The Federal Information Security Modernization Act of 2014 (FISMA) defines incident as an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

Notification Requirement

Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian Executive Branch agency is potentially compromised, to the NCCIC/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In some cases, it may not be feasible to have complete and validated information for the section below (Submitting Incident Notifications) prior to reporting. Agencies should provide their best estimate at the time of notification and report updated information as it becomes available. Events that have been found by the reporting agency not to impact confidentiality, integrity or availability may be reported voluntarily to US-CERT; however, they may not be included in the FISMA Annual Report to Congress.

In 1986, theUnited States Congress enacted the Computer Fraud and Abuse Act (CFAA), as an amendment to18 U.S.C. 1030. The CFAA has since been amended multiple times to address advancements in technologyand cybercrime. The CFAA criminalizes knowingly accessing a computer without authorization, obtainingprotected information, with the intent to defraud, intentionally causing unauthorized damage to a protectedcomputer, knowingly and with intent to defraud trafficking in passwords or access information, and extortioninvolving computers.

Managing cyber risks requires building a Culture of Cyber Readiness. The Culture of Cyber Readiness has six Essential Elements:

Yourself

You, as leader of your organization are an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to drive cybersecurity strategy, investment and culture.

Actions For Leaders

• Lead investment in basic cybersecurity.
• Determine how much of your organization's operations are dependent on IT.
• Build a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information.
• Approach cyber as a business risk.

Action to Take in Consultation with IT

• Lead development of cybersecurity policies.

To learn more about how you can drive cybersecurity strategy, investment and culture, explore the Cyber Essentials Toolkit on this element.

Your Staff

As users of your organization’s digital equipment and systems, your staff are essential elements of your organization’s Culture of Cyber Readiness. Your task for this element is to develop cybersecurity awareness and vigilance.

Actions For Leaders

• Develop a culture of awareness to encourage employees to make good choices online.
• Learn about risks like phishing and business email compromise.
• Maintain awareness of current events related to cybersecurity, using lessons-learned and reported events to remain vigilant against the current threat environment and agile to cybersecurity trends.

Actions to Take in Consultation with IT

• Leverage basic cybersecurity training to improve exposure to cybersecurity concepts, terminology and activities associated with implementing cybersecurity best practices.
• Identify available training resources through professional associations, academic institutions, private sector and government sources.

Your Systems

As the infrastructure that makes your organization operational, your systems are an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to protect critical assets and applications.

Action For Leaders

• Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.

Actions to Take in Consultation with IT

• Leverage automatic updates for all operating systems and third-party software.
• Implement security configurations for all hardware and software assets.
• Remove unsupported or unauthorized hardware and software from systems.
• Leverage email and web browser security settings to protect against spoofed or modified emails and unsecured webpages.
• Create application integrity and whitelisting policies so that only approved software is allowed to load and operate on their systems.

Your Surroundings

As your organization’s digital workplace, this is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to ensure only those who belong on your digital workplace have access to it.

Actions to Take in Consultation with IT

• Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).
• Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.
• Grant access and admin permissions based on need-to-know and least privilege.
• Leverage unique passwords for all user accounts.
• Develop IT policies and procedures addressing changes in user status (transfers, termination, etc.).

Your Data

Your data, intellectual property, and other sensitive information is what your organization is built on. As such, it is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to make backups and avoid loss of information critical to operations.

Action For Leaders

• Learn how your data is protected.

Actions to Take in Consultation with IT

• Learn what information resides on your network. Maintain inventories of critical or sensitive information.
• Learn what is happening on your network. manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.
• Domain name system protection.
• Leverage malware protection capabilities.
• Establish regular automated backups and redundancies of key systems.
• Leverage protections for backups, including physical security, encryption and offline copies.

Your Crisis Response

As your strategy for responding to and recovering from compromise, this is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to limit damage and quicken restoration of normal operations.

Actions For Leaders

• Lead development of an incident response and disaster recovery plan outlining roles and responsibilities. Test it often.
• Leverage business impact assessments to prioritize resources and identify which systems must be recovered first.
• Learn who to call for help (outside partners, vendors, government/industry responders, technical advisors and law enforcement).
• Lead development of an internal reporting structure to detect, communicate and contain attacks.

Action to Take in Consultation with IT

• Leverage in-house containment measures to limit the impact of cyber incidents when they occur.

Booting Up: Things to Do First

Even before your organization has begun to adopt a Culture of Cyber Readiness, there are things you can begin doing today to make your organization more prepared against cyber risks.

Backup Data

Employ a backup solution that automatically and continuously backs up critical data and system configurations.

Multi-Factor Authentication

Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.

Patch &Update Management

Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware (replace network hardware like routers 3 years after purchase and computing devices 5 years after purchase). Test and deploy patches quickly.

Recommendations

Questions Every CEO Should Ask About Cyber Risks

As technology continues to evolve, cyber threats continue to grow in sophistication and complexity. Cyber threats affect businesses of all sizes and require the attention and involvement of chief executive officers (CEOs) and other senior leaders. To help companies understand their risks and prepare for cyber threats, CEOs should discuss key cybersecurity risk management topics with their leadership and implement cybersecurity best practices. The best practices listed in this document have been compiled from lessons learned from incident response activities and managing cyber risk.

What should CEOs know about the cybersecurity threats their companies face?

CEOs should ask the following questions about potential cybersecurity threats:

• How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
• What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
• How can my business create long-term resiliency to minimize our cybersecurity risks?
• What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
• What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

What can CEOs do to mitigate cybersecurity threats?

The following questions will help CEOs guide discussions about their cybersecurity risk with management:

• What is the threshold for notifying executive leadership about cybersecurity threats?
• What is the current level of cybersecurity risk for our company?
• What is the possible business impact to our company from our current level of cybersecurity risk?
• What is our plan to address identified risks?
• What cybersecurity training is available for our workforce?
• What measures do we employ to mitigate insider threats?
• How does our cybersecurity program apply industry standards and best practices?
• Are our cybersecurity program metrics measureable and meaningful?
• How comprehensive are our cybersecurity incident response plan and our business continuity and disaster recovery plan?
• How often do we exercise our plans?
• Do our plans incorporate the whole company or are they limited to information technology (IT)?
• How prepared is my business to work with federal, state, and local government cyber incident responders and investigators, as well as contract responders and the vendor community?

Recommended Organizational Cybersecurity Best Practices

The cybersecurity best practices listed below can help organizations manage cybersecurity risks.

• Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
  • CEO and senior company leadership engagement in defining an organization's risk strategy and levels of acceptable risk is critical to a comprehensive cybersecurity risk plan. The company CEO—with assistance from the chief information security officer, chief information officer, and the entire leadership team—should ensure that they know how their divisions affect the company’s overall cyber risk. In addition, regular discussion with the company board of directors regarding these risk decisions ensures visibility to all company decision makers.
    • Executives should construct policy from the top down to ensure everyone is empowered to perform the tasks related to their role in reducing cybersecurity risk. A top-down policy defines roles and limits the power struggles that can hurt IT security.
• Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
  • Lower cybersecurity risks by implementing industry benchmarks and best practices (e.g., follow best practices from organizations like the Center for Internet Security). Organizations should tailor best practices to ensure they are relevant for their specific use cases.
  • Follow consistent best practices to establish an organizational baseline of expected enterprise network behavior. This allows organizations to be proactive in combatting cybersecurity threats, rather than expending resources to put out fires.
  • Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) provide guidance on minimal requirements; however, there is more businesses can do to go beyond the requirements.
• Evaluate and manage organization-specific cybersecurity risks.
  • Identify your organization’s critical assets and the associated impacts from cybersecurity threats to those assets to understand your organization’s specific risk exposure—whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cybersecurity risks.
  • Ask the questions that are necessary to understand your security planning, operations, and security-related goals. For example, it is better to focus on the goals your organization will achieve by implementing overall security controls instead of inquiring about specific security controls, safeguards, and countermeasures.
  • Focus cyber enterprise risk discussions on what-if situations and resist the it can't happen here patterns of thinking.
  • Create a repeatable process to cross-train employees to conduct risk and incident management as an institutional practice. Often, there are only a few employees with subject matter expertise in key areas.
• Ensure cybersecurity risk metrics are meaningful and measurable.
  • An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise. In this example, reducing the days it takes to patch a vulnerability directly reduces the risk to the organization.
  • An example of a less useful metric is the number of alerts a Security Operations Center (SOC) receives in a week. There are too many variables in the number of alerts an SOC receives for this number to be consistently relevant.
• Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
  • It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment. Each part of the organization should know how to respond to both basic and large-scale cybersecurity incidents. Testing incident response plans and procedures can help prevent an incident from escalating.
  • Incident response plans should provide instructions on when to elevate an incident to the next level of leadership. Regularly exercising incident response plans enables an organization to respond to incidents quickly and minimize impacts.
• Retain a quality workforce.
  • Cybersecurity tools are only as good as the people reviewing the tools’ results. It is also important to have people who can identify the proper tools for your organization. It can take a significant amount of time to learn a complex organization’s enterprise network, making retaining skilled personnel just as important as acquiring them. There is no perfect answer to stopping all cybersecurity threats, but knowledgeable IT personnel are critical to reducing cybersecurity risks.
  • New cybersecurity threats are constantly appearing. The personnel entrusted with detecting cybersecurity threats need continual training. Training increases the likelihood of personnel detecting cybersecurity threats and responding to threats in a manner consistent with industry best practices.
  • Ensure there is appropriate planning to account for the additional workload related to mitigating cybersecurity risks.
  • Cybersecurity is emerging as a formal discipline with task orientation that requires specific alignments to key knowledge, skills, and abilities. The National Initiative for Cybersecurity Careers and Studies (NICCS) is a useful resource for workforce planning.
• Maintain situational awareness of cybersecurity threats.
  • Subscribe to notifications on emerging cybersecurity threats (e.g., National Cyber Awareness System products, MITRE Common Vulnerability Exposures, CERT Coordination Center Vulnerability Notes). If possible, create a summary on the cybersecurity threats your organization has recently faced (e.g., phishing emails, malware, ransomware) for dissemination to personnel outside of your IT department to help reinforce their role in reducing cybersecurity risk.
  • Explore available communities of interest. These may include sector-specific Information Sharing and Analysis Centers, the Homeland Information Sharing Network, or other government and intelligence programs.

Refer to the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials page for recommendations on managing cybersecurity risks for small businesses.

Cybersecurity evolution should eventually lead to a zero-trust environment where devices, services and people will be required to continually request access to critical systems and data. Unless otherwise stated, all access is denied by default in a zero trust environment.

Fast Cybersecurity Policies for broke, time-starved small businesses. If you are a broke small business and do not have any money and little time to spend on making cybersecurity policies, use the US Federal Communications Commission (FCC) CyberPlanner to make policies fast. The FCC policies are somewhat out of date but it will be better to have these policies fast than no policies at all.

Cloud Computing Environment

Introduction

The Federal Government launched the Federal Risk and Authorization Management Program (FedRAMP) in June 2012 to account for the unique security requirements surrounding cloud computing. FedRAMP consists of a subset of NIST Special Publication (SP) 800-53 security controls targeted towards cloud provider and customer security requirements.

Based on NIST guidance, FedRAMP control baseline, industry best practices, and the Internal Revenue Service (IRS) Publication 1075, this guidance document provides agencies guidance for securing FTI in a cloud environment. These requirements are subject to change, based on updated standards or guidance. Agencies and their cloud providers should also review the requirements of FedRAMP and ensure overall compliance with these guidelines.

As defined by the National Institute of Standards and Technology (NIST), “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable, computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and consists of five essential characteristics, three service models and four deployment models.”

As agencies look to reduce costs and improve reliability of business operations, cloud computing offers an alternative to traditional data center models. Cloud solutions reduce direct hardware expenditures and may eliminate redundant operations and consolidate resources.

However, while cloud computing offers many potential benefits, it is not without risk. The primary security concerns with cloud computing are:

• Data is not stored in an agency-managed data center,

• The agency must rely on the provider’s security controls for protection,

• Data is not transferred securely between the Cloud provider and service consumer,

• Interfaces to access Federal Tax Information (FTI) in a cloud environment including authentication and authorization controls may not be secured per customer requirements and

• Data from multiple customers may be potentially commingled in the cloud environment.

Monitoring and addressing security issues that arise with FTI in a cloud environment remain in the purview of the agency. Limiting access to authorized individuals becomes a much greater challenge with the increased availability of data in the cloud, and agencies may have greater difficulties to identify FTI when segregated or commingled in the cloud environment. Agencies that utilize a public cloud model should have increased oversight and governance over the security controls implemented by their cloud provider.

Cloud Computing Definition

Five essential characteristics define a cloud computing environment and differentiate it from a traditional computing environment:

• On Demand Self Service – customer can provision computing resources without requiring interaction with the service provider. 
   

• Broad Network Access – computing resources are provided over the network and accessed through various platforms. 
   

• Resource Pooling – computing resources are pooled to serve multiple customers with resources dynamically assigned according to customer need. 
   

• Rapid Elasticity – resources can be rapidly provisioned to scale up or down based on real-time need. 
   

• Measured Service – resource usage can be monitored and controlled using a metering capability.

Service and Deployment Models

An agency’s cloud implementation is a combination of a service model and a deployment model.

Service Models

The resource stack provided as part of the cloud solution and the responsibilities which fall between the agency and the cloud provider define service models. NIST SP 800-145 outlines the possible service models that may be employed during a cloud implementation.

• Software as a Service (SaaS). The capability gives the customer  use of the provider’s applications running on the provider’s cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. The SaaS model provides the highest level of abstraction in which the provider is managing the facilities, the interaction between software and hardware and the software itself. The provider is responsible for the highest amount of security and data protection under this model, and the customer will negotiate into the service contract with the provider.  
   

• Platform as a Service (PaaS). The capability provides the customer the ability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider. PaaS adds a layer of integration with application development frameworks, middleware capabilities that allow developers to build applications on the platform with programming languages and tools supported by the stack. The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Security is a shared responsibility with the provider responsible for the underlying platform infrastructure, and the customer is responsible for securing the applications developed on the platform. 
   

• Infrastructure as a Service (IaaS). The capability provides  the customer  provision processing, storage, networks, and other fundamental computing resources where the customer is able to deploy and run arbitrary software, which can include operating systems and applications. The computing infrastructure is typically deployed as a virtual environment.  The customer does not manage or control the underlying cloud infrastructure but has control over operating systems; storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).  The customer is responsible for the highest amount of security and data protection under this model. 

Deployment Models

Organizations have several choices for deploying a cloud computing model, as defined by NIST in SP 800-145:

• Private cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party and may exist on premise or off premise. The private cloud model is typically considered the lowest risk out of the different deployment models because the organization retains the most control over the deployment of their data, and computing resources can be segregated or dedicated to a specific organization or business unit.  Ownership, operations and maintenance of the facilities, computer hardware and software may fall under the responsibilities of an organization directly associated with the customer (e.g. state government-wide, agency specific). However, some commercial cloud providers may also offer a private cloud service.
   

• Community cloud. Several organizations share the cloud infrastructure  and support a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third-party and may exist on premise or off premise.  A community cloud may contain multiple customers that share a similar purpose (e.g. a cloud environment may be established to serve only multiple Federal government customers).  The existence of multiple customer data sets may make it difficult to prevent commingling of data. Ownership, operations and maintenance of the facilities, computer hardware and software may fall with either the community or a cloud provider. 
   

• Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.  The public cloud model is typically considered the highest risk due to its wide-scale accessibility and limited segregation of services.  Customer data is comingled and difficult to identify for auditing purposes. Ownership, operations and maintenance of the facilities, computer hardware and software most often falls with the cloud provider. 
   

• Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). The evaluation of risk at the hybrid cloud model is unique to each deployment. 

The following table summarizes the four deployment models, and the relationship of system management, ownership and location for each model.  

Table 1: Cloud Deployment Models

The risk to data varies in each of the four deployment models, with of private cloud typically being the lowest risk model, and public cloud being the highest risk model. Depending on the deployment model, compensating controls can be accepted in place of the mandatory requirements provided those compensating controls must provide the same level of protection as mandatory controls for safeguarding FTI.

Security Responsibility

The service and deployment model used in a cloud computing environment will determine the responsibility for security controls implementation between the agency and the cloud provider for the protection of FTI that is stored or processed cloud environment. The delineation of security control responsibility is heavily dependent on the service and deployment models of the solution the agency is adopting.  For example, if the solution is a SaaS e-mail solution, the agency may be responsible for a small subset of security control responsibilities including Access Controls.  If the agency is deploying their own applications to a PaaS or IaaS solution, they will have greater responsibility for securing the application layer, and potentially the platform and middleware; and may have responsibilities in almost all of the Publication 1075 (NIST 800-53) control families with the exception of possibly the personnel and physical security requirements. Figure 1 is a notional illustration of the differences in scope between the cloud consumer (agency) and cloud provider for each of the service models discussed above.

Figure 1. Security Control Responsibility

Figure 1 is a notional illustration of the differences in scope between the cloud consumer (agency) and cloud provider for each of the service models discussed above.

Defining a Cloud within the context of the Office of Safeguards

The above definitions, largely created by NIST, define cloud computing for the industry at large. Due to the nature of relationships between IRS, partner agencies, consolidated data centers and third-party providers, there are certain circumstances to consider when determining whether FTI resides in a cloud environment:

Examples of Cloud Environments (non-comprehensive) where Safeguards would require a 45-day Notification and would subsequently assess the solution using the Safeguards Cloud Computing Safeguards Computer Security Evaluation Matrix (SCSEM) during an onsite review:

• Traditional Cloud Services: Instances where an agency has contracted with well-known cloud vendors for supporting/implementing FTI systems. Examples include, but are not limited to and are not endorsed by the Office of Safeguards.

  • Google Docs/Email/Applications for Government

  • MS365, MS Azure
     

• Data Storage Solutions: Instances where an agency uses third-party provided data storage and movement systems which meet cloud definition (multi-tenant, multiple facilities, etc.). Examples include, but are not limited to and are not endorsed by the Office of Safeguards.

  • Box.com

  • Dropbox

Specific examples where Safeguards would not consider an agency solution to be a cloud environment requiring 45-day notification and use of the Cloud Computing SCSEM during an on-site review.

• Contracted Third-Party Services: Instances where an agency has contracted a specific business process which a third-party implements using their own technology. Examples include (but not limited to):

  • Collections Agencies

  • Call Centers

  • Field offices
     

• Hosted Solutions/Systems: Instances where an agency maintains the ownership and configuration of technologies located in a third-party managed facility.

  • Agency only relies on the third-party for rack space, power, and cooling

  • Agency maintains root-level controls of its technologies
     

• Contractor-managed Consolidated Data Centers: Instances where a state has outsourced the management of a consolidated data center (CDC) to a third-party contractor.

  • Safeguards still must assess these data centers consistent with existing methodologies
    Note: There may be contractor access issues to certain data types
     

• Agency-managed Virtual Environments: Instances where an agency and/or state information technology (IT) division have provisioned a virtual environment which hosts FTI systems. The virtual environment is on-premises or at a CDC.

  • Assessment can be performed using the appropriate virtualization SCSEM

  • Agency may use the word “cloud” to describe their own systems but will not be assessed as such

Mandatory Requirements for FTI in a Cloud Environment

The following mandatory controls are applicable for all cloud service and deployment models. However, as stated earlier, depending on the deployment model, compensating controls can be accepted in place of the mandatory requirements provided those compensating controls afford the same level of protection as mandatory controls for safeguarding FTI. Potential compensating controls will be evaluated by the IRS Office of Safeguards as part of the cloud computing notification (see requirement below).

To utilize a cloud computing model to receive, transmit, store or process FTI, the agency must be in compliance with all Publication 1075 requirements. The following mandatory requirements are in effect for introducing FTI to a cloud environment:

Note: IRS Office of Safeguards will test agency-managed security controls during onsite reviews using the appropriate SCSEM for applications, operating systems, database management systems, etc. This determination will be made based on the cloud service model (i.e., PaaS, IaaS, SaaS) used to process FTI and will be discussed prior to any onsite review. The Office of Safeguards onsite review team will leverage the Cloud Computing SCSEM to assess many of the service provider security control implementations.

Use the FTI Cloud Notification Form DOCX to submit a 45 Day Notification to the Office of Safeguards.

Resources

Additional information can be obtained through the following resources:

• Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies Safeguards for Protecting  Federal Tax Returns and Return Information PDF
   

• Federal Risk and Authorization Management Program (FedRAMP)
   

• NIST SP 800-125, Guide to Security for Full Virtualization Technologies
   

• SP 800-145, The NIST Definition of Cloud Computing
   

• SP 800-146, Cloud Computing Synopsis and Recommendations
   

• SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing
   

• CSA Security Guidance for Critical Areas of Focus in Cloud Computing

Fast Cyber Security checklist:

(1) (Policies): FCC Cyberplanner , https://www.fcc.gov/cyberplanner(SANS.org also has nuerous, pre-written cybersecurity policies for small/medium businesses)

(2) (Assessment): NIST CSF (Cyber Security Framework): Cybersecurity Framework | NIST

(3) (Risk Mgmt, Incident Response): Cyber Insurance, The Cyber Risk Pressure Test - Travelers Insurance

Cybercheck all Staff, Devices and Sevices (including all company generated and external APIs (use Salt Security to find and cybercheck APIs)

CISA resources:

https://us-cert.cisa.gov/resources/ncats (National Cybersecurity Assessments and Technical Services)

https://us-cert.cisa.gov/resources/assessments  (CISA Cyber Resilience Review 40 page checklist)

https://www.sba.gov/business-guide/manage-your-business/stay-safe-cybersecurity-threats

fastcyber.herewire.com

fastcyberss.herewire.com

Fast Incident Response Plan for 1-person business storing all sensitive data on payment processor Square:

If you suspect unauthorized access to your Square account (squareup.com) such as by  receiving a message, email or notification from Square indicating your account was accessed when you did not access your account, perform the following incident response steps:

(1) Immediately change your account access information (username, password, authenticator app, biometric settings).

(2) Contact Square (squareup) immediately to report suspicious activity at https://squareup.com/help/contact?prefill=unrecognized_account_activity

when logged into your Square account. Square support link, https://squareup.com/help/us/en/contact?panel=99BFD8B89324 (search for suspicious activity)

(2a) Report confirmed data breaches and exposures to:

--Local law enforcement (Police or Sheriff)

--Local FBI office (https://www.fbi.gov/contact-us/field-offices)

--Local US Secret Service office (https://www.secretservice.gov/contact/field-offices)

(3) Notify any customers with credit cards saved on file to change their credit card information if it is confirmed that credit card information was obtained. Recommend changing credit card information if unauthorized access occurred but loss of credit card information was not confirmed. (For CA, any CA resident must be notified of a breach, see https://oag.ca.gov/privacy/databreach/reporting)

(4) Report to applicable state and federal agencies if the number of breached records exceeds applicable thresholds for each industry. For CA, report a data breach to the State of CA OAG if the number of breached records (# of CA residents) exceeds 500 (https://oag.ca.gov/privacy/databreach/report-a-breach ). 

References (FTC):

https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business

https://identitytheft.gov/Steps

https://identitytheft.gov/databreach

Square references:

https://www.sellercommunity.com/t5/General-Discussion/If-my-Square-account-is-hacked-and-bank-details-are-changed-and/td-p/86918

https://www.sellercommunity.com/t5/Seller-Community-Events/Live-Q-amp-A-Ask-us-anything-about-Square-and-Security/td-p/87134