If previous years have shown us anything, it’s that we want to be prepared for all situations. With IT due diligence, you have processes and procedures designed so your organization has a complete picture of your infrastructure and any risk associated with it. Here’s how to get started in 2021 with IT due diligence, especially in cybersecurity.
Are You Doing Your IT Due Diligence?
The words “due diligence” may make you think of a courtroom drama on television. Surely, that’s something only lawyers have to worry about? Not so fast. Due diligence is something your business can be doing, too. Are you covering the basics?
Due diligence is about taking care and being cautious in doing business. It extends to how you manage your technology, too. This is vitally important when it comes to cybersecurity. You may think you’re immune to a data breach or cyberattack, but cybercriminals can target you regardless of business size or industry sector.
Depending on your industry, you may even have compliance or regulatory laws to follow. Some insurance providers also expect a certain level of security standards from you. The costs associated with these cyber incidents are increasing, too. Don’t leave your business vulnerable.
What is IT Due Diligence?
Cybersecurity due diligence requires attention to several areas. There are several items listed below that should be considered, and we recommend starting with a security risk assessment. You’ll learn any security gaps and easy-to-follow recommendations to help you achieve due diligence.
Here are some topics to consider regarding IT due diligence:
- Do you have an up-to-date list of authorized devices and authorized software?
- Are you checking for vulnerabilities as well as patching and remediating those vulnerabilities?
- What type of Malware defense do you have in place?
- Application security – How are you protecting your systems and software from attack?
- Wireless devices with WIFI network access – are employees able to connect over insecure WIFI?
- Are you testing your Data Recovery capabilities – backups and restoration?
- Do your employees have access to Security skills assessment and training?
- Do you systematically change passwords and secure configurations for network hardware?
- Are you able to track and control the use of administrator privileges?
- Are you actively monitoring network attacks?
- How is remote network access activity logged?
- Account monitoring and control – have you removed inactive accounts?
- Data loss prevention – are mobile storage media devices encrypted?
- Incident Response and Management – Is there a written incident response plan?
- Do you require Penetration testing?
Vendor Due Diligence
It will become more and more important to vet your contractors and vendors especially if you work on any sort of government contract.
Consider CMMC – While it may only be required for Department of Defense contractors, it will be good practice for vendor due diligence moving forward.
Here is more information:
The upcoming Cybersecurity Maturity Model Certification (CMMC) may be a concern to you if you are a government contractor in an organization that contains Controlled Unclassified Information (CUI).
Privacy is going to be of major concern going forward. Just as NIST 800-171 is a subset of 800-53. CMMC, as discussed previously, will take from NIST 800-171 and 800-53 to produce a list of requirements around any data about a contract, including CUI. NIST has upped their game/concern for privacy. It stands to reason that this would make its way into the CMMC. Table F-2 of NIST 800-53 is a great place to start to begin understanding how important privacy will be.
Because of the privacy emphasis in the industry at large and the latest draft of 800-53 we at Cybriant suggest the following actions to prepare:
- Develop a privacy program
- Begin identifying all types of PII captured by your organization
- Develop or modify training to address privacy
- Begin updating all policies to address privacy concerns
- Record retention and destruction
- Communications policy & procedures
- Business continuity and disaster recovery
- and more
- Be thinking about
- Does your company need the PII it does have?
- How does your organization communicate privacy concerns to all parties?
- Who will be ultimately responsible for privacy?
- How will allowing redress of privacy concerns affect your processes?
Processes, People, and Technology
Yes, that old trope is back. We’ve heard it a thousand times but, it is our belief contractors will need to start getting their ducks in a row now if they want the road to CMMC compliance to be as painless as possible. Long gone are the days of throwing together a System Security Plan (SSP) a couple of Plan of Action and Milestone (PoAM)s and calling it a day. It is our strong belief that CMMC will require more than just adherence to particular security controls, an SSP, and enough PoAMs to make the auditors happy. After seeing the concerted effort to implement RMF throughout the entire organization, pushing that process down the chain is almost certain.
What do I mean by that?
The Risk Management Framework places heavy importance on ensuring that not only controls are implemented but your daily operations, the very fabric of how you run your organization, live and breathe security. Marry that with the industry-accepted thought that NIST is aligning itself closer to industry norms of ISO 27001, GDPR, etc, and there are a few items that organizations wishing to win contracts must be made aware of.
Risk Assessments take center stage
Within most frameworks, one of the main starting points is a risk assessment. This helps define the major deficiencies of the organization as compared to the standard. Not only that but, a Cybriant risk assessment allows an organization to understand its security more holistically. Being compliant does not make you secure just as being secure does not make you compliant. As such, a Cybriant risk assessment addresses both issues.
IT due diligence protects your business. Meeting these security standards can also cut costs and preserve your brand reputation. Demonstrating vigilance helps you avoid hefty compliance or regulatory fines and fight litigation. In the event of legal action, you’ll also want to prove the efforts you made. So, be sure to thoroughly document all IT security efforts.
Due diligence doesn’t have to be difficult. Start with a security risk assessment and our experts can help you determine the best preventative measures for your organization. Some business risks will pay off, sure, but when it comes to your IT, caution will have the best results.