vCISO

You’ve heard of a Chief Information Security Officer, but what about a virtual CISO (also known as a vCISO)? A vCISO is a part-time, executive-level consultant who serves as an Information Security advisor for businesses of many sizes. Rather than pay a full-time CISO a hefty salary and benefits, many small and medium-sized companies bring a vCISO aboard to help them align Information Security with business needs.

vCISOs have input on everything related to Information Security, from audits and policies to disaster recovery planning and cybersecurity hygiene. You can read more about each facet of the vCISO’s scope on this page:

Audits

Aside from providing invaluable insights, vCISOs help their consultees prepare for PCI, HIPAA and SOX audits, which are a potential cause for concern in many cases. These audits are done to help ensure that your business is keeping its customers’ and clients’ personal information safe (in the case of PCI and HIPAA) and keeping accounting records responsibly and honestly (in the case of SOX). You can read more about these audits below.

Payment Card Industry (PCI) Compliance

All merchants that process credit card transactions must follow the PCI Data Security Standard (DSS). The PCI DSS is not run by any government organization or single entity; it is an agreed set of standards from all the major card companies, who perform routine and investigative audits.

Audits are usually handled by private security assessment companies hired by the card company’s insurance provider. You may undergo regular audits (monthly and yearly), or an alleged violation may trigger one.

Consequences for data breaches due to PCI violations are severe, and for good reason. Punitive measures vary from processor to processor, but they generally follow these lines:

  • Stiff penalties: compliance fines range anywhere from $100 to $1.5 million per violation, depending on the merchant’s level and volume of business. Keep in mind that each customer affected counts as one violation: if you lose 100 customers’ information, you’re facing 100 violations.

  • Loss of reputation and brand image: your reputation is perhaps your most important asset. If it’s damaged from a data breach or a failed audit, it’s hard to gain that trust back.

  • Legal costs: if you’re sued by consumers or banks, you could be looking at a small fortune in legal fees to sort it all out.

  • Costs for forensics, investigations and identity monitoring: you could be on the hook paying for 3rd-party professional investigators to verify what went wrong, and you could be responsible for paying for identity and credit monitoring for all those affected.

Use a pre-audit checklist to make sure you’re covered before the audit. It’s also advisable to centralize all important data and follow good organizational processes. See this resource for more information on PCI compliance: https://squareup.com/guides/pci-compliance.

Health Insurance Portability and Accountability Act (HIPAA) Compliance

HIPAA provides security and data privacy provisions to keep patients’ medical information safe. It is enforced by the US Department of Health and Human Services Office for Civil Rights (OCR). The act contains 5 sections, called titles:

  • Title I protects health insurance coverage for those who have lost or changed jobs, and prevents group health plans from refusing coverage for pre-existing diseases or conditions, or from setting lifetime coverage limits

  • Title II standardizes the processing procedures of electronic healthcare information

  • Title III is related to tax provisions and general healthcare guidelines

  • Title IV sets out further health insurance reform, including provisions for people with pre-existing diseases and conditions

  • Title V includes provisions for company-owned insurance plans and treatment of those who lost their citizenship for tax reasons

For the purposes of cybersecurity, HIPAA audits focus on Title II, also known as the “Administrative Simplification” provisions, which include the following rules:

  • National Provider Identifier Standard: requires every health care provider—both individuals and organizations—to have a 10-digit identifying code called a National Provider Identifier (NPI)

  • Transactions and Code Sets Standards: requires organizations to follow standards for electronic data interchange (EDI) when processing or submitting insurance claims

  • HIPAA Privacy Rule: establishes national standards to safeguard patients’ protected health information (PHI). The Privacy Rule covers records in all formats, including physical records.

  • HIPAA Security Rule: similar to the Privacy Rule, but focuses on administrative, technical and physical safeguards for electronic PHI (ePHI)

  • HIPAA Enforcement Rule: sets the guidelines for investigating HIPAA violations

The OCR conducts periodic audits to ensure all providers and individuals remain compliant. Audits are primarily a compliance improvement activity, so failed audits don’t necessarily mean you’ll incur penalties. However, the penalties for an actual HIPAA violation are incredibly costly.

Penalties are based on the level of negligence and the number of patients affected. Fines can range from $100 to $50,000 per violation (or per record), with a maximum of $1.5 million per year for an identical provision (e.g., you can be fined a maximum of $1.5 million for failing to secure patient ePHI and another maximum of $1.5 million for not following EDI standards).

Certain violations can also carry criminal charges that could result in jail time.

Fines and charges are broken down into 2 categories: “reasonable cause” and “willful neglect.” Reasonable cause violations range from $100 to $50,000 per violation with no jail time, and willful neglect violations range from $10,000 to $50,000 per violation with potential for jail time.

Sarbanes-Oxley (SOX) Compliance

The SOX Act was passed in 2002 to shield investors and the public from accounting errors and fraudulent practices, in response to the financial scandals at Enron, WorldCom, Tyco and others. SOX was enacted to improve the reliability of companies’ financial reporting and to restore public trust in government oversight of corporate crimes.

All public companies must comply with SOX, which includes being subject to routine audits and complying with financial regulations, but some provisions apply to all business entities, including private companies and non-profit organizations.

There are 2 key sections for SOX compliance: Sections 302 and 404.

Section 302 involves “Corporate Responsibility for Financial Reports,” and it requires that CEOs and CFOs review all financial reports to make sure they’re “fairly presented” and contain no misrepresentations.

Section 404 involves “Management Assessment of Internal Controls.” It requires that businesses publish details of their internal accounting controls and financial reporting procedures as part of their annual financial reports. It also requires executives to certify the company’s statements and holds them personally liable if the SEC finds violations.

Other important provisions include the following:

  • Companies must disclose all off-balance-sheet transactions and relationships that could affect financial status

  • Executives may not receive any sort of personal loan from the corporation

  • Fines and prison terms for document tampering

Though the SEC oversees all corporate financial regulations, audits are conducted by independent third-party assessors hired by the corporation. All accounting firms that audit public companies must register with the Public Company Accounting Oversight Board (PCAOB), which enforces SOX compliance for these firms.

Policies

Having sensible and comprehensive policies and management protocols is a huge part of running a secure business. vCISOs help their consultees prepare these policies, which cover a number of business operations.

Acceptable Use Policies (AUP)

Sometimes called an Internet & Email Policy, Internet AUP, Network AUP, or Acceptable IT Use Policy, these policies provide guidelines and policy statements on what behavior is acceptable for users connected to the company’s network. Each company’s AUP will be different, but most of them carry common provisions like the following:

  • Not using the service to violate any laws

  • Not attempting to break the security of any network or user

  • Not posting to social media about or as the company

  • Not sending spam emails and solicitations

Remote Access Policies

These policies outline how employees can remotely access the company’s internal network while working away from the office. Remote access policies help companies secure these remote connections and close vulnerabilities that attackers can exploit. They specify how a user can connect to the network and the requirements a system must meet before connecting. They should cover all available connection methods:

  • Cable modem

  • Dial-in (SLIP, PPP)

  • ISDN/Frame Relay

  • Telnet access from the internet

Mobile Device Management Policies (MDM)

Otherwise known as Bring Your Own Device (BYOD) policies, MDM policies set procedures, standards and restrictions for all end users connecting to a company’s network with a personal device, such as the following:

  • Smartphones, tablets and other mobile devices

  • eReaders and other portable media devices

  • Laptops and other computers

  • Wearable tech devices like smartwatches

  • Any device that can store data and connect to a network

Each of these policies is critical for maintaining security and closing the vulnerabilities inherent in office networks and productivity practices like remote access and BYOD. Your vCISO will help you spell out all policies, along with the repercussions for violating any of their provisions.

Disaster recovery planning

For when things go wrong, having a Disaster Recovery Plan is key to mitigating and recovering from failures in your security measures. There are countless ways for disasters, large or small, to happen.

What if your cloud provider went bankrupt? You’d lose all of your data with no way to get it back. What if your server crashed? Your whole network would go down until it’s back up and running. What if a hacker breached your network and got to your data? You’d have a whole heap of trouble on your hands. For all of these scenarios and many more, you should have plans in place, and all parties should know their roles in those plans.

Your vCISO has probably seen it all and prepared many a Disaster Recovery Plan. They will help you get your bases covered so that you’re prepared when disaster strikes.

Cybersecurity hygiene

All of these policies and plans will be much easier to manage if you and your employees practice good cybersecurity hygiene. The term refers to the best practices and activities that system admins and end users can follow to minimize the potential for disaster.

Good cybersecurity hygiene includes, but is definitely not limited to, the following practices:

  • Requiring strong passwords and two-factor or multi-factor authentication (2FA/MFA)

  • Using anti-virus and other malware protection services and updating them regularly

  • Keeping “white lists” (authorized users) and “black lists” (unauthorized users) updated

  • Making sure all routers and firewalls are installed and configured correctly and keeping computer networks physically segmented

  • Updating all operating systems and keeping software up to date with security patches

Once again, your vCISO is here to help by encouraging good cybersecurity hygiene and training employees on best practices.