Association News, Operations

Turn Cyber Risk Into Opportunity: What to Know About putting Cybersecurity into place.

5 min read

By: Karen Lyons, CSDS, i-SIGMA’s Regulatory Compliance Manager

Think about all the information that lives in your business and on your networks: details about your products and services, financial records, marketing plans, and customer information. If that information were exposed, the consequences could extend far beyond inconvenience. There could be regulatory implications, reputational damage, contractual fallout, and loss of customer trust. This is why i-SIGMA has developed certification specifications that act as practical safety nets for you, our members, strengthening your defenses, showing the general public that cybersecurity is built into your operations, a proactive investment in member credibility, resilience and long-term market strength. While the cybersecurity implementations below may seem like enhancements to PRISM Privacy+, they are a welcome new addition to i-SIGMA’s NAID AAA Certification.

Cybersecurity implementation will soon apply to both i-SIGMA’s NAID AAA and PRISM Privacy+ Certifications

Members should be preparing now for stronger cybersecurity expectations. You will soon be required to have cybersecurity policies  and/or procedures(s), including acceptable use of servers and/or products, password management, and incident response. In practice, that means having clear written rules that define how employees use company systems, how passwords are created and protected, how incidents are reported, and how access to systems is controlled. For example, any non-company device that an employee connects to your network can become a major point of vulnerability if it is not governed by policy. Incident response is already a certification requirement, and your organization should ensure employees understand exactly what to do when suspicious activity is identified. Be sure to include your cybersecurity protocols in their annual signed agreements of your organization’s policies and procedures.

In addition to physical, logical and administrative controls, certified members will be asked to implement policies to prevent unauthorized physical access to servers, storage devices, and network equipment. This may include locked server rooms, restricted key or badge access, secure storage for backup media, and network equipment including who may enter sensitive areas and when. Be sure to amend your policies, procedures, and training materials with this new enhancement.

The third-party network security verification requirement has been expanded to include an annual Security Risk Analysis. In practice this requirement calls for an annual comprehensive security risk analysis performed by a qualified third party to verify that core network security controls are in place. The analysis should include evidence of the following:

  • Enforcement of least-privilege principles
  • Multi-factor authentication
  • Antivirus software
  • Firewall
  • Endpoint detection tools across all devices
  • Patch management

Examples of qualified third party support may include an external cybersecurity firm, an internal risk assessment led by competent security personnel, or a formal assessment aligned to a recognized framework. No or low-cost options include the Cybersecurity and Infrastructure Security Agency (CISA), a U.S. federal agency under the Department of Homeland Security offering a range of no-cost CISA-provided cybersecurity services, and CODE.NSA.GOV (NSA’s Open Source software site that makes NSA-developed software available to the public for use). For some government-related contracts, cybersecurity expectations may also align with frameworks such as NIST SP 800-171 and CMMC 2.0, which are used to verify whether organizations can protect sensitive information in nonfederal systems.

Implementing the security risk analysis demonstrates to your customers that access is limited, threats are detected earlier, known vulnerabilities are patched, and essential protections are consistently applied across the environment.

What i-SIGMA’s NAID AAA overwriting providers should know

NAID AAA certified operations who provide overwriting services should have policies and procedures and physical infrastructure effectively preventing unauthorized access to servers and local workstations to trained and approved Access Individuals. In practice, this means workstation and server access is limited to trained and authorized Access Individuals through documented policies, procedures, and physical protections that prevent unauthorized use

Lastly Overwriting providers will be asked to implement policies and procedures to describe its Identity and Access Management (IAM) and Control methodology approach for all Access Individuals. This description should clearly explain who approves access, how permissions are limited by role, how changes are recorded, and how access is reviewed or removed when responsibilities change. It should also include language specifying the training of Access Individuals on the proper use of imaging/digitization equipment, documenting the completion of such training. This may include how access is assigned, controlled, managed, and reviewed so that only authorized personnel can use systems and resources. Training documentation is important because it demonstrates that access is not only granted, but supported by clear instruction, consistent expectations, and a record of completion.

Why Now?

Digital security is every bit as important as physical security. These controls reflect the types of safeguards customers increasingly expect to see from trusted service providers. Implementation greatly increases a competitive advantage over providers who don’t yet have digital security controls.

This is about more than passing an audit. Many customers want to see a commitment backed by official certification, especially when vendor due diligence is becoming more rigorous. When certified members can show that their cybersecurity practices are documented, enforced, and independently validated, customer confidence grows—and so does the value of certification. In many markets, that level of assurance matters more than ever.

Stay tuned for more i-SIGMA cybersecurity communications, updates, and implementation date information.

 

Stay ahead of the curve

Get the latest insights and resources delivered directly to your inbox.

    loading...