CHOOSING THE RIGHT FIRM FOR YOUR PENETRATION TESTING SERVICES

Written by Premal Parikh

Numerous security firms perform penetration testing and red teaming. However, determining the security firm suitable for your organization is difficult. So how do you select the right firm for your Pentesting services? One must consider factors such as the firm’s experience, methodology, and cost-effectiveness while making the right choice.

Security threats are increasing at an alarming rate in today’s dynamic digital world. The year 2022 saw nearly 236.7 million ransomware attacks worldwide. With organizations being more vulnerable to cyberattacks, businesses of all sizes should conduct penetration testing and regularly improve their security.

Furthermore, it is critical to recognize that a lack of vulnerabilities discovered during penetration testing can indicate one of two things:

  • Either there are no vulnerabilities in the application/network being tested; or
  • Your testing team has failed to identify existing vulnerabilities.

Unfortunately, if it’s the latter, you’ll usually find out when the vulnerability is exposed in a breach or when your client conducts their testing and discovers the problem.

Key Factors to Consider When Hiring a Security Testing Firm

1. Certifications

When choosing a penetration testing firm, it is critical to consider the testing team’s certifications, such as CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional), and other relevant qualifications. However, evaluating the company’s own credentials to ensure competence is equally important.

Surprisingly, only a few companies have obtained the two important credentials, PCI ASV and CREST, which require rigorous assessments and process reviews to demonstrate competence to the respective councils. These credentials show that a company meets established high standards and help ensure that only the best firms are chosen.

  • PCI ASV

PCI (Payment Card Industry) has a credit card connotation, but to become an ASV (Approved Scanning Vendor), a company must undergo an intensive test in which an environment is set up. The company must find and report vulnerabilities in that environment to the PCI council. The environment is designed to mimic a real-world production environment, and the report generated could easily be several hundred pages long. Many significant investment and financial services firms have mandated that their vendors be tested by a PCI ASV, even if there are no credit cards in the environment, to differentiate the firm’s quality.

  • CREST

CREST is a European-based certification that verifies that the testing team follows consistent processes and tools (among other things) across their team and that it is not up to the individual tester to ‘figure it out.’ It seeks to transform testing from an art to a science wherever possible.

2. Scalability

Is your security company available when you need them? Do they have a large enough team to respond quickly if you need something tested? Do they have experience in various environments? On a multi-test contract (either testing multiple times a year or for multiple years), they can also frequently change the person performing the test. Although this is slightly less efficient than having the same person do it for years, it allows a different perspective on the application or network, as well as attack scenarios. As much as we try to make testing a science, there is also an element of art to it.

3. Delivery Process and Platform

The delivery process and platform are crucial when hiring a security testing firm. It is essential to understand how the testing results will be delivered, how the report will be accessed and secured, and whether there will be a platform for analyzing the results over time and collaborating on vulnerability fixes. Furthermore, clear communication and regular updates on the test status can aid in the delivery process.

4. FAQs to Ask Yourself When Choosing the Right Security

Penetration Testing Services FAQ

Maximizing Your Investment

When looking for a security testing firm to partner with, it’s important to compare similar factors rather than focusing solely on cost. While cost is unquestionably important, neglecting essential qualities like experience, expertise, and reliability can have long-term consequences. Choosing an unreliable or inexperienced firm to save costs could result in much higher costs later, making it imperative to carefully consider all factors before making a decision.

Accorian’s Pentesting Procedure

1. Data Collection

Accorian utilizes various data collection techniques, including web page source code analysis and unrestricted tools and services, to gather comprehensive information from a target system. This includes data such as databases, table names, system software, and hardware used by third-party plugins. By using these techniques, Accorian enables users to make informed decisions based on accurate and comprehensive data.

2. Vulnerability Evaluation

We identify security flaws in the target network based on the data acquired in the first stage. This allows our penetration testers to perform attacks through the system’s recognized entry points.

3. Practical Exploitation

Starting an assault on the target system is the most crucial phase, requiring specialized expertise and procedures. Our expert penetration testers start an attack on a system using their skills.

4. Analysis of Results and Production of Reports

After conducting penetration testing, we compile comprehensive reports for remedial measures. These reports detail all detected vulnerabilities and the proposed remediation procedures. The report format (XML, HTML, Microsoft Word, PDF) can be adapted to meet the demands of your company.

In addition to penetration testing, Accorian can also recommend solutions or compensatory controls for identified vulnerabilities. Moreover, we can conduct penetration testing and map vulnerabilities to various compliance criteria to aid in prioritizing solutions. By doing so, we help customers understand the overall security posture of the environment.

HIPAA UPDATES 2023

The Latest on HIPAA Compliance

HIPAA compliance will undergo significant changes in 2023 that you need to be aware of. But let’s look at its history before we get into the upcoming changes to the HIPAA Privacy Rule.

The United States established HIPAA in 1996. Before then, there were no set rules for gaining access to medical records; in fact, local and state governments had each established their own rules and fees. HIPAA established standardized rights and responsibilities for managing and safeguarding Protected Health Information (PHI).

However, changes in working practices and technological advancements over the last ten years have given rise to various issues with HIPAA. To address these concerns, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has had to issue HIPAA guidance to clarify misunderstandings about HIPAA requirements rather than make rule changes. The last major HIPAA update was enacted a decade ago, and changes to the HIPAA Rules are now required. The final version of these changes was expected earlier this year but has been postponed until March 2023.

Proposed HIPAA Updates to the Privacy Rule in 2023

PART 1

  • Allowing patients to examine their PHI in person and take notes or photographs.
  • Reducing the maximum time for providing PHI access from 30 days to 15 days.
  • Limiting individuals’ right to direct the transfer of ePHI to a third party to ePHI maintained in an Electronic Health Record (EHR).
  • Confirming that an individual has the authority to instruct a covered entity to transmit their electronic Protected Health Information (ePHI) to a personal health application upon the individual’s request.
  • Specifying when individuals receive ePHI free of charge.
  • Mandating that covered entities notify individuals about their entitlement to receive or authorize the transfer of their Protected Health Information (PHI) to a third party, in cases where they are provided with a summary of the PHI instead of a complete copy.
  • Extending the authorization of the armed forces to disclose or use the PHI to all uniformed services.
  • Adding a definition for electronic health records.
  • Modifying the language to enhance the ability of a covered entity to disclose PHI to prevent a potential threat to health or safety in circumstances where the harm is “reasonably and significantly predictable.”
  • Creating a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • Removing the requirement for covered entities to obtain a written acknowledgment from a person confirming receipt of a Notice of Privacy Practices.
  • Requiring HIPAA-covered entities to publish on their website the estimated fee schedules they charge for PHI access and disclosures.
  • Requiring HIPAA-covered entities to furnish personalized cost estimates for supplying individuals with a copy of their PHI.
  • Broadening the scope of healthcare operations to include care coordination and case management.
  • Requiring HIPAA-covered healthcare providers and health plans to respond to records requests from other covered entities when individuals exercise their HIPAA right of access.
  • Granting authorization to covered entities to utilize and disclose certain Protected Health Information (PHI) if they genuinely believe it is in the individual’s best interest.
  • Introducing an exemption to the minimum necessary standard for individual-level care coordination and case management purposes, irrespective of whether these actions are classified as treatment or healthcare operations.

PART 2

In November 2022, the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) proposing changes to both Part 2 and HIPAA so that the two regulations align better.

Part 2 protects patient privacy and treatment records for substance use disorder (SUD), with HIPAA governing protected health information. Since SUD records are highly sensitive, they require more safeguards and restrictions than other types of health information covered by the HIPAA Privacy Rule. While these extra safeguards are necessary, they can impede care coordination by creating barriers to information sharing.

The proposed changes intend to simplify HIPAA and Part 2 compliance, eliminate obstacles to information sharing, enhance care coordination, and safeguard patients. The amendments give patients more freedom in using and disclosing their SUD records.

The following are the key HIPAA updates that have been proposed:

  • Implementing a single patient consent covering all future uses and disclosures of their SUD records for treatment, payment, and healthcare operations.
  • Permitting the disclosure of SUD records in accordance with the HIPAA Privacy Rule.
  • Allowing patients to request an accounting of their SUD records, disclosures, and restrictions on certain disclosures.
  • Extending restrictions on using and disclosing Part 2 records in civil, criminal, administrative, and legislative proceedings.
  • Requiring Part 2 programs to create a procedure for addressing complaints related to violations of Part 2 regulations, and prohibiting them from compelling patients to waive their right to file a complaint as a prerequisite for receiving treatment, enrollment, payment, or eligibility for services.
  • Applying the HIPAA breach notification rule to Part 2 records, implying that breach notification requirements would apply to affected patients and the Department of Health and Human Services (HHS).
  • Updating the HIPAA Privacy Rule Notice of Privacy Practices requirements to address the uses and disclosures of Part 2 records and individual rights concerning those records.
  • Authorizing the HHS to impose civil monetary penalties for violations of Part 2 in accordance with HIPAA and the HITECH Act.

Estimated Compliance Efforts for New Regulations: A High-Level Overview

  • Developing policies centrally that can then be implemented locally.
  • Interpreting HIPAA regulations for the organization.
  • Creating a Notice of Privacy Practices (NPP).
  • Updating rules of the HIPAA Program for business processes.
  • Developing standards (policies, contract language, etc.)
  • Creating education and training on the HIPAA regulation update.
  • Managing the legal services process in accordance with the new HIPAA regulations.
  • Updating the audit, certification, testing, and ongoing compliance monitoring process.
  • Creating a procedure to allow disclosures to Telecommunications Relay Services (TRS) communications assistants.

HIPAA 2023: Get Ready for the New Privacy Health Regulation

Once the final rule is issued, you will have a grace period to make the necessary changes. Although you are expected to have a 180-day window, this may be subject to change.


THE vCISO SUPERPOWER: A Virtual Chief Information Security Officer for your Cybersecurity Goals

Introduction

There is a famous adage from Spider-Man in Marvel comics, “With great power comes great responsibility,” and it captures how important a vCISO (Virtual Chief Information Security Officer) is to an organization. Today’s digital transformation goes beyond automation and embraces technology for a broader range of tasks. The cybercrime epidemic is threatening, with a 15% annual growth rate. With the increased use of technological platforms, the threat of cybercrime costs organizations millions of dollars.

In response to this growing threat, the global cybersecurity market is expected to grow at a compound annual growth rate of 13.4%, from USD 155.83 billion in 2022 to USD 376.32 billion by 2029.

With the rise of sophisticated threats and the growth of cybercrime, a Chief Information Security Officer (CISO) in senior management is required for organizations. The CISO can provide a comprehensive cybersecurity framework and requirements tailored to their business needs. However, employing a full-time CISO can be costly. Instead, a virtual CISO can be used to meet the exact needs of multiple companies. The vCISO can effectively address the organization’s cybersecurity needs and collaborate with senior management to provide a cost-effective strategic cybersecurity plan.

Who is a vCISO?

A vCISO (Virtual Chief Information Security Officer) is an external security advisor and expert whose responsibilities vary depending on an organization’s business requirements. They are responsible for keeping critical systems and sensitive data protected from cybercriminals.

They provide organizations with on-demand access to experienced security expertise, eliminating the need for a full-time employee. This provides organizations with the resources and knowledge they require to protect themselves from cyber threats without incurring the high costs associated with a full-time employee.

How Can A vCISO Accelerate Your Business?

1. Making security a growth lever

By bringing on a vCISO, you can ensure that your security is up to date, in compliance with regulations, and capable of enabling growth opportunities. With the vCISO in charge of security, the organization can concentrate on activities that directly contribute to business growth.

2. Assisting in ensuring that your internal security posture is excellent

A vCISO can assist you in establishing a secure internal security posture and conducting security audits to identify existing vulnerabilities and potential security threats. This can aid in discovering and mitigating existing vulnerabilities, as well as the development of strategic plans for data access control, authentication, and authorization protocols. With a vCISO on board, the organization can be confident in the strength and security of its internal security posture.

3. Complying with security regulatory requirements

Having a vCISO on board can also assist in complying with applicable regulatory requirements. The vCISO is familiar with many different regulatory bodies’ security requirements and can ensure that the organization meets them. Furthermore, the vCISO can assist with periodic audits and assessments to ensure that the organization complies with all applicable regulations.

Why Should Your Organization Hire A vCISO?

A vCISO can help your organization with strategic advice, roadmap creation, query resolution, board consulting, and client conversations. They can also manage programs, oversee tactical and operational tasks, as well as provide a comprehensive view of the organization’s information security landscape. Furthermore, a vCISO is critical to an organization’s cyber defense, assisting in the security of systems, processes, and data while aligning security with the organization’s overall goals and objectives.

Roles & Responsibilities

  • Responsible for overseeing the implementation of security protocols and policies. Guide security-related topics, such as encryption, authentication, and risk management, to protect the organization against potential threats.
  • Provide strategic advice to an organization and ensure that the organization’s security practices are current. This includes identifying and recommending ways to close any security gaps. In addition, the vCISO may oversee the development and implementation of security protocols, policies, and training materials.
  • Advise on security issues such as encryption, authentication, and risk management. Furthermore, the vCISO oversees conducting security audits and reviews, as well as investigating security incidents within the organization. The vCISO may also be in charge of advising and training employees on security issues.

What Expertise Does the Accorian vCISO Bring to the Table?

Even the most experienced CISOs can benefit from professional advisory services, especially managing stakeholder expectations, regulatory requirements, evolving cybersecurity technologies, and various security programs. With Accorian’s vCISO services, you don’t just get a single security professional but a team of Security Advisory specialists to support your organization’s unique needs.

Whether your organization is small or large, a vCISO can be valuable. At Accorian, we provide rapid access to a virtual CISO and a team of specialists to help you achieve your strategic objectives. Our vCISO offers professional guidance for tactical and strategic endeavors, and you can customize your vCISO plan based on the hours of service you require.

Accorian’s cybersecurity and compliance teams bring a wealth of experience to help navigate organizations through their information security journey. We take a hands-on, white-glove approach and use a proven methodology to provide fiscal value and expertise to each client. The facts speak for themselves.

WebSocket Vulnerabilities: Keep Your WebSocket Connection Safe

Written by Somya Agrawal

Introduction

WebSocket is a powerful tool for sending and receiving messages over a network. It enables quick and reliable data exchange by establishing two-way communication between the server and the client. It is used in everything from online gaming to real-time data streaming.

Unfortunately, WebSocket also comes with flaws. Cross-Site WebSocket Hijacking (CSWSH) is a security threat that allows malicious actors to hijack a legitimate WebSocket connection, allowing them to intercept, modify, delete, and inject data. WebSocket servers are also vulnerable to Denial-of-Service attacks, which can prevent legitimate users from accessing the service. WebSocket connections can also be subject to man-in-the-middle attacks, allowing attackers to modify or inject data into the channel without the user’s knowledge.

Here’s everything you need to know about WebSocket!

What is WebSocket?

WebSocket allows two-way communication between a website and its server in real-time. It is a protocol that allows the client and server to transmit messages over the channel at the same time. They’re used for things like chat apps and updating information on a website without having to refresh the page.

A WebSocket connection lasts until either party closes it. When one party terminates the connection, the other party can no longer communicate, since the link is automatically torn down.

WebSocket, like HTTP, can be either encrypted or unencrypted, as defined by the WebSocket schemes ws and wss, where ws:// is an unencrypted WebSocket, and wss:// is an encrypted WebSocket over TLS.

They act as a persistent two-way channel between your computer and the website. Instead of waiting for the website to send you information, you can ask for it and receive it immediately, and the website can also send you information without requiring you to refresh the page. It’s like a two-way phone call in which you and the website can converse simultaneously.

How Does WebSocket Work?

The usual WebSocket interaction between client and server consists of the following steps:

What are the Common WebSocket Vulnerabilities?

Improper WebSocket implementation can lead to serious vulnerabilities. Some of the most common security flaws are:

1. Cross-Site WebSocket Hijacking (CSRF with WebSockets)

If the WebSocket handshake relies on HTTP cookies for the session and does not include a Cross-Site Request Forgery (CSRF) token, an attacker can write a custom script on their domain to establish a cross-site WebSocket connection to the vulnerable application. Using this attack approach, an attacker might obtain sensitive information.

You can find a common script below that can be used to exploit this vulnerability:

2. Unencrypted Communications

A WebSocket, like HTTP, can be encrypted or unencrypted. It utilizes the WebSocket schemes ws and wss to differentiate between the two. In particular, ws:// represents an unencrypted WebSocket, whereas wss:// represents a WebSocket encrypted with Transport Layer Security (TLS).

3. Denial of Service

The server may receive an endless number of connections via WebSocket. This allows an attacker to perform a denial-of-service attack against the server, which significantly strains the server and consumes all its resources, thus delaying communication.

The script below frequently crashes the WebSocket server, affecting some versions of the WebSocket client:

4. Sensitive Information Disclosure

This occurs when a WebSocket implementation fails to protect confidential information adequately and may allow unauthorized access to it. Passwords, credit card information, private communications, and intellectual property are examples of sensitive data. This type of flaw can affect various services and systems, including databases, operating systems, and network devices.

5. Input-Validation Vulnerabilities

If an attacker has access to WebSocket communications and the server does not properly validate or sanitize the input, an injection attack may occur. An attacker, for example, can deliver specially crafted payloads as messages while bypassing client-side validation by using a proxy tool such as Burp Suite. Furthermore, attackers can launch attacks if the server does not validate the input for special characters or malicious data.

Let’s assume we’re testing a chat application that uses WebSocket. The system will transmit a message in the following format when a user types it:

In the absence of input validation, an attacker can intercept the request with a web proxy (Burp, in this example) and replace the message with their payload to trigger an XSS pop-up:
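Because the message is rewritten after it leaves the browser, client-side checks are not a control; the server has to validate each frame and the receiving page has to escape before rendering. The following is an added example for the chat scenario above, not Accorian’s code or a particular application’s format: the `{type, text}` message shape, the 500-character limit and the sample frames are assumptions constructed for the demo.

```javascript
// Added example (not Accorian's code): server-side validation of a chat
// message received over WebSocket, plus HTML escaping before the text is
// rendered. The {type, text} format and the length limit are assumptions.
const MAX_TEXT_LENGTH = 500;                 // assumed limit
const ALLOWED_TYPES = new Set(['message']);  // assumed message types
// Control characters other than tab, LF and CR have no place in chat text.
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/;

// Returns {ok: true, value} for an acceptable frame, {ok: false, reason} otherwise.
function validateChatMessage(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not-text-frame' };
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return { ok: false, reason: 'not-json' }; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    return { ok: false, reason: 'not-object' };
  }
  // Reject unexpected fields: a proxied frame may smuggle extra properties.
  if (Object.keys(msg).sort().join(',') !== 'text,type') {
    return { ok: false, reason: 'unexpected-fields' };
  }
  if (!ALLOWED_TYPES.has(msg.type)) return { ok: false, reason: 'unknown-type' };
  if (typeof msg.text !== 'string') return { ok: false, reason: 'text-not-string' };
  if (msg.text.length === 0 || msg.text.length > MAX_TEXT_LENGTH) {
    return { ok: false, reason: 'bad-length' };
  }
  if (CONTROL_CHARS.test(msg.text)) return { ok: false, reason: 'control-chars' };
  // Re-create the object so only the validated fields travel onward.
  return { ok: true, value: { type: msg.type, text: msg.text } };
}

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the receiving page inserts into the DOM: escaped text, never raw HTML.
function renderChatLine(sender, text) {
  return '<li><b>' + escapeHtml(sender) + '</b>: ' + escapeHtml(text) + '</li>';
}

// Constructed frames, as a proxy might forward them to the server.
const SAMPLE_FRAMES = [
  '{"type":"message","text":"hello"}',
  '{"type":"message","text":"<script>alert(1)</script>"}',
  '{"type":"message","text":"hi","admin":true}',
  'not json at all',
];

// Validate each frame and either render it safely or record why it was dropped.
function processFrames(frames) {
  return frames.map((f) => {
    const v = validateChatMessage(f);
    return v.ok ? renderChatLine('user', v.value.text) : 'rejected: ' + v.reason;
  });
}

console.log(processFrames(SAMPLE_FRAMES).join('\n'));
```

The second sample frame is accepted as text (a user may legitimately type angle brackets) but is neutralised at render time; the fix for the XSS in the scenario above is the escaping step, while the validation step bounds what the server will accept at all. If the client framework renders via `textContent` rather than `innerHTML`, `escapeHtml` becomes redundant, but keeping it in the path costs nothing.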

How Can you Ensure Your WebSocket is Safe?

You can use the following approach to avoid WebSocket Vulnerabilities:

• Make use of the wss:// scheme (WebSockets over TLS).
• Hard code the URL of the WebSockets endpoint, and don’t include any user-controllable data.
• Avoid cross-site WebSocket hijacking vulnerabilities by protecting the WebSocket handshake message from CSRF.
• Avoid input-based vulnerabilities like SQL injection and cross-site scripting, and handle data properly on both the server and client sides.

Conclusion

WebSocket usage is constantly evolving, and so are its security vulnerabilities. One thing to keep in mind is that not every WebSocket is vulnerable. However, if a WebSocket vulnerability is identified, address it immediately. Furthermore, organizations dealing with WebSocket must be extremely cautious and understand the need to implement all WebSocket security controls.

Accorian’s Pentesting Procedure

1. Data Collection

There are a variety of data collection techniques, including Google Search, for acquiring data from a target system. In addition to web page source code analysis, various unrestricted tools and services available on the market give information such as databases, table names, system software, and hardware used by third-party plugins.

2. Vulnerability Evaluation

Security flaws in the target network may be readily recognized based on the data acquired in the first stage. This allows penetration testers to perform attacks utilizing the system’s recognized entry points.

3. Practical Exploitation

Starting an assault on the target system is the most crucial phase, and it requires specialized expertise and procedures. Expert penetration testers may start an attack on a system using their skills.

4. Analysis of Results and Production of Reports

After conducting penetration testing, compile comprehensive reports for remedial measures. In these reports, all detected vulnerabilities and proposed remediation procedures are detailed. You may modify the format of vulnerability reports (XML, HTML, Microsoft Word, PDF) to meet the demands of your company.

The Accorian Advantage

In addition to penetration testing, Accorian can also recommend solutions or compensatory controls for identified vulnerabilities. Moreover, we can conduct penetration testing and map vulnerabilities to various compliance criteria to aid in prioritizing solutions. By doing so, we help customers understand the overall security posture of the environment.

UNDERSTANDING AI RMF 1.0 – The Artificial Intelligence Risk Management Framework

Written by Tathagat Katiyar & Harshitha Chondamma

Introduction

Artificial Intelligence is undergoing continuous growth and development, with new technologies and applications being developed daily. As AI becomes more prevalent and integrated into various industries, it is critical to ensure that these systems are trustworthy, secure, and transparent. This is where the Artificial Intelligence Risk Management Framework 1.0 (AI RMF 1.0) from the National Institute of Standards and Technology (NIST) comes in. This framework provides organizations with guidelines and best practices to help them confidently develop, deploy, and operate AI systems.

In this blog, we will cover NIST AI RMF 1.0 in-depth, including its features, benefits, and how organizations can use it to ensure AI systems meet high security and compliance standards.

On January 26, 2023, the National Institute of Standards and Technology (NIST), under the U.S. Department of Commerce, released a Risk Management Framework for Artificial Intelligence (AI RMF). The AI RMF is designed to assist companies in managing risks and promoting responsible development while deploying or using AI systems. Although compliance with the AI RMF is voluntary, it can be helpful for companies seeking to manage their risks, particularly in light of regulators’ increased scrutiny of AI.

The Artificial Intelligence Risk Management Framework helps organizations establish a systematic approach to information security and risk management activities focusing explicitly on Artificial Intelligence. A robust AI risk management framework offers organizations asset protection, reputation management, and optimized data management. It can also protect against loss of competitive advantage, legal risks, and missed business opportunities.

What is NIST AI RMF 1.0?

The NIST AI RMF 1.0 is a set of standards and practices for evaluating, maintaining, and improving the trustworthiness of AI systems. AI RMF 1.0 provides an adaptable, structured, and quantifiable process that enables organizations to address AI risks. The aim is to assist organizations in understanding the risks associated with AI, developing strategies to manage those risks, and evaluating the trustworthiness of AI systems prior to deployment.

Organizations may voluntarily determine compliance with AI RMF 1.0. The framework is designed for organizations that operate, develop, or deploy AI systems. It also applies to government agencies, non-profit organizations, and private companies. Additionally, it can serve as a reference guide for meeting regulatory and compliance requirements and enhancing their AI systems’ performance, transparency, and trustworthiness.

Salient Features of NIST AI RMF

The AI RMF consists of two main components:

Section 1
The first section outlines how organizations can frame AI risks and the features of trustworthy AI systems.

Section 2
This forms the framework’s core and includes four specific functions to help organizations address risks associated with AI systems. These include:

1. Govern: Guides organizations on how to develop governance structures and processes for AI risk management.
2. Map: Advises organizations on identifying, assessing, and prioritizing AI risks.
3. Measure: Helps organizations evaluate and monitor AI systems to ensure they perform as intended and per the organization’s risk management objectives.
4. Manage: Assists organizations in implementing risk mitigation strategies and managing AI risks over time.

Objectives of NIST AI RMF

The framework is designed to be voluntary, preserve rights, be non-sector specific, and be agnostic to use cases. This gives organizations of all sizes, sectors, and industries the flexibility to implement the ideas in the framework. The core objectives are to:

• Provide a resource to companies creating, developing, deploying, or utilizing AI systems.
• Assist organizations in managing various risks associated with AI.
• Promote the development and usage of AI systems that are trustworthy and responsible.

Bias in AI extends beyond ensuring demographic balance and representative data. In other words, an AI system may still pose problems even if it distributes predictions evenly across different demographic groups. For example, it may be inaccessible to people with disabilities or perpetuate inequalities caused by the digital divide.

The AI RMF categorizes biases into three groups:

  • Systemic Bias

This type of bias is related to the design and operation of AI systems and can occur during the development and deployment of AI systems. It refers to the possibility of an AI system producing incorrect or unfair results due to errors or biases in the system’s design or operation.

  • Computational and Statistical Bias

Computational bias is introduced by flaws in the design or operation of an AI system, such as errors in the algorithms or computational processes. As a result, decisions may be made based on incomplete or inaccurate information. Statistical bias, on the other hand, is introduced by flaws in the data used to train the AI system, for example, if the training data is itself biased. Both computational and statistical biases can significantly impact the trustworthiness and accuracy of AI system outputs.

  • Human Cognitive Bias

This is the most prevalent type of bias which occurs due to an individual or group’s subjective interpretation of the data generated by the AI system.

AI RMF Guidelines

Organizations working with AI systems should implement the following programs, policies, procedures, and controls:

Governance and Management
It aims to set up processes for AI systems to ensure effective decision-making, accountability, and risk management. This includes forming an AI Governance Committee, establishing a decision-making Change Advisory Board, implementing a risk assessment and management strategy, conducting regular audits, and hiring external auditors.

Technical and Operational Considerations
This encompasses crucial elements in creating, deploying, and developing AI systems, focusing on ensuring safety, security, clarity, and privacy. The approach involves implementing policies and procedures for security, software development, and operations, adopting a data governance policy, and creating a training program for proper AI system use.

Performance and Evaluation
It focuses on establishing guidelines for evaluating the reliability and performance of AI systems, including testing, monitoring, and validation. This involves monitoring key performance and risk indicators for AI systems, performing rigorous testing and periodic monitoring, and conducting periodic reviews to measure and validate the effectiveness of AI systems.

NIST AI RMF Compliance

Organizations developing and deploying AI solutions must adhere to the NIST Risk Management Framework (RMF) to ensure their AI systems’ trustworthiness. This includes companies that create AI-based products, services, and applications and organizations that utilize AI in their operations. Additionally, any company that handles sensitive data and assets must comply with the NIST RMF to secure these assets from unauthorized access or modification.

The NIST AI Risk Management Framework has global applicability and does not have specific regional compliance requirements. However, it is expected to be widely adopted as a set of guidelines and best practices for managing AI-related risks in the United States and other regions. The framework can assist organizations of all sizes in improving their AI risk management strategies.

Summary

AI RMF 1.0 helps organizations understand AI risks, create strategies for managing them, and evaluate AI systems’ trustworthiness before deployment. It helps organizations adopt responsible AI practices and ensure trustworthy AI systems. It covers governance and management, technical and operational considerations, as well as performance and evaluation.

The Accorian Advantage

Accorian’s experienced cybersecurity and compliance experts provide personalized guidance for organizations’ information security initiatives. With a results-driven methodology and exceptional client service, Accorian delivers cost-effectiveness and expertise to every client they serve. The facts speak for themselves.

ISO 27701:2019: THE KEY TO PERSONAL DATA PROTECTION

Introduction

Personally Identifiable Information (PII) has never been more important than it is in today's digital age. As technology advances and the internet expands, entities are collecting, storing, and processing data on a massive scale, raising growing concerns about how that data is used and safeguarded.

ISO 27701:2019 recognizes data privacy’s importance and offers a framework for organizations to responsibly and securely manage personal data. It addresses all aspects of personal data processing. This includes implementing privacy controls, conducting privacy impact assessments, managing data breaches, and keeping privacy records.

What is ISO 27701:2019?

This framework specifies requirements and guidelines for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It extends ISO 27001 and ISO 27002 to cover privacy management within the organization's context.

The Privacy Information Management Framework applies to PII controllers, processors, handlers, and transmitters, and guides organizations looking to implement systems that support compliance with GDPR and other data privacy requirements. It applies to all types and sizes of organizations, whether public or private companies, government entities, non-profit organizations, or any other entity that is a PII controller or PII processor operating within an ISMS.

Need for ISO 27701 Certification

PII is increasingly prevalent in various forms within organizations, being gathered, processed, saved, and transmitted daily in diverse formats.

Organizations that gather, process, save, or transmit PII must recognize and accept their responsibilities, and be held accountable. Seeking ISO 27701 certification helps businesses comply with GDPR and reduce customer and supplier audit costs.

It provides guidelines for organizations to manage and protect personally identifiable information (PII) through a Privacy Information Management System (PIMS). The standard improves information security management systems (ISMS) and offers practical approaches for managing PII risks. Implementing a PIMS based on ISO 27701 offers a competitive advantage, improves reputation, enhances customer satisfaction, and increases trust in the organization. Certification to the standard can enhance transparency and safeguard the integrity of processes and procedures. By managing Personally Identifiable Information (PII) appropriately, businesses can instill confidence in customers.

The Main Objectives

  • Protecting private information assets.
  • Demonstrating compliance with privacy and data protection regulations – regardless of location or industry.
  • Reducing the threat to individuals' and the organization's privacy rights and confidentiality by enhancing the current Information Security Management System.
  • Demonstrating to customers and stakeholders, both internal and external, that effective systems are in place to support compliance with GDPR and other related privacy legislations.

Implementing an ISO 27701-compliant PIMS enables organizations to assess, respond to, and reduce risks associated with personal information. While it does not confirm GDPR compliance, ISO 27701 certification provides a valuable framework for companies to support their legislative efforts.

Structure of ISO 27701

ISO 27701 is an extension of ISO 27001 and ISO 27002. It extends the ISO 27001:2013 requirements and ISO 27002:2013 guidelines by providing additional PIMS-specific requirements.

ISO 27701 Process

Audit Process of ISO 27701

The certification body has developed an efficient five-step process to support your ISO 27701 certification:

  • Readiness Review: Understanding the standard’s objectives and the information required for the audit.
  • Audit by Experts: Conducting audits by experts of your PII protection activities, assessing how you store and process customer information.
  • Non-conformance resolution: Implementing post-audit measures to correct any non-conformances identified.
  • Issuance of audit report and certificate: The certification body issues the ISO 27701 certificate, which businesses can use to demonstrate their compliance to their network and clients.
  • Annual Sustenance and Surveillance: To adhere to ISO data management standards, businesses must maintain 100% of the PIMS controls, which the certification body validates during the annual surveillance audit.

Summary

ISO 27701:2019 is essential for organizations seeking to protect personal data, foster trust, and demonstrate privacy commitment. Adopting this standard assures robust privacy information management systems and compliance with the latest regulations.

HITRUST And HIPAA Compliance Helps Organizations Create More Walls Around Their Customer Information

Cybercriminals are often attracted to the data held by healthcare companies. Patient data, banking information, and other personally identifiable information (PII) are gathered by healthcare organizations, forming rich collections of data. With such comprehensive data sets, cybercriminals are more frequently targeting healthcare providers and their service providers, sometimes resulting in significant losses. Ransomware is a type of malware that encrypts files, preventing access to the data. Given the increasing risk, it is all the more necessary that healthcare entities implement safeguards to protect against the harmful impacts of a ransomware attack. Information security compliance frameworks, such as HIPAA and HITRUST, provide reliable guidance to organizations seeking to prepare proactively for ransomware attacks.

A Rise in Ransomware Attacks in Healthcare

In October 2022, CommonSpirit Health – one of the largest non-profit health systems in the United States – became the target of a ransomware attack that left some of its systems inaccessible even weeks later. This attack underscores the need for healthcare organizations to exercise due care in managing critical data.

In planning a ransomware attack, cybercriminals look for opportunities to exploit the workforce and unsecured data. A vulnerable cybersecurity risk management strategy could leave:

● Prescriptions unfilled
● Surgeries delayed
● Doctors unable to access records
● Patient information publicly exposed

How Do HITRUST and HIPAA Relate to Each Other?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law of the United States of America that contains security and privacy rules to protect sensitive patient health information from use or disclosure without a patient’s consent. Healthcare providers, health plans, healthcare clearinghouses, and organizations that use or disclose healthcare information on their behalf (known as business associates) are all subject to HIPAA. The US government further strengthened the protections of HIPAA with the HITECH Act, adding requirements for enforcement and breach notification.

In drafting the CSF framework, HITRUST aligned numerous national and international regulations, standards, and frameworks, including HIPAA and the HITECH Act, to create a comprehensive and reliable set of privacy and security controls. Since its first release, the CSF has been updated numerous times, incorporating updated sources and an ever-expanding set of global privacy and security standards.

In addition to the CSF,  HITRUST provides the following resources for entities to further strengthen their cybersecurity and risk management programs:

● HITRUST CSF
● HITRUST Threat Catalogue
● MyCSF SaaS assurance and analytics platform
● Assurance assessments
● Assessment results management
● Risk management and compliance programs scaled for small businesses and startups
● Training programs for best HITRUST practices

Reinforcing Cybersecurity with HITRUST and HIPAA

The two work together most effectively by enabling healthcare providers to prove their HIPAA adherence through HITRUST compliance.

Though System and Organization Controls 2 (SOC 2) examinations exist – which CPAs administer – HITRUST is one of the key certifications that prove HIPAA compliance. This is only one of the ways they work together to prevent ransomware attacks.

As healthcare companies look into HITRUST and HIPAA, they are prompted to inform staff about the risks of ransomware attacks. Aggressive ransomware attacks pressure healthcare executives to stay informed about emerging threats, requiring them to provide training and resources so that staff can recognize the signs of ransomware.

Abiding by HITRUST and HIPAA also creates more walls around customer information. It not only instructs employees but also restricts access to and usage of that information to prevent abuse and misuse.

It also improves aspects of risk management programs that might not have been identified if it weren’t for third-party oversight. HITRUST assessment reports not only highlight any gaps in healthcare company strategies but can also highlight inconsistencies and techniques for more effective data control and monitoring.

Unprepared healthcare entities will execute procedures reactively instead of proactively mitigating threats. Some companies rely solely on cyber insurance. However, with rising premiums and stricter qualification policies, HIPAA and HITRUST compliance are the best supplements to insurance. They provide both preventive management and proactive responses to cybercriminal attacks.

Preventing Ransomware Attacks in Healthcare

HITRUST and HIPAA provide resources for healthcare entities to advance patient peace of mind. Not only do they protect patients, but they protect employees and their assets as well.

Employing these standards reveals vulnerabilities, provides insight for system improvement, and increases operational efficiency. This helps mitigate the fear of ransomware attacks. Your healthcare business – whether a hospital, pharmacy, or non-profit group – will benefit from these regulations in many ways, not least because patients will trust your systems to keep their data secure.

Questions to Ask My SOC 2 Auditor Before Signing Up for a SOC 2 Compliance Audit

Written by Om Hazela & Sarthak Makkar

Ideally, you want to find a service provider to take you from SOC 2 readiness to report.

SOC 2 is a third-party review that attests to an organization's ability to protect the data and information it processes and stores. With data breaches and cyberattacks on the rise, a SOC 2 report helps organizations:
• Gain a clearer view of their security posture
• Identify opportunities for improvement over existing controls
• Position themselves competitively in the market (prospects want assurance that security is a priority in your organization).

Many vendors offer different aspects of the SOC 2 process, from software providers who help you get audit-ready, to certified auditors from CPA firms who can assess your infrastructure and release a final SOC 2 report.

Ideally, you will want to find a service provider to take you from SOC 2 readiness to report.

Use these points to help you assess a vendor/service provider before signing a contract for your organization's SOC 2 assessment. These questions will give you clarity about your requirements for SOC 2 and how a service provider will be able to help you, from preparing your organization to getting attested for SOC 2.

1. Are you a licensed CPA firm? 

The American Institute of Certified Public Accountants (AICPA) regulates SOC 2 audits, which must be carried out by an external auditor from a certified CPA firm. This is the only way you, as a company, can get an official SOC 2 report. Verifying that the SOC 2 vendor you are considering working with has the required accreditation is essential.

2. Do you offer SOC 2 readiness services? 

Before you carry out a formal audit, a SOC 2 readiness assessment is a helpful way to assist you in evaluating your company’s posture. Before a SOC 2 audit, gaps in your cybersecurity procedures that need to be closed (and their severity) can be identified using a readiness assessment. Ultimately, this will help you save time, establish priorities, and position your business to perform well during the SOC 2 assessment.

3. Evidence collection and validation

The evidence collection processes for SOC 2 Type 1 and Type 2 are very similar. The evidence requested is the same whether it is a Type 1 or a Type 2; the difference is that a Type 1 covers a moment in time while a Type 2 covers a period of time. Thus, you could be required to submit the most recent Board of Directors meeting minutes for a Type 1, whereas for a Type 2 you must present those minutes for each quarter of your observation period. For a Type 2, there is more evidence to gather, but the kind of information is the same as for a Type 1.

4. How long does it take to complete a SOC 2 assessment?

Many service providers claim to be able to finish a SOC 2 audit in 14 days. This claim should be clarified before a contract is signed. Evidence collection is essentially one phase of the SOC 2 audit process and does not by itself produce a full audit or final report; the two-week schedule is frequently quoted as an estimate for an expedited evidence collection procedure only.

Demand a detailed timeline from your vendor and ask them to walk you through each phase of the SOC 2 audit. This is crucial so that you can allocate resources effectively. Additionally, it is critical to understand when you might anticipate receiving a report to effectively interact with potential customers who inquire about a SOC 2 report during the sales process.

5. Can you provide us with a final report?  

Many SOC 2 service companies can only help you assess your readiness to conduct a SOC 2 audit using a tool. However, they are often unable to perform the audit and produce the SOC 2 report.

Make sure the company you choose for your SOC 2 compliance also provides audit services that will result in a SOC 2 report without forcing you to switch vendors in the middle of the audit process. As mentioned earlier, an auditor employed by a licensed CPA firm is the only one who can produce a final report.

Make sure the service company you choose to partner with also employs capable auditors. If not, you will need to engage a second vendor to perform the audit. This is not recommended, since there is a high likelihood of information being "lost in transition" between the two entities, squandering time and resources and pushing back the deadlines for audits and reports.

6. How many SOC 2 audits have you completed to date? 

There is no substitute for experience. The choice of an experienced SOC 2 auditor can be the difference between a quick and pleasant audit procedure that yields a trustworthy final report and receiving a piece of paper that no one will accept.
You can get a sense of a company's experience by asking how many audits they have already conducted and by looking at the tools and information they offer about the SOC 2 process on their website. A dependable and knowledgeable partner should be able to give you enough information on the SOC 2 procedure and complete details about their products and services.

7. What industries do you have experience with?

For your SOC 2 auditor to understand how the SOC 2 criteria apply to your firm, you will want to ensure they know the ins and outs of your industry. Additionally, many SOC 2 components overlap with those of other crucial, sector-specific assessments. For instance, an auditor with healthcare experience will know the overlap between SOC 2 and HIPAA (Health Insurance Portability and Accountability Act) compliance. They might be able to provide you with a combined SOC 2 + HIPAA security evaluation, letting you finish both audits simultaneously and conserve time and resources.

8. What other services do you provide that could help as we continue to grow as a company?

SOC 2 is one of several significant audits and assessments conducted in the compliance and cybersecurity fields. It is typical for businesses to seek additional compliance initiatives after completing a SOC 2 audit.
SOC 2 also overlaps with other audit criteria, as was previously indicated. Having completed a SOC 2 audit, you are well-positioned to pursue additional complementary certifications. Find a provider that provides additional audits, attestations, and assessments to build a long-term engagement that satisfies all of your compliance and cybersecurity requirements. To avoid duplicating fieldwork and evidence-collection activities, it is advantageous to establish a partnership with one vendor.

What is ISO 22301 Certification: The Business Continuity Management System Standard

Written by Kiran Murthy | Naga Chinmai | Eishu Richhariya

What is ISO 22301 Certification?

ISO 22301 Certification provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It is expected to help organizations protect against, prepare for, respond to, and recover when disruptive incidents arise. It provides the framework for businesses to increase their resilience and enables the organization to deal with disruptive incidents.

Need for ISO 22301 Certification

Obtaining ISO 22301 Certification should be high on the priority list of organizations that must prove to their stakeholders that they can quickly overcome operational disruptions and provide continued, effective service. Gaining ISO 22301 Certification places the organization within a select group of companies committed to business resilience.

  • It ensures compliance with industry standards.
  • It safeguards the brand’s interest and integrity.
  • It reduces the financial risk of an organization.
  • It gives a competitive advantage to a company.
  • It helps to protect critical business assets.

Benefits of ISO 22301

(Figure: Benefits of ISO 22301 Certification, BCMS)

Why do you need a Business Continuity Management System (BCMS)?

Looking back, could you have planned for Covid? The effects of Covid-19 have significantly raised awareness of Business Continuity Planning. Most office-based firms have adapted and applied their plans to a hybrid work-from-home model. However, many others, including service providers and those supporting customers, did not foresee the operational impacts.

For most organizations, today might be business as usual. However, problems can happen when you least expect them, whether it's a cyber-attack, an IT-related issue, building unavailability due to natural disasters, a planned outage, or a supply chain disaster. We're all at risk, and sooner or later, every business will have to deal with such issues.

If there is no plan, the outcome could be much worse than it needs to be.

Organizations can opt for a BCMS based on ISO 22301:2019, one of the most suitable options, as it lays down the requirements an organization can use to understand the needs and necessities for a business continuity policy and objectives. It helps to protect the business and its reputation, stay agile and resilient, and minimize the impact of unexpected interruptions.

Implementation Flowchart

RECOMMENDATION: DESIGNING YOUR ISO 22301 CERTIFIED BUSINESS CONTINUITY PLAN

A single disaster can put the entire organization's structure in jeopardy. Here are a few best practices within the Information Security domain that can help keep the business running regardless of a disaster.

Testing the Process and Strategy to Ensure Their Effectiveness

An organization cannot keep its operations running successfully without appropriate and realistic testing of its BCP/DR plan on a regular basis. Without this, the organization may not even know what is practically executable and what is not. Testing must cover every process, from a minor process failure to the entire service being wiped out by a tornado. This gives your plan a level of maturity over time and minimizes recovery time during a disaster or crisis.

Enhance the Utilization of Virtualization

The objective must be to switch users smoothly from the traditional environment to a virtualized environment where they can continue their work and provide the services they always did. This helps build users' trust, and above all trust in the organization. It also allows the organization to continue its business seamlessly during a crisis.

Conducting Business Continuity Awareness & Training Program

Training & Awareness programs play an essential role in preparing employees and organizations for a crisis. These programs should be conducted regularly for each employee of an organization. For this, an organization can also create a Business Continuity Awareness Team, which performs regular Business Continuity Training & Awareness Programs and keeps track of the performance of every employee.  

HITRUST CERTIFICATION: IMPORTANCE IN HEALTHCARE

Being HITRUST-certified is one way companies can demonstrate their commitment to security and privacy to clients and partners.

Healthcare is one of the most highly regulated industries regarding privacy and security. There is a good reason for this, too, as personal health information (PHI) is some of the most valuable information for cybercriminals and fraudsters. According to the US Department of Health and Human Services 2020 Healthcare Breach Report, the average cost per breached record is $499, and a record can be sold for over $1000. As a result, PHI has become highly targeted by criminals, and to combat this, regulations and security standards have been created to ensure that businesses protect this information correctly. This article will discuss a popular security framework and certification in the healthcare industry called HITRUST.

What is HITRUST Certification?

HITRUST, created in 2007, is a standards and certification body that helps organizations manage information security, privacy, and regulatory compliance.

Organizations that achieve HITRUST certification have passed the framework checks and have shown an ability to adhere to the security requirements of HIPAA. 

Then there is the HITRUST CSF framework.

What is HITRUST CSF?

The HITRUST CSF is a certifiable security and privacy controls framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Developed in collaboration with data protection professionals, the HITRUST CSF provides structure, transparency, guidance, and cross-references to 40+ authoritative sources, standardizing requirements and providing clarity and consistency. The HITRUST CSF is regularly updated as mapped authoritative sources change and new sources are introduced. Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through various factors, including organization type, size, systems, and regulatory requirements.

The HITRUST CSF assurance program combines aspects of many popular security frameworks, including ISO, NIST, PCI, and HIPAA. So it’s not limited to just evaluating companies based on HIPAA requirements. There is a roadmap that organizations can follow to achieve data security and compliance with HIPAA. 

Why is HITRUST Important in Healthcare?

Whether you are a healthcare provider or a processor of healthcare information, you have a big responsibility to ensure that you protect that information. Not only is this heavily mandated through regulations like HIPAA, but your potential clients will want to know that you can uphold these standards as part of their requirements for doing business with you. Being HITRUST certified is one way companies can demonstrate their commitment to security and privacy to potential clients and business partners.

HITRUST vs. HIPAA

The relationship between HITRUST and HIPAA can be confusing at first. However, it's essential to understand that they are not the same but are closely related. HIPAA stands for the Health Insurance Portability & Accountability Act and was passed by Congress in 1996. While HIPAA is a regulation created by lawmakers, HITRUST is a framework developed by security experts that covers key aspects of HIPAA compliance and draws from dozens of other authoritative sources as well.

One of the issues organizations face with HIPAA compliance is translating somewhat vague requirements into quantifiable and measurable criteria and objectives. HITRUST helps companies achieve this by providing a framework for identifying the organization’s appropriate administrative, technical, and physical safeguards. 

HITRUST Certification Requirements

Now that we’ve discussed the value of HITRUST in the healthcare industry, let’s look at how a company can become certified. For an organization to become HITRUST certified, it must undergo a validated assessment by a HITRUST assessor firm. The company must purchase a MyCSF subscription from HITRUST and a certification report credit. Upon completion of the validated review, the organization will submit the corrective action plans required for issues that were found. The assessor firm will, in turn, assess the company’s compliance with HITRUST CSF requirements and submit the assessment to HITRUST to spot-check the assessment results. If no significant problems are identified beyond what was found in the assessment, then the organization will be awarded HITRUST certification. 

HITRUST Assessment Levels

HITRUST offers three levels of assessment: the basic, current-state assessment (bC); the HITRUST Implemented, 1-year assessment (i1); and the HITRUST risk-based, 2-year assessment (r2).


HITRUST bC Assessment

This is the starting point for organizations seeking a HITRUST assessment. It is a standardized self-assessment that companies can perform without hiring an external assessor. It focuses on good hygiene and performs simple validations by applying HITRUST’s Intelligence Engine. The level of effort required is the lowest of all three, and it provides the lowest level of assurance and results in no HITRUST Certification. 

HITRUST i1 Validated Assessment + Certification

This assessment is considered a validation of cybersecurity best practices and is well-suited for environments with moderate risk. HITRUST stated that this assessment would be threat-adaptive to reflect the evolving threat landscape and include a static list of required security controls. The level of effort required is considered moderate by HITRUST, but it gives a good level of assurance and allows you to get a one-year certification by HITRUST. The i1 assessment must be completed annually or replaced by an r2 Validated Assessment on or before the anniversary of the i1 submission.

HITRUST r2 Validated Assessment + Certification

This fully tailored assessment considers multiple risk factors relevant to the company that is undergoing the assessment to determine its scope. The r2 is most suitable for high-risk scenarios where high-level assurance is required or expected. When an external assessor completes this, it results in a two-year certification for HITRUST as opposed to 1 year under i1. 

What is HITRUST MyCSF?

The MyCSF tool is a SaaS platform that helps organizations navigate and prepare for the HITRUST assessment process. It allows organizations to manage information risk and meet international, federal, and state regulations around privacy and security. It also helps organizations understand the gaps between their current state and international standards and best practices. Some of its key features include:

MyCSF Compliance and Reporting Pack for HIPAA:

The tool automatically compiles the list of evidence collected from your HITRUST assessment process and provides recommendations on what is required to ensure HIPAA compliance. The information from your assessments is consolidated into a report formatted by HIPAA control and populated with evidence that can be shared directly with the Office for Civil Rights (OCR) investigators.

Custom Assessments:

It can tailor assessments to fit your organization’s needs by focusing on specific regulatory factors or specific control requirements individually.

Assurance Intelligence Engine:

This feature provides automated checks that evaluate your assessment documentation and flag potential errors that may slow down the assessment review process.

Recap

Healthcare is one of the most heavily regulated industries for data security and privacy. This is why frameworks like HITRUST were created. HITRUST is not a regulation but a security framework and certification that demonstrates that the certified company adheres to security best practices, particularly the security requirements of HIPAA. Organizations that want to achieve HITRUST certification must complete an i1 or r2 assessment by a HITRUST-certified external assessor. This certification allows other organizations to verify that the company has the proper security controls to protect PHI in its environment. The MyCSF tool is a SaaS platform that helps organizations govern risk and prepare for a HITRUST assessment. If you want help getting your organization certified in HITRUST, you can book some time with one of our HITRUST experts.

Shukla CPA, d.b.a. Accorian Assurance is a licensed, certified public accounting firm registered with the American Institute of Certified Public Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp d.b.a. Accorian is a global leader in cybersecurity and compliance professional services.

© 2023 Accorian. All Rights Reserved.
