Throughout my career, I’ve listened to and participated in the debate surrounding security vs. compliance. Most often it seems that those involved feel as though they need to take one side or the other, and that co-mingling the two is more of a necessary evil than an activity that provides value to the overall security strategy and program. In this blog, we’ll identify the differences between security compliance and security in general and highlight the potential benefits of a robust security compliance program.

WHAT IS SECURITY

Security is a journey. It’s a collection of people, processes, and technologies operating at multiple layers within the organization that should work together to strengthen a company’s overall security profile and ultimately protect its digital and non-digital assets. While journeys typically include a beginning and an end, I would argue that the security journey has no end. Good luck finding a CISO or security executive who will openly admit that their company has achieved security, or who can truthfully state that they are able to sleep through the night without any concern for the assets they’ve been charged to protect. The task of securing a company’s assets is a daunting endeavor. With the constant barrage of automated alerts, weekly releases of newly discovered vulnerabilities, and relentless attacks from a growing list of known and unknown bad actors, the challenges posed by external forces appear to be never-ending. Coupled with constant requests from internal teams to use the latest unproven or untested technology and a queue full of internal requests to integrate and share data with external vendors, who can blame today’s security executive for losing sleep? While many battles within the security journey can be won, the security war is endless and rages on with no end in sight.
What is IT Security Compliance?

IT or security compliance is the activity that a company or organization engages in to demonstrate or prove, typically through an audit, that it meets the security requirements or objectives identified or established by an external party. That list of security requirements could be as simple as a list of security objectives that a customer or business partner deems critical or pertinent to the established or proposed business relationship. It could also be a much more complex and lengthier list of controls and objectives (i.e. a security framework) established by external professional organizations, specific industries, or government agencies. It’s easier for a company, customer, or business partner to adopt an industry-recognized framework than to establish its own set of criteria; however, some companies may have a framework dictated to them by the industry they operate in or by regulatory obligations, e.g. Payment Card Industry, healthcare, DOD, etc. Recognized and established third-party security frameworks, certifications, or reports include, but are not limited to, ISO 27001, NIST 800-53, PCI, HIPAA, and SOC 2 reports. The resulting certifications or reports demonstrate to customers, business partners (i.e. user organizations), and potential regulators that the company or service organization has achieved compliance, per the opinion of an independent auditor, with the security controls and objectives identified within the applicable framework. Demonstrating compliance with a recognized security report or certification relieves the service organization of the burden of having to open its doors to multiple auditors from several different user organizations that may want to validate the service organization’s security operations.
It can also simplify a user organization’s vendor management process by allowing it to place reliance on the work of an independent auditor rather than having to build out or expand its own technical audit team.

Does Compliance Equal Security?

Yes and no. Passing a security audit or obtaining a certification or a report that demonstrates your organization complies with an industry-accepted security standard or framework is a big deal. It definitely adds value and strengthens the overall security program. Depending on the certification obtained, the achievement demonstrates that a company has invested time, money, and resources into its people, processes, and technology to design, implement, and operate in accordance with a defined security framework. It is important to remember, however, that security compliance standards or frameworks aren’t one-size-fits-all and aren’t all-encompassing. It would be an impossible feat for one organization, regulatory body, or agency to define a security framework that identifies and mitigates all security risks for every company that chooses to adopt it. No two companies’ security risk profiles or technology landscapes are the same. A security framework attempts to establish a baseline, or identify a high-level suite of control activities, applicable to all organizations regardless of their size, technology footprint, or industry. In other words, IT compliance frameworks establish an excellent security foundation for the additional security activities that a company should engage in, based on identified risks, to secure its organization. So yes, security compliance absolutely helps a company establish, strengthen, and add value to its Information Security Management System. However, the security journey will require additional effort beyond the baseline control activities identified in a security framework.

How Can Security Compliance Help My Company?

Security compliance can identify gaps in a security program.
Some security practitioners may have a difficult time identifying the benefits of security compliance within their security program. In their minds, security compliance may act more as an inhibitor to the company’s progress and efficiency than as a benefit. While strong security programs can be established without compliance, some of the more foundational or baseline security controls can at times be overlooked or forgotten. This is typically the result of increasing demands being placed on security organizations and the need to focus on the more complex security risks facing a company. For organizations that aren’t required to adhere to a compliance framework, it has proven beneficial to perform a gap assessment against a recognized compliance standard. This validates whether their security program addresses all identified baseline security controls. It can be an eye-opening experience when potential gaps or areas for improvement are identified.

Why is Security Compliance Important?

Security compliance also helps to establish governance, formality, ownership, and accountability within your security program. Sometimes security compliance is referred to as a burden or a waste of time. However, the documentation requirements surrounding policy, procedure, frequency, and preservation of evidence should help to establish confidence that security objectives and control activities are uniformly understood throughout the organization and that assignments or ownership have been designated and defined. Clearly defined ownership of risks, controls, and data also establishes accountability, which instills more confidence in a team’s ability to execute against stated objectives.

Security Compliance – The Importance of Reporting

Security compliance reporting provides an effective and formal method to measure and evaluate performance against stated control objectives that otherwise may not occur.
Again, the reporting should not be considered an all-encompassing reflection of all security activities and initiatives within the company, but it should act as an effective report card on performance against the baseline set of controls identified by the adopted framework. When compliance with stated security objectives is measured and reported on via compliance reporting, a clearer picture emerges of which areas of the security program may require more focus and attention, which further helps to prioritize and perhaps realign resources. Compliance with a recognized security standard also strengthens a company’s reputation within the marketplace and continues to become the norm for business relationships as more scrutiny is placed on a company’s internal security practices, its sub-service providers, and those it chooses to share data with. Compliance with a recognized security standard becomes even more critical when the data being processed includes PII, PCI, or PHI, as the number of different privacy and security regulations continues to grow.

Conclusion

To sum it up, security compliance is not the be-all-end-all security silver bullet that it is sometimes made out to be. Establishing an effective security program will require additional effort above and beyond demonstrating alignment with an applicable security framework. However, while achieving compliance with a security framework doesn’t represent the completion of the security journey, it does complement and provide several benefits to a company’s overall security program. It can demonstrate to external parties that security has been established as a critical component of the company’s overall business objectives and strategy.
Proactive Risk is an independent assessment firm that specializes in cyber security. If you have any additional questions or are interested in retaining our services, please contact us.

I received a call this week from a Fortune 500 business; the organization had a problem and wanted to do a meeting related to cyber security centrality analysis. I suggested that we engage with our standard agreement and schedule time to meet and go over the details of the matter. Although we have published lots of guides and tools for FREE online, there was an expectation that all knowledge and experience is "free". The experience reminded me of the story of "The Giant Navy Ship":

A giant ship engine failed. The ship’s owners tried one expert after another, but none of them could figure out how to fix the engine. Then they brought in an old man who had been fixing ships since he was young. He carried a large bag of tools with him, and when he arrived, he immediately went to work. He inspected the engine very carefully, top to bottom. Two of the ship’s owners were there, watching this man, hoping he would know what to do. After looking things over, the old man reached into his bag and pulled out a small hammer. He gently tapped something. Instantly, the engine lurched into life. He carefully put his hammer away. The engine was fixed! A week later, the owners received a bill from the old man for ten thousand dollars. “What?!” the owners exclaimed. “He hardly did anything!” So they wrote the old man a note saying, “Please send us an itemized bill.” The man sent a bill that read:

Tapping with a hammer………………….. $ 2.00
Knowing where to tap…………………….. $ 9,998.00

Effort is important, but knowing where to make an effort makes all the difference!

For an IT managed services company to effectively take over the helpdesk, operations, and security for a small business with, for example, 10-1000 devices, several key items and levels of access will need to be provided.
This ensures the service provider has all the necessary tools and permissions to manage your IT infrastructure efficiently and securely.
Here's a general checklist:
We invite you to download our complimentary Cybersecurity Checklist or explore our managed service, ManageIT, by ProactiveRISK for more detailed information.

The Federal Trade Commission recently amended the Safeguards Rule, 16 C.F.R. § 314.1, et seq., with significant changes to how an information security program should be designed, what it must include, and who needs to be in charge. Some may note the similarity to the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies, N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00, et seq.
The Rule is now considerably lengthier, but not all the amendments added anything new or substantive. In this article we will explain which changes look new but are not, which are new and substantial, which do not apply to small businesses, and when certain provisions go into effect.

THE RULE

The Rule was promulgated under the Gramm-Leach-Bliley Act which, in part, requires the FTC to issue rules setting forth standards that financial institutions must implement to safeguard certain information. The Rule applies to customer information held by non-banking financial institutions and “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of [that information].” The Rule provides this non-inclusive list of entities that are considered financial institutions under the Gramm-Leach-Bliley Act and subject to the rule:
THE AMENDMENTS

The amendments to the Rule became effective Jan. 10, 2022, although some of the most important provisions are not effective until Dec. 9, 2022. The FTC summarized the highlights as providing:
WHAT’S NOT NEW

Section 314.1 – Purpose and Scope. Although amended subsection (b) appears significantly lengthier, it simply incorporates the definition of “financial institution” from the Privacy Rule, as modified and with examples, “to allow the Rule to be read on its own, without reference to the Privacy Rule.”

Section 314.2 – Eleven Old Definitions. Previously, the Rule had only three defined terms and a general provision explaining that the terms used in the Rule had the same meaning as those defined in the Privacy Rule, 16 C.F.R. § 313.3. Now, the Rule has 18 defined terms, but the majority have been carried over from the Privacy Rule to “improve clarity and ease of use.” The Rule’s pre-amendment terms and those carried over from the Privacy Rule without substantive change are:
WHAT’S NEW

Section 314.2 – Seven New Definitions. As mentioned above, most of the defined terms are newly added to this section but not new to the Rule, because they were previously cross-referenced to their definitions in the Privacy Rule. Following are the seven new terms, and one that has been modified:
Section 314.6 – Exceptions. This “small business” section identifies certain provisions of § 314.4 that “do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.” Those provisions are identified below.

WHAT’S HOT

Section 314.4 – Elements. This section has been completely overhauled, and now explains with specificity the elements, new and old, that must be included in an information security program. Except where indicated, these elements must be incorporated by Dec. 9, 2022. In summary, the elements checklist includes:
COMPLIANCE

The elements described in § 314.4 are not new concepts and many entities are already compliant. However, because the elements are now far more specific and detailed than before, we recommend those subject to the Rule compare its elements to those of their own programs to ensure compliance, leaving time for compliance by Dec. 9, 2022.
Published in CPO Magazine April 6th 2022

Post-COVID, a growing number of mid-sized businesses are merging with and acquiring other companies to adapt, grow, and expand. This process takes a tremendous amount of preparation and research. From business financials and intellectual property to contracts and tax issues, there is much to be done to help ensure a successful M&A transaction. Among the top considerations during the M&A process should be your technical controls. Specifically, you need to pay close attention to the software bill of materials (SBOM) and several other vital areas of your technology-enabled business. If the target organization cannot demonstrate technical maturity, it will be scored lower and may ultimately see a reduced acquiring offer, or the gap may be a deal-breaker altogether. During the due diligence process, be prepared to present and describe your software-based technology product with documentation. Expected during a technical due diligence review are architectural diagrams, scalability, and performance metrics. Technology choices made, including programming languages, databases, and infrastructure choices, will be reviewed. Your key staff must also be able to describe your software development practices and provide details on continuous deployment environments. In particular, a review of the OWASP Top 10 2021 List is recommended. Be certain that you are able to answer questions about how you ensure code quality in a hostile internet-connected environment and perform an independent third-party code audit. Depending on the reason for the merger or acquisition, it could be equally important to have technical controls in place for the operations side of the business. Here it’s important to evaluate how data is processed in 17 key areas:
Remember – confidentiality, integrity, and availability are important considerations for your technology choices from day one. Be certain to use a company that has been accredited to perform valuable third-party assessments, with proven policies, processes, and procedures to validate your technology and environment. With a credible third-party validation of your technical maturity, you can ensure that the technical elements of your due diligence will enhance acquisition offers and simplify the integration process.
For more information, contact us on how we can help you be proactive.

Published in Information Security Buzz
Scrutiny over data protection and privacy, and over the reporting and analysis behind a powerful threat defense, is moving to the boardroom as organizations see the need to take a closer look at just how effective their security posture is. In a report, Gartner labels it ‘A New Era of Risk Reporting to the Board,’ noting that “Board members are increasingly aware and concerned about the importance of information security.” Gartner also notes that discussions have evolved from standard security metrics to understanding the enterprise-wide ramifications of information security risks. Boards now expect analysis and reporting of the organization’s cyber resilience at the same level as other formal mandatory reporting and company controls. However, executing a cyber resilience strategy is easier said than done, particularly for small or mid-sized businesses that do not have the skills or expertise in house, or for large organizations dealing with legacy or complex, interconnected business models.

Aligning Controls with the Threat Landscape

Historically, the security controls used to monitor the output and efficiency of a company have been based around the areas of policy, process, procedures, and management, along with technical, physical, and personnel metrics. In today’s world of constant cyber threats these areas are still valid, but they must be reinforced with the ability to consider the controls in the context of the threats to which the organisation is exposed. This context is provided by the results of cyber incident responses, the exchange of cyber-attack information via information exchanges, CERTs (Computer Emergency Response Teams), and the fast-emerging threat intelligence industry. The additional information makes it possible to review and consider all the controls in the context of the current threat landscape. Then it is possible to justify new spend to deploy appropriate controls to further mitigate risk.
For the first time, the availability of this almost real-time threat information allows security teams to react to a change in threat and prevent a breach. This is a better response strategy than waiting for a successful attack or simply trying to contain a threat once the network flags anomalous behavior. Although an abundance of information is becoming available on how to protect a business, the issue is: what is considered effective, and what can demonstrate that the business has taken the appropriate action to protect itself and any personal data? Analyzing security options from this perspective of corporate governance will form the basis for building a cyber-resilient operation. An example of why this is important has been the growth of controls covering health and safety. Mandatory compliance regulations and reporting are now standard practice. Should there be a serious health and safety issue, the mandatory reports are used to provide evidence of best practices and help demonstrate compliance. This has not only helped to protect people but has also become part of the corporate culture.

Taking Corporate Responsibility for Cyber Resilience

Assessing the business value of cyber resilience comes in several forms. A privacy breach, for example, can damage customer goodwill for the long term. Compliance violations and fines can damage the confidence of stakeholders and even impact board tenure. Gartner notes that organizations need to create their own value chain, looking at the continuum of security/risk dependencies, IT dependencies, business processes, and business outcomes, and determining the causal relationships connected to each dependency. The message is that reporting tied to business value needs this level of analysis to support board evaluation of risk and to determine risk tolerance.
In parallel, the cyber security industry is now working with regulators and businesses alike to develop the concept of a set of formal statements around cyber resilience that provide evidence of best practices and proportionality, backed up by standards, technical assessments, maturity models, and a number of other relevant metrics. These documents will then be signed off by suitably credentialed professionals from within the cyber security industry and combined to provide an overall opinion on the company’s cyber security resilience. Through more extensive risk reporting and analysis, and by standardizing on cyber resilience criteria within the security industry, boardrooms will be able to make better-informed assessments of their company’s risk posture and plan more carefully for investments in a more secure future. What are your thoughts on the topic?

If your organization runs an OWA server exposed to the internet, assume compromise between 02/26 and 03/03. Check for 8-character .aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you’re now in incident response mode.
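The file check above, written out as a script. This is an added example and not tooling from the original post: it walks the directory the post names, flags every .aspx file whose name (minus extension) is exactly eight characters, and records a SHA-256 per hit so the result can be compared against a web shell hash list you obtain from a published IOC set (no hashes are included here). The sample directory tree it runs on by default is constructed inline; the `known_hashes` argument and the `hunt_aspx.py` file name are assumptions for the example.

```python
"""Hunt for short, randomly named .aspx files under the ASP.NET client directory.

Added example, not part of the original post. It implements the check the post
describes (eight-character .aspx files under
C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\) as a portable Python script and
records a SHA-256 per hit so results can be compared against published web
shell hash lists. The sample directory tree is constructed inline; the hash
list is an input you supply when running it for real.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Path named in the post; pass another root on the command line to override.
DEFAULT_ROOT = Path(r"C:\inetpub\wwwroot\aspnet_client\system_web")


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspect_aspx(root: Path, name_len: int = 8, known_hashes=frozenset()) -> list[dict]:
    """Return every *.aspx under root whose basename (minus extension) is exactly
    name_len characters, with size, SHA-256 and whether the hash is a known IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() != ".aspx" or len(p.stem) != name_len:
                continue
            digest = sha256_of(p)
            hits.append({"path": str(p), "size": p.stat().st_size,
                         "sha256": digest, "known_ioc": digest in known_hashes})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> Path:
    """Constructed sample: two suspicious names (one nested), two benign files."""
    root = Path(tempfile.mkdtemp(prefix="system_web_"))
    (root / "abcdefgh.aspx").write_text("constructed placeholder A, not a real page")
    (root / "index.aspx").write_text("constructed placeholder, benign name")
    sub = root / "sub"
    sub.mkdir()
    (sub / "zyxwvuts.aspx").write_text("constructed placeholder B, not a real page")
    (sub / "notes.txt").write_text("benign")
    return root


if __name__ == "__main__":
    # Real use (assumed file name): python hunt_aspx.py "C:\inetpub\wwwroot\aspnet_client\system_web"
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
    elif DEFAULT_ROOT.is_dir():
        root = DEFAULT_ROOT
    else:
        root = build_sample_tree()
    hits = find_suspect_aspx(root)
    for h in hits:
        print(f"{h['sha256']}  {h['size']:>8}  {h['path']}")
    if hits:
        print(f"{len(hits)} candidate file(s): treat as an incident until triaged")
```

A hit on name length alone is a triage lead, not a verdict: the hash comparison is what turns it into a confirmed match, and a candidate with an unknown hash still warrants a look at its contents and creation time before it is cleared.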
Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected. Update [03/04/2020]: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise. We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, Azure Sentinel advanced hunting queries, and Microsoft Defender for Endpoint product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation. 
Microsoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also published a blog post with their analysis. It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.

Who is HAFNIUM?

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

Technical details

Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program.
Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit. CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Attack details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below: Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:
HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users. Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise.

Can I determine if I have been compromised by this activity?

The below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.

Check patch levels of Exchange Server

The Microsoft Exchange Server team has published a blog post on these new Security Updates providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.

Scan Exchange log files for indicators of compromise

The Exchange Server team has created a script to run a check for HAFNIUM IOCs to address performance and memory concerns. That script is available here: https://github.com/microsoft/CSS-Exchange/tree/main/Security.
Host IOCs

Hashes

Web shell hashes
Customers should monitor these paths for LSASS dumps:
Microsoft Defender Antivirus detections

Please note that some of these detections are generic detections and not unique to this campaign or these exploits.
Microsoft Defender for Endpoint advanced hunting queries

Microsoft 365 Defender customers can find related hunting queries below or at this GitHub location: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/ Additional queries and information are available via the Threat Analytics portal for Microsoft Defender customers.

UMWorkerProcess.exe in Exchange creating abnormal content

Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of the CVE-2021-26858 vulnerability:

DeviceFileEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "CacheCleanup.bin"
| where FileName !endswith ".txt"
| where FileName !endswith ".LOG"
| where FileName !endswith ".cfg"
| where FileName != "cleanup.bin"

UMWorkerProcess.exe spawning

Look for Microsoft Exchange Server’s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of the CVE-2021-26857 vulnerability:

DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "wermgr.exe"
| where FileName != "WerFault.exe"

Please note excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise due to the service crashing during deserialization.

Azure Sentinel advanced hunting queries

Azure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/.
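The filters from the Defender for Endpoint queries above and the Sentinel SecurityEvent queries that follow, re-implemented in plain Python as an added example. This is not code from the original post and not Microsoft's published queries; it exists so the logic (including the exclusions and the `summarize` grouping) can be exercised offline against constructed sample events before a team trusts its own variant of these queries. KQL's `endswith`, `has` and `contains` are case-insensitive, which is mirrored with lower-cased comparisons; `has` (a term match) is approximated here as a substring match, and the computer and account names in the sample events are constructed.

```python
"""Offline re-implementation of the hunting logic from the KQL queries on this page.

Added example, not part of the original post and not Microsoft's published
queries. It mirrors the filters of the DeviceFileEvents, DeviceProcessEvents
and SecurityEvent (EventID 4688) queries so the logic can be exercised against
the constructed sample records below. KQL endswith/has/contains are
case-insensitive, mirrored here with lower-cased comparisons; 'has' (term
match) is approximated as a substring match.
"""
from datetime import datetime

# Indicator strings taken verbatim from the queries in the post.
NISHANG_MARKER = "$client = New-Object System.Net.Sockets.TCPClient"
POWERCAT_URL = "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"
EXCHANGE_SNAPIN = "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"

PS_HOSTS = ("powershell.exe", "powershell_ise.exe")
SHELL_HOSTS = ("cmd.exe",) + PS_HOSTS
UM_BENIGN_FILES = ("cachecleanup.bin", "cleanup.bin")
UM_BENIGN_SUFFIXES = (".txt", ".log", ".cfg")
UM_BENIGN_CHILDREN = ("wermgr.exe", "werfault.exe")

# Constructed sample telemetry (not real events; host and account are placeholders).
FILE_EVENTS = [
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "CacheCleanup.bin"},
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "UMService.LOG"},
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "zyxwvuts.aspx"},
    {"InitiatingProcessFileName": "w3wp.exe", "FileName": "zyxwvuts.aspx"},
]
PROCESS_EVENTS = [
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "WerFault.exe"},
    {"InitiatingProcessFileName": "UMWorkerProcess.exe", "FileName": "cmd.exe"},
    {"InitiatingProcessFileName": "MSExchangeMailboxAssistants.exe", "FileName": "cmd.exe"},
]


def _ev(ts, proc, cmd, event_id=4688):
    """Build one constructed Windows security event record."""
    return {"EventID": event_id, "TimeGenerated": ts, "Computer": "EXCH01",
            "Account": "EXAMPLE\\svc-um", "Process": proc, "CommandLine": cmd}


SECURITY_EVENTS = [
    _ev("2021-03-02T10:15:00", "powershell.exe", "powershell.exe -c " + NISHANG_MARKER + "(...)"),
    _ev("2021-03-02T10:16:00", "cmd.exe", "cmd.exe /c ... " + POWERCAT_URL + " ..."),
    _ev("2021-03-02T10:20:00", "powershell.exe", "powershell.exe " + EXCHANGE_SNAPIN + "; ..."),
    _ev("2021-03-02T10:25:00", "powershell.exe", "powershell.exe " + EXCHANGE_SNAPIN + "; ..."),
    _ev("2021-03-02T10:30:00", "notepad.exe", "notepad.exe"),
    _ev("2021-03-02T10:31:00", "", "", event_id=4624),  # not a process-creation event
]


def um_abnormal_files(file_events):
    """DeviceFileEvents query: UMWorkerProcess.exe writing anything but its normal files."""
    hits = []
    for e in file_events:
        if e["InitiatingProcessFileName"].lower() != "umworkerprocess.exe":
            continue
        name = e["FileName"].lower()
        if name in UM_BENIGN_FILES or name.endswith(UM_BENIGN_SUFFIXES):
            continue
        hits.append(e)
    return hits


def um_abnormal_children(process_events):
    """DeviceProcessEvents query: UMWorkerProcess.exe spawning anything but WER."""
    return [e for e in process_events
            if e["InitiatingProcessFileName"].lower() == "umworkerprocess.exe"
            and e["FileName"].lower() not in UM_BENIGN_CHILDREN]


def suspicious_4688(security_events):
    """SecurityEvent queries: yields (rule, event) for each matching 4688 record."""
    hits = []
    for e in security_events:
        if e["EventID"] != 4688:
            continue
        proc = e["Process"].lower()
        cmd = (e.get("CommandLine") or "").lower()
        if proc in PS_HOSTS and NISHANG_MARKER.lower() in cmd:
            hits.append(("nishang_reverse_shell", e))
        if proc in SHELL_HOSTS and POWERCAT_URL.lower() in cmd:
            hits.append(("powercat_download", e))
        if proc in SHELL_HOSTS and cmd and EXCHANGE_SNAPIN.lower() in cmd:  # isnotempty(CommandLine)
            hits.append(("exchange_snapin_loaded", e))
    return hits


def summarize_snapin(security_events):
    """Mirror of 'summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated)
    by Computer, Account, CommandLine' for the Exchange snap-in rule."""
    spans = {}
    for rule, e in suspicious_4688(security_events):
        if rule != "exchange_snapin_loaded":
            continue
        key = (e["Computer"], e["Account"], e["CommandLine"])
        ts = datetime.fromisoformat(e["TimeGenerated"])
        first, last = spans.get(key, (ts, ts))
        spans[key] = (min(first, ts), max(last, ts))
    return spans


if __name__ == "__main__":
    for e in um_abnormal_files(FILE_EVENTS) + um_abnormal_children(PROCESS_EVENTS):
        print("UMWorkerProcess anomaly:", e)
    for rule, e in suspicious_4688(SECURITY_EVENTS):
        print(rule, e["TimeGenerated"], e["CommandLine"])
    for (host, acct, cmd), (first, last) in summarize_snapin(SECURITY_EVENTS).items():
        print(f"snap-in on {host} by {acct}: first {first}, last {last}")
```

The snap-in rule deliberately reports only that the Exchange snap-in was loaded, as the post says: the grouped first-seen/last-seen window is the starting point for reading the surrounding command lines, not a verdict on its own.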
Look for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:

SecurityEvent
| where EventID == 4688
| where Process has_any ("powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"

Look for downloads of PowerCat in cmd and PowerShell command line logging in Windows Event Logs:

SecurityEvent
| where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"

Look for the Exchange PowerShell Snapin being loaded. This can be used to export mailbox data; subsequent command lines should be inspected to verify usage:

SecurityEvent
| where EventID == 4688
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where isnotempty(CommandLine)
| where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine

It’s going to be a busy week...

CREST is short for Council of Registered Ethical Security Testers
The Council of Registered Ethical Security Testers (CREST) is a not-for-profit certification body and trade association for the technical information security industry, established in 2006. CREST was established in response to the clear need in the technical information security marketplace for a more regulated professional services industry. By looking for CREST accreditation, organizations buying penetration testing services get the assurance that the work will be carried out by trusted companies and qualified individuals with up-to-date knowledge, skills and competence to deal with the latest vulnerabilities and techniques used by real attackers. All assessments and examinations used to evaluate companies and individuals have been reviewed and approved by GCHQ/CESG. CREST accreditation also ensures that technical penetration testing capabilities are supported by appropriate policies, processes and procedures for conducting this type of work and for the integrity and protection of client information. For those organizations that have experienced a cyber security attack, or are trying to reduce the likelihood or severity of such an attack, CREST’s Cyber Security Incident Response scheme is endorsed by GCHQ and CPNI. It focuses on appropriate standards for incident response aligned to demand from all sectors of industry, government, the wider public sector and academia. Companies included in this scheme have demonstrated that they meet the high standards required to help organizations plan for, manage and recover from significant cyber security related incidents. These companies will also have access to professional CREST-qualified staff in intrusion analysis and reverse engineering. Penetration testing and cyber incident response services provided under the CREST banner are also supported by comprehensive codes of conduct for both the company and the individual.
These codes are used to ensure the quality of the services provided, the integrity of the companies and individuals, and adherence to audited policies, processes and procedures. CREST is also part of a consortium with the IISP and Royal Holloway, University of London to provide examinations for Security Architects under the CESG Certified Professional Scheme. The introduction of this accreditation for the technical security industry is part of a concerted move to increase professionalism. Conducting its own research and working closely with e-Skills UK, academia and training organizations, CREST provides a structured approach for entry into the industry and sets out professional development pathways for those wishing to progress. CREST has member companies in a number of countries and a formally established Chapter in Australia that has the full support of the Australian Government. CREST now also has a USA Chapter; for more information see the CREST USA page.

US Cybersecurity Maturity Model Certification (CMMC) Webinar: Overview, Updates and Opportunities
8/1/2020
Watch the webinar for an introduction and overview of the US Cybersecurity Maturity Model Certification (CMMC). Key CMMC stakeholders share the practical steps that an organization can take in order to prepare for CMMC requirements; discuss market opportunities resulting from CMMC; and explain the role of tools in conducting CMMC assessments.
The Panel:
Karlton Johnson – Vice Chairman, Board of Directors of CMMC
Katie Arrington – CISO, A&S Organization, Department of Defense
Charlie Tupitza – Cybersecurity & Data Breach Protection Lead, SBA
Tony Sager – Senior Vice President, Center for Internet Security
Phil Lewis – COO, Titania
Armando Seay – Director, Maryland Innovation and Security Institute (MISI)
Moderator: Tom Brennan – Chairman, CREST USA / ProactiveRISK

Updated 11/10: Additional information can be found in the DFARS summary.