The COVID-19 event, obviously, has had a wide-reaching negative impact for the entire country. Despite this, even in the face of the trauma linked to the loss of loved ones, we will eventually prevail and see the other side of this event. When that happens, a return to more normalized business operations will closely follow (if not already underway). There is a unique, somewhat limited, opportunity to position your organization for a far better response to this kind of event in the future. The primary method to achieve this is from an investigative effort, or what is more commonly referred to as a “lessons learned” exercise. In this case, the focus will be on the organization’s continuity planning, or contingency planning, approach and execution.

One way of viewing this exercise is from the phrase “Those who do not learn from history are condemned to repeat it.” Essentially, when mistakes happen, learn from them or you’ll be likely to encounter the same failures. The approach of a “lessons learned” exercise is a method of continuous improvement that is based on a singular event (COVID-19) or similarly related events. The entire goal should be to find areas where business unit operations or actions had difficulty or issues with the event under review. Generally speaking, a “lessons learned” exercise should be applied to all projects and, where it makes sense, to any smaller efforts made by an individual or handful of staff. This goes to its general principle of increasing efficiency and effectiveness in similar future events.

Lessons Learned Steps

For guidance, here are some suggested steps for carrying out a “lessons learned” exercise:

  1. Establish a person and team (tiger team) to manage the exercise. Dedicate time for meetings (and hold them, with an agenda)
  2. Ask questions, request feedback from business units and meet with managers to get direct feedback as to challenges encountered
  3. Consolidate feedback and information within documentation – have a dedicated role for maintaining minutes and records
  4. Based on data gathered and tiger team determinations, make recommendations for changes to existing plans or launch initiatives for new plans as needed, via a Plan of Action and Milestones (POAM). Ensure completion of the POAM
  5. The team should look to move to a quarterly or annual meeting to track progress on POAMs and provide historical knowledge to the exercise outcome. Store plans for future reference and use as a guideline for any other areas needing improvement

As with most things that address improvement, the first step is to set aside dedicated time to organize and focus on the effort. This will involve identifying the staff and lead manager that will be needed for the team that tackles this important undertaking. The staff will need to dedicate time to focus on the task at hand – this may not be easy depending on how recovery efforts are running. A notable challenge can be the need for accurate recall, in the absence of on-going issue tracking during the event. Regarding how much time to dedicate, have as many sessions as needed, but be aware of scope creep. A good method to guard against scope creep is for the team to set specific goals at the outset of the exercise. If other more significant issues arise, it may be best to have a separate investigation, so that proper focus and resources can be dedicated to each. A primary goal at this first stage should be the understanding that these meetings are to be kept (take attendance if needed) to get things kicked off and so the team can leverage the time-frame where staff still can readily recall details of their issues. Hopefully, some of the issues were already being noted during the crisis. If not already part of your contingency procedures, consider adding an “active event issues” list, as well as coordinating that data via check-ins with higher management. For the lessons learned, gather that information and data. The entire organization should understand that this exercise is underway and should provide any assistance needed to help the company be more successful in the future.

Key Questions

Once meetings have been established and are running, the effort will involve information gathering, where feedback should be openly asked for. Consider soliciting information from the entire organization, if appropriate and acceptable. In general, be sure to capture the following:

  1. What worked? These are things that you wish you had more of, that provided some level of assistance (even if small) and were successful, even if only deployed right before the end of the event.
  2. What didn’t work? Obviously, this goes to areas where weakness was seen. What gaps were noted? And are any currently being worked on for a solution? Assess the potential need for that solution in the future and be sure to keep it moving forward to closure.
    • If this step results in long lists of issues being presented, consider asking for a “top 3” or “If you had to pick only 1 item, what were you most frustrated with during the crisis?”

Once the information has been gathered, it will need to be organized, condensed and reviewed for actionable issues. The staff to conduct those reviews should follow the business unit structure, where finance issues are reviewed by the finance department, technology issues reviewed by the Information Technology department, and so on. The information learned from these issue reviews must be captured in documentation and then collected for the group and team lead to review. Therefore, there is a need for a recognized keeper of documentation, including meeting minutes. All those on the team will coordinate with the records keeper to ensure full and accurate data is maintained on the issues being addressed. The minutes are generally distributed to the team for review and coordination of efforts on any “asks” from those meetings.

After there is confidence from the team that pertinent issues have been identified, start the hunt for solutions. Some problems will be easier than others; don’t forget to leverage the organization for ideas on how to address those problems. In the case of COVID-19, everyone has been impacted and likely will have some general idea as to what potential solutions could address the myriad of identified issues or gaps. Take those ideas and formulate a plan to address the issue and review solutions to ensure that they will indeed address the problem identified. A recognized method for implementing a fix is the Plan of Action and Milestones (POAM), which can be found in great detail within the National Institute of Standards and Technology (NIST) publications. After that, take corrective action following the POAM to resolve the gaps, adjusting as needed along the way.

Wrap up

Finally, keep an archive of the lessons learned activities for review and tracking. At the end of the exercise, it will be apparent that focused effort was expended to obtain results and the successful methods used should be repeated. Conducting this exercise will bring forward skill sets that can be re-engaged to address problems that trouble the organization elsewhere. As a last step, if not already part of the overall exercise, a summary report should be assembled to show the results from the team’s efforts. Send the report up the management tree for review, including executive management. Given the scope and impact of this event, and in order to prevent history from repeating itself, this should be a report of interest.

We will next look at the outline for a pandemic response and what should be considered for contingency planning, in the event that COVID-19, or something similar, comes knocking again.

From a quick assessment on what has been published thus far on the CMMC regulation and its overall goal, it appears that contractors’ lack of information security will no longer be tolerated by the DoD. Beginning with the introduction of the new regulation to the public in January of 2020, it is expected that new contractual requirements will include CMMC starting in June of 2020, and enforcement for current contractors starting in September of 2020. The current proposed structure for achieving the CMMC level of security is somewhat advanced, but not unprecedented. One of the more significant moves for this effort is the requirement that entities will be audited by an independent 3rd party, prior to any certification being awarded. The audit will likely require evidence to be presented to show that the correct level of security controls are present and functioning as required. Despite this regulation being new, it will likely be comprised of current NIST controls, as chosen by the DoD.

Given the nature of the Federal Information Security Modernization Act (FISMA), which is to protect all federal data by means of the NIST controls, it is hard to conceive of any other security framework being used to meet the goals of CMMC. Even here, at the assurance level for the security controls, we find an interesting item for auditors, as they will be required to attest to the accuracy of their findings. This step is likely in place to link auditors directly to an organization in the event of control failure or data breach. As such, it appears that the audit process will be evidence-intensive, with audit artifacts and audit trails being required to demonstrate compliance with the selected controls.

So, how did we get here? After a review by the DoD, it was determined that only 1% of contractors actually have some form of proper data protection in place, which naturally gives rise to concerns over the military’s highly sensitive data being secured against other nation-states that wish to obtain it. These nation-states and their activities are collectively known as the ‘advanced persistent threat’ (APT), as they are looking to obtain the targeted data, at almost any cost, including working to infiltrate systems for years. Additionally, there is the threat from criminal actors who are pursuing this data so that it can be sold on the black market to the highest bidder. Either of these attackers represents a significant threat to military contractors, mainly due to the lack of appropriate information security controls being put in place.

Recently, the Department of Defense (DoD) announced a new initiative for the information security component of defense contractors, sub-contractors and the supply chain for DoD projects. This regulation is coming forward with the goal of securing the complete supply chain for the DoD which has had historical issues with keeping sensitive data secure.  Currently, DoD contractors and subcontractors are under obligations to protect the data they are entrusted with by having an information security program in place which deploys the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security controls. Despite those obligations, contractors have consistently had issues with protecting the military data entrusted to them, resulting in data exposure and breaches.

The concerns over data security materialized in stark reality when a civilian contractor was breached early in 2018, resulting in the exposure of more than 600 gigabytes of highly sensitive information to China by their cyberattack efforts. This breach significantly impacted the US Navy’s Sea Dragon project for the submarine fleet and the overall capability for conducting subsurface warfare operations. The exposure also included the breach of the electronic warfare library for that project, which contains a notable amount of highly classified data, as the name implies. What cannot be overstated is the value of that data loss, as it represents untold years of accumulated, hard-won United States knowledge and expertise in several matters of science, research, and advancement from associated discoveries. It appears that, due to this breach and others like it, and the assessment of the poor computer security posture of DoD contractors, the DoD has been forced to take a stance of “no tolerance” for gaps within information security programs.

This breach and other incidents like it demonstrate that civilian contractors have not taken appropriate actions to properly deploy information security controls to protect DoD data. This is not a defense sector or DoD only issue, as the loss of intellectual property (IP) across the nation has been an ongoing event for a number of years, with the public only recently gaining a small insight into this major issue. What needs to be understood is the impact of the loss of the country’s IP to the rest of the globe, due to the apparent complete lack of concern regarding securing company owned systems and data. For some, the idea of IP loss is difficult to grasp or to put in easy-to-understand terms; however, we can put some measurement to it over the past several years. From reports, the loss of IP has a measurable financial impact, with estimates placing the financial cost from stolen IP at $600 billion in lost revenue for the United States. That includes several billions of dollars being lost to counterfeit goods that compete on not only the domestic market, but the international market as well.

As we move forward in the digital age, the critical nature of having secured IT systems is becoming more and more glaring.  It seems clear that the information security factor will continue to have a large impact on all business sectors, with the military industry being the first to be called on to fully secure their systems. It is very likely this trend will expand outward, as people continue to express overwhelming concern over their personal data and how systems and applications are collecting and monitoring actions and activities. Companies that decide to get ahead of this significant problem are showing a commitment to long-term investment that should have positive impact on not only profit, but also revenue in the years to come.

Once full details on CMMC are made available, we will look to post a blog that gives a clearer definition as to what the CMMC requirements entail.

Medical community challenge:

In a business environment where resources are limited, compliance requirements abound, and budgets are constantly struggling to meet cost containment targets, the complexity of the regulations your business is required to comply with can present a challenge. This challenge becomes even more difficult within the dynamic environment of hospitals, doctors’ offices, and all of the supporting elements of the medical profession. Of course, these efforts are for the critical actions for life saving procedures for the focal point of the medical community - the patient. However, the digital age that we have moved into over the past 20 years, despite the convenience it offers, comes with risks. Patients have suffered the compromise of personal information, resulting in the patient population expressing considerable concerns regarding how their medical data is handled.

These concerns are not without due cause, given the sensitive business of life support that medical organizations have chosen to engage in, and the information involved with any medical procedure or activity. Those concerns are partly expressed in the Health Insurance Portability and Accountability Act (HIPAA), which compels medical businesses to treat the data they possess with certain protections. We will break down the predominant components of the HIPAA regulation as a basis for gaining a clear understanding of the drivers behind this law. In later postings on this topic, we will explore a strategy to align your organization to the information security requirements defined within HIPAA, HITECH, and the Omnibus rule.

The Health Insurance Portability and Accountability Act of 1996 establishes requirements for healthcare organizations with respect to ensuring security and privacy of protected healthcare information (PHI) and electronic protected healthcare information (ePHI). Broadly speaking, the overarching HIPAA principle for this type of data is that it is to remain private. Only people who have a definitive need for that data should be able to access it.  Of course, it should go without saying, that the only way to provide any kind of privacy is through the effective deployment of security measures to restrict access and exposure of the data.  The principles of privacy and security are irrefutably linked, as you cannot have one without the other, which gives the logic to the two more well-known rules of HIPAA that we will cover below.

There are a number of rules that are recognized within HIPAA, or what most people come to call HIPAA, which usually encompasses other healthcare data regulations (e.g., HITECH and the Omnibus Final Rule). Some of the rules are more well-known than others. Due to their history as being the first established with HIPAA, the best known are probably the Privacy Rule and the Security Rule. However, that’s not where the rules stop. There have been regulation updates to HIPAA as the issues around the handling of medical data have become better understood. It can be a challenge to keep track of all of these rules:

Now that you have a base-line understanding of what HIPAA is comprised of, we can move on to another primary component of HIPAA, which is understanding the criteria for PHI and ePHI, as well as understanding if you and your organization fall under the HIPAA regulation.
NEXT UP: What is PHI or ePHI and who has to abide by HIPAA?

GDPR has been in place since May 25th, 2018 and has already been used in legal actions against companies, with over 200,000 cases reported within this first year. The law is expected to make a notable impact on companies, as it has considerable fines and penalties. Even when compared to HIPAA and FISMA, GDPR has the most threatening teeth of any law to date. Even without GDPR being in full force, information security infractions have been getting more attention from multiple angles.  There have been some examples of how expensive this can get, as seen with Alphabet and its $9.4bn in fines, over the past 3 years. It would appear by these recent historical events that information security is rising to a point of serious contemplation for businesses world-wide.

However, this should not be a news flash by any means. The implementation of a serious data protection law by the European Union has been in development for some time now (starting in 1995). Most notably, the now infamous “Right to be forgotten” was generating news and conversation on this very topic. Even still, as noted above, companies seem to be caught flat-footed and have had to pay dearly for infractions.

GDPR drives the idea, at least in part, that information is a business asset, and as such, businesses are obligated to manage that asset in a manner that will not bring harm to its customers and employees. The public has voiced its concerns numerous times, indicating that loss of privacy has a legitimate ability to cause harm to an individual. GDPR gives those voices traction to hold organizations accountable for lack of proper management, security, and ultimately privacy of their Personally Identifiable Information (PII).

So, how can a company successfully meet the requirements of GDPR? Let’s take a look to explore the best viable answer to that question.

As a general principle of information security, evidence is the best method to prove how an organization deploys security controls. GDPR is no exception, as it calls out repeatedly the requirement to be able to “demonstrate compliance”, as seen in Chapter 2, Article 5 of the regulation, where the principles of processing personal data are addressed. To be clear, evidence is also known as ‘audit artifacts’ or ‘audit trails’ within other compliance frameworks and in general among the audit community. Not surprisingly, within the United States, the requirement for audit artifacts is also seen in regulation, namely HIPAA and FISMA, both of which use the NIST standards to achieve security. The HIPAA focused security controls are seen in NIST SP 800-66, with FISMA using NIST SP 800-53, tying in the NIST Cyber Security Framework to round out an information security program. Both regulations then use the NIST security control base, which in turn supports privacy for IT systems and data.

Which brings us to the next important question, “What about privacy, isn’t that part of the GDPR?” Excellent point. Here again, NIST shows strength as a framework, as SP 800-53, rev 4, includes privacy controls, in appendix J.  When held up against the extensive GDPR requirements, it is clear that these privacy controls can easily be leveraged to support the goals of GDPR.  Some examples from NIST:

Naturally, this leads our conversation to “where do I need to apply these controls?” The data that is identified to be protected by GDPR and NIST is broadly understood as Personally Identifiable Information (PII) and both regulations have similar descriptions, only GDPR calls it “Personal Data”.  GDPR appears to be the broader of the two definitions, as seen below:

GDPR PII: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

GDPR (article 4, Definitions, paragraph 1)

NIST PII: (Personally Identifiable Information): Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).

For any company system, these are the data sets that you want to ‘tag’ or search for to ensure that the proper protections are in place. Once that footprint is well understood, you have the starting point for deploying not only your security controls, but also for checking that the privacy controls are in place. In the case of GDPR, the privacy controls repeat the requirement that signed consent be obtained from the data subject (much like HIPAA), with a number of notable exceptions – so be certain to review them for a full understanding. When considering how to tackle the requirements of not only GDPR, but FISMA, HIPAA or any other information security law or concern, the best place to look is NIST, in my opinion. NIST not only offers the most complete, thorough and well researched controls, it is also the framework recognized by the US government and federal courts. Putting NIST controls in place puts any company in an advantageous position, not only for the potential of being able to understand the requirements of a government contract, but also for showing the positive actions that a company takes regarding information security if ever questioned in court.
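To make the ‘tag or search for’ step concrete, here is an added example (not code from the original post or from SynerComm) that classifies records against the two definitions quoted above. It follows the NIST wording: a record is tagged PII-DIRECT when it holds an identifier that distinguishes a person on its own (name, SSN, e-mail), and PII-LINKABLE when it holds two or more quasi-identifiers that identify someone only when combined (date and place of birth, postal code, mother’s maiden name). The field names, the US-style SSN and phone formats, and the sample records are all assumptions constructed for this example.

```python
import re

# Regexes for direct identifiers that may hide in free-text fields.
# US-style formats are an assumption for this example.
DIRECT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

# Column names assumed for this example. DIRECT_FIELDS identify a person on
# their own (NIST: "distinguish or trace the identity"); QUASI_FIELDS only do
# so "when combined with other personal or identifying information".
DIRECT_FIELDS = {"full_name", "ssn", "email", "passport_number"}
QUASI_FIELDS = {"date_of_birth", "place_of_birth", "postal_code", "mothers_maiden_name"}


def classify_record(record: dict) -> dict:
    """Tag one record as PII-DIRECT, PII-LINKABLE or NO-PII and say why."""
    direct, quasi = set(), set()
    for name, value in record.items():
        if value in (None, ""):
            continue
        if name in DIRECT_FIELDS:
            direct.add(name)
        if name in QUASI_FIELDS:
            quasi.add(name)
        # Free-text columns (notes, comments) are scanned for identifier formats.
        for label, pattern in DIRECT_PATTERNS.items():
            if pattern.search(str(value)):
                direct.add(f"{name}:{label}")
    if direct:
        tag = "PII-DIRECT"
    elif len(quasi) >= 2:  # two quasi-identifiers are linkable to one individual
        tag = "PII-LINKABLE"
    else:
        tag = "NO-PII"
    return {"tag": tag, "direct": sorted(direct), "quasi": sorted(quasi)}


def scan_dataset(records: list) -> dict:
    """Summarize a table: how many records carry which class of personal data."""
    summary = {"PII-DIRECT": 0, "PII-LINKABLE": 0, "NO-PII": 0}
    for record in records:
        summary[classify_record(record)["tag"]] += 1
    return summary


# Constructed sample rows, not real people.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "full_name": "Jane Example", "email": "jane@example.com"},
    {"customer_id": 1002, "date_of_birth": "1980-04-12", "postal_code": "53005"},
    {"customer_id": 1003, "postal_code": "53005", "order_total": 42.50},
    {"customer_id": 1004, "notes": "Customer asked for callback at 414-555-0100"},
]

if __name__ == "__main__":
    for row in SAMPLE_RECORDS:
        print(row["customer_id"], classify_record(row))
    print(scan_dataset(SAMPLE_RECORDS))
```

Record 1003 carries a single quasi-identifier and is left untagged, while 1002 is tagged linkable because two quasi-identifiers together narrow the data down to a specific individual; record 1004 shows why free-text columns need to be scanned rather than trusting column names. The output of a scan like this is the data-footprint inventory that the security and privacy controls are then applied to.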

GDPR can offer some insight on how the overall public is viewing information security, and how that scope is more expansive than one might initially think. Interestingly, GDPR addresses an area that came as a surprise to me, which is centered around the use of ‘junk mail’ and spam.  Both are addressed within the regulation, which in turn, will reduce the amount of unwanted traffic across your inbox, as well as your mailbox (if you reside in the EU).

Overall, from not only review of the regulation and associated writings on the subject, but from knowledge of the federal level protections, GDPR is very much in line with the principles of FISMA, if not directly in line with some of its stated requirements. To date, there is no officially identified framework to address the GDPR requirements, and based on my assessment, it makes the most sense to look to the NIST framework to address this shark-toothed law. Not to mention, if you have any federally sourced data on your system, FISMA is in play within your organization already, which requires NIST protections be in place. As an added bonus, if you have no other data privacy or security concerns past GDPR, and you are based within the U.S., deploying NIST puts you in alignment for the only law within the country (currently). As several people have already stated, the introduction of GDPR will most likely result in some sort of similar, if not more robust, new regulation within the United States. So, if you’re based in the U.S., buckle up; the ride is most likely not over.

In the end, the ability to address GDPR is not insurmountable – it simply is an area that requires a well thought-out, managed, approach and plan; as is true for many areas in business.  Consider these items to start that process:

  1. Review the GDPR regulation and/or gain knowledge on where it applies to your company, possibly accomplished via a mapping exercise
  2. Review the security and privacy controls from NIST and determine where significant gaps exist in your current security and privacy posture
  3. Begin remediation of the gaps, tracking your progress to understand (and start to limit) your company’s exposure to GDPR infractions

SynerComm can assist you with assessing your security or privacy controls status to address any framework, including PCI-DSS, FISMA or HIPAA. Contact us today for assistance on your information security needs!
