Compliance Kit - head start on meeting all mandated requirements
Everything from an industry-standard White Paper to a detailed audit program - compliant with GDPR, HIPAA, FIPS 199, ISO, and mandated security and business continuity requirements
Recent ransomware attacks have focused most C-level executives on asset security and compliance as more business is conducted on the Internet. In addition, failing to meet compliance mandates exposes enterprises to damaged reputations and fines. The Compliance Management Kit provides tools that, when properly implemented, minimize those risks. It is the must-have tool for meeting mandated governmental and industry compliance objectives.
The Kit comes in three versions. Each version contains the Compliance Management White Paper, a self-scoring Security Audit Program, a PCI Audit Program, and 25 key job descriptions, including a six-page description for the Chief Compliance Officer.
Compliance Management - Gold Edition
- Compliance Management White Paper
- HIPAA Audit Program
- Security Audit Program
- PCI Audit Program
- Compliance Management Job Descriptions (25 key positions)
- Record Classification and Management Policy - Word - Policy which complies with mandated US, EU, and ISO requirements
- Privacy Compliance Policy that addresses the EU's GDPR and the latest California Consumer Privacy Act
Compliance Management Kit
Janco offers a full range of tools to help enterprises of all sizes address these issues. The Compliance Management Kit provides the infrastructure tools necessary to address these mandated requirements.
- License Conditions
- Compliance Management
- Compliance Requirements
- Record Classification, Management, Retention, and Destruction
- ISO Security Domains
- ISO 27000
- Governmental Mandates
- California Consumer Privacy Act (CaCPA)
- California SB 1386 Personal Information Privacy
- FTC Information Safeguards
- General Data Protection Regulation (GDPR)
- Gramm-Leach-Bliley (Financial Services Modernization)
- Massachusetts 201 CMR 17.00 Data Protection Requirements
- Sarbanes-Oxley Act
- State Security Breach Notification Laws
- Compliance Tools Purchase Options
- COBIT Edition
- Version History
With corporations' greater dependence on open Internet-based systems, there has been a notable increase in fraud and theft. In 2021, 70% of companies were impacted by IT-related fraud. IT-related fraud is now the most common security threat that enterprises of all types and sizes face. IT professionals also need to be concerned with the protection of sensitive information in the new mobile computing environment.
Janco, in its monthly interviews of CIOs, found that one in three organizations has experienced some type of fraud associated with their systems.
Janco conducted a security survey of 827 senior executives, 62 percent of them at the C-suite level. Over seventy percent of CIOs and CFOs said their companies had experienced fraud in the previous 12 months, compared to 61 percent in 2021. The fraud they found went beyond IT systems.
Types of Cyberattacks
During the survey the analysts found 7 primary types of cyberattacks, including ransomware.
- Mass Phishing
- Financial Fraud
- Vendor Fraud
- Credential Phishing
- Account Takeover
Top 10 Enterprise Security Weaknesses
A number of enterprise-wide security weaknesses were drivers of the breaches. If followed, mandated security and privacy compliance requirements are the best lines of defense.
The top 10 security weaknesses we have identified are:
- Using only single-level verification for access to sensitive data - Password authentication is more easily cracked than cryptographic key-based authentication. The purpose of a password is to make the login credentials needed to access a secure resource easy to remember; however, biometric or key-based authentication is a stronger method that makes credentials far more difficult to crack.
- Having “public” workstations or access points connected to a secure network - If a workstation that anyone can use or reboot is connected to a secure resource, you can't guarantee it is secure. Keyloggers, compromised network encryption clients, and other tricks of the malicious security cracker's trade can all give someone unauthorized access to sensitive data regardless of the secured networks, encrypted communications, and other networking protections you employ.
- Work-from-home controls - With the rapid deployment of WFH, sufficient controls were not implemented.
- Sharing login credentials - The more login credentials are shared, the more likely they are known by too many people, including people who should not have access to the system. The more they are shared, the more difficult it is to establish an audit trail to help track down the source of a problem. The more they are shared, the greater the number of people affected when logins need to be changed due to a security breach or threat.
- Static passwords - No formal process requires passwords to be changed over time, or after an employee leaves the enterprise or is terminated.
- Connecting to the network from an insecure access point - When traveling, avoid connecting from open Wi-Fi networks, networks with unknown or uncertain security characteristics, or those with known poor security such as wireless access points in coffee shops. This is especially important whenever you must log in to a server or website for administrative purposes or otherwise access secure resources. If you must access the website or web server while connected to an unsecured network, use a secure proxy so that your connection to the secure resource originates from a proxy on a secured network.
- A corporate website is encrypted but the login process is not - Encrypting a session after login is useful, but failing to encrypt the login itself is a bit like leaving the key in the lock after locking the barn door. Even if a login form POSTs to an encrypted resource, in many cases this can be circumvented by a malicious security cracker who develops their own login form to access the same resource and gain access to sensitive data.
- Using weak encryption for back-end management - Using Windows Remote Desktop without an encrypted user ID and password in a non-VPN environment opens your site to the world. Using proprietary, platform-specific technologies often leads to resistance to the use of strong encryption for website access. Cross-platform-compatible strong encryption such as SSH is usually preferable to platform-specific, weaker encryption tools such as Windows Remote Desktop.
- Using unencrypted or weak encryption for website or web server management - Using unencrypted connections (or even connections using only weak encryption), such as unencrypted FTP or HTTP, for website or web server management opens you up to man-in-the-middle attacks and login/password sniffing. Use encrypted protocols such as SSH to access secure resources, with verifiably secure tools. Once someone has intercepted your login and password information, that person can do anything you could have done.