Critical Fault的动态

A little late, but here's the next #cmmc entry for level 2: https://lnkd.in/gKpkbpBp This one was a bit more difficult to decide what to write, as I did not want it to be a long boring read. There are almost 100 additional requirements above level 1, so I just tried to give some highlights by sections. Level 2 is where you start seeing more technical requirements that will be much more likely to start requiring outside assistance, but it also will likely greatly enhance most company's security postures.

Ask the CCP: GROUP B There is a current period for public comment on the 48 rule which ends on 15 October. That means that it only will take as long as it takes for the DoD rule editors to respond and update. That could possibly put things in motion as soon as the end of October. Previous episodes Have described that there are Groups or that there are domains/families that should be considered together or at least closely. This is a topic discussed in the CMMC curriculum; that curriculum has a suggestion of groups. However, I have a much better arrangements of domains/families into groups: A.??Cybers Security Oversight and Management B.??Identification And Access Management IAM ·???????AC-Access Control [3.1] ·???????IA-Identification and Authentication [3.5] This group is comprised of Access Control and Identity and Authentication domain families. Here, They are combined under the group title of Identification and Access Management or IAM. You may consider this grouping Because there is a lot of overlap between creating accounts, Managing lists of users, and so forth, as well as all of the mechanisms including identities and identifiers, Multi factor authentication (MFA) and so forth. So, there is a lot of overlap between the two families from 800-171. It Is possible that you may consider Also incorporating Personnel Security here Because you’re dealing with persons for the most part. But I will discuss that in following posts. The groups align closely with as the departments or role and responsible for that topic. More GROUPS to follow . . . #CMMCv2 ?#controls #groups #cmmc-domains #Access #Identity I Prepare and Evaluate Organizational Readiness for CMMCv2. So if you have any questions. . . . Since I am both CCP and Certified Instructor, I am a CUI expert Or at least I know where to find the specifications and details :0 Tap Me/DM here on LinkedIn or email

Embrace the use of ready-made responses when handling incidents. Pre-established response plans can save valuable time and effort during a crisis. ? By relying on proven and tested procedures, your team can respond swiftly and efficiently, minimizing the impact of incidents and ensuring a consistent approach to resolving security breaches. >> https://lnkd.in/gZgNiuAq #SecurityIncidentManagementProgram #SecurityAwareness #SecurityProgram #IncidentResponse #IncidentManagement

Microsoft Security Exposure Management is the new product we've been working on. The birth of a new product is an exciting moment. A moment to reflect on a journey from vision to customers. We just went public! Details in the comment. #msem #exposuremanagement #microsoftsecurity

?? We are excited to announce the addition of three crucial factors to our prioritization process in Microsoft Defender Vulnerability Management, aimed at improving accuracy and efficiency. These factors include: ??Information about critical assets (defined in Microsoft Security Exposure Management) ??Information about internet-facing device ??Exploit Prediction Scoring System (EPSS) score #mdvm #vulnerabilitymanagement #vulnerabilitypriorization #microsoftsecurity

Preparing for a SOC 2 audit can be daunting, but it doesn't have to be. This detailed guide breaks down everything you need to know to get your MSP is ready. From understanding the criteria to actionable steps for compliance, this should be your go-to resource for audit success ?? https://lnkd.in/gpeSKA-H #Compliance #Security

A question of compliance semantics: what is the practical difference between a "vulnerability in an organizational system" and a "system flaw"? #NIST SP #800-171 control 3.11.2 states that we must "scan for vulnerabilities in organizational systems..." and control 3.11.3 goes on to require the remediation of those vulnerabilities. Control 3.14.1 requires us to "identify, report, and correct system flaws..." Expansion of 3.14.1 includes this: "Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws..." Expansion of 3.11.2 includes this: "Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms." NIST's definition of a flaw is an "imperfection or defect." Their definition of a vulnerability is a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." Domain 11 in NIST SP 800-171 is about risk, and domain 14 is about integrity. So, my interpretation about the difference between a vulnerability and a flaw in this context is: -A vulnerability happens when the organization fails to maintain their own information system environment in a secure state, such as leaving ports open, not patching, etc. The onus is on the organization. -A system flaw happens when a misconfiguration or error is introduced into the organization's environment through the use of a vendor's / third-party's product, through which the organization must rely on that vendor for a remediation (or cease to use the product). Onus is on the vendor. Thoughts? #infosec #cmmc #riskmanagement #vulnerabilitymanagement #compliance

DORA's obligations for IT service providers set a high bar. The expectations require a significant and ongoing effort. This is no longer a check-box security questionnaire... Check out our article for more details https://lnkd.in/eCRwMYAd

Scrambling to understand SOC 2 requirements? ?? Our complete guide breaks down everything from Trust Service Criteria to audit readiness, so you can get compliant without the stress. Start here ?? https://lnkd.in/dQEHw6Bg #SOC2Compliance #CybersecurityAwarenessMonth

My favourite feature again... Custom Registers Breaches and security incidents happen. The Wizard Platform with it's amazing no-code Register Builder (well done to the development team!) can help with mitigation and respose. You build the registers in the style your organisation needs, so that incidents can be recorded and responses can be automated If you’re looking for a solution that fits seamlessly into your existing tech stack, look no further. DM me or visit 3be.global/contact to see how Wizard can support your compliance strategy. #IncidentResponse #ComplianceTech #ITLeadership #DevCommunity