FAQ - Compliance

FAQ

CYBERSECURITY & COMPLIANCE GENERAL QUESTIONS

What is cybersecurity?

Definition: cybersecurity (a.k.a. computer network security) is the specialization of computer security that consists of the technologies, policies, and procedures that protect networked computer systems from unauthorized use or harm. Broadly speaking, cybersecurity topics can be subdivided into two complementary areas: cyberattacks, which are essentially offensive and emphasize network penetration techniques; and cyber defenses, which are essentially protective and emphasize counter-measures intended to eliminate or mitigate cyberattacks.

Who do cyberattacks “attack”?

Cyberattacks can take aim at the enterprise, government, military, and other infrastructural assets of a nation or its citizens, where these assets can include physical infrastructure (e.g., power grids, nuclear reactors) as well as computational infrastructure (e.g., computers, networks). Cyberattacks can be classified by their participating actors (states vs. non-states) and by their attack mechanisms (e.g., direct attack, malware, exploits).

Why do we need cybersecurity?

The increasing reliance of our information age economies and governments on cyber (computer-based) infrastructure makes them progressively more vulnerable to cyberattacks on our computer systems, networks, and data. In their most disruptive form, cyberattacks target the enterprise, government, military, or other infrastructural assets of a nation or its citizens. Both the volume and sophistication of cyber threats (cyber warfare, cyber terrorism, cyber espionage, and malicious hacking) are monotonically increasing, and pose potent threats to our enterprise, government, military, or other infrastructural assets. Knowing that to be forewarned is to be forearmed, we are well-advised to put in place strong cybersecurity defenses that will thwart rapidly evolving cyber threats.

What are the different types of cyberattacks?

The most common malware types are viruses, worms, trojans, and bots.

Should I be leery of buying online?

You should be especially leery when buying goods or services online, particularly from an unknown or untrusted source. In general you should:
    • Check that the website is secure: the URL starts with “https://” and the browser shows a small “padlock” image, usually in the top left-hand corner (see #5 above). Note that HTTPS only means the connection to the site is encrypted; it does not by itself vouch for the merchant.
    • Select the item(s) you wish to purchase, add them to your Shopping Cart (temporary storage), and proceed to the Check Out page to pay.
    • Enter your payment details (name, address, phone number, email, credit card #, CVV #, etc.) as needed.
    • Verify that the shipping and billing information is correct.
    • Confirm payment and keep a soft copy of the payment information.

NIST QUESTIONS

Why should SMBs care about cybersecurity?

Cybersecurity is vitally important to a business’s bottom line. Cybersecurity breaches cost businesses billions of dollars in lost revenue and loss of productivity every year. The impact on reputation and the loss of customers’ trust can cause long term damage to a small business.

What is the Framework, and what is it designed to accomplish?

The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Is my organization required to use the Framework?

No. Use of the Framework is voluntary.

Does it provide a recommended checklist of what all organizations should do?

The Framework is guidance. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework should not be implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations.

Why should an organization use the Framework?

The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives of organizations. Organizations can also readily use the Framework to communicate the current or desired cybersecurity posture between a buyer and a supplier.

GDPR QUESTIONS

What is GDPR?

The General Data Protection Regulation is a European Union law that was implemented May 25, 2018, and requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. The regulation includes seven principles of data protection that must be implemented and eight privacy rights that must be facilitated. It also empowers member state-level data protection authorities to enforce the GDPR with sanctions and fines. The GDPR replaced the 1995 Data Protection Directive, which created a country-by-country patchwork of data protection laws. The GDPR, passed in European Parliament by an overwhelming majority, unifies the EU under a single data protection regime.

Who must comply with the GDPR?

Any organization that processes the personal data of people in the EU must comply with the GDPR. “Processing” is a broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on. Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies.

What are the GDPR fines?

The GDPR allows the data protection authorities in each country to issue sanctions and fines to organizations they find in violation. The maximum penalty is €20 million or 4% of global revenue, whichever is higher. Data protection authorities can also issue sanctions, such as bans on data processing or public reprimands.

How do I comply with the GDPR?

Organizations can comply with the GDPR by implementing technical and operational safeguards to protect the personal data they control. The first step is to conduct a GDPR assessment to determine what personal data they control, where it is located, and how it is secured. They must also adhere to the privacy principles outlined in the GDPR, such as obtaining consent and ensuring data portability. You may also be required to appoint a Data Protection Officer and update your privacy notice, among other organizational measures.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is an employee within your organization who is responsible for understanding the GDPR and ensuring your organization’s compliance. The DPO is the main point of contact for the data protection authority. Typically, the DPO has knowledge of both information technology and law.

Does the GDPR require encryption?

The GDPR requires organizations to implement “appropriate technical and organizational measures” to secure personal data and provides a shortlist of options for doing so, including encryption. In many cases, encryption is the most feasible method of securing personal data. For instance, if you regularly send emails within your organization that contain personal information, it may be more efficient to use an encrypted email service than to anonymize the information each time.

CCPA QUESTIONS

What is CCPA?

California enacted, in June 2018, the California Consumer Privacy Act (CCPA). The CCPA constitutes the broadest and most comprehensive privacy law in the United States to date. The CCPA is the beginning of “America’s GDPR.” The CCPA provides for both a limited private right of action for Consumers and more robust enforcement capabilities for the California attorney general.

When did CCPA go into effect?

The CCPA went into effect on January 1, 2020. Similar to the GDPR, the CCPA will require organizations to focus on the correct handling of user data and transparency in how they’re collecting, sharing and using such data. Failure to comply with CCPA regulations can lead to fines of up to $7,500 per violation. Therefore, it is paramount that companies employing or serving California residents become CCPA compliant, if they are not already.

What does VCR mean?

Verifiable Consumer Request (VCR): A “Verifiable Consumer Request” means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information or is a person authorized by the Consumer to act on such Consumer’s behalf. The attorney general will need to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can deem a request from a Consumer who is already logged into a service to be verified.

Are there exceptions to the CCPA?

The CCPA DOES NOT apply to:

* Medical information collected by a covered entity governed by the Health Insurance Portability and Accountability Act (HIPAA) or California Confidentiality of Medical Information Act (CMIA); entities subject to HIPAA or CMIA; or information collected as part of a clinical trial.

* Information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994.

* Personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or California Financial Privacy Information Act.

* The sale of personal information to or from a consumer reporting agency to be reported in or used to generate a consumer report.

* Cooperation with law enforcement agencies or exercising/defending legal claims.

* Efforts to comply with federal, state, or local law; a civil, criminal, or regulatory investigation; or a subpoena or summons.

* Until January 1, 2021: Personal information collected from job applicants, employees, owners, directors, staff, officers and contractors of a business (except that employees will be subject to the right-to-know notification requirements).

* Vehicle information and vehicle ownership information retained or shared by dealers and vehicle manufacturers for warranty or recall-related repair.

* Until January 1, 2021: Personal information about an employee, owner, director, officer or contractor collected pursuant to due diligence or business-to-business communications or transactions.

What activities related to Personal Information (PI) should be documented?

To begin, create a Data Map documenting:

  • What Personal Information you hold;
  • Where that Personal Information came from;
  • How that Personal Information was collected;
  • How that Personal Information is used;
  • Where the Personal Information is stored and when it is deleted;
  • Who that Personal Information is shared with or sold to;
  • Why that Personal Information remains held;
  • Whether the business knows, or can reasonably ascertain, the age of the Consumer;
  • Whether the Consumer has any type of account with the Business.

CMMC QUESTIONS

What is the Cyber Security Maturity Model Certification?

The Cyber Security Maturity Model Certification is the Department of Defense’s (DoD) newest verification process created to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks. The CMMC will be mandatory for a wide range of manufacturers and businesses beginning January 1, 2020.

How do I know what level my business will need?

The CMMC comprises five separate levels of certification. Depending on what type of CUI your company handles, you will be required to be certified at one of these 5 levels. The higher the level of certification, the more comprehensive your cyber hygiene must be.

  • CMMC Level 1 | Basic Cyber Hygiene | 17 security controls (NIST SP 800-171 rev 1)
  • CMMC Level 2 | Intermediate Cyber Hygiene | 46 security controls (NIST SP 800-171 rev 1)
  • CMMC Level 3 | Good Cyber Hygiene | 47 security controls (NIST SP 800-171 rev 1)
  • CMMC Level 4 | Proactive | 26 security controls (NIST SP 800-171B)
  • CMMC Level 5 | Advanced/Progressive | 4 security controls (NIST SP 800-171B)

What is CUI?

CUI stands for “Controlled Unclassified Information”. “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Examples of CUI could be information regarding:

  • Critical Infrastructure
  • Finance
  • Law Enforcement
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy

What is DIB?

DIB: The Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.