Todays Topic: Cybersecurity Attestation

Tulsa IT Team Member

Brian Largent

CEO at the ArcLight Group

About The ArcLight Group

ArcLight Group partners with many types of businesses in the Tulsa area and nationwide to provide managed IT services and eliminate IT issues before they cause expensive downtime. Our dedicated and deeply experienced staff loves seeing our clients succeed. We provide technical helpdesk support and IT consulting to businesses of all sizes. We also help with cloud services and cyber security, especially for clients concerned about HIPAA compliance. We offer IT help desk service and business phone systems. We’re in this business to help other businesses grow and move forward.

The truth is that your organization’s cyber security is currently being driven more by insurance and banking than government regulation. HIPAA and the HITECH ACT have been the driving force behind healthcare record portability and subsequently the security of patient information since its creation in August1996. However, it really didn’t have any real teeth until March 2013. Even with the new “teeth,” the Office of Civil Rights (OCR) has lacked the necessary funding to enforce compliance effectively (for better or worse), although the HIPAA Wall of Shame posted to the U.S. Department of Health and Human Services Office for Civil Rights Breach Report is alive and well with more than forty-six reported incidents in March 2024 alone!

pushing-cyber

BUT WHAT DOES IT COST YOU?

pushing-cyber2

If we only consider the penalties imposed by HIPAA the max fine for a Tier 4 penalty per year is $2,067,813 as of 2024. That likely doesn’t put much fear into many medical practices when the cost of properly securing data can far exceed that amount in a few short years. You know who does care? Your insurance carrier and your lending institution! Statistics show that 60% of small businesses fold within six months of a cyber-attack. Insurance carriers know that 80% of ransomware victims suffer repeat attacks. That is how the dominoes fall. A healthcare provider gets hit with ransomware and files a claim. Insurance carriers are forced to drop coverage or dramatically increase premiums. Healthcare providers must implement very costly cyber security controls. Lending institutions see healthcare providers as high risk and must increase interest rates or refuse loan applications. An organization’s internal technical team often resigns taking their historical knowledge with them. Occasionally, your third-party technical support company is embroiled in a legal battle with your carrier. Your insurance attestation does not allow you to retain your current IT provider. In the meantime, you have a hospital to rebuild from scratch. This is the stuff of nightmares, but it doesn’t have to be YOU!

Questions

question-image1

Does the Applicant collect any data or information from consumers, usersorother third parties that is not reasonably required to complete a transaction or provide a service, asapplicable?

Does the Applicant collector utilize biometric data?

  • If yes, does the Applicant obtain consent from each individual forth ecollection and use of such biometric data in writing, and was such consent reviewed by an attorney for compliance with the Illinois Biometric Information Privacy Act (BIPA)and any similar law?

Does the Applicant collect any geolocation information?

  • If yes, does the Applicant obtain consent from each individual forth ecollection and useof such information?

Does the Applicant collect information on children under the age of 13?

  • If yes, has the Applicant complied with Children's Online Privacy Protection Act (COPPA)?

Is the Applicant's customer information shared with third parties for targeted marketing (i.e. affinity cards, special promotions with business partners (airline/hotel)? VIDEO

Does the Applicant use any code, software, tool, or other technology that tracks, collects, or otherwise records user activity including Flash Cookies, Meta Pixel, Microsoft Clarity, or any similar tracking tool or technology? VIDEO

  • If yes:
    • Does Applicant obtain user consent before using such tracking tools or technology to track, collect, or otherwise record user activity? Yes
    • Are consumers or users able to opt-out of the use of tracking tools or technology?
    • Is a process in place for legal counsel to evaluate and approve the use of tracking pixels?
    • If Applicant is a Covered Entity or Business Associate under HIPAA, does Applicant comply with current guidance from the HHS Office for Civil Rights regarding online tracking technologies?
question-image2

Who is managing your online marketing technologies? VIDEO

  • If an external party, how are they ensuring compliance with relevant privacy
    laws and regulatory standards applicable to your organization?

Does the insured allow customers to log onto any online services using account credentials associated with 3rd party social media? If yes, please describe:

Does the Applicant publish a privacy policy?

  • Does the privacy policy describe the types of information collected by the Applicant from consumers, users or other third parties, and how that information is used?
  • Is the privacy policy reviewed and updated at least annually?

Does the Applicant buy any type of data pertaining to consumers or users from third parties?

  • Does the Applicant buy any type of data pertaining to consumers or users from third parties?

Does the Applicant sell or share any type of data pertaining to consumers or users to third parties?

  • If yes, please describe:

Does the Applicant have a process in place to respond to data subject requests (access requests, right to erasure / rectification / processing restriction / objection/automated decision making/etc.) and complaints based on applicable privacy regulations? How often are these processes reviewed?

How often are all privileged accounts (such as those used in Active Directory and SaaS solutions as well as Service and Local accounts) inventoried and reviewed? VIDEO

  • If yes, please describe:

Is logging and alerting configured for privileged account usage/changes? VIDEO

  • (Please list vendor(s) used and example alerts in Notes)

Are interactive logins disabled for all Service Accounts? VIDEO

  • (Service accounts are administrator accounts which are created for use by applications not humans)
  • If no to question above, please describe the purpose of the interactive login Service Accounts and if any have Domain Admin privileges.

Is Local Administrator access disabled for all users, or limited to employees who need it for their job function? VIDEO

  • (If No, please describe the groups of employees with local administrator access in Notes)

Are Domain Administrator accounts unique, separate accounts from other accounts used for everyday activities? VIDEO

question-image3

Total Number of Domain Administrator Accounts VIDEO

Total Number of Domain Administrator Service Accounts VIDEO

  • (Please describe what each Service Account with DA privileges is used for in Notes)

Is a password vault in use? VIDEO

  • If yes, what solution is used?
  • If yes, is MFA required for access?
  • If yes, please indicate below what accounts are stored in the solution
    • All Domain Administrator accounts
    • (If No to ALL Domain Admins, please indicate percentage in Notes)
  • Service accounts
  • Back up accounts
  • Elevated privilege (Non-domain admin) accounts
  • Local administrator accounts
  • Standard User accounts
  • Other
    • (if yes, please indicate in Notes)

Is a Privileged Access Management (PAM) Solution deployed? VIDEO

  • If no, please describe any plans and associated timeline to deploy a PAM solution
  • If yes, what solution is used?
  • If yes, is MFA required for access?
  • If yes, is access in a Check in/out model? (Enforced automatic credential rotation after each use)
    • (If no, please describe the model in Notes)

Please indicate below what accounts are stored in the solution VIDEO

  • (If no for any of the below, please indicate percentage in Notes)
    • ALL Domain Administrator accounts?
    • ALL Service Accounts
    • ALL Back up Accounts (used to manage or access back ups)
    • ALL Elevated privilege (non-domain admin) accounts
    • ALL Local administrator accounts
    • (If another solution such as Microsoft LAPS is utilized please indicate in Notes)
    • Other

Regardless of the solution used, please indicate the cadence of required password rotation for each type of privileged account:

  • Domain Administrator accounts
  • Service Accounts
  • Back up Accounts (used to manage or access back ups)
  • Elevated privilege (Non-domain admin) accounts
  • Local administrator accounts
  • Other

Regardless of the solution used, please indicate required password length for each type of privileged account: VIDEO

  • Domain Administrator accounts
  • Service Accounts
  • Back up Accounts (used to manage or access back ups)
  • Elevated privilege (Non-domain admin) accounts
  • Local administrator accounts
  • Other
question-image4

Provide any other comments related to your privileged access management efforts (i.e. if PAM Solution is not deployed, please describe any plans /associated timeline to roll out; if only some domain admins are integrated into PAM, please provide timeline to roll in the remaining admin accounts; etc VIDEO

  • If yes, please describe what access is exposed and why
  • If yes, please describe plans to take offline and associated timeline

Is MFA required for all forms of remote access (VPN, VDI, Login Portals, Webmail, Vendors, etc.) VIDEO

  • If yes, please list which MFA methods or tool is used.
    • (Hard Token, Soft Token, App-Based, Device Certificate, SMS, etc.)
  • If no, please list where MFA is and is not deployed, what MFA methods are used, as well any timeline to deploy MFA.

Provide any other comments related to your efforts to secure remote access: VIDEO

Is email filtered to block phishing attempts (filtering for malicious attachments, links)?: 

  • If yes, please list the product(s):
  • If yes, is a Phishing Button implemented for users to report suspicious messages?:
  • By whom, and how are these communicated? (Email, Phone call, etc.)

Are email filtering protections in place?

  • If yes, please list the product(s):
  • If yes, does it include filtering for malicious links?
  • If yes, does it include removal of malware/executables?
  • If yes, does it include filtering for suspicious senders?
  • If yes, does it include quarantine and/or detonation in a sandbox?
  • Is DKIM in place?
    • (If No, is there a plan to implement? Please identify in Notes)
  • Is DMARC in place?
    • (If No, is there a plan to implement? Please identify in Notes)
  • Is SPF in place?
    • (If No, is there a plan to implement? Please identify in Notes)

Please include any additional information related to email security and protections that are currently in place:

question-image5

Is an Endpoint Protection Platform (EPP) in use in your organization?

  • If yes, please list the product(s):
  • If yes, what percentage of endpoints is EPP applied to?
    • (Please explain any gaps in coverage in Notes)
  • If yes, are alerts monitored 24/7?
  • If yes, by whom, and how are these communicated? (Email, Phone call, etc.)

Is an Intrusion Detection/Prevention System (IDS/IPS) deployed?

  • If yes, please list the product(s):
  • If yes, are alerts monitored 24/7?
  • If yes, by whom, and how are these communicated? (Email, Phone call, etc.)

Provide any other comments related to your endpoint / network security efforts:

Are all hardware and software assets documented in an inventory?

  • If no, why not, and are there any plans to begin tracking assets?
  • If yes, does this include software installed on assets?
  • If yes, how often is the inventory updated?
  • If yes, how often is scanning completed to discover new devices?
  • If yes, is an agent used for tracking assets? What vendor?
  • If yes, are alerts configured to inform you of new vulnerabilities in products?

Is vulnerability scanning conducted against the network perimeter (External Network)?

  • If yes, how often is it conducted?
  • If yes, what scanner or tool is used?
  • If yes, please describe how vulnerabilities are remediated and any documented target mitigation times.
    • (If you break out by criticality, please provide target mitigation times for
      each criticality level)
  • What percentage of the enterprise is covered by scans
    • (If less than 90%, please explain any gap in coverage)
question-image6

Is vulnerability scanning conducted against the internal network?

  • If yes, how often is it conducted?
  • If yes, what scanner or tool is used?
  • If yes, please describe how vulnerabilities are remediated and any documented target mitigation times.
    • (If you break out by criticality, please provide target mitigation times for
      each criticality level)
  • What percentage of the enterprise is covered by scans
    • (If less than 90%, please explain any gap in coverage)

Provide any other comments related to your vulnerability management
efforts:

Is a Security Operations Center (SOC) in use?

  • If yes, please indicate if it is staffed internally, by a third party, or both?
    (if internally please provide number of FTE on the SOC)
  • If yes, is monitoring 24.7.365 eyes on glass?
    (If No, please describe scope of monitoring and how alerts are provided during off hours (phone, email, call tree, etc.)
  • Please provide any additional information related to your SOC, monitoring, or
    plans for SOC implementation.

Is a SIEM Tool in use?

  • If yes, please identify the product in use.
  • If yes, please indicate if the tool has been tuned for your environment.
  • If yes, please describe the log sources and events integrated.
  • If yes, please indicate any logs/events that are NOT included.
  • If yes, are alerts monitored 24/7?
  • If yes, by whom, and how are these communicated to internal response team?
    (Email, Phone call, etc.)

Are critical data sets backed up to allow recovery for Disaster Recovery purposes?

  • (If yes, please select each method being used in A through D below and
    complete the corresponding questions)
  • Network Attached Storage (NAS), which maintains a constant connection to
    the corporate network (physically and virtually)

    • (If yes, please complete A.1 through A.5 below the below)
    • Are accounts used to access NAS backups unique (not used for other systems)?
    • Are accounts used to access NAS backups domain joined?
    • Does access to NAS backups requires MFA?
    • Is access to NAS backups logged with alerts configured for suspicious activity?
    • Is the NAS on a segmented VLAN with access restricted?
      (If Yes please describe what traffic is restricted in Notes)
  • Network Attacked Storage (NAS), connected to the corporate network only during uploads, and then disconnected (virtually, physically, or both)
    • (If yes please select which type you are using below)
    • Tapes, stored on-premise.
    • Tapes, stored off-premise.
  • Cloud
    • (If Yes Please complete C.1 through C.5 below)
    • Are accounts used to access Cloud backups unique (not used for other systems)
    • Are accounts used to access Cloud backups domain joined?
    • Does access to Cloud backups require MFA?
    • Is access to Cloud backups logged with alerts configured for suspicious activity?
    • Versioning, data deletion prevention, and/or copies of the backups in other availability zones, are present?
  • Other (describe in Notes)

If multiple options are selected, please describe how they are used and the differences between the data stored on each:

question-image1

Does your organization have a documented plan for recovering systems after a ransomware encryption event?

  • If yes, is planning supported by a documented Business Continuity (BC) plan, which describes how critical business functions should continue if IT systems are unavailable?
  • If yes, has this been updated in the last 12 months?
  • If yes, is planning supported by a documented Disaster Recovery (DR) plan, which can be used to provide practical steps for recovering IT systems after a mass ransomware encryption event?
  • If yes, has this been updated in the last 12 months?
  • If yes, are critical data sets identified and covered by your planning?

Is a Recovery Time Objective (RTO) set for restoring critical systems?

  • If yes, what is the RTO for critical systems (if multiple exist please list your fastest and your slowest with a description of what is contained in each)

Is a Recovery Point Objective (RPO) set for restoring critical systems using critical data sets?

  • If yes, what is the RPO for critical systems (if multiple exist, please list your fastest and your slowest with a description of what is contained in each):

Has restoration of critical data sets (or a rotating subset of the data) been tested in the past 12 months in a dedicated exercise (not a part of business operations)?

  • If yes, were RTOs and RPOs achieved?

Provide any other comments related to your backup strategy, disaster recovery, restoration testing, etc.:

Does your organization have a documented Cybersecurity Incident Response plan?

  • (If yes, please check all elements below that it addresses.)
  • Roles and responsibilities for internal/external stakeholders
  • Process for categorizing and escalating an incident
  • Guidance on how to contain the incident and recover from it
  • Contact information for interested parties both internal/external
  • Playbooks which detail granular response steps for specific incidents like ransomware are in place.
    (If yes, please list in Notes)

Has a cybersecurity incident response tabletop been completed in the last year to exercise your plan?

  • If yes, please describe who facilitated it (in-house or third-party), who participated, the scenario used, and any lessons learned.

Is Cybersecurity training completed by all employees at least annually?

  • If yes, is it also completed during onboarding by all new employees?

Is additional training for specific roles and functions also required? (such as PCI handling, cybersecurity for Executives, secure code development, or others)

  • If yes, please identify what types of training:

Was a cybersecurity phishing test conducted against the workforce in the last year?

  • If yes, how often are they conducted?
question-image7

Does your organization maintain a third party or vendor management program?

  • If yes, does it include a full inventory of third parties?
  • If yes, does it include a ranking of the criticality/risk of third parties?
  • If yes, does it include an assessment of third parties via document review or questionnaire?
  • If yes, are security risks identified, tracked, and remediation required?
  • If yes, is visibility of third-party risks provided to executive management?

Please indicate which of the following network segmentation is in use on your network: If yes, please describe what technology is used to enforce the segmentation (ACLs, Firewalls, VLAN, Airgap etc.)

  • Geographic
  • Between Sites
  • Business Unit
  • IT and OT Segmentation
  • IT Management
  • Guest Wi-Fi
  • VoIP
  • PCI
  • DMZ
  • Other (please identify in notes)

Is your web traffic currently filtered for employees?

  • If yes, is firewall-based filtering in place?
  • If yes, is agent-based filtering in place?

Are there any end-of-life systems in use in your organization that are not receiving any security updates?

  • If yes, are all of these systems tracked in an inventory?
  • If yes, are any of these systems publicly exposed to the internet?
    (If yes, please describe the number and purpose in Notes)
  • If yes, are these systems segmented internally?
  • If yes, please describe the method (ACLs, Firewalls, etc.) used for segmentation.
  • If No, please describe the purpose of these systems:

Provide any other comments related to your end of life systems and related mitigating efforts:

Provide any other comments related to your ransomware preparedness:

Please provide an overview of the Operational Technology on your network
(Including: number of facilities deployed, a description of main OT use cases, etc.)

Do you employ a dedicated OT cybersecurity professional?

Please provide an overview of the team responsible for OT and their reporting
structure. (Include how they interact with other technology teams like corporate IT.)

Are OT networks segmented from your other networks? (If yes, please select the methods used below)

question-image8

Air-gap (no connectivity to any other network)

  • Logically (VLANS with restrictive ACLs)
  • Logically (Firewalls)
  • Not segmented
  • Other
    If you answered Other, please describe:

If you selected Logically for question #4, please describe the degree to which traffic is restricted and what technical control is used to enforce segmentation

Are OT networks segmented from each other? (If yes, please select the methods used below)

  • Air-gap (no connectivity to any other network)
  • Logically (VLANS with restrictive ACLs)
  • Logically (Firewalls)
  • Not segmented
  • Other

If you selected Logically for question #6, please describe the degree to which traffic is restricted and what technical control is used to enforce segmentation

Do you use the same patching process and cadence for OT environments? If you answered No, please describe the difference:

Are non-privileged users on your main network segment prevented from pinging any of your OT environments?

Are all OT assets segmented from the public internet? If you answered no, please provide explanation and any compensating controls.

Do you prevent remote access to your OT environment? If No, is this remote access secured with MFA?

Select all the controls below that apply to securing physical access to your OT environment:

  • Keycards/Locked entrances
  • Guards 24/7
  • Cameras
  • Mantraps
  • If you answered Other, please describe:

Has all OT which is no longer supported by its provider been removed from the network?

  • If you answered no, please describe:
    • Why these systems are still in place,
    • Any compensating controls to mitigate the risk, and
    • Any plans to upgrade or remove these systems.

Do you provide annual cybersecurity training to employees in the OT environment?

  • If yes, is it tailored for industrial security?

Do you use application whitelisting on industrial systems?

Do you prevent browsing the internet allowed on industrial systems?

question-image9

Do you prevent checking email allowed on industrial systems?

  • Is an endpoint security solution in use on industrial systems?
  • Signature-based
  • Behavior-based
  • EDR or similar

What percentage of your OT environment is covered by your endpoint security solution? Please provide any additional notes on use of endpoint security in the OT environment (i.e., solutions only partially deployed, using different solutions at different sites)

Is there an Intrusion Detection and Prevention System (IDS/IPS) deployed in OT environments? Please provide any additional notes on use of IDS / IPS in OT environments

Are OT environments scanned for vulnerabilities? If yes, please describe cadence:

Are third-party penetration tests targeting the OT environment conducted at least annually?

Do you maintain an up-to-date inventory of all IT and OT assets identifying 100% of your assets. Does your asset inventory identify your most critical assets? If not 100%, please provide estimated percentage of OT assets inventories as well as any compensating controls for non-inventoried assets:

Is OT continuity explicitly addressed in your Business Continuity plan?

How long can you continue to operate your business without your OT environments?

Is OT restoration explicitly addressed in your Disaster Recovery plan?

Are your OT environments included in your backup strategy? Describe any difference between how they are stored and other backups:

Is OT Considered in your Incident Response plan? Has OT ever been a focus of a tabletop exercise?