All Tracked Regulations

23 NYCRR Part 500
The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500)
Financial Services, Insurance
New York - US
23 NYCRR Part 500 At a Glance

The intention of the New York State Department of Financial Services (23 NYCRR 500) is to establish minimum regulatory standards to promote the protection of customer information, as well as protect the information technology systems of regulated entities.

Requirements

23 NYCRR PART 500 REQUIREMENTS

  1. Section 500.02: Cybersecurity Program
  2. Section 500.05: Penetration Testing and Vulnerability Assessments
  3. Section 500.06: Audit Trail
  4. Section 500.07: Access Privileges
  5. Section 500.09: Risk Assessment
  6. Section 500.10: Cybersecurity Personnel and Intelligence
  7. Section 500.11: Third-Party Service Provider Security Policy
  8. Section 500.13: Limitations on Data Retention
  9. Section 500.14: Training and Monitoring
  10. Section 500.15: Encryption of Nonpublic Information
  11. Section 500.16: Incident Response Plan
How ARCTIC WOLF CAN HELP
  • Provide incident response plans that include responding to cyberthreats and data breaches
  • Audit trails designed to record and respond to cyber attacks
  • Create reports covering the risks faced, all material events, and the impact on protected data
  • Conduct risk assessments to identify and document security deficiencies and remediation plans
Alabama Data Breach Notification Act of 2018 (S.B. 318)
All
Alabama - US
Alabama Data Breach Notification Act of 2018 (S.B. 318) At a Glance

Requires entities to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally identifying information.

Requirements

ALABAMA DATA BREACH NOTIFICATION (S.B. 318) REQUIREMENTS

  1. Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
  2. Notification is not required if, after a prompt investigation in good faith, it is determined that the breach of security is not reasonably likely to cause substantial harm to the individuals to whom the information relates.
  3. Must provide a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.
How ARCTIC WOLF CAN HELP
  • Arctic Wolf MDR can help rapidly identify a security incident, and provide evidence on the scope and impact of the incident.
Basel III
Basel III IT Operational Controls
Financial Services
International
Basel III At a Glance

The Basel Committee on Banking Supervision (BCBS) is an international supervisory authority that maintains several standards and voluntary frameworks for financial institutions. Basel III (and Standard 239), in particular, affects IT infrastructure and operations, as it includes principles related to data architecture and IT infrastructure, as well as accuracy and integrity of risk data.

Requirements

BASEL III REQUIREMENTS

  1. To comply with the BCBS effective risk data aggregation and risk reporting principles, financial institutions must have a robust and resilient IT infrastructure that supports risk aggregation capabilities and risk reporting practices both in normal times and in times of stress or crisis.
How ARCTIC WOLF CAN HELP
  • Detect and respond to security incidents
  • Deliver concierge guidance on an organization's security journey
  • Provide evidence, artifacts and reporting on security controls and practices for audit and review
CCPA
California Consumer Privacy Act
All
California - US
CCPA At a Glance

The California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, is the first-of-its-kind consumer privacy legislation in the United States. It gives consumers the ability to request, free of charge, information about what businesses collect about them. This includes what sources are collecting information, and for what purpose. They can also request to opt out from having their data sold, and/or request that their data be deleted. The California Attorney General enforces the law, which includes provisions for civil litigation and penalties.

Requirements

CCPA REQUIREMENTS

  1. The CCPA applies to any business that sells products and services to Californians, and even displaying a website could count as advertising in the state. The law, however, exempts entities that have $25 million or less in revenues, collect data on fewer than 50,000 consumers, and derive less than half of their revenues from selling consumer data.
  2. AB 375 is light on requirements around security and breach response when compared to the GDPR. Businesses are not required to report breaches under AB 375, and consumers must file complaints before fines are possible. The law does define penalties for companies that expose consumer data due to a breach or security lapse.
  3. Businesses should know what data AB 375 defines as private data and take steps to secure it. Any organization that complies with the GDPR likely does not need to take further action to comply with AB 375 in terms of securing data.
How ARCTIC WOLF CAN HELP
  • Detect and respond to security incidents
  • Deliver concierge guidance on an organization's security journey
  • Provide evidence, artifacts and reporting on security controls and practices for audit and review
CERT RMM
CERT Resilience Management Model
All
International
CERT RMM At a Glance

CERT-RMM is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations actively direct, control, and manage operational resilience and risk.

Requirements

CERT-RMM REQUIREMENTS

The Asset Definition and Management process area has three specific goals: to inventory assets, associate the assets with services, and manage the assets. To meet these goals, the organization must engage in the following practices:

  • Establish a means to identify and document assets.
  • Establish ownership and custodianship for the assets.
  • Link assets to the services they support.
  • Establish resilience requirements (including those for protecting and sustaining) for assets and associated services. (This is addressed in the Resilience Requirements Definition and Resilience Requirements Management process areas.)
  • Provide change management processes for assets as they change and as the inventory of assets changes.
How ARCTIC WOLF CAN HELP
  • Arctic Wolf Managed Risk helps identify and audit assets, and supports certain change management activities.
CIS
Center for Internet Security - Critical Security Controls
All
International, United States
CIS At a Glance

The CIS Controls supplement almost every other security framework—including NIST, ISO 27001, PCI, and HIPAA—and are a useful baseline to develop or assess a security program.

The latest version combines and consolidates the CIS Controls by activities, rather than by who manages the devices, which has resulted in a decrease of the number of controls from 20 to 18. The CIS Controls are also now task-focused and contain 153 “safeguards”—formerly known as “sub-controls.”

Requirements

CIS CONTROLS REQUIREMENTS

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing
How ARCTIC WOLF CAN HELP
  • Deliver 24×7, 365 scanning of your entire IT environment for threats and vulnerabilities.
  • Provide priority context to the criticality of vulnerabilities found within the organization’s networks and endpoints.
  • Prevent unnecessary access to critical systems and infrastructure.
  • Provide a way to better understand the configuration settings of your servers and workstations—preventing vulnerable services and settings from being exploited.
CJIS
Criminal Justice Information Services
Government
United States
CJIS At a Glance

Criminal Justice Information Services (CJIS) released a security policy that outlines 13 policy areas all government agencies should follow to stay compliant and protected from hackers with malicious intent.

Government entities that access or manage sensitive information from the US Justice Department need to ensure that their processes and systems comply with CJIS policies for wireless networking, data encryption, and remote access—especially since phishing, malware, and hacked VPNs or credentials are the most common attack vectors used to hack into government networks. The CJIS compliance requirements help proactively defend against these attack methods and protect national security (and citizens) from cyber threats.

Requirements

CJIS REQUIREMENTS

The CJIS Security Policy document, a hefty 230-page read, defines implementation requirements and standards for the following 13 security policy areas:

  1. Information exchange agreements
  2. Security awareness training
  3. Incident Response
  4. Auditing and accountability
  5. Access control
  6. Identification and authentication
  7. Configuration management
  8. Media protection
  9. Physical protection
  10. Systems and communications protection and information integrity
  11. Formal audits
  12. Personnel security
  13. Mobile audits
How ARCTIC WOLF CAN HELP
  • Monitor and provide evidence and artifacts for access control, identification and authentication, etc.
  • Support incident response activities
  • Provide standard and custom reporting for audit and review
  • Deliver managed security awareness training
CMMC
Cybersecurity Maturity Model Certification
Manufacturing, Government
United States
CMMC At a Glance

The Cybersecurity Maturity Model Certification (CMMC) is designed to maintain the security of Controlled Unclassified Information (CUI) stored on networks of DoD contractors.

In November 2021, the DoD announced CMMC 2.0 to streamline the model from 5 to 3 compliance levels.

Requirements

CMMC REQUIREMENTS

  1. Level 1 Foundational: 17 Practices + Annual Self-Assessment
  2. Level 2 Advanced: 110 Practices Aligned with NIST SP 800-171 & Triennial 3rd Party Assessments for Critical National Security Information; Annual Self-Assessment for Select Programs
  3. Level 3 Expert: 110+ Practices Aligned with NIST SP 800-172 & Triennial Government-Led Assessments
How ARCTIC WOLF CAN HELP
  • Third-party compliance analyst firm Coalfire found that Arctic Wolf can assist with 84% of CMMC 1.0 controls.
  • Hold third party audited SOC II Type 2 and ISO 27001-2013 certifications.
Cyber Essentials Certification
Cyber Essentials
All
United Kingdom
Cyber Essentials Certification At a Glance

The Cyber Essentials certification is a UK government-backed framework supported by the NCSC (National Cyber Security Centre). It sets out five basic security controls that can protect organizations against 80% of common cyber attacks.

The certification is designed to help organizations of any size demonstrate their commitment to cyber security–while keeping the approach simple and the costs low.

The Cyber Essentials certification process is managed by the IASME Consortium (IASME), which licenses certification bodies to carry out Cyber Essentials and Cyber Essentials Plus certifications.

Requirements

CYBER ESSENTIALS REQUIREMENTS

It sets out five basic security controls that can protect organisations against 80% of common cyber attacks.

  1. Firewalls & routers
  2. Software updates
  3. Malware protection
  4. Access control
  5. Secure configuration
How ARCTIC WOLF CAN HELP
  • Detect and respond to malware and other cybersecurity incidents
  • Provide monitoring, evidence, and artifacts related to access control and network infrastructure
  • Deliver visibility, benchmarking, reporting and guidance on configurations and vulnerabilities
DFARS
Federal Acquisition Regulation: Defense Federal Acquisition Regulation Supplement
Government, Manufacturing
United States
DFARS At a Glance

A supplement to the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS) has been a requirement since Dec. 31, 2017, requiring all Department of Defense (DoD) contractors and subcontractors that store or process Controlled Unclassified Information (CUI) to comply with the minimum security standards outlined in the DFARS. Failure to adhere to DFARS requirements may result in termination of existing DoD contracts.

Requirements

DFARS REQUIREMENTS

There are 110 granular requirements contained within the 14 main sections, and DoD contractors must comply with all of them. We’ve narrowed the broader sections down to seven of the most infosec-oriented categories, and the specific requirements down to 13. These are the ones that DoD contractors will likely need the most help to manage:

  • Section 3.1 - Access Control: Granting or denying permissions to access and/or use information.
  • Section 3.3 - Audit and Accountability: Tracking, reviewing, and examining adherence to system requirements.
  • Section 3.5 - Identification and Authentication: Managing user identities and adequately authenticating those identities for use with information/processes.
  • Section 3.6 - Incident Response: Establishing well-tested incident-handling processes (e.g., threat detection, analysis, response, recovery) for organization information systems.
  • Section 3.11 - Risk Assessment: Periodically assessing risks to information systems and data to effectively track and manage organizational risk.
  • Section 3.13 - System and Communication Protection: Monitoring, controlling, and protecting all organizational communications.
  • Section 3.14 - System and Information Integrity: Monitoring all information and communication systems for indicators of threatening traffic and/or activity.
How ARCTIC WOLF CAN HELP
  • Creation, protection, retention, and review of system logs.
  • Develop operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
  • Assess the operations risk associated with processing, storage, and transmission of CUI.
  • Monitor, assess, and correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
FAR
Federal Acquisition Regulation
Government
United States
FAR At a Glance

The Federal Acquisition Regulation (FAR) is a set of regulations that establishes the rules that the Government has to follow to acquire goods and services with procurement contracts.

Notably, FAR 52.204-21, a clause within FAR, and FAR's supplement, DFARS, call out specific cybersecurity regulations applying to federal contractors.

FAR 52.204-21
Federal Acquisition Regulation: Basic Safeguarding of Covered Contractor Information Systems
Government, Manufacturing
United States
FAR 52.204-21 At a Glance

The Federal Acquisition Regulation (FAR) is a set of regulations that establishes the rules that the Government has to follow to acquire goods and services with procurement contracts.

FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” is a contract clause to the Federal Acquisition Regulation (FAR) that applies to all federal contracts, not just those with the Department of Defense. It lays out a set of 15 cybersecurity controls for safeguarding contractor information systems that store, process or transmit federal contract information.

This clause also corresponds to Cybersecurity Maturity Model Certification (CMMC) Level 1.

Requirements

FAR 52.204-21 REQUIREMENTS

  1. Limit information system access to authorized users.
  2. Limit information systems to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Verify the identities of those users, processes, or devices as a prerequisite to allowing access to organization information systems.
  7. Sanitize or destroy information system media containing federal contract information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices.
  10. Monitor, control, and protect organizational communications.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases become available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources.
How ARCTIC WOLF CAN HELP
  • Creation, protection, retention, and review of system logs.
  • Develop operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
  • Assess the operations risk associated with processing, storage, and transmission of CUI.
  • Monitor, assess, and correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
FERPA
Family Educational Rights and Privacy Act (FERPA)
Education
United States
FERPA At a Glance

FERPA gives parents of students under 18 specific rights with regard to student records, and those rights transfer to the students when they reach age 18.

Requirements

FERPA REQUIREMENTS

  1. Inspect the student records maintained by the institution
  2. Request the correction of records that they believe are inaccurate
  3. Provide written permission for the records to be disclosed
How ARCTIC WOLF CAN HELP
  • Perform continuous vulnerability scanning of internal and external networks, and endpoints
  • Identify and prioritize vulnerabilities based on threat exposure, assets, and severity
  • Audit system access, authentication, and other security controls to detect policy violations
  • Detect and scan new devices as they enter the network
FFIEC
Federal Financial Institutions Examination Council
Financial Services
United States
FFIEC At a Glance

The Federal Financial Institutions Examination Council (FFIEC) is the inter-agency body of the United States government empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions. FFIEC guidance applies to federally supervised financial institutions.

Requirements

FFIEC REQUIREMENTS

Objectives include identifying the institution’s inherent risk profile and determining the organization’s maturity level.

  • Domain 1: Cyber Risk Management and Oversight
  • Domain 2: Threat Intelligence and Collaboration
  • Domain 3: Cybersecurity Controls
  • Domain 4: External Dependency Management
  • Domain 5: Cyber Incident Management and Resilience
How ARCTIC WOLF CAN HELP
  • Deliver risk management and managed threat detection and response from security experts
  • Provide dedicated security expertise for your IT team
  • Offer 24×7 continuous cybersecurity monitoring and vulnerability assessment
  • For more information in every domain, control objective, and control activity, check out the full summary of FFIEC-NCUA Compliance.
FISMA 2014
Federal Information Security Modernization Act of 2014
Government
United States
FISMA 2014 At a Glance

The Federal Information Security Modernization Act of 2014 (FISMA 2014) codifies the Department of Homeland Security’s role in administering the implementation of information security policies for federal executive branch civilian agencies, overseeing agency compliance with those policies, and assisting the Office of Management and Budget (OMB) in developing those policies.

Requirements

FISMA REQUIREMENTS

NIST develops the standards and guidelines for FISMA compliance using a risk-based approach. It uses a framework that includes seven core steps, some of which map to specific NIST Special Publications (SPs):

  1. Prepare: Conducting the essential activities to help prepare for risk management under the framework.
  2. Categorize: Classifying the information and systems that must be protected.
  3. Select: Establishing the baseline controls for protecting the categorized systems and data.
  4. Implement: Deploying the appropriate controls and documenting them.
  5. Assess: Determining if controls are working correctly and leading to desired outcomes.
  6. Authorize: Authorizing the operation of the system based on the risk determination.
  7. Monitor: Continuously monitoring and assessing the security controls for effectiveness.
How ARCTIC WOLF CAN HELP
  • Monitor access and account changes to in-scope applications in the cloud
  • Monitor for application configuration changes
GDPR
General Data Protection Regulation
All
European Union
GDPR At a Glance

The General Data Protection Regulation (GDPR), established by the European Commission, regulates data protection for entities that store or process personal data of EU citizens. In addition to protecting personal data, the GDPR gives consumers broad rights regarding their information, and imposes steep penalties for noncompliance. You don’t need to have a business presence in the European Union to be subject to GDPR.

Requirements

GDPR REQUIREMENTS

  1. Appointing a data protection officer
  2. Using a “privacy by design” approach
  3. Implementing data security measures
  4. Notifying regulators of data breaches within 72 hours
  5. GDPR also gives consumers the right to access their data, be informed about data that’s being collected, restrict processing of their data, and more.
How ARCTIC WOLF CAN HELP
  • Provide data security through vulnerability management, detection and response, and user training
  • Offer guidance and consulting by the CST on other data security measures organizations may implement
  • Facilitate rapid notification of data breaches through prompt detection and response
GLBA
Gramm-Leach-Bliley Act
Financial Services
United States
GLBA At a Glance

This act requires financial institutions and other entities that provide financial products—including loans, insurance, and investment advice—to safeguard sensitive data and to explain their information-sharing practices to their customers.

Requirements

GLBA REQUIREMENTS

  1. The Safeguards Rule requires financial institutions to protect the consumer information they collect. Requirements include:
    • Designating an individual or group to coordinate an information security program.
    • Identifying and assessing risks to customer data and evaluating the effectiveness of the existing controls.
    • Implementing, monitoring, and testing a safeguards program.
    • Evaluating the program when changes take place in business operations and other circumstances.
    • Ensuring service providers can maintain the appropriate safeguards.
  2. The Privacy of Consumer Information Rule (or Privacy Rule) requires regulated entities to inform consumers about their information-collection practices and to explain their rights to opt out. The rule includes requirements for the contents of the notices, delivery methods, and frequency.
How ARCTIC WOLF CAN HELP
  • Provide broad visibility to threats targeting customer data on remote endpoints, the corporate network, and in cloud applications
  • Deliver 24/7/365 threat detection and response to attacks targeting customer non-public information (NPI)
  • Provide proactive cyber risk assessments and strategic security advice to bolster their security posture
HIPAA
Health Insurance Portability and Accountability Act
Healthcare
United States
HIPAA At a Glance

The U.S. Department of Health and Human Services created the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to protect the confidentiality and integrity of electronic protected health information (ePHI) data. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 imposed mandatory audits and fines for non-compliance.

Requirements

HIPAA REQUIREMENTS

HIPAA requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.

  • Administrative safeguard provisions: Requires a risk analysis to determine what security measures are reasonable and appropriate for your organization, including the following activities: evaluating the likelihood and impact of potential risks to ePHI; implementing appropriate security measures to address the risks identified in the risk analysis; documenting the chosen security measures and, where required, the rationale for adopting those measures; and maintaining continuous, reasonable, and appropriate security protections.
  • Physical safeguard control and security measures:
    • Facility Access and Control Measures: Covered entities and business associates must limit physical access to facilities, while allowing authorized access to ePHI.
    • Workstation and Device Security: Covered entities and business associates must implement policies and procedures to specify proper use of and access to workstations and electronic media, and have policies and procedures for the transfer, removal, disposal, and re-use of electronic media.
  • Technical safeguards: Measures, including firewalls, encryption, and data backup, to implement to keep ePHI secure. These safeguards consist of the following:
    • Access Controls: Implementing technical policies and procedures that allow only authorized persons to access ePHI.
    • Audit Controls: Implementing hardware, software, and/or procedural mechanisms to record and examine access in information systems that contain or use ePHI.
    • Integrity Controls: Implementing policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed.
    • Transmission Security: Implementing technical security measures that guard against unauthorized access to ePHI that is transmitted over an electronic network.
How ARCTIC WOLF CAN HELP
  • Third-party compliance analyst firm Coalfire found that Arctic Wolf can assist with eleven out of twelve technical safeguards, and provide additional compliance value.
  • Simplify HIPAA compliance with customized reporting.
  • Monitor access to electronic patient health information (ePHI) data on premises and in the cloud.
  • Provide real-time alerts on unauthorized access of ePHI data.
  • Monitor end user and administrative access and configuration changes to all systems that create, receive, maintain, and transmit ePHI data.
  • Monitor activities of active and inactive user accounts, and escalate de-provisioning of inactive accounts through manual/automated means.
  • Audit changes in Active Directory (AD), Group Policies, Exchange, and file servers, and flag unauthorized actions.
  • Monitor failed/successful logins/logoffs and all password changes to prevent excessive help desk calls.
  • Investigate all attack vectors (e.g. phishing, ransomware, etc.), and generate security incidents to initiate response actions.
  • Audit anomalous login activity, and changes, including before/after values for immediate data recovery.
  • Scan endpoints for unpatched vulnerabilities and collect log information from endpoint security solutions when unauthorized access or advanced malware is detected.
  • Monitor and report user logins/logouts in Active Directory and all user activity on endpoints, and continuously monitor network traffic to detect anomalous activity.
  • Provide reports for account creations and deletions, data retention policies, admin lockouts, configuration changes, and about who, what, where, and when these changes were made.
HITRUST
Healthcare Information Trust Alliance
Healthcare
United States
HITRUST At a Glance

The Healthcare Information Trust Alliance (HITRUST) developed the Common Security Framework (CSF) based on a variety of federal and state regulations, frameworks, and standards. The HITRUST CSF provides regulated healthcare organizations with a common set of standards they can adopt as well as use for evaluating their vendors.

Requirements

HITRUST CSF REQUIREMENTS

  1. Organizational factors such as geographic scope and business volume
  2. Regulatory factors that are based on compliance requirements specific to the organization’s circumstances, including sector and geography
  3. System factors that impact data management risks, such as data storage and transmission, internet access, third-party access, number of users, and number of daily transactions
  4. The framework also has allowances for alternate management, technical, or operational controls that can be applied under specific conditions.
How ARCTIC WOLF CAN HELP
  • Arctic Wolf MDR produces reports related to the HITRUST controls, as our services map to log sources related to authentication and authorization.
IRS Pub 1075
Government
United States

IRS Pub 1075 At a Glance

Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies and their agents that access federal tax information (FTI) to ensure that they use policies, practices, and controls to protect its confidentiality. IRS 1075 aims to minimize the risk of loss, breach, or misuse of FTI held by external government agencies.

Requirements

IRS PUB 1075 REQUIREMENTS

To protect FTI, IRS 1075 prescribes security and privacy controls for application, platform, and datacenter services. Some of the controls needed are as follows; these include both electronic and physical controls:

  • Record Keeping Requirements: Maintain a persistent system of all FTI records and anything related to them, including access rights.
  • Secure Storage: Details about the physical and electronic security of the place where FTI data is kept. It includes things like restricted areas, authorized access, locks and keys, safes/vaults, transportation security, and security of computers and storage media.
  • Restricting Access: Details related to access to FTI data.
  • Reporting Requirements: Periodic reports like the SAR (Safeguard Activity Report) and SPR (Safeguard Procedures Report) need to be sent to the IRS.
  • Training and Inspections: Awareness about security and annual certification of employees. Annual inspections are also needed to validate proper implementation.
  • Disposal: Proper standards related to FTI data disposal for physical and electronic media.
  • Computer System Security: Probably the most complex and detailed section of this regulation, covering everything from access control, cryptography, email, and networking to wireless technologies and any emerging technologies.
How ARCTIC WOLF CAN HELP
  • Arctic Wolf can provide evidence and artifacts related to data access, security training for employees, and support for computer system security programs.
ISO 27002
International Organization for Standardization: Information Security Standard
All
International

ISO 27002 At a Glance

This document, the International Organization for Standardization: Information Security Standard 2022, provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:

A) Within the context of an information security management system (ISMS) based on ISO/IEC 27001

B) For implementing information security controls based on internationally recognized best practices

C) For developing organization-specific information security management guidelines.

Requirements

ISO 27002:2022 REQUIREMENTS

Annex A of ISO 27001 lists 114 security controls divided into 14 control sets, each of which is expanded upon in Clauses 5–18 of ISO 27002:

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development, and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance
How ARCTIC WOLF CAN HELP
  • Arctic Wolf can provide evidence and artifacts related to asset management, access control, system maintenance, and more. Arctic Wolf MDR provides support for information security incidents.
ITAR
International Traffic in Arms Regulations
Arms/Defense
United States

ITAR At a Glance

The United States' International Traffic in Arms Regulations (ITAR) control the manufacture, sale, and distribution of defense and space-related articles and services.

Requirements

ITAR REQUIREMENTS

How ARCTIC WOLF CAN HELP
  • Monitor data, file activity, and user behavior
  • Audit assets across systems
  • Monitor and log access controls and access activity
KRITIS
IT Security Act 2.0
All
Germany

KRITIS At a Glance

In Germany, special regulations apply to operators of critical infrastructures under the Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik (BSI) Act.

Critical infrastructures (KRITIS) are organizations or facilities with important significance for the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences. Which of these are to be regarded as critical infrastructures is regulated by the KRITIS Ordinance within the BSI Act.

The IT Security Act 2.0 in May 2021 added the waste management sector to the group of potential operators of critical infrastructure alongside the energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance sectors.

Requirements

IT SECURITY ACT 2.0 REQUIREMENTS

If it has been determined on the basis of a review that a company is clearly to be assigned to the critical infrastructure, it must fulfill the following requirements in accordance with the regulations of the BSI Act:

  • Report to and register with the BSI as a critical infrastructure operator
  • Establish a point of contact as an interface to the BSI
  • Reliably detect critical security incidents and report them immediately to the BSI
  • Implement IT security in accordance with the state of the art
  • Conduct an IT security audit every two years
How ARCTIC WOLF CAN HELP
  • Detect and respond to security incidents
  • Deliver concierge guidance on an organization's security journey
  • Provide evidence, artifacts and reporting on security controls and practices for audit and review
Massachusetts General Law Chapter 93H: Security Breach
Massachusetts General Law Chapter 93H: Security Breach
All
Massachusetts - US

Massachusetts General Law Chapter 93H: Security Breach At a Glance

Chapter 93H requires that a person or agency that owns or licenses data that includes personal information about a resident of the commonwealth shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the Attorney General, to the Office of Consumer Affairs and Business Regulation (OCABR) and to the affected resident(s).

Requirements

MASSACHUSETTS GENERAL LAW CHAPTER 93H REQUIREMENTS

The notice provided to the Attorney General and the OCABR must include, in addition to the nature of the breach and number of MA residents, the following information:

  • The name and address of the person or agency that experienced the breach of security
  • Name and title of the person or agency reporting the breach of security
  • Their relationship to the person or agency that experienced the breach of security
  • The type of person or agency reporting the breach of security
  • The person responsible for the breach of security, if known
  • The type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data
  • Whether the person or agency maintains a WISP (written information security program)
  • Any steps the person or agency has taken or plans to take relating to the incident, including whether they have updated the written information security program.
How ARCTIC WOLF CAN HELP
  • Arctic Wolf MDR can help rapidly identify a security incident, facilitate a response to such an incident, and provide evidence on the scope and impact of the incident.
NCUA
National Credit Union Administration
Financial Services
United States

NCUA At a Glance

The National Credit Union Administration (NCUA) uses a risk-based approach to examining and supervising credit unions.

All federally insured credit unions receive an NCUA examination on a periodic basis. To ensure both compliance with applicable laws and regulations, as well as safety and soundness, a review of the credit union’s information security program is performed at each examination.

Requirements

NCUA REQUIREMENTS

How ARCTIC WOLF CAN HELP
  • Deliver risk management and managed threat detection and response from security experts
  • Provide dedicated security expertise for your IT team
  • Offer 24×7 continuous cybersecurity monitoring and vulnerability assessment
  • For more information on every domain, control objective, and control activity, check out the full summary of FFIEC-NCUA Compliance.
NERC CIP
Federal Energy Regulatory Commission/North American Electric Reliability Corporation Critical Infrastructure Protection
Energy
United States, Canada

NERC CIP At a Glance

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring, and managing the security of the Bulk Electric System (BES) in North America. These standards apply specifically to the cybersecurity aspects of BES. The NERC CIP standards provide a cybersecurity framework to identify and secure critical assets that can impact the efficient and reliable supply of electricity of North America's BES.

Requirements

NERC CIP REQUIREMENTS

  • CIP-002-5.1a Cyber Security - BES Cyber System Categorization
  • CIP-003-8 Cyber Security - Security Management Controls
  • CIP-004-6 Cyber Security - Personnel & Training
  • CIP-005-6 Cyber Security - Electronic Security Perimeter(s)
  • CIP-006-6 Cyber Security - Physical Security of BES Cyber Systems
  • CIP-007-6 Cyber Security - System Security Management
  • CIP-008-6 Cyber Security - Incident Reporting and Response Planning
  • CIP-009-6 Cyber Security - Recovery Plans for BES Cyber Systems
  • CIP-010-3 Cyber Security - Configuration Change Management and Vulnerability Assessments
  • CIP-011-2 Cyber Security - Information Protection
  • CIP-013-1 Cyber Security - Supply Chain Risk Management
How ARCTIC WOLF CAN HELP
  • Support incident response activities
  • Monitor and provide evidence and artifacts on system and security management
  • Provide visibility, benchmarking, and reporting of vulnerabilities, misconfigurations, and risks
  • Deliver managed security awareness training
NIST 800-171B
Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
All, Federal Contractors, Government
United States

NIST 800-171B At a Glance

NIST SP 800-171B is an entirely new publication that introduces 33 enhanced security requirements designed to help protect DoD contractors (specifically, their high-value assets and critical programs, including CUI) from modern attack tactics and techniques related to Advanced Persistent Threats (APTs).

The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

Requirements

NIST SP 800-171B REQUIREMENTS

  • 1. Employ dual authorization to execute critical or sensitive system and organizational operations.
  • 2. Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
  • 3. Employ secure information transfer solutions to control information flows between security domains on connected systems.
  • 4. Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
  • 5. Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
  • 6. Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
  • 7. Employ automated mechanisms to detect the presence of misconfigured or unauthorized system components and either remove the components or place them in a quarantine or remediation network that allows for patching, reconfiguration, or other mitigations.
  • 8. Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
  • 9. Identify and authenticate systems and system components before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
  • 10. Employ password managers for the generation, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management.
  • 11. Employ automated mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.
  • 12. Establish and maintain a full-time security operations center capability.
  • 13. Establish and maintain a cyber incident response team that can be deployed to any location identified by the organization within 24 hours.
  • 14. Conduct enhanced personnel screening (vetting) for individual trustworthiness and reassess individual trustworthiness on an ongoing basis.
  • 15. Ensure that organizational systems are protected whenever adverse information develops regarding the trustworthiness of individuals with access to CUI.
  • 16. Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
  • 17. Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
  • 18. Employ advanced automation and analytics capabilities to predict and identify risks to organizations, systems, or system components.
  • 19. Document or reference in the system security plan the risk basis for security solution selection, and identify the system and security architecture, system components, boundary isolation, or protection mechanisms and dependencies on external service providers.
  • 20. Assess the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
  • 21. Assess, respond to, and monitor supply chain risks associated with organizational systems.
  • 22. Develop and update as required a plan for managing supply chain risks associated with organizational systems.
  • 23. Conduct penetration testing at least annually, leveraging automated scanning tools and ad hoc tests using human experts.
  • 24. Employ diverse system components to reduce the extent of malicious code propagation.
  • 25. Disrupt the attack surface of organizational systems and system components through unpredictability, moving target defense, or non-persistence.
  • 26. Employ technical and procedural means to confuse and mislead adversaries through a combination of misdirection, tainting, or disinformation.
  • 27. Employ physical and logical isolation techniques in the system and security architecture.
  • 28. Employ roots of trust, formal verification, or cryptographic signatures to verify the integrity and correctness of security critical or essential software.
  • 29. Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
  • 30. Ensure that Internet of Things (IoT), Operational Technology (OT) and Industrial Internet of Things (IIoT) systems, components, and devices are compliant with the security requirements imposed on organizational systems or are isolated in purpose-specific networks.
  • 31. Refresh organizational systems and system components from a known, trusted state at least twice annually.
  • 32. Conduct periodic reviews of persistent organizational storage locations and purge CUI that is no longer needed consistent with federal records retention policies and disposition schedules.
  • 33. Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
How ARCTIC WOLF CAN HELP
  • Deliver awareness training and exercises updated and managed by the Concierge Security Team
  • Scan networks and environments to audit system assets and identify misconfigurations and other vulnerabilities
  • Provide logs, records, and evidence related to authorization and access policies and procedures
NIST 800-53
Security and Privacy Controls for Information Systems and Organizations
All, Federal Contractors, Government
United States

NIST 800-53 At a Glance

The key distinction between NIST 800-171 vs 800-53 is that 800-171 refers to non-federal networks and NIST 800-53 applies directly to any federal organization.

Requirements

NIST 800-53 REQUIREMENTS

  • See the NIST SP 800-171 requirements.
How ARCTIC WOLF CAN HELP
  • Simplify NIST 800-171 compliance with customized reporting
  • Protect CUI by monitoring all communications and traffic for malicious activity
  • Support incident response
  • Deliver 24×7 monitoring with unlimited log sources
NIST CSF
National Institute of Standards and Technology Cybersecurity Framework
All
United States

NIST CSF At a Glance

The NIST Cybersecurity Framework (NIST CSF) leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and ISO. The NIST CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues.

The NIST CSF has the least coverage of the major cybersecurity frameworks, and therefore works best for smaller or unregulated businesses. The NIST CSF is often used as a reporting tool to report security to executive leadership, since the five high-level categories of identify, detect, protect, respond, and recover make it easier to report complex topics under this perspective.

Requirements

NIST CSF REQUIREMENTS

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
How ARCTIC WOLF CAN HELP
  • Arctic Wolf's security operations solutions provide coverage across the NIST five functions:
  • MDR provides support for Detection, Response, and Recovery
  • Managed Risk helps businesses Identify their assets and risks and Protect their environments
  • Managed Security Awareness leverages people to provide security across the five functions
  • Incident Response helps businesses experiencing an incident Respond and Recover
NIST SP 800-171
The National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171
All, Federal Contractors, Government
United States

NIST SP 800-171 At a Glance

Executive Order 13556 established the Controlled Unclassified Information (CUI) program to standardize the way federal contractors handle unclassified information that requires protection, such as personally identifiable information or sensitive government assets.

Requirements

NIST SP 800-171 REQUIREMENTS

  • Sec. 3.1 Access Control
  • Sec. 3.3 Audit and Accountability
  • Sec. 3.4 Configuration Management
  • Sec. 3.5 Identification and Authentication
  • Sec. 3.6 Incident Response
  • Sec. 3.7 Maintenance
  • Sec. 3.8 Media Protection
  • Sec. 3.9 Physical Protection