time-consuming, which increases the stress placed on supply chains.
  • We’d also add, that issues like global sanctions, which have become especially pronounced as a result of the ongoing Ukraine-Russia war, add even more complexity to vendor onboarding. 

 

We agree wholeheartedly that these are among the key reasons why supply chain compliance and management have become so challenging for the typical business today.

Today, you have to worry not only about whether your vendors meet standard compliance rules, but also about potential sanctions that are subject to constant change. This adds yet more unpredictability and complexity to the onboarding process.

Add to that the surge in supply chain cyber security risks, and it’s no exaggeration to say that operating efficient, compliant supply chains has never been tougher than it is at present.

 

How to streamline supply chain compliance

Gartner suggests three main strategies for addressing the supply chain compliance challenges that businesses currently face.

 

1. Create a playbook for vetting vendors

First, Gartner recommends creating a “playbook that grades each third party’s threat level to determine who gets more attention from the business and compliance.”

 

The idea here is that you can develop preset policies to analyze vendors rapidly during and after the onboarding process. Your policies should reflect information like which risks have impacted your business in the past and how closely a given vendor matches the risk profile of other vendors who have posed challenges.

 

We love this idea not only because it helps businesses to be proactive in their approach to vendor compliance, but also because it lays the groundwork for compliance automation. Playbooks make it possible to implement vendor compliance validation automatically within a security platform, which could sort vendors into high-risk, medium-risk and low-risk categories

This may be of interest to you:

 A CISO’s VDP security roadmap based on criteria defined in the playbooks

2. Automate supply chain compliance

The piece quotes Chris Audet, Senior Director of Research at Gartner, who says, “Compliance leaders must move quickly to onboard third parties and effectively monitor for risks, but many of their traditional methods won’t cut it.”

 

The way to move quickly and monitor for risks comprehensively is to automate risk detection. Automation can help you collect the information you need to make good decisions about vendor risks. It can also automatically flag risks with the help of advanced analytics, and it can help you keep up-to-date as vendor profiles change. In all of these ways, automation helps businesses to complete vendor onboarding quickly, even if they have an increasing number of vendors to vet and face increasing complexity due to new compliance mandates, new sanctions rules or diverse vendor geographies.

 

3. Streamline upfront due diligence

As another way to speed up onboarding, Gartner advises businesses to “streamline due diligence to focus on critical risks.” It suggests doing this by reducing the number of questions you ask vendors to answer manually. Focus validation around critical risk areas, Gartner suggests, rather than asking a large number of questions that may not be relevant for every vendor.

 

We agree. We’d add, though, that it’s important to leverage automation wherever possible to collect as much data as you can about supplier insurance, safety, environment and sustainability initiatives, legal and financial data and any other information that can be helpful for gaining a 360-degree view of your suppliers and sub-suppliers. With automation, it’s possible to onboard rapidly without compromising on your visibility into supply chain compliance.

 

Bonus advice: Establish a compliance-focused company culture

We think Gartner did a great job of capturing much of what it takes to achieve supply chain compliance. But we’d suggest another strategy that Gartner hasn’t mentioned: Building a compliance-centric culture.

 

A compliance-centric culture is one that maximizes collaboration and communication related to compliance. It aligns compliance with vendor expectations, and it allows all stakeholders – both internal and external ones – to share information rapidly in order to manage compliance and supply chain cyber security risks.


Findings helps you to build this culture by providing a platform that anyone can use to raise compliance flags automatically. With Findings, you get holistic compliance that protects your entire supply chain, while also benefiting from automations that allow you to onboard vendors rapidly.

 

Learn more about how Findings can help you to streamline your compliance.

 

aicpa soc 2, CMMC, iso, iso27001, iso27017, iso27018, security compliance, soc 1, Supply Chain Security

Top 5 Reasons Why CMMC Security Will Be Good For Your Business

Posted on by Yogev Kimor
Top 5 Reasons why CMMC Security will be good
13
Jun

Keeping up to date on the changing CMMC security requirements may seem like a hassle that’s only worth undertaking if you do business with the Department of Defense. But in reality, meeting the new CMMC compliance mandates is a great way to make your business more secure and agile.

That’s why, even if you aren’t a DoD contractor, the CMMC security updates can be beneficial to your business. Keep reading for an overview of what to know about the new CMMC Framework and how to meet it in a way that benefits your business.

Read here how to meet the CMMC compliance challenge head on 

How CMMC is changing

By May 2023, the DoD expects to implement CMMC 2.0, at least in interim form.

Among other changes, CMMC 2.0 reduces the number of compliance “levels” from five to three. This is a major benefit to businesses that need to meet CMMC security mandates because it simplifies the process of choosing which compliance path to follow and adhering to its associated rules. The 3 levels are:

  • Level 1 (Foundational)

This level must match the 15 controls of FAR52.204-21 “basic” controls to protect

Federal Contract Information. Certification is required annually. It is possible for your

organization to self-assess. This is similar to the previous model in CMMC 1.0.

  • Level 2 (Advanced): 

This level is comparable to CMMC 1.0 level 3. Its requirements mirror NIST SP 800-71, which includes 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect sensitive information. The 20 requirements of CMMC 1.0 level 3 compliance have been dropped.

  • Level 3 (Expert)

Under this CMMC 2.0 assessment level, which is comparable to CMMC 1.0 level 5, businesses will require government-led assessments. The focus is on reducing Advanced Persistent Threats (APTs) that could lead to data exfiltration or compromised applications. Besides the 110 controls that are required for the new Level 2 certification, the NIST’s SP 800-172 is required for Level 3 certification.

5 great reasons to choose CMMC compliance

Some businesses will need to meet CMMC compliance requirements because they sell to the DoD, and CMMC 2.0 is a mandate. But even if that is not the case, there are great reasons to become CMMC-compliant.

1. Overall CMMC security protection

Implementing security controls using CMMC 2.0 levels is a great way to maximize your overall security posture. It will help to protect sensitive information within your organization and increase the security of your supply chain.

2. Tailor cyber hygiene to your business

CMMC uses maturity processes and cybersecurity best practices from multiple frameworks as its foundation. And, because CMMC security offers different compliance levels, it’s an excellent framework to follow if you want a cybersecurity plan tailored to your business. Not every organization faces the same level of threats or the same level of data sensitivity. With CMMC, you can establish cyber hygiene policies, such as vulnerability disclosure programs, that reflect your organization’s particular needs. 

3. Prepare for upcoming regulatory changes

As we’ve noted, there is a lot of overlap between the CMMC security requirements and other compliance standards, like those developed by NIST. Thus, by becoming CMMC-complaint, you prepare your business to meet similar compliance mandates that may be rolled out in the future.

4. Validate your cybersecurity from the outside

CMMC assessment is a great way to determine how well your business meets security mandates. This can be done not only by internal stakeholders, who are not objective observers, but by outsiders who understand how risks can flow through supply chains and what it takes to build a strong cybersecurity culture within an organization.

5. Winning additional contracts

The higher your level of cyber security, the more competitive you’ll be. Supply chain security is increasingly viewed as a necessity rather than a nice-to-have. Businesses that fail to prioritize security risk losing contracts and relationships with key enterprises.  Additionally, coordinated vulnerability disclosure programs that are apart of the CMMC security framework, help to build trust and positive cooperation across the supply chain.

Here’s Why Your CISO Wants To Implement A CMMC Framework

The future of supply chain security

As you assess what the CMMC security changes mean for your business, don’t think merely in terms of whether you are specifically required to undergo CMMC assessments. Instead, think about how increasing awareness of cybersecurity and building a stronger cyber culture within your organization will pay dividends now and in the future, regardless of your specific CMMC compliance requirements.

After all, security is always changing, and compliance frameworks like the CMMC change with it. Keeping pace with changing requirements is a good way to encourage accountability across your supply chain and enforce strong cyber hygiene standards.

Indeed, it’s a safe bet that, going forward, cyber security requirements will become tighter, not looser. Embrace the trend now by using frameworks like the CMMC to supercharge your cyber hygiene and disclosure programs, rather than waiting until a specific mandates is handed down that affects you.

Schedule a call to learn more

aicpa soc 2, soc 1, Supply Chain Security

How Supply Chain Cyber Security Threats Impact Stock Value

Posted on by Yogev Kimor
How supply chain cyber security Threats Impact Stock Value
07
Jun

The most obvious types of fallout from supply chain cyber security threats are the impact on regulatory compliance or the damage to a business’s reputation. 

 

But here’s another major consequence of supply chain security attacks that keep occurring despite dogged efforts to stop them: Losses on the stock market. When businesses are affected by supply chain cyber security threats – even if the threats originate from an external vendor, rather than the business’s own systems – their stock price usually takes a major hit.

 

Here’s why supply chain cyber security threats can wreak such havoc on stocks, and what to do to protect your business from watching its market value plummet due to supply chain vulnerabilities. Your goals should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.

 

More resources  below to keep your supply chain secure:

Take a look at how Vulnerability disclosure programs can help secure your business

&

Watch here to understand how to give your supply chain monitoring the advantage it needs.

How supply chain security threats impact stock value

When a supply chain breach occurs, you’re at risk of losing share price for a variety of reasons.

 

Probably the most obvious is the hit you’ll take to your company’s reputation. Again, even if the breach originated in a third-party product, investors may still question your commitment to security, given that you were unable to detect and mitigate the breach quickly enough to prevent it from harming the organization.

 

Regulatory fines, too, could follow supply chain breaches if the breach leads to loss of regulated data. Those fines will impact quarterly earnings reports,that investors use to decide whether to buy or sell stock in your company.

 

In more extreme cases, supply chain security threats may become vectors that allow threat actors to take control of your systems. In turn, attackers could take actions like publishing fake news through your media channels or inject false price quotes into data feeds. Such activity may breed a sense among investors that you’ve totally lost control of your business operations, leading to a dramatic fall in market value.

 

Types of supply chain cyber security threats against stock markets

As the following image shows, supply chain breaches can target both suppliers and customers.

Proposed taxonomy for supply chain attacks

Either way, the fallout from a stock market perspective is likely to be negative for the companies involved. Any type of supply chain attack – from malware infection, to brute-force attacks, to vulnerability exploits and beyond – can undercut a business’s reputation among investors and lead to swift sell-off – which brings down stock prices.

Stock losses resulting from supply chain attacks

 

The risk we’re describing here is not just theoretical. Here are some of the most recent major supply chain cyber threat exploits. You’ll notice that they led to significant loss of company value on the stock market.

Nvidia cyber attack

When Nvidia was attacked by a ransomware group called Lapsus$, Reuters reported that Nvidia’s schematics, drivers, firmware and other sensitive intellectual property may have been compromised. The credentials of 71 000 employees were leaked, after which Lapsus$ made this information available to other hacking communities. The result was an immediate drop in Nvidia’s stock price by 7%. Although the drop was modest, and the stock quickly recovered, it was still a clear example of how supply chain cyber security threats can hamper stock value.

Mimecast  breach

Mimecast is an email security and cyber resiliance platform. When the news was released in January 2021 that they had been hit by supply chain cyber security threats, this upset shareholders trust in the stock.  

 

Mimecast stock lost more than 12 percent of its value following the disclosure of a compromised certificate. Moreover, because about 10 percent of the company’s customers were using the compromised certificate, this supply chain attack likely also impacted other businesses.

 

The Chief Information Security Officer, Terence Jackson at Thycotic, a Washington, D.C. based provider of privileged access management (PAM) solutions said,”The certificates that were compromised were used by Mimecast email security products.  These products access customers’ Microsoft 365 exchange servers in order for them to provide security services (backup, spam, and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications.”

SolarWinds attack

The SolarWinds supply chain breach, in which attackers injected malware into SolarWinds’s source code, was associated with a huge selloff that took place just days before the breach was publicly disclosed. 

 

While it has not yet been proven that the 35 investors who sold their stock right before public disclosure had insider knowledge of the breach, the timing of the selloff doesn’t seem to be coincidental.

 

Assuming it wasn’t, this is also an example of how a supply chain attack can trigger a major loss of stock value.

Staying on top of supply chain cyber security threats

 

Once a supply chain attack takes place, the damage to market value is done. The best way to contain supply chain cyber security threats, then, is to be proactive, so you can address risks before they turn into active breaches.

 

Start by gaining full visibility into your supply chain. This is the only way to know which vulnerabilities may impact you.

 

Then, take preventative measures – like application controls and network segmentation – that reduce the likelihood or mitigate the impact of cyber security incidents.

 

You should also educate your employees and partners about cyber security, and make it clear that finding and containing supply chain cyber security threats is a top priority.

 

Finally, have a crisis management plan for your supply chain security in place so that you can react swiftly if an attack does occur. Although managing your response won’t prevent all financial harm, it can reduce the total damage.

Supply chain cyber security threats aren’t bad just for your users or your IT team. They also pose a serious risk to your business’s market value. To prevent major financial losses, it’s critical to have a supply chain threat detection and mitigation solution in place.

 

Learn how Findings can help your business stay ahead of supply chain cyber security threats

 

aicpa soc 2, CMMC, iso, iso27001, iso27017, iso27018, soc 1

The 7-Step Guide To CMMC Assessment

Posted on by Yogev Kimor
7 Step Guide to CMMC Assessment
24
May

Just when you thought you were on top of CMMC compliance, CMMC 2.0 has come along, upping the stakes for identifying and managing cybersecurity within your business. On top of that, the new National Initiative for Improving Cybersecurity in Supply Chains (NIICS) adds yet another layer of compliance complication for businesses that want to do business with the government. All of this means that having a streamlined process in place for meeting updated compliance mandates is more important than ever.

 

Fortunately, you don’t have to rebuild all of your compliance and assessment processes from the ground up to meet CMMC 2.0 and other new compliance needs. If you already have compliance procedures in place that address NIST standards or similar U.S. government mandates, there’s a good chance that you can expand upon them to address CMMC 2.0 compliance, too.

The challenge of CMMC assessment

Let’s be clear: CMMC assessments are challenging, no matter how streamlined your compliance program is or how much cybersecurity expertise you have in-house. Beyond the complex technical rules you have to meet, you have challenges such as:

 

  • Meeting deadlines: You can’t perform assessments according to timelines you create. You need to meet externally imposed deadlines.
  • Shareholder buy-in: Assessments cost time and money. You need to convince shareholders that the assessment is worth the investment.
  • Cost of certification: Becoming certified, too, comes with a cost, which makes it even harder in some respects to get buy-in.

In the long run, achieving CMMC compliance is well worth it because it allows your business to do business with the DoD. But that doesn’t mean that CMMC assessment is simple or straightforward.

 

Here’s 4 Reasons Why Your CISO Wants To Implement A CMMC Framework

Key differences between NIST and CMMC assessment

As we noted, companies that already have compliance programs designed to meet NIST cybersecurity standards are in a good position to extend upon those programs to address CMMC assessment requirements, too. Both frameworks allow for self-assessments, at least in some cases, and the assessment processes are similar.

But NIST and CMMC are not identical, of course. You must understand the differences before you devise a CMMC assessment strategy based on NIST.

 

One obvious difference is that NIST requirements are developed by the National Institute of Standards and Technology, whereas the Department of Defense oversees CMMC compliance requirements. This means that NIST and CMMC rules could evolve in different directions in the future, even though there is some overlap today.

 

On top of this, under the CMMC framework, not everyone can self-assess. Third-party assessments are required for businesses that manage data that the DoD considers critical to national defense. So, before building a CMMC 2.0 compliance strategy based on self-assessment, be sure you’re actually eligible to self-assess.

7 essential steps for CMMC assessments

If you determine that you can self-assess, then you can build a CMMC assessment process based on the assessment operations you already have in place for NIST or similar standards. Here’s how to do that, step-by-step.

Step 1: Set goals

Start by determining why you are performing a CMMC assessment. Is it because you are specifically required to do so as a contractor for the DoD? Or are you doing it voluntarily, as a means of assessing your cyber health? In the latter case, you have more control over the assessment process and its outcomes, because you won’t have to report to the DoD.

Step 2: Determine assessments you have completed

Identify which assessments your business has already performed, and compare those assessments to CMMC assessment requirements. Again, there is a lot of overlap between requirements like NIST’s and CMMC’s, so you may be able to duplicate large parts of your existing assessments.

Step 3: Perform gap analysis

Of course, there is not likely to be complete overlap between existing assessments and CMMC. You’ll need to perform a gap analysis (or hire an outside auditor for this purpose) to determine which additional data you’ll need to collect or processes you’ll have to undertake to perform CMMC assessment.

Step 4: Create or update the SSP

NIST defines the System Security Plan, or SSP, as a “formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements.” You’ll want to have an SSP in place because it serves as the basis for authorization decisions, while also providing detailed information to support processes and activities in the system development lifecycle. Thus, the SSP serves as the information foundation for your CMMC assessment operation.

Step 5: Build a plan of action and milestones

Next, form a plan of action and milestones (POA&M), which is the roadmap you plan to follow after creating your SSP. The POA&M defines a clear course of action to take and goals you plan to meet to ensure that employees and stakeholders know their roles in keeping and advancing compliance goals. Your POA&M should identify the tasks that need to be completed to secure your systems, proposed remediations for risks and which employees will perform which tasks.

Step 6: Form a remediation plan

The results of your gap analysis should form the basis for a remediation plan. The purpose of this plan is to allow you to pinpoint compliance risks to remediate, prioritize activities to fix vulnerabilities and determine the associated costs you’ll pay to become CMMC-certified. You can formulate the remediation plan yourself, or outsource it to a Managed Security Service Provider (MSSP).

Step 7: Maintain compliance and reporting

Treat CMMC assessment as an ongoing process, not a one-and-done affair. You’ll need to update your plans continuously as your risks change. Changes to your vendors or supply chains may necessitate compliance changes, too. And you’ll want to monitor for risks on an ongoing basis so that you can remediate them immediately, rather than waiting till your next assessment to discover and address problems.

Achieving a well-implemented CMMC assessment framework

When you follow the steps described above, you get a well-maintained cybersecurity program that enables CMMC certification, while also enhancing supply chain security and keeping sensitive data and intellectual property more secure. And you can do it all without having to overhaul your compliance tools or processes from scratch.

 
 

Learn more about becoming CMMC compliant

aicpa soc 2, ESG, findings tech, soc 1

ESG companies are outperforming their peers in recent years – why?

Posted on by Ilan Lavan
Findings.co | supply chain | security | ESG
19
May

Higher ESG rating, higher return

Indeed the ultimate goal of any investment is to earn a maximum return. But as the focus has increased on sustainability, investors worldwide are resorting to smart investing strategies. In the current investment scenario—where environmental sustainability and corporate social responsibility are driving business decisions—investors place a great deal of emphasis on the environmental, social, and governance (ESG) rating of a company they wish to invest in.

Take a look how to easily automate, monitor and assess your ESG posture:

ESG criteria are becoming increasingly popular amongst investors to evaluate the ability of companies to be stewards of nature, managers of social relationships, and trailblazers of excellent leadership. Now, ESG companies that uphold the principles of smart investing while catering to the needs of socially conscious investors are seen outperforming their peers in a big way, especially after the COVID-19 pandemic.

In 2020, the year of extreme and dramatic changes trigged by the pandemic, the median total return on equity funds of ESG companies focused on sustainability exceeded that of their peer funds by 4.3 percentage points. Funds of such companies provided better returns almost every month of the year. Their focus on sustainability is essentially indicative of the quality of their board and management.

Low beta, high quality 

The companies with higher ESC ratings fell and rose less dramatically as the markets collapsed and recovered sharply in April 2020 than those with lower ESG ratings. The pattern suggests that stocks of such companies also have a low-beta-high-quality factor. Such funds are also less affected by volatility in the larger market.

There’s been a significant rise in the popularity of ESG investing. It is mainly triggered by fears of the global community over climate change. As such, socially conscious investors, especially millennials, now consider the impact of their funds as they have started investing. It’s crucial to note and understand that ESG risk is an investment risk; those firms that meet ESG standards are more unlikely likely to be sustainable enterprises.

Similar trends were observed when fixed income ESG stocks were analyzed from January to September 2020. The bonds of ESG companies with high ratings performed better on average than their lower-rated peers. The stocks of companies with an A-rated ESG score lost around 0.5 percent on average during the period compared to low-rated stocks, which lost 4.6 and 4.4 percent.

A peek into the future.

ESG and smart investing with a focus on sustainability are expected to grow. The attitude of retail investors towards sustainable investment has also been shifting. In the U.S., close to half of individual investors adopt sustainable investing. Also, 80 percent of asset-owner institutions are seen incorporating sustainability factors in their investment processes.

It’s also worth noting that the Institute for Sustainable Investing, in 2019, found that sustainable funds had larger market capitalizations on average and hold more stocks in companies that are considered growth stocks. Let’s not forget. Evolving regulations also lead companies to disclose their sustainability practices, providing investors with more data to understand ESG-related risks and growth opportunities. We can hope that the future of sustainability investing delivers on its promises and make a positive global impact in the times to come.

Get started with your ESG journey easily with Findings ESG.

aicpa soc 2, ESG, findings tech, soc 1

ESG Investing is popular but confusing – here’s how it works

Posted on by Ilan Lavan
ESG-Investing-is-popular-but-confusing-here’s-how-it-works
11
May

ESG investing is becoming popular as awareness grows about the impact of corporate actions on the environment, society, and governance. This article will look at how ESG Investing works and some of the benefits and drawbacks of this growing movement. What should you consider when including this type of investment in your portfolio?

What are the essential characteristics of an ESG investment strategy?

Many factors make up an ESG investment strategy. For a company to be an ESG investment, there must be exposed to environmental and social aspects. Exposure to these factors can be defined by three characteristics: alignment, integration, and recognition. All three of these characteristics must be present to exhibit an entire ESG investment strategy. By adopting one or more of these strategies, they can better prepare themselves in times of need.  It is much easier to come back from challenging situations when you are ready. It takes careful planning, diligence, and perseverance to fully adopt an ESG investment strategy. However, if done correctly, these practices will strengthen your company and increase its value over time and preserve its reputation within its community.

How do I make sure my fund managers follow an ethical approach?

The first and most basic way to make sure your fund managers take ESG into account is to ask them. As with any other question, you should call them up and ask if they use sustainability metrics in their investment process. They’ll tell you, Of course, we do (which might or might not be true), and that will give you a sense of how serious they are about ESG investing. If you like what you hear and want to invest, you can trust that your money isn’t funding unethical companies. But if they seem mysterious, or worse—dismissive—then it could mean that there aren’t good incentives in place to keep fund managers accountable for their actions. That would indicate an unethical culture at your mutual fund management firm.

Why is this different from other kinds of socially responsible investing?

The social responsibility aspect of ESG investing isn’t just about environmental or social impact but may include these factors. It also aims to be financially responsible and considers an investment’s impact on other financial indicators such as price volatility, liquidity, earnings growth, operating efficiency, and capital preservation. These features are often not found in socially responsible investments as they tend to focus on issues surrounding environmental or social effects. As a result, many consider ESG to be more than just socially accountable investing — because it includes financial indicators and increased engagement with companies — while others think it is just another kind of SRI.

When did this become popular? And why should I care now?

After decades of playing second fiddle to shareholder-value investing, ESG has emerged as a star in its own right. Even though sustainability and corporate ethics are still relatively new concepts in business management, concerns about social issues have been around for thousands of years—and they show no signs of fading away. That’s why more and more investors are looking at companies through an ESG lens.

Some examples of funds in this space and their returns over time.

Newfield ESG Long/Short Fund (EQLIX), Calvert Social Investment Strategy Fund (CSLFX), Vanguard FTSE Social Index Fund ETF (VFTSX). After a rocky start, there are signs that environmentally conscious investing has been growing in popularity—more than 150 socially responsible mutual funds with $200 billion in assets under management. Still, concerns remain about what kinds of businesses these investment funds hold and their role in helping companies change their behavior to protect employees and the environment better. 

Want to save time and automate your ESG processes? Use best-practices? Findings ESG is at your service.



aicpa soc 2, CMMC, findings tech, security compliance, soc 1, Vendor Risk Management

The Insider Guide To Coordinated Vulnerability Disclosure Programs

Posted on by Yogev Kimor
The-Insider-Guide-To-Coordinated-Vulnerability-Disclosure-Programs
11
May

When you co-ordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and 5 steps to creating one.

 

What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities to various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring that information about a known vulnerability is not just available, but also that response operations are as efficient as possible. But remember not all vulnerabilities should or must be disclosed. Deciding how to react, whether to block or avoid is also an important decision.

 

 

The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster, and  rolled out to affected applications or systems before hackers attack them. This translates to a lower risk that the vulnerability will be exploited. 

Consider CVDP as a  “neighborhood watch” for your IT assets by encouraging everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.

 

Did you know that your supply chain security can affect your stock value?

 

5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, you need to provide secure channels through which third parties can report vulnerabilities in order to benefit from them. These channels could be as simple as resources like security.txt” files that identify where and how someone can report a vulnerability to you.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.

Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provide end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.

Schedule a call to learn more

aicpa soc 2, ESG, findings tech, soc 1

ESG Investing – What Green Bonds are, and why do they matter?

Posted on by Ilan Lavan
ESG-Investing-–-What-Green-Bonds-are,-and-why-do-they-matter-
06
Apr

Sustainability has become an integral part of how we do business and live our lives, and the concept of ESG investing has taken hold with investors and financiers alike. What are green bonds, and why do they matter? Read on to find out!

3 key ways green bonds improve corporate sustainability

green bonds increase access to capital for sustainable projects; green bonds help decrease reliance on fossil fuels, and green bonds help finance critical social programs. We’ll examine each of these ways in detail below.

An introduction to green bonds

Undertaking a green business venture or a project is by no means cheap. The costs of starting up an alternative energy project could run into millions of dollars. And even if you secure funding for such projects through loans or grants, those payments will add to your operating costs over time. However, governments worldwide have been easing financing concerns through what’s known as green bonds — debt securities that raise funds to support environmental-friendly endeavors. More recently, private organizations have been taking up their initiatives in making it easier for entities engaged in green initiatives to raise funds from investors. These so-called green bonds have several advantages over conventional debt offerings. You need to know about them: 1) What are Green Bonds? 2) How Do They Work? 3) Where Can You Buy Them?

The history of green bonds

The idea of a bond linked to environmental, social, or governance criteria – known as ‘green bonds’ – originated in 2003 when HSBC issued its first ecological bond in response to investor demand. This was followed by BNP Paribas with its first Corporate Sustainability Bond in 2005. Today there is greater recognition of ESG issues from governments, investors, and issuers than ever before. Green bonds have increased over recent years. In 2010, only three green bonds were issued globally; today, it is not uncommon for international financial centers like London to see two or three different green issuance rounds each week.

How is a green bond different from any other bond?

A green bond is no different from any other bond in that it is debt security – a loan – given by an organization to raise money for any purpose. However, green bonds typically have specific criteria which make them eligible for being classified as green or environmentally friendly. They tend to be used exclusively for projects with positive environmental or social impacts, whether that means energy efficiency retrofits or renewable energy generation. These bonds are commonly referred to as ESG bonds (Environmental Social Governance). An investor who wants to include more green investments in their portfolio can purchase ESGs because these securities contain safeguards against non-environmentally friendly use of proceeds. In short, if your company has borrowed money through a green bond, you must use that money only on activities with positive effects on people and the planet. This way, investors can feel good about making such investments while knowing they’re getting solid returns.

Challenges in the market for Green Bonds

The market for green bonds remains relatively small, but both public and private sector actors recognize a need to increase access to capital for climate-friendly projects. In October 2017, Sustainable Finance Lab, in conjunction with The Rockefeller Foundation, released its second Climate Finance Survey. The survey results reveal that limited capital and coordination are among the most significant barriers to scaling up investments in clean energy. One of those critical challenges has been high transaction costs, or what is often referred to as the pipeline problem. Green bond issuance data from Bloomberg New Energy Finance (BNEF) shows that transaction costs for green bonds have been more than double those of comparable rated corporate bonds since 2008. This means that investors looking to invest in low-carbon infrastructure through green bonds were paying too much due to inefficient issuance processes. As a result, some financiers had said that there was limited interest amongst potential institutional investors when investing in them.

 

Eager to learn more about ESG? Start your ESG journey with Findings ESG today.

aicpa soc 2, ESG, findings tech, iso, iso27001, iso27017, iso27018, soc 1

A retired asset owner reveals – These 3 things will attract investors like flies

Posted on by Ilan Lavan
A-retired-asset-owner-reveals-–-These-3-things-will-attract-investors-like-flies
23
Mar

3 things you should be doing to attract ESG investors

ESG (environmental, social, and governance) investors are becoming more popular as millennials enter the workforce. Around 60% of ESG-focused funds show growth in assets under management over the past year. But what can companies do to attract more ESG money? This article will look at three things to consider when working with ESG investors to attract sustainable investment dollars.

1) Allocation matters

An ESG-friendly portfolio is an integral part of a sustainable investment strategy, but it’s just as crucial for investors that manage other people’s money (OPM). These days, many clients expect their financial advisors to invest sustainably and request environmental, social, and governance (ESG) information when reviewing or choosing an advisor. Advisers need to demonstrate how they manage sustainability in their portfolios to earn new business from clients seeking out these investments. And for those who don’t offer such solutions today, it will likely become increasingly necessary to compete and keep up with shifting investor preferences over time. In either case, OPM advisers need to do two things: identify relevant ESG factors within their client’s portfolios and then make informed investment decisions in line with client expectations.

2) Education is important

When searching for potential investments, Environmental, Social, and Governance (ESG) investors perform a thorough due diligence process. While your business might not be eligible for an asset from a fund, these types of investors can still help by providing feedback and advice. Remember, there is no shame in being honest about how much work your business needs. The more willing you are to self-critique, the easier it will be for others to trust that you’re working towards those changes. It’s important to remain honest about yourself and realistic about your goals. Remember that potential investors want to see transparency and honesty.

3) Be transparent

A growing number of institutional investors are pressuring organizations they invest in to disclose more about their environmental, social, and governance (ESG) performance. They’re asking companies many questions – some that might even seem uncomfortable at first. The purpose of these questions is transparency and improving performance, though it can feel like an interrogation at times. Transparency doesn’t come easily, but there are three things organizations can do to make sure they’re ready for such conversations with ESG-minded investors. First, have all your numbers together. This means having clear information on everything from greenhouse gas emissions levels to community involvement efforts available when you sit down with ESG investors. It takes work to get those numbers put together, but it’s worth it. Second, build relationships. One of the most important parts of successfully navigating any conversation is knowing your partners inside and out. Take time to research each ESG investor beforehand to know what kinds of topics they want to be addressed and how they usually approach them. Also, take care not to assume things based on past experiences with other investors or one-off interactions. Every organization and every investor will be different. Third, keep records of your progress. Keeping track of your progress sends a clear message to ESG investors that you’re committed to being transparent in both action and communication with them going forward. Although it may sound tedious, documented progress shows that you’re serious about maintaining transparency in your ESG practices and giving your investors peace of mind.

Did you know Findings ESG offers the first-ever comprehensive supply-chain platform for all of your ESG reporting / best practices needs? 

Don’t settle for less – Try it now.

Findings.co
Company
Products
Solutions
Media Room
Guides
Company
About
Privacy Policy
Terms of Use
Contact Us
FAQs
Sitemap
Products
Vendors
Enterprise
Partners
Vendors index
Solutions
Cyber security
ESG
Cloud Monitoring
Continuous Monitoring
Media Room
Blogs
Press Room
Guides
What is vendor risk management?
The Findings CMMC compliance checklist
4 ESG Best Practices for Energy Efficiency
Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account

Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Claim your free account Trial
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
less
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Claim your free account trail
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!