WELCOME TO THE SECOND ARC CONTENT UPDATE OF THE YEAR! - EDGILE
Welcome to the second ArC Content update of the year! We’re pleased to reconnect and bring you up to speed on the ArC enhancements made over the past quarter.

Keeping up with cybersecurity risks

This past year, the accelerated digital transformation of the economy has exacerbated the cybersecurity-related risks and events faced by organizations across the globe. Between the SolarWinds and San Francisco water treatment plant breaches earlier this year and the recent Colonial Pipeline and JBS Foods ransomware attacks, organizations across all sectors are placing a renewed focus on strengthening and protecting their critical assets and infrastructure. While cyberattacks can strike suddenly, considerable preparation is needed to mitigate such risks in a way that limits downside impact and improves overall security and organizational agility.

Managing modern cybersecurity risks begins with aligning the strategic objectives of the Risk, Security and IT Operations teams. These core stakeholder groups are often hampered by disconnected teams, manual processes, multiple siloed tools and fragmented data flows that further complicate cross-functional communication. To bridge the widening information gaps between Risk, Security and IT Operations stakeholders, integration between the domain-relevant tools and their related process flows is key. Consolidating Security Incident Response (SIR), Vulnerability Response (VR) and Threat Intelligence (TI) tooling on a centralized, workflow-driven platform gives organizations the shared insight they need to shift their cybersecurity risk posture from reactive to proactive.
Edgile’s Risk and Security practice is actively helping clients solve interconnected risk and security challenges by integrating the ServiceNow Integrated Risk Management and Security Operations applications, using intelligent automation to drive process efficiencies.

What’s new with ArC?

Edgile’s harmonized ArC Content Library now contains over 570 laws, regulations and best-practice frameworks! The Q2 2021 content release adds 22 new authoritative sources to the library across our three core risk taxonomies: Information Technology Risk Management (ITRM), Operational Risk Management (ORM) and Enterprise Risk Management (ERM). Additions to the ArC Master Library for this quarter include:

• Expanded cybersecurity and data privacy controls through several key sources, including the Virginia Consumer Data Protection Act, Center for Internet Security (CIS) Controls v8 and NIST SP 800-53B.
• Updated utility and energy infrastructure-related sources, including the NERC Critical Infrastructure Protection (CIP) standards and the International Organization for Standardization (ISO) 50001 publication.
• New financial and operational risk management focused laws and frameworks, including Federal Reserve Board Supervision and Regulation (SR) Letters, Basel Committee operational risk standards, Farm Credit Administration directives, EU Solvency II mandates, the Hong Kong Monetary Authority (HKMA) Cyber Resilience Assessment Framework, People’s Republic of China laws on banking and cybersecurity, and the FFIEC Cloud Computing Security joint statement.

Scroll down to see this quarter’s library updates, new sources, retired sources and noteworthy regulatory news, as well as what’s coming in Q3 2021.
Master Library Updates

The attached “Quarterly Update – Edgile ArC Content (Q2 2021)” document includes instructions for requesting updated content packs for your GRC environment, instructions for requesting the addition of new sources to the ArC Master Library, and the full listing of the 570 active sources maintained in the Master Library. The attached “Digest – Edgile ArC Content (Q2 2021)” document provides a quarterly overview of noteworthy regulatory changes and compliance enforcement activities that occurred during the quarter.

As an ArC Content Service subscriber, you may request source content updates for your GRC platform at any time. If you have any questions about how to request updated source content packs or how to load the updated content into your library, or would otherwise like assistance, please contact us at ArC@edgile.com.

New Sources Added
Source ID 634 | NERC CIP-003-8
Cyber Security – Security Management Controls
Per NERC, the purpose of this source is to specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
* This source updates and replaces Source ID 207 (“NERC CIP-003-6 Cyber Security – Security Management Controls”), which is now retired.

Source ID 635 | NERC CIP-005-7
Cyber Security – Electronic Security Perimeter(s)
Per NERC, the purpose of this source is to manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
* This source updates and replaces Source ID 37 (“NERC CIP-005-5 – Cyber Security – Electronic Security Perimeter(s)”), which is now retired.

Source ID 636 | NERC CIP-010-4
Cyber Security – Configuration Change Management and Vulnerability Assessments
Per NERC, the purpose of this source is to prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
* This source updates and replaces Source ID 220 (“NERC CIP-010-2 – Cyber Security – Configuration Change Management and Vulnerability Assessments”), which is now retired.

Source ID 637 | NERC CIP-013-2
Cyber Security – Supply Chain Risk Management
Per NERC, the purpose of this source is to mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.
Source ID 638 | Farm Credit Administration (FCA) Examination Manual
Per FCA, the purpose of the Examination Manual is to provide procedures and guidance for examining Farm Credit System (System) institutions. The Examination Manual is updated to reflect changes in laws, regulations or other examination criteria, and to address new or emerging risks and changes in the System or its products and services.
Source ID 639 | Farm Credit Administration (FCA) Informational Memorandum
Maintaining and Using Stockholder Lists
Per FCA, the purpose of this memorandum is to provide Farm Credit System institutions with guidance on maintaining stockholder lists and using these lists to establish who should receive voting and financial information.

Source ID 640 | Federal Reserve Board of Governors – Supervision and Regulation (SR) Letter 13-1 / CA 13-1
Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing
Per the Federal Reserve, the purpose of this letter is to provide institutions with additional guidance related to the interagency guidance issued in 2003, which remains in effect.

Source ID 641 | Federal Reserve Board of Governors – Supervision and Regulation (SR) Letter 10-11
Interagency Examination Procedures for Reviewing Compliance with the Unlawful Internet Gambling Enforcement Act of 2006
Per the Federal Reserve, the purpose of this letter is to provide interagency guidance for reviewing compliance by supervised financial institutions with the final rule implementing the Unlawful Internet Gambling Enforcement Act of 2006 (UIGEA).

Source ID 642 | Federal Reserve Board of Governors – Supervision and Regulation (SR) Letter 03-5
Amended Interagency Guidance on the Internal Audit Function and Its Outsourcing
Per the Federal Reserve, the purpose of this letter is to provide supervisory policy regarding the external auditor, consistent with the prohibition on outsourcing internal audit work to the external auditor imposed by the Sarbanes-Oxley Act of 2002 and the pertinent regulations of the U.S. Securities and Exchange Commission.
Source ID 643 | Federal Reserve Board of Governors – Supervision and Regulation (SR) Letter 96-37
Supervisory Guidance on Required Absences from Sensitive Positions
Per the Federal Reserve, the purpose of this letter is to provide guidance intended to ensure that each banking organization assesses its significant risk areas and, with few exceptions, requires that employees in sensitive positions not be allowed to transact or otherwise carry out their assigned duties for a minimum of two consecutive weeks.

Source ID 644 | Virginia Consumer Data Protection Act
Per the Virginia Senate, the purpose of the bill is to establish a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process the personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors. It does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumers the rights to access, correct, delete and obtain a copy of their personal data, and to opt out of the processing of personal data for the purposes of targeted advertising. It provides that the Attorney General has exclusive authority to enforce violations of the law, and creates the Consumer Privacy Fund to support this effort. The bill has a delayed effective date of January 1, 2023.

Source ID 645 | ISO 50001:2018
Energy Management Systems – Requirements with Guidance for Use
Per ISO, the purpose of this document is to specify requirements for establishing, implementing, maintaining and improving an energy management system (EnMS). The intended outcome is to enable an organization to follow a systematic approach in achieving continual improvement of energy performance and of the EnMS itself.

Source ID 646 | Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009
On the Taking-Up and Pursuit of the Business of Insurance and Reinsurance (Solvency II)
Per the European Union, the purpose of the Solvency II regime is to introduce for the first time a harmonized, sound and robust prudential framework for insurance firms in the EU. It is based on the risk profile of each individual insurance company in order to promote comparability, transparency and competitiveness.
Source ID 647 | NIST SP 800-53B
Control Baselines for Information Systems and Organizations
Per NIST, the purpose of this publication is to establish security and privacy control baselines for federal information systems and organizations and to provide tailoring guidance for those baselines.

Source ID 648 | CIS Controls v8
Per the Center for Internet Security, the purpose of this control framework is to prioritize a set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. The controls contained within are mapped to and referenced by multiple legal, regulatory and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, work-from-home and changing attacker tactics prompted the update, which supports an enterprise’s security as it moves to both fully cloud and hybrid environments.
* This source updates and replaces Source ID 288 (“CIS Critical Security Controls v6.1”) and Source ID 483 (“CIS Controls Version 7”), which are now retired.
Source ID 649 | Basel Committee on Banking Supervision: Revisions to the Principles for the Sound Management of Operational Risk
Per the Basel Committee on Banking Supervision, the purpose of this set of revisions is to (i) assess the extent to which banks have implemented the Principles; (ii) identify significant gaps in implementation; and (iii) highlight emerging and noteworthy operational risk management practices at banks not currently addressed by the Principles.

Source ID 650 | Basel Committee on Banking Supervision: Principles for Operational Resilience
Per the Basel Committee on Banking Supervision, the purpose of this document is to promote a principles-based approach to improving operational resilience. The principles aim to strengthen banks’ ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures or natural disasters. The approach builds on the revisions to the Committee’s Principles for the Sound Management of Operational Risk (Source ID 276), and draws from previously issued principles on corporate governance for banks, as well as outsourcing-, business continuity- and relevant risk management-related guidance.

Source ID 651 | U.S. Department of State – Foreign Affairs Manual
Per the U.S. Department of State, the purpose of the Foreign Affairs Manual is to provide a single, comprehensive and authoritative source for the Department’s organization structures, policies and procedures that govern the operations of the State Department, the Foreign Service and, when applicable, other federal agencies. The Foreign Affairs Manual (generally policy) and the Handbooks (generally procedures) together convey codified information to Department staff and contractors so they can carry out their responsibilities in accordance with statutory, executive and Department mandates.
Source ID 652 | Law of the People’s Republic of China on The People’s Bank of China
Per the legal document, the purpose of the law is to define the status of and make clear the functions and responsibilities of the People’s Bank of China, ensure the correct formulation and implementation of the monetary policy of the State, establish and improve a macro-economic management system through a central bank, and maintain financial stability.

Source ID 653 | Hong Kong Monetary Authority (HKMA) Cyber Resilience Assessment Framework v2.0
Per the Hong Kong Monetary Authority, this framework is the first pillar of the HKMA’s Cybersecurity Fortification Initiative, which aims to further strengthen the cyber resilience of authorized institutions in Hong Kong through three core pillars, namely (i) the Cyber Resilience Assessment Framework (C-RAF); (ii) the Cyber Intelligence Sharing Platform; and (iii) the Professional Development Programme. The scope of the assessment set out in the C-RAF covers those systems, infrastructure, processes and people supporting an authorized institution’s (AI’s) Hong Kong business and operations.

Source ID 654 | Federal Financial Institutions Examination Council (FFIEC) – Security in a Cloud Computing Environment
Per the FFIEC, the purpose of this document is to address the use of cloud computing services and security risk management principles for the financial services sector.

Source ID 655 | Cybersecurity Law of the People’s Republic of China
Per the legal document, the purpose of the law is to ensure cybersecurity, safeguard cyberspace sovereignty and national security, and protect social and public interests. Additionally, the law seeks to protect the lawful rights and interests of citizens, legal persons and other organizations, as well as to promote the healthy development of the informatization of the economy and society.

Noteworthy Regulatory News

Executive Order on improving the nation’s cybersecurity

On May 12, President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” which outlines a set of directives and initiatives to strengthen the cybersecurity posture of the nation’s public and private sectors and protect their critical digital assets. The highlights of the Executive Order include:

• Removing barriers to government / private sector threat-information sharing, and requiring IT service providers to share breach information that could impact government networks.
• Implementing stronger cybersecurity standards and best practices within the Federal government, including the adoption of secure cloud services, zero-trust architecture, multifactor authentication and data encryption.
• Bolstering software supply chain security by establishing a set of baseline software development security standards, defining a category of “critical software,” and requiring the provision of a Software Bill of Materials (SBOM) to purchasers.
• Creating a Cyber Safety Review Board to review and analyze significant cyber incidents and make recommendations for improving cybersecurity and incident response practices.
• Establishing a standardized playbook and set of definitions to guide cyber incident response activities by Federal departments and agencies.
• Ensuring employment of appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on Federal government networks, including the deployment of an Endpoint Detection and Response (EDR) initiative.
• Establishing requirements for cybersecurity event logging, log retention and log management by Federal departments and agencies.
Enforcement Activity (SEC)

In June, the Securities and Exchange Commission (SEC) announced the settlement of charges against First American Financial Corporation, a real estate settlement services company, arising out of alleged violations of Rule 13a-15(a) under the Exchange Act, which requires subject entities to maintain, and regularly evaluate, disclosure controls and procedures. The alleged failures related to a cybersecurity vulnerability in an image-sharing application that exposed sensitive customer data: the company’s information security staff had identified the vulnerability but had not remediated it, and senior management was not timely advised of it. First American agreed to pay a $487,616 penalty as part of the settlement.

Enforcement Activity (FTC)

In April, the FTC announced a settlement with Vivint Smart Home, Inc., a Utah-based home security and monitoring company, over allegations that it improperly obtained credit reports to help unqualified customers receive financing for its products and services, in violation of the Fair Credit Reporting Act. The FTC also alleged that Vivint failed to establish an identity theft prevention program, a violation of the FTC’s Red Flags Rule. As part of the settlement, Vivint agreed to pay a $15 million civil penalty and an additional $5 million to compensate affected consumers.

In June, the FTC announced a settlement with the operators of the MoviePass subscription service over allegations that they actively blocked subscribers from using the service and failed to secure subscribers’ personal information. Under the settlement, MoviePass, Inc., its parent company and their principals are barred from misrepresenting their business and data security practices. Additionally, any business controlled by the parties must implement a comprehensive information security program and obtain a biennial assessment of that program by a third party.

Enforcement Activity (HHS/OCR – HIPAA)

In May, HHS/OCR announced a settlement with Peachstate Health Management, LLC, a Georgia-based clinical laboratory testing services provider, over allegations of systemic noncompliance with the HIPAA Security Rule. The alleged deficiencies included failure to conduct an enterprise-wide risk analysis, failure to implement risk management and audit controls, and failure to maintain required HIPAA Security Rule documentation. Under the terms of the settlement, Peachstate agreed to pay $25,000 to HHS/OCR and to implement a corrective action plan.

In June, HHS/OCR announced its nineteenth enforcement action settlement under its HIPAA Right of Access Initiative. The purpose of the Initiative is to “support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.” Under the terms of the settlement, the Diabetes, Endocrinology & Lipidology Center, Inc., a healthcare provider based in West Virginia, agreed to pay $5,000 and implement a corrective action plan, including two years of monitoring.

Looking Ahead to Q3 2021

Privacy Legislation

Colorado has become the third state to pass a comprehensive consumer data privacy law (joining California and Virginia) through passage of the Colorado Privacy Act (CPA). The CPA is expected to be signed into law by Governor Polis and would become effective on July 1, 2023. The CPA applies to legal entities that conduct business in Colorado or produce commercial products or services that are intentionally targeted to Colorado residents, and that either:

• control or process the personal data of more than 100,000 consumers per calendar year; or
• derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

The law grants consumers the following rights:

• the right to opt out of certain processing of their personal data;
• the right to access their personal data;
• the right to correct their personal data;
• the right to delete their personal data; and
• the right to obtain a portable copy of their personal data.

The CPA specifies the obligations of data controllers and processors, including heightened duties for “sensitive” data. It defines a “controller” as a person that, alone or jointly with others, determines the purposes and means of processing personal data, and a “processor” as a person that processes personal data on behalf of a controller. The CPA specifies that a violation of its requirements is a deceptive trade practice, but limits enforcement to the attorney general or district attorneys (there is no private right of action for violations).
NAIC Insurance Data Security Model Law Adoption

Maine, Iowa, North Dakota and Tennessee recently passed versions of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. The Model Law establishes data security standards for insurers and requires them and other entities licensed by state insurance departments to establish, implement and maintain an information security program, investigate cybersecurity events, and notify the state insurance commissioner of such events. Individual states are free to adopt variations of the Model Law’s provisions, so affected insurance licensees are advised to review the relevant enacted versions to identify their applicable requirements.
International Data Transfers

The European Commission adopted new Standard Contractual Clauses (SCCs) on June 4, with official publication expected within weeks. The new SCCs become effective twenty (20) days after publication in the Official Journal of the European Union, and the old SCCs will be repealed three months after that date. The Commission’s decision contains a sunset clause whereby:

• entities entering into new contracts must use the new SCCs after the date of repeal; and
• entities that concluded contracts on the old SCCs before the date of repeal may continue to rely on them for fifteen (15) months following the date of repeal, creating a transition period of eighteen (18) months after the effective date for those companies.

Historically, the SCCs addressed only two transfer scenarios (controller to controller, and controller to processor). The new SCCs take a more expansive, modular approach that covers four data transfer scenarios:

1. Controller to Controller
2. Controller to Processor
3. Processor to Processor
4. Processor to Controller

The new SCCs can be used not only by controllers and processors established in the European Economic Area (EEA), but also by controllers or processors not established in the EU whose processing activities are subject to the GDPR. Significantly, although the new SCCs contain several provisions addressing the Schrems II decision, affected entities will still need to assess transfer risks and consider whether additional safeguards are needed to protect personal data in the destination country.

Please contact us at ArC@edgile.com with suggestions on ways to improve the ArC Content Service, to share ideas for new or emerging sources, or to request support with Security and Privacy, IT Compliance, or other GRC matters. A current paid subscription is required to receive the quarterly updates. Thank you, and we appreciate your business.
Edgile: We Secure the Modern Enterprise (SM)

Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations. We provide advisory consulting, expert implementation and ongoing managed services across three interrelated disciplines: Information Security; Risk and Compliance; and Modern Identity. By transforming risk into opportunity, Edgile secures the modern enterprise through solutions that increase business agility and create competitive advantages for clients. Edgile services 27 of the Fortune 100 and 90 of the Fortune 500. Visit us at edgile.com.