OTX Partners

OTX Roundtable GRC News

January 2024

Recent Events Highlight the Danger of Lax Employee Termination Processes

Two recent cases involving the actions of disgruntled employees after their terminations act as reminders to us all that employee termination processes are critical to the protection of data.

In a case settled in December, a former cloud engineer for First Republic Bank in San Francisco was sentenced to two years in prison and fined over $500,000 after pleading guilty to violations of the Computer Fraud and Abuse Act. In 2020, he was terminated for violating company policy by using his company-issued laptop for non-business purposes, including plugging in an external drive and moving files. At the time of termination, the company failed to retrieve the employee’s laptop or terminate his external access. The employee subsequently logged into the corporate network, deployed malware, deleted code, and locked employees out.

In a separate case, a former IT manager of a New Jersey public high school pled guilty to one count of violating the Computer Fraud and Abuse Act. After his termination, the employee accessed the network and deleted hundreds of Apple IDs from the school’s School Manager account, deactivated administrative accounts, and sabotaged the school’s phone system. This was the result of the school district’s failure to revoke the employee’s access to the system at the time of termination. The former employee could face up to 10 years in prison and a fine of $250,000.

Organizations must have strong and consistent employee termination processes regardless of whether an employee leaves on positive or negative terms. Failure to do so can result in significant losses.


CMMC 2.0 Proposed Rule Published to Public Register

The CMMC program took one more step toward becoming reality last week. On December 26, the proposed rule for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program was published to the Federal Register. Next comes a 60-day comment period ending February 26. Based on the current timeline, the requirement to be CMMC compliant will begin showing up in contracts in Q1 of 2025.

As discussed in this month’s featured blog, the rule clarifies the role of MSPs with regard to CMMC requirements. Under the updated rule, MSPs are considered External Service Providers (ESPs). In the new rule, ESPs providing services within an Organization Seeking Assessment’s (OSA) CMMC 2.0 Level 2 scope are required to be fully CMMC Level 2 accredited.

The published rule also provides estimates regarding the costs of a CMMC Level 2 Assessment. For small entities, the category most MSPs serve, a Level 2 Assessment is estimated to cost $105,000. Assessments must be completed every three years.

The requirement for CMMC in DoD contracts is expected to be rolled out in a phased manner, perhaps focusing on specific highly sensitive programs at first. However, it is expected to be included in all contracts by late 2026.

Those MSPs looking to provide services to contractors in the DIB should already be on their way to achieving CMMC compliance.


Clock is Ticking on PCI DSS 4.0

The first phase of PCI DSS 4.0 goes into effect March 31, 2024. This is the first major update to the PCI DSS since 2018. Compliance requirements for PCI DSS vary depending on the level for which the assessed organization qualifies, which is based on the total number of financial transactions the organization processes per year. Only the highest level requires a formal assessment through a Qualified Security Assessor (QSA). All others are performed as self-assessments by filling out a Self-Assessment Questionnaire (SAQ).

Most of the changes going into effect at the end of March involve methods and responsibilities rather than technical details. As a new requirement, within each control, organizations must declare the individual roles and responsibilities for meeting the control. This includes the roles and responsibilities of Third-Party Service Providers (TPSPs) such as MSPs and MSSPs. Organizations must declare their use of third-party service providers and identify each provider’s role in meeting controls. This is most commonly achieved by creating a “shared responsibility matrix” between the organization and the TPSP. Any services provided by the TPSP involving the storage, transmission, or processing of sensitive customer data become part of the scope of the assessment. Organizations assessing their compliance are required to perform due diligence assessments of their TPSPs to ensure their practices meet compliance requirements. Ultimately, compliance is the responsibility of the organization being assessed. Third-party service providers are not required to prove complete compliance with PCI standards; however, the services they provide to customers must be implemented in a way that meets the requirements of the associated controls. Services that do not meet the requirements put the organization at risk of being out of compliance.

If they have not already done so, MSPs and MSSPs should be working with their clients who are required to meet PCI to fill out a shared responsibility matrix. They need to be prepared to provide evidence of how their services meet PCI requirements.

Featured Live Event

OTX Partners and KnowledgeWave Present

Mitigating Risk in the MSP Industry

Wednesday January 24, 2024

12:00 PM ET


Featured Blog

Updated: CMMC and the Role of MSPs

The sands of CMMC continue to shift. I stated back in the summer of 2022 that it was unlikely that MSPs would have to fully certify on CMMC in order to offer their services to contractors in the DIB that had to certify themselves. This was not just speculation but was based on comments from Stacy Bostjanick, Senior Program Director of CMMC at the DoD, during a briefing in June of 2022. In July 2023 the DoD passed the final rule on to the Office of Information and Regulatory Affairs (OIRA) for review. The rule was accidentally published to the OIRA website for about 24 hours, but that was long enough for people in the industry to get a good look at it. The final rule, which will be released for comment very soon, is expected to clearly define the role of “External Service Providers”. Under that definition, MSPs would qualify as an ESP and thus be required to fully certify under CMMC Level 2. Read More…


Next OTX Roundtable Meeting

Thursday January 18, 2024 1:30 PM ET

(Virtual)


OTX Partners LLC

OTX Roundtable GRC is a peer group helping MSPs build and maintain a security and compliance-focused culture. Find out more here

© 2024 OTX Roundtable, Inc. All rights reserved. Designated trademarks, brands, logos, and service marks are the property of their respective owners.