Sign In  |  Register  |  About San Anselmo  |  Contact Us

San Anselmo, CA
September 01, 2020 1:33pm
7-Day Forecast | Traffic
  • Search Hotels in San Anselmo

  • CHECK-IN:
  • CHECK-OUT:
  • ROOMS:

ComplianceForge Releases Unified Scoping Guide (USG) Update To Efficiently Scope Cybersecurity Compliance Assessment Boundaries

Cybersecurity Scoping Guide Clarifies Control Applicability For CMMC 2.0 Compliance Efforts With Controlled Unclassified Information (CUI)

SHERIDAN, WY / ACCESSWIRE / November 22, 2024 / ComplianceForge, an industry leader in cybersecurity documentation templates, released an updated version of the Unified Scoping Guide (USG) to help clarify control applicability for a wide range of cybersecurity and data protection laws, regulations and frameworks. This updated version of the USG includes recent guidance from 32 CFR Part 170 that is applicable to the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program.

This free resource is intended to help organizations define the assessment scope boundary(ies) of the sensitive/regulated data where it is processed, stored and/or transmitted. This approach is applicable to the following sensitive/regulated data types:

  • Controlled Unclassified Information (CUI)

  • Federal Contract Information (FCI)

  • Personally Identifiable Information (PD)

  • Protected Health Information (PHI)

  • Cardholder Data (CHD)

  • Intellectual Property (IP)

  • Attorney-Client Privilege Information (ACPI)

  • Student Educational Records (FERPA)

  • Export-Controlled Data (ITAR/EAR)

  • Critical Infrastructure Information (CII)

This cybersecurity and data protection scoping guidance is data-centric, where it:

  • Utilizes nine (9) zones to categorize system components, based on the interaction with sensitive/regulated data;

  • Highlights the different types of risks associated with each zone; and

  • Makes it evident which systems, applications and services must be appropriately protected, due to the risk posed to sensitive/regulated data.

The USG categorizes system components according to several factors:

  • Whether sensitive/regulated data is processed, stored and/or transmitted;

  • The functionality that the system component provides (e.g., access control, logging, antimalware, etc.); and

  • The connectivity between the system and the sensitive/regulated data environment.

Speaking about the cybersecurity control scoping, Tom Cornelius, Senior Partner at ComplianceForge, said:

"Control scoping does not mean every cybersecurity control apply uniformly to every person, process, technology, type of data or facility. This misunderstanding of applicability vs scoping is one of the biggest hurdles that organizations face, since there is a common misconception that if something is ‘in scope' then every control is applicable across the entire boundary of the assessment. This is an incorrect assumption, since cybersecurity controls are primarily administrative, technical or physical, in nature. This means that there may be controls that are not applicable to certain systems, applications and/or processes."

Examples of this concept of applicability for cybersecurity and data protection controls include:

  • Network devices. A network firewall is a technical control, where certain other controls would be applicable, such as Multi-Factor Authentication (MFA), access control, secure baseline configurations and patch management. Since a network firewall is a device, it not capable of having end user training, completing a Non-Disclosure Agreement (NDA) or conducting incident response exercises.

  • Security awareness training. User awareness training is focused on personnel, such as employees and applicable third-parties who will be interacting with the organization's systems and data. NDAs, threat intelligence awareness, acceptable use notifications are all applicable to individuals. Since an individual is not a device, an individual is not capable of having a secure baseline configuration applied, be scanned by a vulnerability assessment tool, or have missing patches installed.

  • Incident Response Plan (IRP). An IRP is a documented process that is a tool to be used to guide incident response operations. Since an IRP is a not an individual or technology, it cannot sign an NDA, have MFA or be patched.

About ComplianceForge

ComplianceForge specializes in cybersecurity and data protection documentation templates. ComplianceForge is an industry leader in providing affordable, editable and scalable documentation solutions to support cybersecurity and data privacy compliance efforts. Their products serve as a business accelerator, where ComplianceForge does the heavy lifting for its clients by providing the necessary policies, standards, procedures and other documentation they need to address their cybersecurity and data privacy compliance obligations in the most efficient manner possible. ComplianceForge leverages industry-recognized secure practices so their solutions can scale from Fortune 100 multinationals with complex compliance requirements, all the way down to micro-small companies that just need single solutions, such as PCI DSS or CMMC compliance.

Contact Information

ComplianceForge
support@complianceforge.com

SOURCE: ComplianceForge



View the original press release on accesswire.com

Data & News supplied by www.cloudquote.io
Stock quotes supplied by Barchart
Quotes delayed at least 20 minutes.
By accessing this page, you agree to the following
Privacy Policy and Terms and Conditions.
 
 
Copyright © 2010-2020 SanAnselmo.com & California Media Partners, LLC. All rights reserved.