State of California Data Security Breach Reporting
California Attorney General Confirms Center for Information Security (CIS) Checklists as a Mandated Requirement
California Attorney General Kamala D. Harris recently released a Data Breach Report, delving into the 657 data breaches that have been reported to her office since 2012- the same year that the state of California began requiring businesses and government agencies alike to notify the office of breaches affecting more than 500 California residents.
But most significantly, in the report, the Attorney General recommends the Center for Internet Security’s Critical Security Controls (CIS) as the baseline for implementing ‘reasonable security’ measures under California law. Furthermore, Harris claims that “failure to implement all the CIS Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
But why is this ‘recommendation’ so significant? Let’s not forget- in 2003, California was the first state to enact a state data breach notification law, and since then 47 states and the District of Columbia have followed their lead and passed some sort of data breach notification law to protect its citizens. This leads many to believe it’s rather likely that other states may adopt the California Attorney General’s recommendation to implement the CIS Controls as a baseline for security.
What is the Center for Internet Security?
The Center for Internet Security is a non-profit organization whose goal is to promote cyber security readiness by identifying, developing, and validating best security practices. The Controls are a list of the best protective controls to detect, prevent, respond to, and mitigate damage from cyber-attacks. These controls are continuously updated to stay ahead of the latest threats as well as rapidly advancing technologies.
Why Should Your Organization Implement the CIS Controls?
Gartner reports that 99.999% of breaches in 2015 exploited known configurable vulnerabilities. Implementing a secure policy for all IT systems ensuring that known configuration vulnerabilities are eradicated has to be the first place to start when securing the IT estate. As the Attorney General recommends, the set of 20 Controls are the priority actions that should be taken care of first and foremost in order to provide reasonable security within an organization.
These controls are scalable and are designed to apply to organizations of all sizes. Each CIS Benchmark provides specific guidance for establishing a secure configuration posture for your IT infrastructure, including a detailed description and rationale of potential vulnerabilities together with clear auditing and remediation steps.
While implementing these Controls may not prevent every cyber-attack, they will significantly reduce your organizations risk and the impact commonly associated with falling victim to a breach.
NNT and the Center for Information Security
As one of a handful of CIS Certified Vendors, NNT has access to security configuration benchmarks, software, metrics, and discussion forums where NNT is an essential stakeholder in collaborating on security best practices. NNT has leveraged these best practices and resources in our products to measure and improve the security posture of our customers.
NNT provides a full range of CIS Benchmark reports that can be used to audit enterprise networks and then monitor continuously for any drift from your hardened build standard, to ensure systems stay within compliance 24/7.
Since 2014, NNT Change Tracker has been awarded the CIS Security Software Certification for CIS Security Benchmarks across all Linux and Windows platforms, UNIX and Database Systems, Applications and Web Servers.
Read the full California Data Breach Report here