Klever Compliance


IT Services and IT Consulting

Westlake Village, CA · 1,140 followers

Compliance Mgmt as a Service - Corporate GRC Training - All regulations, frameworks, industries & maturities welcome!

About

Klever Compliance specializes in establishing GRC COEs - Governance, Risk & Compliance Centers of Excellence. Our differentiator is that we don't scare clients into using "proprietary (aka: many thousands of rows)" ethereally written vague nebulous controls that have nothing to do with actual functional operations. These checkbox compliance approaches have left our industry significantly less secure and losing data at an exponential rate, while wasting millions upon millions. Achieving a GRC COE depends on where you are, and there's no right or wrong answer. Potentially it's starting with Vendor Management/TPRM or Risk Management. Maybe it's doing a documentation assessment and aligning controls to those influences (regulations &/or frameworks) that your company has to abide by. Perhaps your motivator is getting ready for an audit cycle, certification cycle, or getting cyber insurance. Hopefully, it's not because of an unfortunate event which involved three/four letter agencies, business downtime, monetary demands and lots of mop up. Whatever the situation is, we are happy to perform a discovery and make recommendations. Give us an opportunity to provide an alternate approach to how you GRC today. You will not be disappointed.

Website
https://www.klevercompliance.com/
Industry
IT Services and IT Consulting
Company size
11-50 employees
Headquarters
Westlake Village, CA
Type
Privately Held
Founded
2018
Specialties
GRC, Compliance Management as a Service, Audit Readiness, Certification Readiness, Cyber Insurance Readiness, Risk Management, Vendor Management, Consumer Privacy, HIPAA, GLBA, SOX, ISOx, PCI, FFIEC, ITSM, NIST, Tool Agnostic, Corporate GRC Training, Accepting New Clients, and Saving Clients Money

Updates

  • Admit it. That binder of documents is sitting on top of some shelf collecting dust. Or maybe the documents are in some random folder on some drive you haven't accessed in years. And what's with signing off on all of those useless documents anyways?! Most people have no idea why they have to do this once a year. Most companies don't like to force their folks to sign it once a year either. What we know of this formality lines up with checkbox compliance, but there's [...]. Our published documents are supposed to be helpful enablers for us to do our jobs better. They're to provide guidance for how our operations function. Instead they're full of vague, ethereal, and nebulous words that are [...]. Someone, decades ago, thought that if non-specific words are used (occasionally, periodically, frequently, sometimes...) then the [...]. Now we're all suffering for this by not leveraging published documents as the incredibly useful tools that they're actually supposed to be, which is the [...]. Here are some tips if you're able to focus on this critical area... 1. [...]. Are you #patching monthly? Use the word "monthly", not "occasionally". Do you fully #backup weekly? Use the word "weekly", not "periodically". Do you practice #incremental or #differential backup on a daily basis? Use the word "daily", not "frequently" or "sometimes". These are auditable statements you're already doing! Get credit for them and move onto the next! You're also providing instructions for [...] by letting them know when these things need to happen. Not only do subjective words [...], they also make it impossible to [...] in the future. 2. Always align the controls in your document to the regulations & frameworks that influence your operations by detailing out the [...] in a lower section of your document. 3. [...] by giving it [...], to include escalation & exception handling protocols. We are your #CMaaS (Compliance Management as a Service) leader - contact us today to achieve a [...]. How much are the documents in your company leveraged for daily operations? Be real. #GRC #Documents #ControlAlignment #ComplianceProgram #RiskManagement #LMS #SecurityAwareness #KleverCompliance

  • Leverage [...] to baseline your GRC Program. If you have event identification, response management, or automation tools (#scanning, #PatchManagement, #SIEM, #XDR or #SOAR) these can actually generate evidence as part of governance oversight of your #IncidentManagement program. Even if you outsource any of these functions it's important to show how the vendor is lining up to regulations and frameworks that satisfy governance requirements. There are a few short steps to execute on this: 1. Understand the influences for your [...] considering industry, maturity and size. 2. Identify what applies to you specifically using [...] methodology. You do *NOT* have to adhere to the many-thousand row spreadsheets [...]. This generates eons of unnecessary busywork & spin. Focus on what you're #accomplishing already. Define #targets. It's even ok to exclude controls irrelevant to you. 3. Failed controls generate risk registry items. These risk items will actually align to [...], so you can focus on fixing real problems in your company. These may become more important than ethereal risk statements about something that may or may not happen. 4. [...] over time makes audit readiness, or certification readiness, or cyber insurance readiness, so so so much #easier! How easy is it for you to connect GRC to your actual operations? We are your #CMaaS (Compliance Management as a Service) leader - contact us today to achieve a [...]. #GRCProgram #GRCFlowOfWork #Control #AuditReadiness #CyberInsurance #ITOperations #ITTools #SecurityControls #CyberSecurity #KleverCompliance

  • Let's meet in the middle: Board members don't always know what to ask when it comes to GRC & the [...] don't always have the whole picture to report on due to the silo'd environments at our companies. Here are a few recommendations on how to close the gap. GRC's purpose goes beyond just cyber security or just IT. GRC Programs are to be reflective of the entirety of the company operations and should also include real measurable controls within the #HR, #Finance and #Legal groups. 1. Always start with defining [...]. Remember how the foot bone is connected to the leg bone and the leg bone is connected to the knee bone..... 2. [...] for measuring controls that are actually reflective of true operations, not ethereal controls. Don't get stuck in checkbox compliance madness that never ever ends (sometimes, by design). 3. Failed [...] controls generate #risk items and make it easier to understand what your operational risk is, compared to ethereal risk statements. 4. Start reporting on the [...] areas you're able to #measure. Identify target controls and measurements for the future and start measuring the progress towards those. 5. Make a habit of tying to the business & reporting on the [...] of the program regularly, [...]. What are some of the areas that you track and measure at your company? #RiskManagement #GRCprogram #BoardReporting #Maturity #RealMeasurement #KleverCompliance

  • Poor access controls account for an exorbitant amount of breaches. Do you know how many unique users you have [...]? Customized levels of access are unnecessarily burdensome and create unseen security vulnerabilities. Here are some quick things that you can immediately do to strengthen your posture: 1. Think RBAC: Role Based Access Control. Give workers access based on their functions, department, title or role. [...]. 2. Elevated privileges always [...] - This becomes easier to track when roles are standardized (see RBAC, above). The more admin users you have, the larger your attack surface is, opening you up for greater vulnerabilities and making attacks more impactful. Ask for a listing of administrative-level [...] today, and start asking "WHY does this person have elevated permissions?" Pinky promise you'll be surprised. 3. It's not just logical access, don't forget about physical access, or system:system access (APIs). This latter area is one of the riskiest in our industry. Most APIs are [...] and [...] do not occur regularly. Calendar these in proactively. 4. Leverage Data Classification, Data Mapping, and good Vendor Management principles for all of this. If you don't know which data is where it's impossible to manage access appropriately across the company (not just infrastructure). What are some good access management practices that you follow? #AccessManagement #IAM #RBAC #RoleBasedAccess #Admin #PrivilegedUser #LogicalAccess #APIs #PhysicalAccess #Vulnerabilities #AttackSurface #GRC #Breach #UniqueUsers #KleverCompliance

  • Addressing liability related to cyber governance risk and compliance, especially for small- & mid-tier companies, is so important! The risk may be more than the business can sustain should an unfortunate event occur. Here are some pointers for having that conversation: 1. Get a handle on what the [...] would be. Seeing business come to a screeching halt as a result of the recent LA wildfires resurfaced the criticality for BC/DR. The document you thought was in place, usually wasn't. [...]. 2. Study your cyber insurance policy. Remember [...]. If that questionnaire was answered only to provide a "YES" opposed to validating an actual control in your environment, there's a good chance your claim may get declined. 3. Know the data your #vendors are processing, storing, or transporting (#NIST v2). Understand the [...] if they lose/breach it themselves, or at their downstream vendor. Tighten your Vendor Mgmt Program. 4. Never forget Data Classification & Data Mapping to really understand where your golden egg data is. Data loss can be [...]. What are some tips you would provide as part of this conversation? #VendorManagement #Liability #BusinessContinuity #DisasterRecovery #DataClassification #DataMapping #DataLoss #GRC #KleverCompliance

  • Challenge for today. Take a guess at how many hours are spent on "#GRC Stuff" as part of your operations. Document updates. Checking regulations & frameworks for updates that may relate to you. Controls execution. Evidence gathering. Audit readiness. Take the lowballed hours per week/month/year & multiply per a low all-in rate. It should surprise you! Now, add how much you're spending on that silver bullet unicorn GRC tool that isn't doing much more than introducing [...] to the point of you wanting to go back to #spreadsheets. 1. Most importantly, remember that *NOT* every nebulously written vague control on those long 10,000+ row spreadsheets will apply to your company - This is where [...] the controls that apply to your company becomes a critical step. 2. When you [...] those thousands of rows and focus on the areas that you're doing now, you save money on spinning unnecessarily on ethereally written controls that don't apply to you. Use [...]. There are exceptions for some use cases, like needing to adhere to all 110 Level 2 NIST 800-171 controls for #CMMC. 3. Baseline [...] and honestly count up how many human hours go into the activities associated to your GRC program, then add the platform costs. How do you rationalize excessive human costs that go into GRC controls which do not apply to your actual operations? #GRC #Controls #GRCTools #GRCCosts #ComplianceCosts #AppropriateControls #SaveMoney #SaveTime #KleverCompliance

  • Know exactly what your cyber insurance policy covers before you think it will make you whole again after an event. If you're considering getting a policy, be careful with how you answer the [...] questionnaire. We receive complaints of outright declines or fractional payments frequently - Do yourself a favor and understand [...] before you actually need to file a claim. 1. Most importantly, be honest with how that #questionnaire is answered. The dept working on the policy usually forwards the questionnaire to the IT dept with the instructions of "make sure this all says *YES*". The IT dept follows directions, but when an unfortunate event happens, proof for those *YES* answers can't be provided, so the claim is [...]. 2. Establish, enforce & focus on proactive measures like continuous monitoring, worker training, and regular security audits to minimize risks. Cyber insurance is just one part of a comprehensive #cybersecurity strategy and is *NOT* to be used to compensate for your lack of GRC adoption! 3. Once you have your policy, read it. Really read it. Some common exclusions include your data you've passed onto your vendors. Vendor leaks are one of the leading [...]. If dealing with a [...], be prepared to show how well/frequently your workers are trained. How do you supplement your operations with your cyber insurance policy? #CyberInsurance #VendorManagement #TPRM #RiskManagement #Coverage #SecurityAwareness #DataBreach #GRC #KleverCompliance

  • Start classifying your data today & stop doing silly things like encrypting publicly available data! The more data you hoard, the less secure you are, so "we keep everything" is not good business practice. Here are some tips on how to start classifying your data, because we've lost the art of data classification in our unnecessarily excessively large data sets to the point where we don't even know what data we have. 1. Data needs to be [...], so make sure your documentation describes how this occurs. Start with exploring your own data and lining it up to regulations & frameworks such as #PCI or #HIPAA or #SOX or #NIST. 2. Detail [...] for that data - Align to business functions and flag the most important data. This is important for the success of various downstream competency areas such as #incidentmanagement, #riskmanagement, #changemanagement, and so on. Don't forget consumer #privacy right request fulfillment! 3. Specify [...]! It's likely that the most important data requires stringent #storage, #backup & #destruction principles. When you identify and align your practices with your *golden egg* then the #protection & #retention practices can be more easily aligned to support #purposefulness & #minimization. What's your approach to classifying your data? #dataclassification #GRC #KleverCompliance

  • Don't be afraid to have a serious discussion about [...]. Although we absolutely adore them, are grateful for them, and really don't want to anger them with our questions - They are one of the [...] we have, if not managed correctly. Keep #NISTv2 in mind & be able to confidently satisfy these three controls not only in your own organization via data mapping, but also show how these controls are being satisfied at your vendors: PR.DS-01 (storage/at rest), PR.DS-02 (transport/in transit), PR.DS-10 (processing/in use). Know if *your* first-line vendor is leveraging *other* vendors to store, process, or transport *your* data. This is one of the most important conversations to have. Demand clear answers and know that - even if you get a #SOC2 from your first-line vendor - their subservice organizations (vendors!) will be excluded from that report! Perform your data mapping exercise to include all vendors! Some other highlights to demand are... [...] breach notification [...] that specify hours or days, to include your vendor's vendor (& etcetera vendor) breaches. Exact detail of where physically (US? EU?) your data resides; this may be important based on your business. Request that vendors providing insurance, healthcare, or financial services [...] from their marketing efforts. Include [...] for the duration of the engagement. Do you know how your data is being handled at your vendors? #VendorManagement #RiskManagement #GRC #BreachNotification #DataHandling #VendorsVendors #TierNVendor #KleverCompliance

  • Don't be [...] when it comes to an AI Policy. When you don't provide guidance to your workers it's a free-for-all. Unfortunately, recommended AI usage protocols still haven't made it into [...] - so in the meantime, provide your own workers parameters for acceptable use. 1. Make sure your Data Classification & Data Mapping aligns to the policy/processes/procedures being written. This reinforces a definition for what exactly your most important data is (financial data? customer data? personally identifiable/health information?). 2. Specify what is allowed, and what is not allowed, to enter into AI platforms, with a focus on expected data handling for your most important data, supplemented by clear instructions of what is never allowed. 3. In-house platforms must have strong [...] and well detailed behavioral descriptors & disclosures for learning and algorithms. 4. Make sure that the technical team knows how to identify & block malicious extensions/activity. There are some known extensions out there that are actually siphoning personally identifiable information right now. It's important to protect & manage company owned assets from these threats. Tell us what your AI Policies contain ... if you have them! #AIPolicy #AIUsage #AI #AISecurity #DataClassification #PII #PHI #SPI #ClientData #PerimeterControls #GRC #KleverCompliance

