HITRUST | December 18, 2021
HITRUST today announced it is addressing the need for a continuously-relevant cybersecurity assessment that aligns and incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware. The design and selection of the controls for the HITRUST Implemented 1-year (i1) Assessment puts it in a new class of information security assessment that is threat-adaptive – designed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed material.
Most existing assessment approaches are not designed to keep pace with current and emerging threats; those that do, rely heavily on broad control requirements that raise questions about suitability of control and consistency of review that ultimately impact reliability of results. In contrast, HITRUST identifies information security controls relevant to mitigating known risks and leverages cyber threat intelligence data to influence the selection – and where necessary, updating – of technically-focused HITRUST CSF requirements included in the HITRUST i1 Assessment. As a result, the HITRUST i1 Assessment includes controls selected to address emerging cyber threats active today.
“The HITRUST i1 Assessment is unique in both selection of controls and the design of its assurance program. Effort towards completion is comparable to other moderate assurance vehicles while delivering a higher level of reliability,”
Jeremy Huval, HITRUST Chief Innovation Officer
The HITRUST i1 Assessment is the first information security assessment of its kind with attributes not available through other assurance programs:
Designed to maintain relevant control requirements to mitigate existing and emerging threats and provide updates as new threats are identified (It is threat-adaptive, prescriptive, and focused on controls relevant to risk)
Designed to sunset controls that have lost relevance and have limited assurance value based on effort required to comply or assess
Its unique controls selection and assurance program design deliver a higher level of reliability than other moderate assurance options
The level of time and effort to complete is comparable to other moderate assurance options in the market
Offers a forward-looking, 1-year certification
As the HITRUST i1 was designed around relevant information security risks and emerging cyber threats, it is not surprising it provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP).
HITRUST will evaluate security controls and review threat intelligence data no less than quarterly, and for each subsequent major and minor release of the HITRUST CSF, to ensure the HITRUST i1 Assessment requirement selection remains relevant over time. Guidance documents will also drive enhancements to the HITRUST CSF and HITRUST i1 Assessment control sets as needed. While the HITRUST i1 Assessment is intended to adapt and evolve to maintain relevance, it’s important to note that HITRUST i1 Assessment certified organizations will not be impacted by changes to the HITRUST i1 Assessment control requirements until their next HITRUST assessment cycle.
HITRUST is hosting a webinar at 11 a.m. CT on Thursday, February 3, 2022, to discuss the HITRUST Implemented 1-year (i1) Assessment in more detail. To register, and for more information, click here: Next Generation HITRUST Information Security Assessment Focuses on Continuous Cyber Relevance
Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security, and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks as well as related assessment and assurance methodologies.
Veracode | March 30, 2022
Veracode, a leading global provider of application security testing solutions, has released new findings that show the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors. Analysis of data collected from 20 million scans across half a million applications revealed these sector-specific findings as part of Veracode’s annual report on the State of Software Security (SOSS).
"Public sector policy makers and leaders recognize that dated technology and vast troves of sensitive data make government applications a prime target for malicious actors. That’s why the White House and Congress are working together to update regulations governing cybersecurity compliance. In the wake of May 2021's Executive Order to improve the nation's cybersecurity and protect federal government networks, the U.S. Office of Management and Budget, Department of Defense and the White House have issued four memos addressing the need to adopt zero trust cybersecurity principles and strengthen the security of the software supply chain. Our research confirms this need.”
Chris Eng, Chief Research Officer at Veracode
No Time to Waste: Fix More Flaws Faster
Veracode’s research found that compared to other industries, the public sector has the highest proportion of applications with security flaws, at 82 percent. When it comes to how quickly organizations fix flaws once detected, the public sector posts the slowest times on average—roughly two times slower than other sectors. The research also revealed that 60 percent of flaws in third-party libraries in the public sector remain unfixed after two years, which is double that of other sectors and lags the cross-industry average by more than 15 months. Finally, with only a 22 percent fix rate overall, the public sector is challenged to keep software supply chain attacks from impacting critical state, local, and educational applications.
Eng continued, “Organizations in this sector must act with urgency. They can improve their secure DevOps practices significantly by using multiple types of scanning—static, dynamic, and software composition analysis—to get a more complete picture of an application’s security, which in turn will help them to improve remediation times, comply with industry regulations, and make the case for increasing application security budgets.”
High Severity Flaws Are Priority One
Demonstrating a positive trend, the public sector ranks highly when it comes to addressing high severity flaws. The research reveals that government entities have made great strides to address high severity flaws, which appear in only 16 percent of applications. In fact, the number of high severity flaws has decreased by 30 percent in the last year alone, suggesting that developers in the sector increasingly recognize the importance of prioritizing flaws that present the greatest risks. This is encouraging and may reflect growing understanding of new software security guidelines, such as those outlined in the U.S. Executive Order on Cybersecurity and the U.K. Government Cyber Security Strategy 2022 – 2030.
Eng closed, "Recognizing that time is of the essence, public sector leaders are beginning to set timelines. For example, in “Moving the US Government Toward Zero Trust Cybersecurity Principles”, Shalanda Young has set a deadline of September 30, 2024 for all US federal agencies to meet specific cybersecurity standards. We think that the progress made against high security flaws is a great starting point and support all public sector agencies who seek to gain better control over their software supply chains."
About the State of Software Security Report
The twelfth volume of Veracode’s annual report on the State of Software Security (SOSS) examines historical trends shaping the software landscape and how security practices are evolving along with those trends. This year’s findings are based on the full historical data available from Veracode services and customers and represent a cross-section of large and mid-sized companies, commercial software suppliers, and open-source projects. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform.
Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities.
HUB Security | December 22, 2021
HUB Security, a secure computing solutions provider, announced it has signed a strategic partnership with global integration and Smart Space IoT leader, Getronics, to offer secure compute protection to hundreds of banks and organizations in the EU, LATAM, and APAC. HUB Security will be Getronics' cyber security partner and its cyber automation platform to enhance current offerings including Secure-by-Design iOT & Smart Spaces, Ransomware & IR, and SOC.
Getronics' clients in 23 countries and in its Global Workspace Alliance will use HUB's confidential computing platform and additional innovative cybersecurity services to receive unparalleled protection.
"With organizations facing increasing cyber challenges, we see great value in partnering with Getronics, a leader in digital transformation and integration,With a global reach and over 3700 experts, both companies can enhance cyber security protection for their clients and partners. "
Eyal Moshe, CEO and co-founder of HUB Security
"The global businesses we help support require the most advanced security platforms to maintain their operations," said Harsha Gowda Siddaveere, CTO Getronics. "HUB Security's offerings will allow our partners and customers a new level of cyber readiness facing new digital challenges in 2022."
"Both parties in this partnership complement and enhance each other's global offering to be cyber resilient and prepared for the future," said Joseph Souren, VP Sales EMEA, Comsec, a HUB Security Group.
About HUB Security
HUB Security was established in 2017 by veterans of the 8200 and 81 elite intelligence units of the Israeli Defense Forces. The company specializes in unique Cyber Security solutions protecting sensitive commercial and government information. The company debuted an advanced encrypted computing solution aimed at preventing hostile intrusions at the hardware level while introducing a novel set of data theft prevention solutions. HUB operates in over 30 countries and provides innovative cybersecurity computing appliances as well as a wide range of cybersecurity professional services worldwide.
Getronics is a global ICT integrator with an extensive history that extends over 130 years. With over 3,700 colleagues across Europe, Asia Pacific, and Latin America, Getronics' vision is to reimagine the digital future, one customer at a time. We do this by leveraging an integrated and secure-by-design portfolio around Digital Workplace, Business Applications, Smart Spaces, Multi-Cloud, Field & Onsite Support, Service Desk, Network Infrastructure, and Security & Compliance to serve our more than 1,800 customers in both public and private sector.
Atakama | February 16, 2022
Atakama, the leading encryption company, has partnered with BigID, the leading data intelligence platform, to provide organizations with an integrated, automated approach to discovering and protecting sensitive and critical data.
The integration of Atakama's file encryption solution with BigID's data discovery and classification ensures that organizations can automate well-defined policies to discover, classify, and protect their data. Together, BigID and Atakama make it easy for customers to accelerate governance, reduce risk, protect their sensitive data with advanced encryption, and achieve continuous data compliance.
BigID enables customers to automatically discover, catalog, and classify all types of data and metadata, structured and unstructured. This includes PII, PHI, NPI, IP, and other sensitive, critical, and regulated data. Once the data has been identified, BigID can label and tag data in accordance with the organization's policies. Atakama can read the labels and immediately encrypt files in whichever location the files are stored. The integration of BigID and Atakama provides a powerful and scalable approach to sensitive data discovery and protection across the entire enterprise.
"BigID together with Atakama provides our customers with a seamless, but multi-faceted approach to data security,This partnership takes data protection to another level and will immediately strengthen an organization's security posture through unmatched visibility and control. We're thrilled to have Atakama be an integral technology partner via the BigID App Marketplace as we continue helping organizations meet their data management and security objectives."
Marc DeGaetano, CRO at BigID
"Partnering with BigID is a natural fit given their industry-leading capabilities across discovery and classification," said Scott Glazer, CRO at Atakama. "The ability to discover and protect sensitive data is the cornerstone of a successful cybersecurity program. We're thrilled to be able to work with BigID to deliver the combined solution to our customers via the BigID App Marketplace, who can trust that their data has been properly identified and securely protected."
BigID's data intelligence platform enables organizations to know their enterprise data and take action for privacy, protection, and perspective. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. BigID has been recognized for its data intelligence innovation as a 2019 World Economic Forum Technology Pioneer, named to the 2021 Forbes Cloud 100, the 2021 Inc 5000 as the #19th fastest growing company and #1 in Security, a Business Insider 2020 AI Startup to Watch, and an RSA Innovation Sandbox winner. Find out more at https://bigid.com.
Atakama is a distributed key management solution that enables granular, file-level encryption without the need for passwords, identity and access controls, centralized servers, or HSMs. Attackers are prevented from accessing any data encrypted by Atakama even when the network or systems are breached. Atakama's distributed architecture has no single point of attack or failure, a security breakthrough that vastly exceeds the status quo for information security. By using Atakama, organizations can prevent file exfiltration, enhance regulatory compliance, secure sensitive information, and enable the cornerstone of a full-fledged zero trust infrastructure.