All Tracked Regulations
The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500)
- New York - US
- Financial Services
- Insurance
23 NYCRR Part 500 At a Glance
The New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) is intended to establish minimum regulatory standards that protect customer information and the information technology systems of regulated entities.
23 NYCRR PART 500 REQUIREMENTS
1. Section 500.02: Cybersecurity Program
2. Section 500.05: Penetration Testing and Vulnerability Assessments
3. Section 500.06: Audit Trail
4. Section 500.07: Access Privileges
5. Section 500.09: Risk Assessment
6. Section 500.10: Cybersecurity Personnel and Intelligence
7. Section 500.11: Third-Party Service Provider Security Policy
8. Section 500.13: Limitations on Data Retention
9. Section 500.14: Training and Monitoring
10. Section 500.15: Encryption of Nonpublic Information
11. Section 500.16: Incident Response Plan
- Provide incident response plans that include responding to cyber threats and data breaches
- Maintain audit trails designed to record and respond to cyber attacks
- Create reports covering the risks faced, all material events, and the impact on protected data
- Conduct risk assessments to identify and document security deficiencies and remediation plans
Alabama Data Breach Notification Act of 2018 (S.B. 318)
- Alabama - US
- All
Alabama Data Breach Notification Act of 2018 (S.B. 318) At a Glance
Requires entities to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally identifying information.
ALABAMA DATA BREACH NOTIFICATION (S.B. 318) REQUIREMENTS
1. Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
2. Notification is not required if, after a prompt investigation in good faith, it is determined that the breach of security is not reasonably likely to cause substantial harm to the individuals to whom the information relates.
3. Must provide a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.
- Arctic Wolf MDR can help rapidly identify a security incident, and provide evidence on the scope and impact of the incident.
Basel III IT Operational Controls
- International
- Financial Services
Basel III At a Glance
The Basel Committee on Banking Supervision (BCBS) is an international supervisory authority that maintains several standards and voluntary frameworks for financial institutions. Basel III (and Standard 239), in particular, affects IT infrastructure and operations, as it includes principles related to data architecture and IT infrastructure, as well as accuracy and integrity of risk data.
BASEL III REQUIREMENTS
1. To comply with the BCBS effective risk data aggregation and risk reporting principles, financial institutions must have a robust and resilient IT infrastructure that supports risk aggregation capabilities and risk reporting practices both in normal times and in times of stress or crisis.
- Detect and respond to security incidents
- Deliver concierge guidance on an organization's security journey
- Provide evidence, artifacts and reporting on security controls and practices for audit and review
California Consumer Privacy Act
- California - US
- All
CCPA At a Glance
The California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, is the first-of-its-kind consumer privacy legislation in the United States. It gives consumers the ability to request, free of charge, information about what businesses collect about them. This includes what sources are collecting information, and for what purpose. They can also request to opt out from having their data sold, and/or request that their data be deleted. The California Attorney General enforces the law, which includes provisions for civil litigation and penalties.
CCPA REQUIREMENTS
1. The CCPA applies to any business that sells products and services to Californians—and even displaying a website could count as advertising in the state. The law, however, exempts entities that have $25 million or less in revenues, collect data on fewer than 50,000 consumers, and derive less than half of their revenues from selling consumer data.
2. AB 375 is light on requirements around security and breach response when compared to the GDPR. Businesses are not required to report breaches under AB 375, and consumers must file complaints before fines are possible. The law does define penalties for companies that expose consumer data due to a breach or security lapse.
3. Businesses should know what data AB 375 defines as private data and take steps to secure it. Any organization that complies with the GDPR likely does not need to take further action to comply with AB 375 in terms of securing data.
- Detect and respond to security incidents
- Deliver concierge guidance on an organization's security journey
- Provide evidence, artifacts and reporting on security controls and practices for audit and review
CERT Resilience Management Model
- International
- All
CERT RMM At a Glance
CERT-RMM is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations actively direct, control, and manage operational resilience and risk.
CERT-RMM REQUIREMENTS
1. The Asset Definition and Management process area has three specific goals: to inventory assets, associate the assets with services, and manage the assets. To meet these goals, the organization must engage in the following practices:
2. Establish a means to identify and document assets.
3. Establish ownership and custodianship for the assets.
4. Link assets to the services they support.
5. Establish resilience requirements (including those for protecting and sustaining) for assets and associated services. (This is addressed in the Resilience Requirements Definition and Resilience Requirements Management process areas.)
6. Provide change management processes for assets as they change and as the inventory of assets changes.
- Arctic Wolf Managed Risk helps identify and audit assets, and supports certain change management activities.
Center for Internet Security - Critical Security Controls
- International
- United States
- All
CIS At a Glance
The CIS Controls supplement almost every other security framework—including NIST, ISO 27001, PCI, and HIPAA—and are a useful baseline to develop or assess a security program.
The latest version combines and consolidates the CIS Controls by activities, rather than by who manages the devices, which has resulted in a decrease of the number of controls from 20 to 18. The CIS Controls are also now task-focused and contain 153 “safeguards”—formerly known as “sub-controls.”
CIS CONTROLS REQUIREMENTS
1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing
- Deliver 24×7, 365 scanning of your entire IT environment for threats and vulnerabilities.
- Provide priority context to the criticality of vulnerabilities found within the organization’s networks and endpoints.
- Prevent unnecessary access to critical systems and infrastructure.
- Provide a way to better understand the configuration settings of your servers and workstations—preventing vulnerable services and settings from being exploited.
Criminal Justice Information Services
- United States
- Government
CJIS At a Glance
Criminal Justice Information Services (CJIS) released a security policy that outlines 13 policy areas all government agencies should follow to stay compliant and protected from hackers with malicious intent.
Government entities that access or manage sensitive information from the US Justice Department need to ensure that their processes and systems comply with CJIS policies for wireless networking, data encryption, and remote access—especially since phishing, malware, and hacked VPNs or credentials are the most common attack vectors used to hack into government networks. The CJIS compliance requirements help proactively defend against these attack methods and protect national security (and citizens) from cyber threats.
CJIS REQUIREMENTS
1. The CJIS Security Policy document, a hefty 230-page read, defines implementation requirements and standards for the following 13 security policy areas:
2. Information exchange agreements
3. Security awareness training
4. Incident response
5. Auditing and accountability
6. Access control
7. Identification and authentication
8. Configuration management
9. Media protection
10. Physical protection
11. Systems and communications protection and information integrity
12. Formal audits
13. Personnel security
14. Mobile audits
- Monitor and provide evidence and artifacts for access control, identification and authentication, etc.
- Support incident response activities
- Provide standard and custom reporting for audit and review
- Deliver managed security awareness training
Cybersecurity Maturity Model Certification
- United States
- Manufacturing
- Government
CMMC At a Glance
The Cybersecurity Maturity Model Certification (CMMC) is designed to maintain the security of Controlled Unclassified Information (CUI) stored on networks of DoD contractors.
CMMC REQUIREMENTS
1. Level 1 Performed: Basic Cyber Hygiene
2. Level 2 Documented: Intermediate Cyber Hygiene
3. Level 3 Managed: Good Cyber Hygiene
4. Level 4 Reviewed: Proactive Cyber Hygiene
5. Level 5 Optimizing: Advanced / Progressive Cyber Hygiene
- Third-party compliance analyst firm Coalfire found that Arctic Wolf can assist with 84% of CMMC 1.0 controls.
- Hold third party audited SOC II Type 2 and ISO 27001-2013 certifications.
Cyber Essentials
- United Kingdom
- All
Cyber Essentials Certification At a Glance
The Cyber Essentials certification is a UK government-backed framework supported by the NCSC (National Cyber Security Centre). It sets out five basic security controls that can protect organizations against 80% of common cyber attacks.
The certification is designed to help organizations of any size demonstrate their commitment to cyber security–while keeping the approach simple and the costs low.
The Cyber Essentials certification process is managed by the IASME Consortium (IASME), which licenses certification bodies to carry out Cyber Essentials and Cyber Essentials Plus certifications.
CYBER ESSENTIALS REQUIREMENTS
1. It sets out five basic security controls that can protect organisations against 80% of common cyber attacks.
2. Firewalls & routers
3. Software updates
4. Malware protection
5. Access control
6. Secure configuration
- Detect and respond to malware and other cybersecurity incidents
- Provide monitoring, evidence, and artifacts related to access control and network infrastructure
- Deliver visibility, benchmarking, reporting and guidance on configurations and vulnerabilities
Federal Acquisition Regulation: Defense Federal Acquisition Regulation Supplement
- United States
- Government
- Manufacturing
DFARS At a Glance
A supplement to the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS) has been a requirement since Dec. 31, 2017, requiring all Department of Defense (DoD) contractors and subcontractors that store or process Controlled Unclassified Information (CUI) to comply with the minimum security standards outlined in the DFARS. Failure to adhere to DFARS requirements may result in termination of existing DoD contracts.
DFARS REQUIREMENTS
1. There are 110 granular requirements contained within the 14 main sections, and DoD contractors must comply with all of them. We’ve narrowed the broader sections down to seven of the most infosec-oriented categories, and the specific requirements down to 13. These are the ones that DoD contractors will likely need the most help to manage:
2. Section 3.1 - Access Control: Granting or denying permissions to access and/or use information.
3. Section 3.3 - Audit and Accountability: Tracking, reviewing, and examining adherence to system requirements.
4. Section 3.5 - Identification and Authentication: Managing user identities and adequately authenticating those identities for use with information/processes.
5. Section 3.6 - Incident Response: Establishing well-tested incident-handling processes (e.g., threat detection, analysis, response, recovery) for organization information systems.
6. Section 3.11 - Risk Assessment: Periodically assessing risks to information systems and data to effectively track and manage organizational risk.
7. Section 3.13 - System and Communication Protection: Monitoring, controlling, and protecting all organizational communications.
8. Section 3.14 - System and Information Integrity: Monitoring all information and communication systems for indicators of threatening traffic and/or activity.
- Creation, protection, retention, and review of system logs.
- Develop operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
- Assess the operations risk associated with processing, storage, and transmission of CUI.
- Monitor, assess, and correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
Digital Operational Resilience Act
- European Union
- Financial Services
DORA At a Glance
The Digital Operational Resilience Act (DORA), officially Regulation 2022/2554, is a European Union regulation that requires financial entities to improve their digital operational resilience.
DORA REQUIREMENTS
1. ICT Risk Management
2. ICT-related Incident Classification & Reporting
3. Digital Operational Resilience Testing
4. Information Sharing
5. Governance and Accountability: NIS2 places greater emphasis on the role of management in overseeing cybersecurity.
- In addition to our industry-leading Security Operations Platform, Arctic Wolf invented the Concierge Delivery Model, which pairs a team of our security operations experts directly with your IT or security staff. No matter where you are on your security journey, from working toward aligning with the DORA standards to maturing your security posture over time, and beyond, we’re here to offer personalised support over the long term.
Federal Acquisition Regulation
- United States
- Government
FAR At a Glance
The Federal Acquisition Regulation (FAR) is a set of regulations that establishes the rules that the Government has to follow to acquire goods and services with procurement contracts.
Notably, FAR 52.204-21—a clause within FAR and its supplement, DFARS—calls out specific cybersecurity regulations applying to federal contractors.
Federal Acquisition Regulation: Basic Safeguarding of Covered Contractor Information Systems
- United States
- Government
- Manufacturing
FAR 52.204-21 At a Glance
The Federal Acquisition Regulation (FAR) is a set of regulations that establishes the rules that the Government has to follow to acquire goods and services with procurement contracts.
FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” is a contract clause to the Federal Acquisition Regulation (FAR) that applies to all federal contracts, not just those with the Department of Defense. It lays out a set of 15 cybersecurity controls for safeguarding contractor information systems that store, process or transmit federal contract information.
This clause also corresponds to Cybersecurity Maturity Model Certification (CMMC) Level 1.
FAR 52.204-21 REQUIREMENTS
1. Limit information system access to authorized users.
2. Limit information systems to the types of transactions and functions that authorized users are permitted to execute.
3. Verify and control/limit connections to and use of external information systems.
4. Control information posted or processed on publicly accessible information systems.
5. Identify information system users, processes acting on behalf of users, or devices.
6. Verify the identities of those users, processes, or devices as a prerequisite to allowing access to organization information systems.
7. Sanitize or destroy information system media containing federal contract information before disposal or release for reuse.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices.
10. Monitor, control, and protect organizational communications.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases become available.
15. Perform periodic scans of the information system and real-time scans of files from external sources.
- Creation, protection, retention, and review of system logs.
- Develop operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
- Assess the operations risk associated with processing, storage, and transmission of CUI.
- Monitor, assess, and correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
Family Educational Rights and Privacy Act (FERPA)
- United States
- Education
FERPA At a Glance
FERPA gives parents of students under 18 specific rights with regard to student records, and those rights transfer to the students when they reach age 18.
FERPA REQUIREMENTS
1. Inspect the student records maintained by the institution
2. Request the correction of records that they believe are inaccurate
3. Provide written permission for the records to be disclosed
- Perform continuous vulnerability scanning of internal and external networks, and endpoints
- Identify and prioritize vulnerabilities based on threat exposure, assets, and severity
- Audit system access, authentication, and other security controls to detect policy violations
- Detect and scan new devices as they enter the network
Federal Financial Institutions Examination Council
- United States
- Financial Services
FFIEC At a Glance
The Federal Financial Institutions Examination Council (FFIEC) is the inter-agency body of the United States government empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions. FFIEC guidance applies to federally supervised financial institutions.
FFIEC REQUIREMENTS
1. Objectives include identifying the institution’s inherent risk profile and determining the organization’s maturity level.
2. Domain 1: Cyber Risk Management and Oversight
3. Domain 2: Threat Intelligence and Collaboration
4. Domain 3: Cybersecurity Controls
5. Domain 4: External Dependency Management
6. Domain 5: Cyber Incident Management and Resilience
- Deliver risk management and managed threat detection and response from security experts
- Provide dedicated security expertise for your IT team
- Offer 24×7 continuous cybersecurity monitoring and vulnerability assessment
- For more information on every domain, control objective, and control activity, check out the full summary of FFIEC-NCUA Compliance.
Federal Information Security Modernization Act of 2014
- United States
- Government
FISMA 2014 At a Glance
The Federal Information Security Modernization Act of 2014 (FISMA 2014) codifies the Department of Homeland Security’s role in administering the implementation of information security policies for federal executive branch civilian agencies, overseeing agency compliance with those policies, and assisting the Office of Management and Budget (OMB) in developing those policies.
FISMA REQUIREMENTS
1. NIST develops the standards and guidelines for FISMA compliance using a risk-based approach. It uses a framework that includes seven core steps, some of which map to specific NIST Special Publications (SPs):
2. Prepare: Conducting the essential activities to help prepare for risk management under the framework.
3. Categorize: Classifying the information and systems that must be protected.
4. Select: Establishing the baseline controls for protecting the categorized systems and data.
5. Implement: Deploying the appropriate controls and documenting them.
6. Assess: Determining if controls are working correctly and leading to desired outcomes.
7. Authorize: Authorizing the operation of the system based on the risk determination.
8. Monitor: Continuously monitoring and assessing the security controls for effectiveness.
- Monitor access and account changes to in-scope applications in the cloud
- Monitor for application configuration changes
Federal Trade Commission’s Standards for Safeguarding Customer Information
- United States
- Automotive
- Financial Services
FTC Safeguards Rule At a Glance
The FTC Safeguards rule applies to a wide range of businesses that provide any type of financial services to customers and aren't regulated by other agencies under GLBA—including such organizations as auto dealerships, retailers that offer credit cards, and more.
The Safeguards rule requires these businesses to develop, implement, and maintain an information security program to protect customer information.
The revised Safeguards rule has 9 key components:
1. Organizations must designate a ‘qualified individual’ who will serve as the overseer of their cybersecurity program and provide written reports to a governing board
2. They will need to conduct regular risk assessments of both their own security systems and the security systems of their vendors to ensure that all customer and client data is kept encrypted
3. They must implement safeguards to control the risks identified, such as identity and access management, encryption, and multi-factor authentication
4. They must test and monitor effectiveness of key controls, through practices such as continuous monitoring and vulnerability assessments
5. They must ensure that all employees are provided with security awareness training, updated as necessary to reflect risks
6. They must require their own service providers to maintain appropriate safeguards, through selection, contract requirements, and assessments
7. They must continue to adjust their security program based on the results of their monitoring and any changes to the business
8. They must establish a written incident response plan, outlining roles, responsibilities, and remediation actions taken in the event of an incident
9. Finally, the qualified individual must report, in writing, on the overall status of the security program
- Arctic Wolf's security operations solutions will streamline many of the activities required under the safeguards rule
- Arctic Wolf MDR provides monitoring of key security controls, including access controls, system inventory, multi-factor authentication, and more
- Arctic Wolf Managed Risk provides regular vulnerability assessments
- Arctic Wolf Managed Awareness provides security awareness training to employees
- Arctic Wolf MDR and Tetra can play a key role in an incident response plan
- Reporting and guidance from the Concierge Security Team can support the risk assessment, and the qualified individual in managing the overall information security program
General Data Protection Regulation
- European Union
- All
GDPR At a Glance
The General Data Protection Regulation (GDPR), established by the European Commission, regulates data protection for entities that store or process personal data of EU citizens. In addition to protecting personal data, the GDPR gives consumers broad rights regarding their information, and imposes steep penalties for noncompliance. You don’t need to have a business presence in the European Union to be subject to GDPR.
GDPR REQUIREMENTS
1. Appointing a data protection officer
2. Using a “privacy by design” approach
3. Implementing data security measures
4. Notifying regulators of data breaches within 72 hours
5. GDPR also gives consumers the right to access their data, be informed about data that’s being collected, restrict processing of their data, and more.
- Provide data security through vulnerability management, detection and response, and user training
- Offer guidance and consulting by the CST on other data security measures organizations may implement
- Facilitate rapid notification of data breaches through prompt detection and response
Gramm-Leach-Bliley Act
- United States
- Financial Services
GLBA At a Glance
Under the Gramm-Leach-Bliley Act (GLBA), organizations defined as “financial institutions” must keep customer information secure and confidential. The Safeguards Rule, one of three sections of the GLBA, was updated December 9, 2021. With this update, the Federal Trade Commission (FTC) notes that an organization “engaging in an activity that is financial in nature or incidental to such financial activities” is considered a “financial institution” and must comply.
Key changes to the Safeguards Rule will take effect December 6, 2022.
Who must comply with the Safeguards Rule?
Consider these examples of organizations deemed to be “financial institutions” under the Safeguards Rule:
- Retailers extending a credit card
- Dealerships leasing a car long term — longer than 90 days
- Organizations appraising real estate or personal property
- Counselors helping individuals associated with a financial institution
- Businesses printing and selling checks on behalf of customers or wiring money
- Businesses engaging in check cashing services
- Income tax return preparers
- Travel agencies
- Real estate settlement services
- Mortgage brokers
- Colleges and universities accepting Title IV funds
GLBA REQUIREMENTS
1. The Safeguards Rule requires financial institutions to protect the consumer information they collect. Requirements include:
   - Designating an individual or group to coordinate an information security program.
   - Identifying and assessing risks to customer data and evaluating the effectiveness of the existing controls.
   - Implementing, monitoring, and testing a safeguards program.
   - Evaluating the program when changes take place in business operations and other circumstances.
   - Ensuring service providers can maintain the appropriate safeguards.
2. The Privacy of Consumer Information Rule (or Privacy Rule) requires regulated entities to inform consumers about their information-collection practices and to explain their rights to opt out. The rule includes requirements for the contents of the notices, delivery methods, and frequency.
- Provide broad visibility into threats targeting customer data on remote endpoints, the corporate network, and in cloud applications
- Deliver 24/7/365 threat detection and response to attacks targeting customer non-public information (NPI)
- Deliver proactive cyber risk assessments and strategic security advice to bolster their security posture
Health Insurance Portability and Accountability Act
- United States
- Healthcare
HIPAA At a Glance
The U.S. Department of Health and Human Services created the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to protect the confidentiality and integrity of electronic protected health information (ePHI) data. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 imposed mandatory audits and fines for non-compliance.
HIPAA REQUIREMENTS
1. HIPAA requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.
2. Administrative safeguard provisions
3. Requires a risk analysis to determine what security measures are reasonable and appropriate for your organization, including the following activities:
   - Evaluating the likelihood and impact of potential risks to ePHI
   - Implementing appropriate security measures to address the risks identified in the risk analysis
   - Documenting the chosen security measures and, where required, the rationale for adopting those measures
   - Maintaining continuous, reasonable, and appropriate security protections
4. Physical safeguard control and security measures
5. Includes:
   - Facility Access and Control Measures: Covered entities and business associates must limit physical access to facilities, while allowing authorized access to ePHI.
   - Workstation and Device Security: Covered entities and business associates must implement policies and procedures to specify proper use of and access to workstations and electronic media, and have policies and procedures for the transfer, removal, disposal, and re-use of electronic media.
6. Technical safeguards
7. Include measures, such as firewalls, encryption, and data backup, to keep ePHI secure. These safeguards consist of the following:
   - Access Controls: Implementing technical policies and procedures that allow only authorized persons to access ePHI.
   - Audit Controls: Implementing hardware, software, and/or procedural mechanisms to record and examine access in information systems that contain or use ePHI.
   - Integrity Controls: Implementing policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed.
   - Transmission Security: Implementing technical security measures that guard against unauthorized access to ePHI that is transmitted over an electronic network.
- Third-party compliance analyst firm Coalfire found that Arctic Wolf can assist with eleven out of twelve technical safeguards, and provide additional compliance value.
- Simplify HIPAA compliance with customized reporting.
- Monitor access to electronic patient health information (ePHI) data on premises and in the cloud.
- Provide real-time alerts on unauthorized access of ePHI data.
- Monitor end user and administrative access and configuration changes to all systems that create, receive, maintain, and transmit ePHI data.
- Monitor activities of active and inactive user accounts, and escalate de-provisioning of inactive accounts through manual or automated means.
- Audit changes in Active Directory (AD), Group Policies, Exchange, and file servers, and flag unauthorized actions.
- Monitor failed/successful logins/logoffs and all password changes to prevent excessive help desk calls.
- Investigate all attack vectors (e.g. phishing, ransomware, etc.), and generate security incidents to initiate response actions.
- Audit anomalous login activity and changes, including before/after values for immediate data recovery.
- Scan endpoints for unpatched vulnerabilities and collect log information from endpoint security solutions when unauthorized access or advanced malware is detected.
- Monitor and report user logins/logouts in Active Directory and all user activity on endpoints, and continuously monitor network traffic to detect anomalous activity.
- Provide reports for account creations and deletions, data retention policies, admin lockouts, configuration changes, and about who, what, where, and when these changes were made.
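The HIPAA audit-control safeguard above ("record and examine activity in information systems that contain or use ePHI") and the monitoring bullets that follow it describe a review that is easy to show concretely. The following is an added example, not Arctic Wolf code or a HIPAA artifact: it parses a handful of constructed ePHI access records and flags three things a reviewer would want alerted on: a successful read by a role that should never touch ePHI, any activity from an account HR has marked inactive, and one user pulling an unusually large number of distinct patient records in a short window. The log format, role names, threshold and account list are all assumptions.

```python
"""Hypothetical ePHI access-audit review (added example, not a vendor's or regulator's code).

Reads constructed 'timestamp key=value ...' audit records and flags:
  * successful reads by accounts whose role is not cleared for ePHI (Access Controls),
  * any activity from accounts that should already be de-provisioned,
  * one user reading many distinct patient records within a short window (bulk access).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The field names are an assumption, not a real product schema.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=asmith role=clinician action=READ patient=P1001 result=SUCCESS
2024-03-04T08:03:40Z user=asmith role=clinician action=READ patient=P1002 result=SUCCESS
2024-03-04T08:05:02Z user=rjones role=facilities action=READ patient=P1003 result=SUCCESS
2024-03-04T08:06:15Z user=tbrown role=clinician action=READ patient=P1004 result=SUCCESS
2024-03-04T08:06:20Z user=tbrown role=clinician action=READ patient=P1005 result=SUCCESS
2024-03-04T08:06:25Z user=tbrown role=clinician action=READ patient=P1006 result=SUCCESS
2024-03-04T08:06:30Z user=tbrown role=clinician action=READ patient=P1007 result=SUCCESS
2024-03-04T08:06:35Z user=tbrown role=clinician action=READ patient=P1008 result=SUCCESS
2024-03-04T08:06:40Z user=tbrown role=clinician action=READ patient=P1009 result=SUCCESS
2024-03-04T08:10:00Z user=mlee role=billing action=READ patient=P1001 result=FAILURE
"""

EPHI_ROLES = {"clinician", "billing"}   # roles permitted to read ePHI (assumption)
INACTIVE_ACCOUNTS = {"mlee"}            # accounts HR says should be disabled (assumption)
BULK_THRESHOLD = 5                      # distinct patients within BULK_WINDOW that trips an alert
BULK_WINDOW = timedelta(minutes=10)


def parse_audit_log(text):
    """Parse each non-empty line into a dict; the first token is an ISO-8601 UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def find_violations(events, ephi_roles=EPHI_ROLES, inactive=INACTIVE_ACCOUNTS,
                    bulk_threshold=BULK_THRESHOLD, bulk_window=BULK_WINDOW):
    """Return a sorted list of (rule, user, detail) findings for the supplied events."""
    findings = []
    reads = defaultdict(list)  # user -> [(timestamp, patient)] for successful reads
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if user in inactive:
            # Any activity at all from a supposedly de-provisioned account is a finding,
            # even a failed attempt: it means the account still exists.
            findings.append(("inactive-account-activity", user, e["result"]))
        if e["role"] not in ephi_roles and e["result"] == "SUCCESS":
            findings.append(("unauthorized-role-access", user, e["patient"]))
        if e["action"] == "READ" and e["result"] == "SUCCESS":
            reads[user].append((e["ts"], e["patient"]))
    # Sliding window per user: count distinct patients read within bulk_window of each read.
    for user, items in reads.items():
        for i, (start, _) in enumerate(items):
            window = {patient for ts, patient in items[i:] if ts - start <= bulk_window}
            if len(window) >= bulk_threshold:
                findings.append(("bulk-record-access", user, f"{len(window)} patients"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in find_violations(parse_audit_log(SAMPLE_LOG)):
        print(f"{rule:28s} {user:10s} {detail}")
```

Two design points matter for an audit-control implementation. Failed attempts from inactive accounts are reported because the safeguard is about recording and examining activity, not only successes; a still-enabled account is itself the finding. The bulk-access rule is deliberately per-user and time-bounded, so that a clinician's normal workload over a shift is not flagged while a rapid sweep through records is.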
Healthcare Information Trust Alliance
- United States
- Healthcare
HITRUST At a Glance
The Healthcare Information Trust Alliance (HITRUST) developed the Common Security Framework (CSF) based on a variety of federal and state regulations, frameworks, and standards. The HITRUST CSF provides regulated healthcare organizations with a common set of standards they can adopt as well as use for evaluating their vendors.
HITRUST CSF REQUIREMENTS
- 1Organizational factors such as geographic scope and business volume
- 2Regulatory factors based on compliance requirements specific to the organization's circumstances, including sector and geography
- 3System factors that affect data management risk, such as data storage and transmission, internet access, third-party access, number of users, and number of daily transactions
- 4The framework also allows alternate management, technical, or operational controls to be applied under specific conditions.
- Arctic Wolf MDR produces reports that map to the HITRUST controls, based on the authentication and authorization log sources our services ingest.
IRS Pub 1075
- United States
- Government
IRS Pub 1075 At a Glance
Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies and their agents that access federal tax information (FTI) to ensure that they use policies, practices, and controls to protect its confidentiality. IRS 1075 aims to minimize the risk of loss, breach, or misuse of FTI held by external government agencies.
IRS PUB 1075 REQUIREMENTS
- 1To protect FTI, IRS 1075 prescribes security and privacy controls for application, platform, and datacenter services.
- 2The required controls cover both electronic and physical safeguards, including:
- 3Record Keeping Requirements: maintain a permanent system of records for all FTI received and anything related to it, including who holds access rights.
- 4Secure Storage: physical and electronic security of the places where FTI is kept, including restricted areas, authorized access, locks and keys, safes and vaults, transportation security, and the security of computers and storage media.
- 5Restricting Access: controls governing who may access FTI and for what purpose.
- 6Reporting Requirements: periodic reports such as the Safeguard Activity Report (SAR) and the Safeguard Procedures Report (SPR) must be sent to the IRS.
- 7Training and Inspections: security awareness training and annual certification of employees; annual inspections are also required to validate proper implementation.
- 8Disposal: standards for disposing of FTI on physical and electronic media.
- 9Computer System Security: the largest and most detailed section of the publication, covering access control, cryptography, email, networking, wireless, and emerging technologies.
- Arctic Wolf can provide evidence and artifacts related to data access, security training for employees, and support for computer system security programs.
International Organization for Standardization: Information Security Standard
- International
- All
ISO 27002 At a Glance
ISO/IEC 27002:2022 provides a reference set of generic information security controls, including implementation guidance. It is designed to be used by organizations:
A) Within the context of an information security management system (ISMS) based on ISO/IEC 27001
B) For implementing information security controls based on internationally recognized best practices
C) For developing organization-specific information security management guidelines.
ISO 27002:2022 REQUIREMENTS
- 1Annex A of ISO/IEC 27001:2013 listed 114 controls in 14 control sets, each expanded upon in Clauses 5–18 of ISO/IEC 27002:2013. The 2022 revision consolidates these into 93 controls under four themes (Clause 5 Organizational, 6 People, 7 Physical, 8 Technological), but the 2013 control sets still appear in many compliance mappings:
- 2A.5 Information security policies
- 3A.6 Organization of information security
- 4A.7 Human resource security
- 5A.8 Asset management
- 6A.9 Access control
- 7A.10 Cryptography
- 8A.11 Physical and environmental security
- 9A.12 Operations security
- 10A.13 Communications security
- 11A.14 System acquisition, development, and maintenance
- 12A.15 Supplier relationships
- 13A.16 Information security incident management
- 14A.17 Information security aspects of business continuity management
- 15A.18 Compliance
- Arctic Wolf can provide evidence and artifacts related to asset management, access control, system maintenance, and more. Arctic Wolf MDR provides support for information security incidents.
International Traffic in Arms Regulations
- United States
- Arms/Defense
ITAR At a Glance
The United States' International Traffic in Arms Regulations (ITAR) control the manufacture, sale, and distribution of defense and space-related articles and services.
ITAR REQUIREMENTS
- 1The core rule: defense articles and related technical data on the United States Munitions List (USML) may only be accessed by U.S. persons unless an export authorization is in place. The USML has 21 categories of defense articles.
- 2Follow these basic principles to secure your ITAR data:
- 3Discover and classify sensitive data
- 4Map data and permissions
- 5Manage access control
- 6Monitor data, file activity, and user behavior
- Monitor data, file activity, and user behavior
- Audit assets across systems
- Monitor and log access controls and access activity
IT Security Act 2.0
- Germany
- All
KRITIS At a Glance
In Germany, special regulations apply to operators of critical infrastructures under the BSI Act (BSI-Gesetz, BSIG), the law governing the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).
Critical infrastructures (KRITIS) are organizations or facilities of major importance to the functioning of the state and society, whose failure or impairment would result in lasting supply shortages, significant disruption to public safety, or other dramatic consequences. Which facilities count as critical infrastructure is regulated by the BSI Critical Infrastructure Ordinance (BSI-KritisV) issued under the BSI Act.
The IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), in force since May 2021, added the waste management sector to the potential operators of critical infrastructure alongside energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance.
IT SECURITY ACT 2.0 REQUIREMENTS
- 1Once a review has established that a company clearly qualifies as a critical infrastructure operator, it must fulfil the following requirements under the BSI Act:
- 2Register with the BSI as a critical infrastructure operator.
- 3Establish a point of contact as the interface to the BSI.
- 4Reliably detect significant security incidents and report them to the BSI without delay.
- 5Implement IT security in accordance with the state of the art.
- 6Demonstrate compliance every two years through security audits, inspections, or certifications.
- Detect and respond to security incidents
- Deliver concierge guidance on an organization's security journey
- Provide evidence, artifacts and reporting on security controls and practices for audit and review
Massachusetts General Law Chapter 93H: Security Breach
- Massachusetts - US
- All
Massachusetts General Law Chapter 93H: Security Breach At a Glance
Chapter 93H requires that a person or agency that owns or licenses data that includes personal information about a resident of the Commonwealth provide notice, as soon as practicable and without unreasonable delay, to the Attorney General, to the Office of Consumer Affairs and Business Regulation (OCABR), and to the affected resident(s) when that person or agency (1) knows or has reason to know of a breach of security, or (2) knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose.
MASSACHUSETTS GENERAL LAW CHAPTER 93H REQUIREMENTS
- 1The notice provided to the Attorney General and the OCABR must include, in addition to the nature of the breach and the number of Massachusetts residents affected, the following information:
- 2The name and address of the person or agency that experienced the breach of security
- 3Name and title of the person or agency reporting the breach of security
- 4Their relationship to the person or agency that experienced the breach of security
- 5The type of person or agency reporting the breach of security
- 6The person responsible for the breach of security, if known
- 7The type of personal information compromised, including, but not limited to, social security number, driver's license number, financial account number, credit or debit card number, or other data
- 8Whether the person or agency maintains a WISP (written information security program)
- 9Any steps the person or agency has taken or plans to take relating to the incident, including whether they have updated the written information security program.
- Arctic Wolf MDR can help rapidly identify a security incident, facilitate a response to such an incident, and provide evidence on the scope and impact of the incident.
National Credit Union Administration
- United States
- Financial Services
NCUA At a Glance
The National Credit Union Administration (NCUA) uses a risk-based approach to examining and supervising credit unions.
All federally insured credit unions receive an NCUA examination on a periodic basis. To ensure both compliance with applicable laws and regulations, as well as safety and soundness, a review of the credit union’s information security program is performed at each examination.
NCUA REQUIREMENTS
- 1Although the NCUA uses a variety of resources and frameworks for their risk-based examination, credit unions supervised by the NCUA should follow the Federal Financial Institutions Examination Council (FFIEC) compliance standards.
- See the NCUA's examination guidance and the FFIEC compliance standards.
- Deliver risk management and managed threat detection and response from security experts
- Provide dedicated security expertise for your IT team
- Offer 24×7 continuous cybersecurity monitoring and vulnerability assessment
- For more information on every domain, control objective, and control activity, see the full summary of FFIEC-NCUA compliance.
Federal Energy Regulatory Commission/North American Electric Reliability Corporation Critical Infrastructure Protection
- United States
- Canada
- Energy
NERC CIP At a Glance
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring, and managing the security of the Bulk Electric System (BES) in North America. These standards apply specifically to the cybersecurity aspects of the BES. The NERC CIP standards provide a cybersecurity framework to identify and secure critical assets that can affect the efficient and reliable supply of electricity by North America's BES.
NERC CIP REQUIREMENTS
- 1CIP-002-5.1a Cyber Security: BES Cyber System Categorization
- 2CIP-003-8 Cyber Security: Security Management Controls
- 3CIP-004-6 Cyber Security: Personnel & Training
- 4CIP-005-6 Cyber Security: Electronic Security Perimeter(s)
- 5CIP-006-6 Cyber Security: Physical Security of BES Cyber Systems
- 6CIP-007-6 Cyber Security: System Security Management
- 7CIP-008-6 Cyber Security: Incident Reporting and Response Planning
- 8CIP-009-6 Cyber Security: Recovery Plans for BES Cyber Systems
- 9CIP-010-3 Cyber Security: Configuration Change Management and Vulnerability Assessments
- 10CIP-011-2 Cyber Security: Information Protection
- 11CIP-013-1 Cyber Security: Supply Chain Risk Management
- Support incident response activities
- Monitor and provide evidence and artifacts on system and security management
- Provide visibility, benchmarking, and reporting of vulnerabilities, misconfigurations, and risks
- Deliver managed security awareness training
Network and Information Systems 2
- European Union
- All
NIS2 At a Glance
The Network and Information Systems 2 (NIS2) directive is a Directive of the European Union to improve the security and resilience of networks and information systems and achieve a high common level of cybersecurity across the member countries in the EU.
The earlier Network and Information Systems (NIS) directive (EU 2016/1148) was updated and expanded into NIS2 (Directive (EU) 2022/2555), adopted on 14 December 2022 and in force since 16 January 2023; Member States had until 17 October 2024 to transpose it into national law.
NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity. It builds on the previous NIS Directive and represents a further development of measures to meet the challenges of an increasingly digitalised world.
NIS2 REQUIREMENTS
- 1Risk Assessment and Management: Organizations must conduct regular risk assessments of their network and information systems and implement appropriate technical and organizational security measures to manage those risks.
- 2Incident Handling and Reporting: Entities must have incident handling processes in place and notify their national CSIRT or competent authority of significant incidents: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
- 3Business Continuity: Entities must develop and maintain business continuity and disaster recovery plans to ensure the continuity of essential services in the event of a disruptive incident.
- 4Supply Chain Security: Organizations are responsible for managing cybersecurity risks across their supply chains. They must implement appropriate security measures for relationships with direct suppliers and service providers.
- 5Governance and Accountability: NIS2 places greater emphasis on the role of management in overseeing cybersecurity.
- 6Compliance and Enforcement: Failure to comply with the NIS2 requirements can result in significant penalties, including fines of up to 10 million euros or 2% of global annual turnover, whichever is higher, for "essential entities" and up to 7 million euros or 1.4% of global annual turnover, whichever is higher, for "important" entities. Authorities also have the power to impose other sanctions, such as temporary service suspensions.
- Risk Analysis and Assessment: The Arctic Wolf Cyber Resilience Assessment uses industry standard frameworks, like NIST CSF (both 1.1 and 2.0) and CIS Controls, to help organisations measure their own cyber risk and security maturity. As security gaps are identified, organisations receive actionable recommendations through our Security Posture in Depth Reviews (SPiDRs) that support mitigating security gaps and improving their overall cybersecurity maturity.
- Risk Analysis and Vulnerability Management: Arctic Wolf® Managed Risk helps customers carry out the necessary risk analysis for assets that fall under the scope of NIS2. We enable you to discover, assess, and harden your environment against digital risk, including vulnerability prioritisation for remediation.
- Security Awareness: Arctic Wolf Managed Security Awareness® delivers cybersecurity awareness training through a streamlined process that delivers content and training on a regular cadence. The programme also delivers continuous individual testing of employees and offers training adapted to the real needs of an organisation depending on their industry and the threat landscape.
- Incident Handling and Incident Response: Arctic Wolf® Managed Detection and Response (MDR) provides detection and response to threats through 24x7 monitoring of network, endpoint, cloud, and identity sources. In addition to detection, through managed investigations, the Arctic Wolf Security Teams can work with customers to contain immediate threats before they escalate. Additionally, Arctic Wolf® Incident Response offers full-service incident response (IR) services that help stop an attack and quickly restore your organisation to pre-incident business operations, while the Arctic Wolf Incident Response JumpStart Retainer (IRJS) provides incident planning and review with experts, access to battle-tested runbooks, and an online portal where your organisation can store your IR documents, plans, and more.
- Proactive Security Solutions: Arctic Wolf partners can design, implement, support, and operate Arctic Wolf solutions that align with the technical security requirements of NIS2, all of which are further supported by the Arctic Wolf Concierge Security Team (CST) within individual customer environments.
- Reporting: Arctic Wolf supports the customer's obligation to report to the national CSIRT or competent authority, with the ability to provide content that will assist their internal teams in filing the incident notifications NIS2 requires. Arctic Wolf also offers Data Explorer, which enables log retention and search, allowing customers to access and gather necessary information for compliance reports, compile artifacts for third-party stakeholders, and collect logs for security posture validation.
Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
- United States
- All
- Federal Contractors
- Government
NIST 800-171B At a Glance
NIST SP 800-171B was released as a draft in June 2019 and introduces 33 enhanced security requirements designed to protect nonfederal organizations, in practice mostly DoD contractors and specifically their high-value assets and critical programs involving CUI, against the tactics and techniques of advanced persistent threats (APTs). The draft was finalized in February 2021 as NIST SP 800-172, which expands the set to 35 enhanced requirements; the 33 draft requirements are listed below.
The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.
NIST SP 800-171B REQUIREMENTS
- 1Employ dual authorization to execute critical or sensitive system and organizational operations.
- 2Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
- 3Employ secure information transfer solutions to control information flows between security domains on connected systems.
- 4Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
- 5Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
- 6Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
- 7Employ automated mechanisms to detect the presence of misconfigured or unauthorized system components and either remove the components or place them in a quarantine or remediation network that allows for patching, reconfiguration, or other mitigations.
- 8Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
- 9Identify and authenticate systems and system components before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
- 10Employ password managers for the generation, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management.
- 11Employ automated mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.
- 12Establish and maintain a full-time security operations center capability.
- 13Establish and maintain a cyber incident response team that can be deployed to any location identified by the organization within 24 hours.
- 14Conduct enhanced personnel screening (vetting) for individual trustworthiness and reassess individual trustworthiness on an ongoing basis.
- 15Ensure that organizational systems are protected whenever adverse information develops regarding the trustworthiness of individuals with access to CUI.
- 16Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
- 17Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
- 18Employ advanced automation and analytics capabilities to predict and identify risks to organizations, systems, or system components.
- 19Document or reference in the system security plan the risk basis for security solution selection, and identify the system and security architecture, system components, boundary isolation, or protection mechanisms and dependencies on external service providers.
- 20Assess the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
- 21Assess, respond to, and monitor supply chain risks associated with organizational systems.
- 22Develop and update as required a plan for managing supply chain risks associated with organizational systems.
- 23Conduct penetration testing at least annually, leveraging automated scanning tools and ad hoc tests using human experts.
- 24Employ diverse system components to reduce the extent of malicious code propagation.
- 25Disrupt the attack surface of organizational systems and system components through unpredictability, moving target defense, or non-persistence.
- 26Employ technical and procedural means to confuse and mislead adversaries through a combination of misdirection, tainting, or disinformation.
- 27Employ physical and logical isolation techniques in the system and security architecture.
- 28Employ roots of trust, formal verification, or cryptographic signatures to verify the integrity and correctness of security critical or essential software.
- 29Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
- 30Ensure that Internet of Things (IoT), Operational Technology (OT) and Industrial Internet of Things (IIoT) systems, components, and devices are compliant with the security requirements imposed on organizational systems or are isolated in purpose-specific networks.
- 31Refresh organizational systems and system components from a known, trusted state at least twice annually.
- 32Conduct periodic reviews of persistent organizational storage locations and purge CUI that is no longer needed consistent with federal records retention policies and disposition schedules.
- 33Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
- Deliver awareness training and exercises updated and managed by the Concierge Security Team
- Scan networks and environments to audit system assets and identify misconfigurations and other vulnerabilities
- Provide logs, records, and evidence related to authorization and access policies and procedures
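Requirement 9 above asks for bidirectional authentication that is cryptographically based and replay resistant before a network connection is established. The block below is an added example, not NIST text or Arctic Wolf code, showing one minimal way to meet that wording with a per-device pre-shared key and HMAC-SHA256 from the standard library: each side proves knowledge of the key over a fresh nonce chosen by the other side, so a recorded transcript is useless to an attacker, and the server keeps a single-use challenge table plus a replay cache. The device identifiers, key table and message layout are assumptions; a production deployment would use per-device certificates or a hardware root of trust rather than a shared secret.

```python
"""Mutual, replay-resistant challenge-response over a pre-shared key (added example).

Exchange (assumed layout, not a published protocol):
  1. server -> device : server_nonce
  2. device -> server : device_nonce, HMAC(key, "device" | server_nonce | device_nonce | id)
  3. server -> device : HMAC(key, "server" | device_nonce | server_nonce | id)
Each proof is bound to a nonce the *other* side chose, so neither message can be replayed,
and the distinct labels stop a reflected device tag from passing as a server tag.
"""
import hashlib
import hmac
import secrets


def _tag(key, label, *parts):
    """HMAC-SHA256 over length-prefixed fields so concatenation is unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in (label, *parts))
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, device_keys):
        self.device_keys = device_keys      # device_id -> 32-byte PSK (assumption)
        self.pending = {}                   # device_id -> outstanding challenge nonce
        self.seen_device_nonces = set()     # replay cache for step-2 messages

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id, device_nonce, device_tag):
        """Return the server's proof (step 3) if the device's proof is valid, else None."""
        server_nonce = self.pending.pop(device_id, None)   # challenge is single-use
        key = self.device_keys.get(device_id)
        if server_nonce is None or key is None:
            return None
        if device_nonce in self.seen_device_nonces:         # replayed step-2 message
            return None
        expected = _tag(key, b"device", server_nonce, device_nonce, device_id.encode())
        if not hmac.compare_digest(expected, device_tag):
            return None
        self.seen_device_nonces.add(device_nonce)
        return _tag(key, b"server", device_nonce, server_nonce, device_id.encode())


class Device:
    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.nonce = None
        self.last_server_nonce = None

    def respond(self, server_nonce):
        """Step 2: answer the server's challenge and issue our own nonce."""
        self.nonce = secrets.token_bytes(16)
        self.last_server_nonce = server_nonce
        tag = _tag(self.key, b"device", server_nonce, self.nonce, self.device_id.encode())
        return self.nonce, tag

    def verify_server(self, server_tag):
        """Step 3: accept the connection only if the server proved it holds our key."""
        expected = _tag(self.key, b"server", self.nonce, self.last_server_nonce,
                        self.device_id.encode())
        return hmac.compare_digest(expected, server_tag)


def run_handshake(server, device):
    """Full exchange; True only if both sides authenticated each other."""
    n_s = server.challenge(device.device_id)
    n_d, tag_d = device.respond(n_s)
    tag_s = server.verify_device(device.device_id, n_d, tag_d)
    return tag_s is not None and device.verify_server(tag_s)


def replay_is_rejected(server, device):
    """Record one honest step-2 message, then replay it against a new challenge."""
    n_s = server.challenge(device.device_id)
    n_d, tag_d = device.respond(n_s)
    assert server.verify_device(device.device_id, n_d, tag_d) is not None
    server.challenge(device.device_id)        # new session, fresh server nonce
    return server.verify_device(device.device_id, n_d, tag_d) is None


def forged_server_tag_is_rejected(device):
    """A party without the key cannot produce a step-3 tag the device accepts."""
    device.respond(secrets.token_bytes(16))
    return not device.verify_server(secrets.token_bytes(32))


if __name__ == "__main__":
    psk = secrets.token_bytes(32)
    srv, dev = Server({"sensor-1": psk}), Device("sensor-1", psk)
    print("mutual auth:", run_handshake(srv, dev))
    print("replay rejected:", replay_is_rejected(srv, dev))
    print("forged server rejected:", forged_server_tag_is_rejected(dev))
```

Three details carry the "replay resistant" property: the server pops its outstanding challenge before checking anything, so a failed or replayed attempt burns the challenge instead of leaving it reusable; every accepted device nonce is remembered; and the step-3 tag covers the device's nonce, so a recorded server answer does not satisfy a later session either. Length-prefixing the HMAC input prevents two different field splits from producing the same byte string.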
Security and Privacy Controls for Information Systems and Organizations
- United States
- All
- Federal Contractors
- Government
NIST 800-53 At a Glance
NIST SP 800-53 is the catalog of security and privacy controls for federal information systems and organizations; NIST SP 800-171 derives a subset of those requirements for nonfederal systems that process, store, or transmit CUI. The key distinction is therefore scope: 800-53 applies directly to federal organizations, while 800-171 applies to nonfederal networks.
NIST 800-53 REQUIREMENTS
- 1 See the NIST SP 800-171 requirements.
- Simplify NIST 800-171 compliance with customized reporting
- Protect CUI by monitoring all communications and traffic for malicious activity
- Support incident response
- Deliver 24×7 monitoring with unlimited log sources
National Institute of Standards and Technology Cybersecurity Framework
- United States
- ALL
NIST CSF At a Glance
The National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) is a risk-based compilation of guidelines that helps organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. The NIST CSF is designed for organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity of their cybersecurity programs. It is often used to report security posture to executive leadership, since the six high-level functions of CSF 2.0 (Govern, Identify, Protect, Detect, Respond, and Recover) make complex topics easier to present.
NIST CSF REQUIREMENTS
- 1Govern
- 2Identify
- 3Protect
- 4Detect
- 5Respond
- 6Recover
- Arctic Wolf's security operations solutions provide coverage across the six NIST CSF functions:
- MDR provides support for Detect, Respond, and Recover
- Managed Risk helps businesses Identify their assets and risks and Protect their environments
- Managed Security Awareness leverages people to provide security across all six functions
- Incident Response helps businesses experiencing an incident Respond and Recover
The National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171
- United States
- All
- Federal Contractors
- Government
NIST SP 800-171 At a Glance
Executive Order 13556 established the Controlled Unclassified Information (CUI) program to standardize how the executive branch handles unclassified information that requires safeguarding, such as personally identifiable information or sensitive government assets. NIST SP 800-171 specifies the security requirements for protecting CUI when it resides on the systems of nonfederal organizations, including federal contractors.
NIST SP 800-171 REQUIREMENTS
- 1Sec. 3.1 Access Control
- 2Sec. 3.2 Awareness and Training
- 3Sec. 3.3 Audit and Accountability
- 4Sec. 3.4 Configuration Management
- 5Sec. 3.5 Identification and Authentication
- 6Sec. 3.6 Incident Response
- 7Sec. 3.7 Maintenance
- 8Sec. 3.8 Media Protection
- 9Sec. 3.9 Physical Protection
- 10Sec. 3.10 Personnel Security
- 11Sec. 3.11 Risk Assessment
- 12Sec. 3.12 Security Assessment
- 13Sec. 3.13 System and Communications Protection
- 14Sec. 3.14 System and Information Integrity
- Simplify NIST 800-171 compliance with customized reporting
- Protect CUI by monitoring all communications and traffic for malicious activity
- Support incident response
- Deliver 24×7 monitoring with unlimited log sources
Payment Card Industry Data Security Standard
- International
- United States
- Consumer Transactions
PCI-DSS At a Glance
While not federally mandated in the United States, PCI-DSS is an industry standard maintained by the Payment Card Industry Security Standards Council (PCI SSC) and enforced contractually by the payment brands and acquirers to protect cardholder data.
In March 2022, PCI SSC published PCI DSS v4.0, replacing v3.2.1 (retired on 31 March 2024), to address emerging threats and technologies and to allow more flexible, customized methods of meeting the requirements.
PCI-DSS REQUIREMENTS
- 1PCI-DSS 1: Install and maintain network security controls.
- 2PCI-DSS 2: Apply secure configurations to all system components.
- 3PCI-DSS 3: Protect stored account data.
- 4PCI-DSS 4: Protect cardholder data with strong cryptography during transmission over open, public networks.
- 5PCI-DSS 5: Protect all systems and networks from malicious software.
- 6PCI-DSS 6: Develop and maintain secure systems and software.
- 7PCI-DSS 7: Restrict access to system components and cardholder data by business need to know.
- 8PCI-DSS 8: Identify users and authenticate access to system components.
- 9PCI-DSS 9: Restrict physical access to cardholder data.
- 10PCI-DSS 10: Log and monitor all access to system components and cardholder data.
- 11PCI-DSS 11: Test security of systems and networks regularly.
- 12PCI-DSS 12: Support information security with organizational policies and programs.
- Simplify PCI-DSS compliance with customized reporting
- Monitor access to cardholder data on-premises and in the cloud
- Provide real-time alerts based on business risks posed by payment card data
- Perform continuous vulnerability scanning of internal and external networks, and endpoints
- Implement secure configuration policies based on security controls benchmarks, such as CIS
- Identify and prioritize vulnerabilities based on threat exposure, assets, and severity
- Audit system access, authentication, and other security controls to detect policy violations
- Automatically detect and scan new devices as they enter the network
- Create, assign, track, and verify remediation tasks
- Demonstrate compliance and communicate progress with reports, analytics, and live dashboards from the Arctic Wolf Concierge Security Team
Personal Health Information Protection Act
- Canada
- Healthcare
PHIPA At a Glance
The Personal Health Information Protection Act, also known as PHIPA, is Ontario legislation established in November 2004. PHIPA is one of two components of the Health Information Protection Act, 2004.
PHIPA REQUIREMENTS
- 1PHIPA contains notification requirements for both agents and custodians. If personal health information handled by an agent on behalf of a custodian is stolen, lost or accessed by unauthorized persons, the agent must notify the custodian of the breach at the first reasonable opportunity.
- 2PHIPA also requires custodians to notify individuals at the first reasonable opportunity if personal health information is stolen, lost or accessed by an unauthorized person.
- Arctic Wolf MDR produces reports that map to the PHIPA requirements, based on the authentication and authorization log sources our services ingest. Note that each Canadian province has its own health information legislation and controls.
Secure Controls Framework
- International
- ALL
SCF At a Glance
The Secure Controls Framework (SCF) is a comprehensive catalog of controls that is designed to enable companies to design, build, and maintain secure processes, systems, and applications. The SCF addresses both cybersecurity and privacy, so that these principles are designed to be “baked in” at the strategic, operational, and tactical levels.
SCF REQUIREMENTS:
1. The SCF's goal is to help organizations of all sizes implement these four principles of cybersecurity and privacy:
2. CONFIDENTIALITY - Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.
3. INTEGRITY - Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
4. AVAILABILITY - Availability addresses ensuring timely and reliable access to and use of information.
5. SAFETY - Safety addresses reducing the risk associated with embedded technologies that could fail or be manipulated by nefarious actors.
6. Thirty-two domains make up the SCF, and over 1,000 controls are categorized within these domains to make them easier to manage. Each domain has a three-letter identifier, which is included in the control name so that the focus of each control is easy to recognize.
- Arctic Wolf security operations solutions provide evidence and artifacts across SCF domains. Arctic Wolf can provide monitoring, vulnerability management, security awareness training, and more.
New York State "Stop Hacks and Improve Electronic Data Security" Act
- New York - US
- All
SHIELD Act At a Glance
The data security provisions of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect on March 21, 2020. The act requires any business that collects private information on New York residents, whether or not the business operates in New York, to implement reasonable administrative, technical and physical safeguards to protect that information.
SHIELD REQUIREMENTS
1. Administrative safeguards, such as designating employees to coordinate the security program, identifying foreseeable external and insider risks, assessing existing safeguards, implementing workforce cybersecurity training, and selecting and managing third-party service providers capable of maintaining appropriate safeguards.
2. Technical safeguards, such as risk assessments of network design, software design, and information processing, transmission and storage; implementation of measures to detect, prevent, and respond to attacks and system failures; and regular testing and monitoring of key controls.
3. Physical safeguards, such as detection, prevention, and response to intrusions, as well as protection against unauthorized access to (or use of) private information during or after collection, transportation, and destruction or disposal of the information.
- Monitor your environment for threats and provide regular feedback on your security posture.
- Provide internal and external vulnerability assessment and management capabilities to understand risks.
- Act as your service provider to monitor your systems and assess/manage vulnerabilities in those systems.
System and Organization Controls (SOC) 2 Type 2
- International
- United States
- All
SOC 2 Type 2 At a Glance
A SOC 2 Type 2 report is a System and Organization Controls (SOC) audit report, defined by the AICPA, on how a service organization (typically a cloud or SaaS provider) handles customer data. It covers both the suitability of the design of a company's controls and their operating effectiveness over the review period, whereas a Type 1 report evaluates only the design of the controls at a single point in time.
SOC 2 is a widely used framework for assessing a service provider's security, though some companies opt for ISO/IEC 27001 certification or HITRUST instead.
SOC 2 TYPE 2 REQUIREMENTS
1. SOC 2 compliance is based on specific criteria for managing customer data correctly, organized into five Trust Services Categories: security, availability, processing integrity, confidentiality, and privacy. Security is the only mandatory category; the others are included based on the services in scope.
2. The baseline SOC 2 checklist for the Security category is detailed in the AICPA's Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, and should address these control areas:
3. Logical and physical access controls: how you restrict and manage logical and physical access to prevent unauthorized access.
4. System operations: how you manage your system operations to detect and mitigate deviations from set procedures.
5. Change management: how you implement a controlled change management process and prevent unauthorized changes.
6. Risk mitigation: how you identify and develop risk mitigation activities when dealing with business disruptions and the use of any vendor services.
- Monitor and provide evidence and artifacts on the behavior of access controls and systems operations
- Support risk management through vulnerability management and tracking
Student Online Personal Information Protection Act
- California - US
- Education
SOPIPA At a Glance
SOPIPA, which came into effect in January 2016, applies to entities that operate websites, online services, and online and mobile apps that are designed and marketed primarily for K-12 educational purposes. It requires these operators to implement reasonable security practices to protect the student data, and prohibits them from sharing the data or using it for advertising for noneducational purposes.
SOPIPA REQUIREMENTS
1. Beyond prohibiting the disclosure of K-12 student data for non-educational purposes, SOPIPA requires operators to meet its security and deletion requirements by:
2. Implementing and maintaining reasonable security procedures and practices to protect covered information from unauthorized access, destruction, use, modification, or disclosure.
3. Deleting a student's covered information (as defined by SOPIPA) when the school or district requests deletion of data under its control.
- Arctic Wolf security operations solutions support security procedures designed to protect covered information, and can provide evidence and artifacts documenting those procedures.
Sarbanes–Oxley Act
- International
- United States
- Financial Services
SOX At a Glance
SOX (the Sarbanes-Oxley Act of 2002) imposes expanded regulatory requirements on all U.S. public companies, foreign companies with securities registered with the Securities and Exchange Commission (SEC), and public accounting firms. Its primary goal is to prevent fraudulent financial reporting and protect investors.
SOX REQUIREMENTS
1. Section 302 mandates that senior corporate officers personally certify in writing that the company's financial statements comply with SEC disclosure requirements and "fairly present in all material respects" the financial condition and results of operations of the issuer. Officers who certify financial statements they know to be inaccurate are subject to criminal penalties under Section 906, including prison terms.
2. Section 404 requires management to establish, document and annually assess internal controls over financial reporting, and the company's external auditor to attest to management's assessment. Some critics of the law have complained that the Section 404 requirements have a negative impact on publicly traded companies because establishing and maintaining the necessary internal controls is often expensive.
3. Section 802 contains three rules that affect recordkeeping. The first addresses the destruction and falsification of records. The second defines the retention period for storing records. The third outlines the specific business records that companies need to retain, which include electronic communications.
- Analyze, prioritize, and manage vulnerabilities
- Maintain, monitor, and analyze audit logs
- Perform regular risk assessments to identify weak points in your security
Explore the Complex World of Regulations
Compliance can be overwhelming. Multiple frameworks. Overlapping requirements. Let Arctic Wolf be your guide.
2022 Cybersecurity Compliance Landscape: Current State and Beyond
To better understand the challenges you face, we conducted an anonymous industry survey on cybersecurity compliance.
78% implement six or more cybersecurity regulatory frameworks or general cybersecurity frameworks.
34% don't have the budget or resources to adjust workflows and processes for compliance-based regulations.
53% don't have the time, resources or talent to manage and maintain their compliance.
“Getting clear visibility across our infrastructure was a worrisome issue until we engaged Arctic Wolf. Collaborating with Arctic Wolf’s Concierge Security® Team lets us maintain visibility and meet compliance obligations.”
Dr. Jason A. Thomas,
Chief Operating Officer and Chief Information Officer, Jackson Parish Hospital
Arctic Wolf Helps Thousands of Teams Achieve Compliance
- 24x7x365 Scanning: 24x7x365 scanning of your entire IT environment for threats and vulnerabilities.
- Priority Context: priority context on the criticality of vulnerabilities found within the organization's networks and endpoints.
- Prevent Unnecessary Access: prevent unnecessary access to critical systems and infrastructure.
- Better Understand Your Assets: provide a way to better understand the configuration settings of your servers and workstations, preventing vulnerable services and settings from being exploited.
Legal Disclaimer:
This information is provided for informational purposes and is not legal advice and should not be interpreted as such. Consult with your own legal counsel to determine your regulatory obligations and assess the effectiveness of your compliance programs. Arctic Wolf products and services are not compliance solutions but are tools that can support your compliance programs.