销售软件的公司, 制造零件或法律服务是非常不同的业务类型, 然而，他们都有一些共同点. 他们都面临着越来越需要证明他们正在保护他们收集的数据的问题, 使用和储存. Sometimes the need for security compliance comes from legal regulations 但 for an increasing number of organizations, 对安全遵从性的需求来自他们的客户或供应商.

在本文中, we’re going to explore how cybersecurity compliance requirements are extending into industries that haven’t traditionally been regulated and present an overview of the compliance process.

以下是你将学到的:

• 什么是澳门赌场网址大全合规性?
• 安全遵从的驱动程序
• 框架和安全遵从性
• 安全框架示例
• 选择要遵循的框架
• 在不需要遵从性时使用框架
• 遵从性流程
• 获得与安全框架的遵从性
• 保持合规
• 合规的成本

什么是澳门赌场网址大全合规?

澳门赌场网址大全 compliance is the process of assuring that a set of standards are met for securing data and access to IT systems.

今天, there’s a realization that organizations in regulated industries aren’t the only ones that need to protect data and IT systems. 与您做生意的公司希望确保他们拥有和您使用的数据是安全的. 同样的, your employees want the personal identifiable information (PII) that you store about them (like their social security numbers) to be protected from cyber-attackers.

安全遵从的驱动因素

澳门赌场网址大全合规是关于管理风险. 具体来说，就是利用技术和互联网做生意的风险. 网络上的威胁广泛存在，而且数量和复杂程度都在不断增加. Every company is a target for cyber bad guys who work together in a large underworld ecosystem to monetize the online accounts they infiltrate and the information they steal.

我们已经提到，客户和供应商正在降低安全性需求, 但 网络保险公司 是否也驱动着安全性遵从性的需求. A time may be coming when qualifying for cyber insurance will mean that you need to be compliant with a specific security framework.

框架和安全遵从性

A 合规框架 is a set of 政策和程序 that establish the technical controls and behaviors that secure data and IT systems. 遵循框架并不一定意味着组织是合规的. 可以将框架看作是为遵从性提供构建块. 事实上，一个遵从性计划可以建立在多个框架之上.

安全框架的例子

在合规性法规的创建中有几种不同的安全框架. 有些是行业特有的，有些则不是. 即使框架可能特定于某个行业, 这并不意味着该行业以外的实体不能使用它.

NIST 800 - 53年

这个框架, 由美国国家标准与技术研究院(NIST)建立, 是为了保护联邦机构和他们的供应商利用. NIST 800 - 53年 separates security controls into different families based on the level of impact that would be sustained in the event of a breach.

NIST 800 - 171

这个框架 is designed for vendors of government entities that store and use Controlled Unclassified Information (CUI). 该框架包括110个需求, 分为包含组织技术的14个家族, 政策和程序.

ISO 27001和27002

This ISO certification attests to an organization’s best-practice approach to managing their information security management system (ISMS). The certification is recognized globally and includes regular security risk assessments to determine effectiveness. ISO 27002 supplements 27001 by listing security controls that may be included in an organization’s security plan.

CMMC

澳门赌场网址大全 Maturity Model Certification (CMMC) is a multi-tiered certification for companies that do business with the Department of Defense. 第一层通过自我评估认证，第二层和第三层需要第三方审核. CMMC框架中的要求包括NIST 171和

SOC 2 Type 2

最初由美国注册会计师协会(AICPA)开发。, SOC (Systems and Organization Controls) compliance is a procedure to third-party verify an organization’s security processes. 审计涵盖信任原则的五个方面:安全性, 可用性, 处理完整性, 保密及私隐. 类型1表示审计代表时间快照. 类型2表明在较长一段时间内对流程的有效性进行了审计.

你如何知道应该遵循什么框架?

如果您的客户或供应商要求您遵循遵从性需求, 它们将指定您应该遵循的框架. 事实上, 他们可能从多个框架中提取需求，以传达他们的安全期望.

你的公司也很有可能有一个实体告诉你要遵循一个特定的框架, 另一个实体需要不同的框架. 您通常可以设置同时满足两个框架的控件. 从一个开始, 然后设置另一个应该是一个更容易的过程，因为部分工作已经完成.

如果您从CMMC 2级或NIST 171开始, then you’ll likely be in good shape for just about any other 合规框架 that your customers or vendors require.

如果不需要遵从性，框架有用吗?

即使客户或供应商还没有要求您遵守他们的安全需求, 采用框架作为您的 安全策略 是个好主意. A framework gives a way to create and document your 安全策略 and put your organization in a good place when you are faced with compliance requirements.

CMMC 1级框架对于没有遵从性经验的组织来说是一个很好的第一步. 在这个级别上，您可以对您的安全流程和程序进行自我评估. 自我评估并不意味着它很容易. 如果你发现了以前不知道的差距，不要感到惊讶, 包括安全控制和安全专业知识.

合规流程

遵从安全法规所涉及的不仅仅是在列表上勾选复选框. Compliance is about making your operations secure so sometimes you’re going to have to change your processes and that takes time.

让你知道你需要什么样的时间框架, 考虑用12 -18个月的时间来达到ISO 27001标准, 符合NIST 171或CMMC 2级标准. SOC 2 Type 1可能需要6个月，SOC 2 Type 2可能需要一年或更长时间.

获得与安全框架的遵从性

The plan that is needed to attain compliance with a security framework is going to be as unique as each organization. 游戏中会有一些很容易实现的控制，所以先把它们打出来. 比如 MFA, 适当的端点保护、日志记录和定期评估.

The more difficult or complex measures will take more time and often have to do with changing employees’ habits and how they go about their tasks on their computer. 例如, 如果他们还没有, 计算机用户将需要对所有东西使用多因素身份验证(MFA).

安全流程包含技术和非技术组件, 所以你的过程的一个主要部分将是记录, 培训, 以及执行人们访问数据和IT系统的政策.

编写安全策略的过程既耗时又复杂，但却是必要的. 如果你发现你的公司远没有在公司内部运作，这也是很有启发的 最小特权原则. 您不仅需要审计所有角色以找出它们拥有的权限, 但 you may need to back up and establish new permission profiles to get a handle on data access going forward.

保持合规

Maintaining your organization’s compliance with a security framework actually begins before you get every component in place. 因此，如果您的差距分析表明您已经设置了一些适当的安全控制, 确保这些都被监控和管理. 同样，在添加每个新的安全层时开始管理它.

A big part of managing compliance has to do with making sure that employees know about security policies and are equipped to follow them. 只要可能，您可以并且应该使用技术措施自动执行策略. 然而，你需要制定一个计划来审核员工的行为，并提供持续的培训.

除了培训员工如何访问数据和IT系统之外, 澳门赌场网址大全意识培训应包括在您的计划中，以保持合规性. This type of 培训 teaches people how to recognize potential cyber-attacks and what to do when they come across something suspicious.

安全合规的成本

You should expect your level of investment in security to increase when you start down the road towards compliance. 但是当你考虑到合规的成本, you also have to consider the cost of non-compliance which can mean the loss of customers or limits to who will work with you as a vendor.

此外，变得合规可以降低你的网络风险. That can translate into better rates on cyber insurance not to mention peace of mind that your business will be resilient in the event of a cyber-attack.

即使你与澳门赌场网址大全服务提供商合作, 让某人充当您的合规经理是个好主意. That means you’ll need to devote resources for that person to become trained so they can coordinate your efforts with all of the parties involved.

澳门网赌大全网址如何与客户合作以达到并保持合规

除非你的公司内部有高级的安全专家, 您可能需要与澳门赌场网址大全服务提供商合作，帮助您完成合规流程. 我们不能为您的组织创建和实施定制的合规计划, 但 we’ll work with your company to ensure that everyone involved in the process stays on top of their compliance responsibilities. 此外，Bellwether合规分析师将参与每次审计，从而促进审计过程.

了解Bellwether团队如何帮助您获得和维护安全合规性.