It is Cybersecurity Awareness Month! Every October we are reminded of the threats that our cybersecurity is up against. It is no surprise that employees make their way to the top of the vulnerability lists each year. It is time we created a culture of cybersecurity in the workplace.

Employees are often an organization’s weakest link. Whether because of a lack of funding or a misunderstanding of cybersecurity best practices, security awareness training often becomes an afterthought. The reality is that security awareness training is a vital part of your cybersecurity that cannot be skipped. If even one person is unaware of cybersecurity best practices, they could unknowingly compromise the integrity of your security and disrupt your business processes. There is an endless number of ways this can happen: someone failing to recognize a phishing attempt, reusing weak passwords, not properly disposing of sensitive documents, neglecting company-wide security policies, or falling victim to any of the other tactics, techniques, and procedures (TTPs) used by malicious hackers.

To battle the outbreak of human error in cybersecurity, many information security frameworks and regulations have made security awareness training a requirement.

  • What are the security awareness training requirements from each framework?
  • What does your organization need to do to ensure compliance with these standards?
  • How can security awareness training offer you peace of mind?

What Do Common Frameworks Require for Security Awareness Training?

  • SOC 2
    • AICPA (American Institute of Certified Public Accountants) explains that to earn compliance with common criteria 2.2, entities must “communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
  • ISO 27001/27002
    • According to Requirement 8.2.2 of ISO 27001, “All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”
  • PCI DSS
    • According to requirement 12.6 of the PCI (Payment Card Industry) DSS (Data Security Standard), entities must implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  • NIST 800-53
    • According to requirement AT-2, an organization is responsible for “providing basic security awareness training to information system users.” There are also two control enhancements that encourage practical exercises simulating insider and outsider cyber-attacks.
  • HIPAA Security Rule
    • According to the administrative safeguard, 45 CFR 164.308(a)(5), covered entities and business associates must “implement a security awareness and training program for all members of its workforce.”
  • HIPAA Privacy Rule
    • According to the administrative requirements under the HIPAA Privacy Rule, 45 CFR 164.530(b)(1) says, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information… as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
  • GDPR
    • According to Article 39(1)(b), Data Protection Officers are responsible for “monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits…”
  • FISMA
    • According to U.S.C. 3544(b)(4)(A), (B) under FISMA, entities are required to implement “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”

Prepare Your People for Cyber Threats

How can the regular training of your employees be a critical component of your organization’s compliance and security? It has everything to do with it. By offering these resources to your employees, you are ensuring that they are aware of your company’s cybersecurity policies and your industry’s best practices. Security awareness training can help minimize your organization’s risk of a data breach, thus protecting your sensitive company data and your brand reputation. Security awareness training costs less than 1% of what the average breach costs, which makes the regular training of your employees worth the investment 100 times over.

What’s New With NIST 800-53 and Penetration Testing?

In September of 2020, NIST released Revision 5 to SP 800-53. Now, a year later, the changes will take effect on September 23. A common theme throughout this new revision is real-world simulation becoming an expected cybersecurity best practice for U.S. federal government agencies and contractors.

The world of technology and cybersecurity is rapidly evolving. With new tactics and techniques uncovered every day, organizations need to strengthen the types of tests they employ.

Control Enhancements Related to Pen Test Best Practices

There are three revised controls – AT-2, CA-7, and CA-8 – that have to do with cyber simulation and penetration testing:

1. NIST AT-2: Literacy Awareness and Training

In NIST AT-2, there is narrative about training your employees by putting them through “practical exercises.” What do those practical exercises look like?

NIST’s enhancement narrative explains that social engineering exercises are the most practical way to educate and test your employees. In this context, social engineering is an ethical hacker’s attempt to gain unauthorized access, collect information, and/or simulate the impact of an employee opening a malicious email attachment or spear-phishing link.

Most organizations do not put their employees through interactive training. Instead, employees are asked to complete online modules with no practical exercises. To be trained on something, you need to have practiced it. Online module security training is great for educating employees, but that education needs to be paired with an applicable real-world scenario for the employee to practice. Think of it as a lecture followed by homework. People need to exercise what they learn to be properly trained.

Are you tired of online modules not sticking with your employees? Practice makes perfect. Put them through real-world simulations to test their awareness.

2. NIST CA-7: Continuous Monitoring

The NIST CA-7 narrative emphasizes the importance of continuously monitoring threat trends. A suggested security best practice is the ongoing analysis of today’s common social engineering campaigns.

Once aware of these risks, organizations can devise a plan to defend against them. They can create educational materials and testing scenarios that educate their employees on common attacks and then implement controls that defend against those sorts of advances.

Is your organization aware of today’s advanced threats and the targeted social engineering campaigns conducted by adversaries? Stay up-to-date and implement proactive controls to defend against today’s most common attacks.

3. NIST CA-8: Penetration Testing

NIST control CA-8 requires conducting penetration testing in a way that realistically simulates an adversarial compromise. The enhancements on this control state that organizations should employ an independent pen testing firm, perform red team exercises, and conduct physical facility pen testing.

A best practice advised by NIST is for organizations to be sure that they are receiving a quality, real-world penetration test from a firm that has experience with current adversarial tactics, techniques, procedures, and tools. Most organizations don’t realize the harm in relying on automated, monotonous tests. When it comes to the world’s real threats, adversaries use tactics and techniques that are unexpected and persistent. Organizations should hire penetration testing firms that have the expertise to simulate realistic attacks.

By conducting penetration testing, red team exercises, and physical facility testing, organizations can learn about their vulnerabilities and improve their processes to better secure their organization.

How Can These Revisions Help Your Org?

This catalog of security and privacy controls helps organizations protect operations and assets, individuals, other organizations, and the nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks (NIST).

Many of these controls were updated because cyber threats and breaches are evolving rapidly. Federal regulators want real-world simulations to become a routine part of governmental organizations’ cybersecurity efforts. This new revision gives organizations clear illustrations of what are now considered today’s best security practices.

Simulating real-world threat scenarios can help your organization gain better insight into your vulnerabilities and how to efficiently secure them. It is a proactive approach to security, helping prepare you for the inevitable.

Partner With an Expert

KirkpatrickPrice can partner with you on your journey to compliance with the new NIST Revision 5 standards. Our expert penetration testers and auditors know the ins and outs of cybersecurity, how to pursue compliance, and how to prepare for cyber threats.

NIST 800-53 Revision 5 has accelerated federal organizations to a more secure future. It is a helpful guide to what initiatives are necessary to properly prepare the government supply chain for the modern world’s advancing threats.

To view the NIST 800-53 Rev. 5 updated control catalog, click here.

To analyze the updates between Rev. 4 and Rev. 5, click here.


The DarkSide Ransomware Attack on CompuCom

On March 3, the IT managed service provider (MSP) announced that it had fallen victim to a DarkSide ransomware attack. The cybercrime group installed Cobalt Strike beacons on several systems throughout the MSP’s environment. These beacons helped the threat actor steal data, spread the malware, and deploy ransomware payloads.

The MSP expects the incident to result in losses of $20 million and counting due to the disruption of customer services and internal operations. Since CompuCom is up for sale, the attack has come at an inopportune time for the company.

Independent Audit Verifies National Commercial Service’s Internal Controls and Processes

Van Nuys, CA – National Commercial Services (NCS), an experienced and specialized subrogation and commercial collection agency, today announced that it has completed its SOC 1 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that NCS has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 1 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA and SSAE 18. During the audit, a service organization’s controls that are relevant to ICFR are tested. The SOC 1 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of NCS’s controls to meet the standards for these criteria.

“NCS is committed to providing our clients with the most secure and efficient collection and subrogation services nationally. In an environment that has changed drastically within the last year, NCS is proud to have continued to maintain the security and effectiveness of our operations. NCS will complete the SOC 1 Type II audit annually to provide secure services to our clients and the public, as well as to stay abreast of all industry and standard improvements,” said Natalie Mansour, Vice President and Chief Operating Officer of NCS.

“Many of NCS’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, NCS has implemented best practice controls demanded by their clients to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance to NCS’s clients.”

About National Commercial Services

National Commercial Services (NCS) is a California Certified Corporation located in Los Angeles County. With over 24 years of experience in the fields of subrogation and commercial collections, NCS is a Premier Sponsor of the National Association of Subrogation Professionals and is licensed and bonded in every mandated state. NCS is dedicated to compliance with federal and state-specific Fair Debt Collection requirements, TCPA, PCI, and all best practice protocols.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.