Industries

Industries and Audit-Readiness Supported

"Cybersecurity" is a nebulous word and an ambiguous label. Navigating the "cybersecurity" requirements and needs of your business is detail-oriented, confusing, and takes a high degree of expertise. If you are a subcontractor or third-party service provider, navigating that well can mean the difference between landing a contract with a Federal agency or prime contractor and being overlooked.

The fact is, at Singular Security we are very good at navigating that exact process. Some cybersecurity companies break down the services they provide by the industries they serve. But in our 20 years of experience, we have learned that this can leave the impression that good cybersecurity means checking off a pre-determined list, and that if an item isn't on the list, some other expertise is needed.

That couldn't be further from the truth. Cybersecurity is about vigilance and diligence. It requires understanding how secure your devices, information, policies and procedures are now, what is needed to reach a desired level of security, implementing those steps, and then showing all of that work in an ongoing manner to anyone with the authority to ask your company about it.

So when we say we "do it all", we're not just blowing smoke. We are experts at figuring out what your business needs; all you need to do is tell us your cybersecurity goals, and we can guide you the whole way.

We specialize in tailoring our tools, programs, and protocols to your company’s requirements. Every time a new regulation, statute, program, or mandate arises, we’re on the frontlines to learn best-in-class practices for their implementation.

Whether you’re facing an audit or simply need to prove compliance and diligence to compete for a bid, we can build a program that guarantees your success. No guesswork, no ambiguous documentation “requests”, only purpose-fit tools and the data you need to run your business securely under the mandates and regulations that apply to your specific industry.

Below is a list of the general steps necessary to achieve compliance, the compliance regulations we most frequently address, and the industries they concern. As you read, keep in mind that many of these requirements are industry specific, and while some may not be legally mandated through government oversight, voluntary compliance goes a long way in setting yourself apart from your competition. If this sounds confusing, fret not - navigating this labyrinth of overlapping standards, regulations, and best practices is our specialty.

Whether you simply need a “spot-check” to determine compliance or want a full program tailored to your needs, contact us at Singular Security and let us help.

Steps Toward a Healthy Cybersecurity State

  1. Take stock: also called baselining, this step determines your current cybersecurity status.
    1. Goalsetting: what do you need to achieve in your cybersecurity program? Is an audit looming? Are you entering a new practice area with unfamiliar regulatory
    2. Vulnerability Scanning identifies known vulnerabilities and misconfigurations across your entire digital ecosystem.
    3. Penetration Testing shows what an attacker could actually achieve if those weaknesses were exploited against your business, which separates the findings that matter from the ones that merely look bad on a scan report.
    4. Analysis of your security posture to establish what is needed to reach your compliance and audit goals.
  2. Implement the plan
    1. This is where the details lie. Your specific industry, needs, goals, security baseline, and budget need to be considered and planned for within the ecosystem of available cybersecurity strategies and solutions.
    2. Singular Security is an industry-leader in creating tailored programs that work for your individual business's specific details.
  3. Maintain the health state
    1. Continuous monitoring and life-cycle maintenance of all your organization's devices, software, web apps, endpoints, networks, and other IT infrastructure is essential to maintaining a good cybersecurity posture.
    2. This shows up in nearly every applicable control, standard, or regulation across nearly every industry with cybersecurity oversight.
    3. Whether you just need a strategy - procedures and tools - or want a full-bodied solution, Singular Security can recommend, provide, or even offer as a managed service:
      1. Threat Hunting
      2. Security Incident and Crisis Support
      3. Managed Endpoint Detection & Remediation
      4. Email Security-as-a-Service

Common Sources of Cybersecurity Requirements

Cybersecurity requirements have no central legal basis; instead, your company may face compliance and regulatory requirements from a variety of sources.

  1. Government entities may enact legally binding, statutory requirements.
    1. The Gramm-Leach-Bliley Act is an example of a law passed by Congress that specifically imposes statutory requirements on financial institutions.
  2. Government agencies may enact regulations or rules under statutes that either create those agencies or enable those agencies to create those rules
    1. The Health Insurance Portability and Accountability Act (HIPAA) created a legal requirement for the Department of Health and Human Services (HHS) to establish rules and procedures in the spirit of HIPAA. This meant Congress did not pass the specifics of the Security Rule or Privacy Rule, for example, but enabled HHS to craft them through an administrative rule-making process.
  3. Industry groups may agree to self-regulate rules or best practices across their entire industry.
    1. These rules can vary greatly in their regulatory overhead - some are published as "aspirational" rules (i.e. as suggestions for good practices with little enforcement), while others are heavily monitored and can come with heavy enforcement within your industry.
    2. The Payment Card Industry Data Security Standard is an example of a self-imposed security standard that is heavily enforced by the major payment card brands through their acquiring banks. Failure to comply with a brand's interpretation of the rules can result in fines or in your company being unable to accept that brand's cards.
  4. Nonprofit groups often create and promulgate standards that are offered as best practices with an eye toward the goals of that nonprofit group.
    1. Statement on Standards for Attestation Engagements 18 (SSAE 18), from the American Institute of Certified Public Accountants (AICPA), is one example: it is the attestation standard under which an independent CPA issues SOC reports on a service organization's controls (see SSAE18 below).
    2. Sometimes these are directly implemented by governmental bodies or industry-level organizations. Other times, they can serve as a strong signal that you take cybersecurity very seriously and while compliance isn't legally mandated by any authority, compliance can be the fact that seals a contract for your business.
  5. Private contracts between businesses often contain data security and cybersecurity requirements.
    1. Ranging from nondisclosure and confidentiality restrictions to full-fledged cybersecurity programs, private businesses are increasingly adopting language into their own business dealings that create and impose cybersecurity obligations.
    2. Relatedly, many major Federal prime contractors are required to "flow down" the cybersecurity requirements of their Federal contracts to their own subcontractors.
      1. In many cases, even if those prime contractors are not legally required to flow down those terms, they choose to do so anyway through their contracts with the subcontractors in order to showcase their commitment to data security - because it makes them more competitive for large contracted jobs.

Common Cybersecurity Requirements

  • NIST SP 800-171
    • NIST SP 800-171 - often shortened to 800-171 - is the National Institute of Standards and Technology's catalog of security requirements that a nonfederal organization's systems must meet in order to store, process, or transmit Controlled Unclassified Information (CUI), or to provide security protection for such systems.
    • The exact requirements for NIST SP 800-171 revision 2 can be found at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf. NIST has since published revision 3, so confirm which revision your contract or assessment cites before building your control set.
    • While 800-171 is written for any nonfederal organization that handles CUI, compliance is currently mandated by contract for Department of Defense contractors that handle covered defense information, through DFARS clause 252.204-7012, which also requires flow-down to subcontractors and, under DFARS 252.204-7019 and 7020, a self-assessment score reported to DoD's Supplier Performance Risk System.
  • FISMA
    • The Federal Information Security Modernization Act (originally the Federal Information Security Management Act of 2002, updated in 2014) applies to every federal agency and to contractors that operate information systems on an agency's behalf, regardless of whether the information is classified. Where NIST SP 800-171 addresses CUI on nonfederal systems, FISMA compliance for federal systems is built on FIPS 199 (impact categorization), FIPS 200 (minimum security requirements), and the NIST SP 800-53 control catalog, applied through the Risk Management Framework in NIST SP 800-37. Classified national security systems are categorized and tailored under CNSSI 1253 rather than FIPS 199 and 200.
    • Private companies that host or operate systems for agencies must meet these same requirements, and aligning with the SP 800-53 baselines in advance bolsters their competitiveness for such contracts.
  • CIS
    • The Center for Internet Security is a non-profit organization that publishes consensus-developed security standards for defending IT systems and data against cyberattacks. Its CIS Critical Security Controls (18 controls in version 8) provide an excellent framework for creating an organizational cybersecurity plan.
    • The separate CIS Benchmarks are platform-specific configuration guides (for operating systems, databases, cloud platforms, browsers, and more) that offer prescriptive, checkable settings for establishing a secure baseline configuration. They are internationally recognized and used by thousands of organizations.
    • Used as a guideline and flexible starting point, the CIS Controls are a useful barometer for assessing your current security posture and building a roadmap toward stricter control sets; CIS also publishes mappings from the Controls to NIST SP 800-53 and 800-171, so the work carries over when NIST or other governmental oversight arrives.
  • PCI DSS
    • Any organization that accepts, handles, stores, transmits, or processes payment cardholder data is subject to the requirements of the Payment Card Industry Data Security Standard, with validation requirements (a self-assessment questionnaire versus an on-site assessment by a Qualified Security Assessor) scaled to transaction volume.
    • The standard is maintained by the PCI Security Standards Council and enforced by the individual payment card brands through their acquiring banks, which can impose fines or revoke card acceptance. Compliance means never having to turn away a customer regardless of their payment choices.
  • HIPAA
    • If you are a Covered Entity or a Business Associate under HIPAA and create, receive, maintain, or transmit patients' Protected Health Information (PHI), your compliance with the Privacy and Security Rules is essential. The Security Rule covers electronic PHI specifically and requires a documented risk analysis as its foundation.
  • HITECH
    • The HITECH Act drove "meaningful use" of electronic health records (EHR) technology by U.S.-based healthcare providers through Medicare and Medicaid incentive payments. Meaningful use means eligible providers need to show that they are using certified EHR technology in a way that can be measured in both quantity and quality.
    • The HITECH Act also set the stage for stricter enforcement of the Privacy and Security Rules of HIPAA: it made business associates directly liable for Security Rule compliance, introduced the Breach Notification Rule and tiered civil penalties, and required HHS to conduct periodic audits of covered entities and business associates. These audits determine whether organizations meet the specified standards and are therefore in compliance with HIPAA's Privacy Rule and Security Rule.
  • SSAE18
    • Statement on Standards for Attestation Engagements 18 (SSAE 18) is an attestation standard from the American Institute of Certified Public Accountants (AICPA), issued by its Auditing Standards Board (ASB), under which an independent CPA reports on the controls of a service organization. Any company that provides outsourced services affecting its customers' operations or financial statements can engage an auditor for such a report. The reports are known as System and Organization Controls (SOC) reports: SOC 1 covers controls relevant to customers' financial reporting, SOC 2 covers security, availability, processing integrity, confidentiality, and privacy against the AICPA Trust Services Criteria, and SOC 3 is a general-use summary of a SOC 2. For each, a Type I report describes control design at a point in time, while a Type II report also tests operating effectiveness over a review period, which is what most customers and procurement teams ask for.
  • GLBA
    • Applying to financial institutions, the Gramm-Leach-Bliley Act is enforced by the FTC, the federal banking regulators, and state insurance authorities.
    • To be GLBA compliant, financial institutions must communicate to their customers how they share the customers' sensitive data, inform customers of their right to opt out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers' private data in accordance with a written information security program created by the institution.
    • The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with the notice and opt-out requirements issued under the FTC's Financial Privacy Rule. The FTC's 2021 amendments to the Safeguards Rule (in force since June 2023) spell out concrete technical expectations, including multi-factor authentication, encryption of customer information in transit and at rest, a designated qualified individual responsible for the program, and periodic penetration testing and vulnerability assessments.
  • SOX
    • The Sarbanes-Oxley Act was created in response to several high-profile accounting scandals, including Enron, WorldCom, and Tyco. SOX establishes stricter requirements for internal controls over financial reporting within publicly traded companies.
    • While SOX governs the financial operations and disclosures of corporate entities (and, through them, their financial service providers), its reach extends well beyond the finance department. Section 404 requires management and the external auditor to attest to the effectiveness of internal controls over financial reporting, and those controls rest on IT general controls: access management, change management, backup and recovery, and tamper-evident audit trails for the systems that produce financial records. SOX reporting therefore involves IT departments directly, because adequate controls require protecting financial data from unauthorized modification and providing full visibility into its history.
  • FERPA
    • If you are an educational agency or institution that receives federal funding under any program administered by the Department of Education, the Family Educational Rights and Privacy Act applies to you. This covers nearly all public and charter schools and virtually every college and university (because they participate in federal student aid programs), while private and parochial schools fall under FERPA only if they accept such funds.