As technology continues to expand and become more complex (and the more it connects all of our critical data), the need for compliance and regulation will continue to expand right along with it, and as it should! Compliance is meant to be an ally, but without proper management it can quickly become the enemy. While many see compliance as more red tape, the truth is that failure to comply with regulations can lead to expensive fees and fines. Managed Solution can help boost your compliance and help your business get closer to your compliance goal.
What is Compliance & Security Management?
In the IT world, compliance management around governance, risk and compliance is the process of ensuring a company or organization consistently complies with federal and state laws, industry requirements, vendor best practices, cyber insurance policies as well as post-breach protocol when it comes to their technology and data management.
In many ways when someone says “compliance,” what they really mean is documentation… and lots of it. Compliance is a big, complex collection of paperwork and data of all kinds, and compliance management is making sure all of that is organized, and more importantly, up to industry standard.
Why Automate Compliance Management?
Because the world of compliance is so complex (and continues to evolve) it’s critical to make sure your organization has its T’s crossed and I’s dotted. Like it or not, there’s a cost to compliance. BUT, research has shown it’s much more expensive not to follow the mandated industry regulations… in fact, up to 2.71 times more costly. The bottom line: compliance can be a headache, but implementing a consistent, effective solution saves money.
The good news is you don’t have to tackle compliance alone. That’s where Compliance Manager and Managed Solution come into play. Compliance Manager is a cloud-based solution that automates the data gathering and reporting required in order to meet the expectations of internal and external auditors.
It’s a one-stop shop for:
In-product compliance guidance
Automated data collection
Brandable report, worksheet, and auditor checklist generation
Centralized workflow management and task notification
Tracking compliance activity
Key Compliance Manager Features
Compliance Manager is a robust tool that reduces risk by simplifying and streamlining your IT security documentation. More than that, it makes sure everyone on your team is on board and has one easy-to-use platform to store, access and manage their part of the process.
Here are some of the key features:
Customizable Documentation & Processes. Compliance Manager is a role-based solution, meaning you can tailor it to meet your specific IT compliance needs and workflows. So, whether you’ve created your own company-specific standards or need help complying with industry regulations, each report and process can be adjusted accordingly, giving you the flexibility to simultaneously manage multiple compliance standards and information security protocols from one centralized location.
Centralized Management. Because compliance involves many different data points and stakeholders, centralizing the information and access is key to successful management. An automated solution provides self-serve portals for both employees and vendors, allowing you to automate a variety of tasks and collect necessary data and documentation for compliance verification.
Employee-Focused Tracking. Organize employee-specific training courses, assignments, and policy acknowledgements, upload policy documents, and track employee compliance and reporting. All of this is accessible from easy-to-use IT admin dashboards that allow you to view and manage your employees’ compliance requirements and activity quickly and easily.
Vendor Risk Assessment & Tracking. House and manage both permanent employee and vendor details all within a single solution and with the option to provide a unique vendor login, vendor assessments, status tracking, surveys, and more.
Compliance Manager can integrate with IT Glue, VulScan, VSA, and BullPhish, among other separate technologies, for an even greater degree of control and customization.
Automated Reporting. Compliance Manager automatically generates custom plans, procedures, risk analyses, milestone reports, auditor checklists, supporting documents and more, all of which update based on the data and information supplied to the program.
Compliance Templates. As compliance grows, so does Compliance Manager’s compliance template database, meaning you don’t have to start from scratch. Some of the most popular templates to-date include:
HIPAA (all 3 rules)
NIST (CSF & 800-171)
CMMC (Levels 1 & 2)
GDPR (UK & EU)
Leveraging a Managed Solution
A tool alone is not enough to reach compliance. Let Managed Solution’s compliance team help your business through the lengthy process. Our compliance team will ensure progress and work hand in hand with you to integrate Compliance Manager into your existing ecosystem.
Interested in learning more? Schedule a call today and learn how Managed Solution can help boost your compliance and help your business get closer to your compliance goal. Not ready for a direct call? We are hosting a webinar on July 28th; click here to register. Attendees will receive a FREE 30 minute consultation with our vCIO to see if our Compliance as a Service tool can work for you!
Every time a new Windows device is deployed, custom images need to be built, maintained, and applied to make it ready for new users, despite already having a perfectly good operating system installed.
After that, IT department members need to follow up with hours of manual app setups, drivers, policies, settings, etc. All of this, mind you, needs to be done for every repurposed device found in an organization, which implies a lot of time, energy, and resources being spent that could be used elsewhere. This is where Windows AutoPilot comes into play.
What is Windows AutoPilot?
Windows AutoPilot is a collection of technologies specifically created to remove all of the issues mentioned above. Its purpose is to set up and pre-configure new devices and get them ready for use. You can also use the AutoPilot to reset, repurpose, or recover old devices, allowing the IT department to do these tasks with little to no infrastructure.
The AutoPilot tool was designed to simplify the entire lifecycle of Windows devices, going from the initial deployment to the eventual end of the life cycle. In short, using cloud-based services, such as Windows AutoPilot, will help organizations by reducing their overall costs in terms of deployment, management, and even retiring old devices.
This is done primarily by reducing the total time spent on these processes, as well as the amount of infrastructure needed for maintenance, which will not only make life easier for the IT department but also the end-users.
That said, here are the main benefits of using Windows AutoPilot.
No More OS Re-Imaging
Traditionally, IT members had to manually install apps and drivers, manage the infrastructure, and set policies. With AutoPilot, however, all of this is done automatically. With a smart and easy pre-configuration, you will set all of these once, set up an AutoPilot profile in Microsoft Intune, and have all settings applied to all of your Windows devices under that profile.
The Self-Deployment Mode
Windows AutoPilot's Self-Deploying mode takes streamlining one step further by enabling any new Windows 10 device that has been pre-enrolled in the AutoPilot program to be made ready without any additional interaction from the IT department. In other words, your new device will automatically get all of its settings configured the moment you power it on and connect it to the internet.
Stay on Top of Security and Compliance
AutoPilot’s Enrollment Status Page will ensure that your devices are fully configured, secured, and compliant with all requirements before users access them. Your system managers will be able to check the status of each device in real time, allowing them to keep the equipment in the out-of-box experience (OOBE) until all policies and configurations are provisioned. They can then choose which actions users can perform in the event of failures and set up custom messages.
The Windows AutoPilot Reset Feature
Windows Autopilot Reset allows you to prepare devices for re-use by removing personal files, settings, and apps, reapplying the device's original settings. This is done while also maintaining the device's identity connection to Azure AD and its management connection to Intune. The Reset feature takes the device back to a business-ready state, allowing the next user to utilize the device at a moment's notice.
5 Ways to Prepare for California Consumer Privacy Act
With the European Union's General Data Protection Regulation (GDPR) implemented on May 25, 2018, a somewhat similar type of regulation will shortly be introduced in the United States as well. Known as the California Consumer Privacy Act (CCPA), it is expected to come into effect on January 1st, 2020, adding several new regulations regarding consumers' data.
Among these regulations, we can expect things like the right of consumers to know what data about themselves is being collected, the right to deny the sale of that information, and the right to delete that data. They are also entitled to know the commercial purpose of their information and which third parties will have access to it, and to a private right of action when companies breach that data.
For companies to prepare themselves for the upcoming implementation of the CCPA, they need to be aware of the regulations and assess the business risks that may come attached. Below are several ways for your company to prepare for the California Consumer Privacy Act.
One of the many new requirements of the CCPA is that every business dealing with California residents must update its privacy policy so that it includes the residents' rights. You will need to have this ready before the act goes into effect on January 1st, 2020.
Leverage the GDPR
With many similarities between the GDPR and CCPA, such as data subject rights of access, portability, and erasure, companies can leverage their GDPR program now to better prepare themselves for the upcoming CCPA. To do this, you can use Compliance Manager to ensure that you are up to code for both the GDPR and CCPA.
Mapping Your Data and Sources
One critical aspect that needs special consideration is your data inventory. You will need to map every piece of personal information about your customers gathered by either your marketing or sales teams. Once this is complete, you will have to make sure that it's prepared for access, portability, and deletion requests from your clients. You will also need to make sure that your marketing software vendors are able to fulfill these obligations. If not, it would be wise to switch to more privacy-oriented vendors.
Use Encryption to Protect Sensitive Information
The CCPA will impose penalties for data breaches of consumers' personal information. Under both the GDPR and CCPA, encryption is seen as a useful and effective method of protecting such personal information from unauthorized parties in the event of a data breach.
Verify Your Third-Party Data Sources
Companies will also need to reevaluate those from whom they buy customer data. These third parties need to be legitimate; otherwise, you may be subject to hefty fines, since this is considered operating on breached or stolen data.
To comply with the California Consumer Privacy Act, it's best that you find a partner that will help you navigate the path forward. Managed Solution will help ensure that you are in compliance with all the requirements of CCPA. Contact us today!
What Are Some Best Practices for Compliance Management?
Being compliant with all the industry rules and regulations will help your financial or healthcare organization stay on top of the situation and reduce the risk of lost sales, legal fees and fines, damage to brand reputation, and more. This is why compliance management should be a top priority for all IT executives.
It will grant better internal control, allowing you to determine which employees will have access to company data and what they can do with it. Similarly, it will tell them who they can share that data with internally or externally.
Also, by maintaining compliance, you will be taking the necessary security measures to protect yourself, your organization, and your clients from security breaches. But in the healthcare and finance industries, being compliant with all the rules and regulations can be somewhat of a daunting challenge.
With regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), and the future California Consumer Privacy Act (CCPA), just to name several, organizations need some best practices to keep them in line with everything. Here are several examples.
Involve Colleagues and Employees in the Process
Any compliance program, regardless of its thoroughness, will not be effective unless staff members are fully aware of the regulations and the impact they have on your organization. You should make it a company-wide effort to identify any gaps within the program as well as how they should be addressed.
Auditing and Monitoring
To have a successful compliance program, you need to perform internal monitoring and verification regularly. These are essential in identifying and correcting any errors that exist or will occur. An audit may be performed once per year to look at the overall effectiveness of your compliance program. Monitoring the program, on the other hand, should be performed more frequently, such as weekly or monthly, to confirm that everything is working as it should.
Automating Key Tasks and Processes
Wherever possible, tasks and processes need to be automated. Automation is a driving force across all industries as IT teams are striving to bring more agility, quality, and speed to, otherwise, manual tasks. When it comes to regulation compliance, automation will be able to accelerate this delivery significantly.
Microsoft Connected Health Platform (CHP)
The Microsoft Connected Health Platform (CHP) is a tool that provides a host of best practices and guidelines for organizations in the healthcare industry to provide many efficient, flexible, scalable and secure e-health solutions for patient engagement. Based on the principles of the Connected Health Framework (CHF), Microsoft CHP will provide many offerings for optimizing health information and communication technology.
It includes deployment guidance, prescriptive architecture, design, as well as solution accelerators. Tailored specifically for the health environment and Microsoft infrastructure models and tools, the CHP will be able to deliver and manage on-premises or cloud solutions, as part of your compliance management program.
Complying with all the rules and regulations is not something that should be taken lightly. Nevertheless, it's not something that cannot be achieved. Together with Managed Solution, you can make it happen.
Our Shadow IT Assessment allows you to uncover applications and tools installed on your network, and ultimately allows you to discover which of these were intentional versus accidental and authorized versus unauthorized. Our tools allow us to determine if these tools and applications are compliant and take the right next steps based on our findings. Learn more about our assessment.
Being Compliant with Data Privacy Laws
Despite their importance, not everyone knows what data privacy laws are. In short, data privacy laws are all about prohibiting the disclosure or misuse of information of private individuals, and being compliant with data privacy laws is extremely important.
To date, there are over 80 countries that have varying degrees of data security laws in place. Most noteworthy is the European Union's recent enactment of the General Data Protection Regulation (GDPR). The United States, on the other hand, is somewhat notorious for not having a similar, comprehensive set of data privacy laws, but instead, some limited sectoral laws in some areas, based on the Fair Information Practice.
Basic Principles of Data Privacy
Despite the differences that may occur, some basic principles apply everywhere in the US.
There needs to be a stated purpose for all data collected.
The data collected cannot be disclosed to other individuals or organizations unless authorized by law or by consent.
Record keeping should be accurate and up-to-date.
There need to be specific mechanisms that will allow private individuals to review their data to ensure its accuracy.
When the stated purpose is no longer relevant or needed, delete all the collected data.
It is prohibited to send data to places where the same data privacy laws do not apply.
Except for some extreme circumstances, data such as religion or sexual orientation cannot be collected.
Special Conditions for SMEs
SMEs are concerned about whether they are, in fact, protecting their clients' data and whether they are in compliance with data privacy laws. Here are several other conditions and reasons why SMEs are concerned.
Their IT budgets may not be big enough or may be lacking the specialized workforce to implement sophisticated security solutions correctly.
SMEs may be using cloud-based services.
Even if the cloud provider handles the data, the responsibility for securing it still falls on the SME.
What's more, many of these businesses may not even be aware that they use cloud-based services, in which case they still need to comply with these regulations. If you are using Gmail or Outlook.com, you are using the cloud.
All of the requirements presented above will only become more binding and rigorous with time, right alongside the seriousness of the data breaches, themselves.
It is also important to remember that a data breach can cause more damage to a business than the direct value of the loss. First, there are the personnel costs related to the recovery. Then there are post-incident costs such as repairing customer relations and brand image, the investigation, and the many years needed to protect your customers' credit.
The legal costs involved, such as fines, fees, and civil suits should also be mentioned here. Also, let's not forget about the value of lost customers which can quickly send an SME out of business.
Going forward, SMEs need to remember that there are many clearly defined requirements, both legal and financial, for providing adequate protection for their clients' data. As time goes on and digital threats become more and more prevalent, security measures will become more stringent, and providing data security will become another cost of doing business.
If you want to keep yourself up-to-date, please feel free to check out our website. Our IT professionals and engineers have 23 years of combined experience and are more than qualified to find solutions to all of your security concerns. Contact us today to schedule an assessment.
Data Loss and Privacy Laws
In today’s modern interconnected world, it’s almost impossible to work with computers and have an IT department without having to think about data loss and privacy laws. This is due to the large and continually increasing number of cyber-attacks which breach hundreds and thousands of businesses each year.
Any business or company operating today has some form of online presence, be it more visible and global, or more discreet and local. However, no matter the online notoriety your business possesses, online threats and cyber-attacks are always around the corner.
So what exactly are Data Loss and Privacy Laws?
Data loss is something that can happen from both internal and external reasons. Employees can cause internal data loss due to a variety of factors. They may not have saved some files or might have accessed an e-mail and accidentally installed a virus on the company’s IT network.
This can lead to severe data loss. If your company doesn’t have specialized people in charge of managing file backups, your entire business can be in jeopardy. Imagine losing the financial data belonging to some significant clients and not being able to retrieve it (due to the lack of a backup). You may also not be able to tell your customers where their private data even is.
Worst case scenario
Based on today’s online privacy laws, your company can easily be sued. Depending on the importance of the lost data, it could turn into a pretty expensive lawsuit, leaving your company and your company’s reputation tarnished.
How can I prevent Data Loss and be sure to respect Privacy Laws?
Data loss can be prevented by having specialized IT security people handling your entire network. This can be done by creating an entirely new department as part of your IT team. Better yet, you can hire a specialized company that will take care of, and be held responsible for, the safe storage, protection, and backup of your data.
It would help you focus on running your business while being sure that all the sensitive and private data is being taken care of by specialized professionals in the field of IT security, all while following the latest Privacy Laws.
Another way you can safely backup your company’s data and be sure that everything is safe and secured, is by creating a Disaster Recovery Plan. Of course, it is not something any IT specialist can build.
Qualified personnel are needed in case of any cyber-attack that leads to the loss of essential data belonging to your company or private data of your clients. In these situations, contracting an outside company is recommended because of the experience it has gained creating disaster recovery plans for many other companies.
Most affected industries
Industries such as healthcare, biotech, and finance are most likely to be targeted by a cyber-threat, which also makes them the sectors that mostly need a Disaster Recovery Plan. Nobody would like to have their financial or medical data being leaked online, or have their biotech blueprints stolen. It is the worst thing that can happen to a company that handles clients’ data, and it could even lead to losing clients and eventually, the entire business.
If you’re interested in more information about Data Loss and Privacy Laws, be sure to contact our specialized consultants. Here at Managed Solution, we are ready to answer your questions and offer you any additional information you require.
Recent updates for security and compliance include enhancements to Microsoft Defender, eDiscovery, Advanced Data Governance, Advanced Security Management and expanded support for Windows Information Protection. Read on to learn more about these updates.
Enhancements to threat protection visibility and controls
Office 365 Exchange Online Protection (EOP) and Microsoft Defender were designed to keep your organization protected against cyber-attacks while supporting end-user productivity. The Office 365 team continues to enhance both EOP and Defender by offering deeper insights and more flexible controls. This month, we are introducing the following new capabilities:
Threat Protection status report—New reporting for Defender and EOP that adds visibility into malicious emails detected and blocked for your organization. This supplements the recently introduced reports in the Security & Compliance Center for Defender Safe Attachments.
Enhanced quarantine capabilities—Now all emails classified as malware from both EOP and Defender are quarantined. This builds upon the existing quarantine experience by allowing administrators to review and delete emails from quarantine.
New Defender Safe Links Policy features—Four new features build upon the Safe Link policies.
Per-tenant block list—Provides the administrator the ability to block specific URLs.
Email wildcarding for domains and handles—Enables you to save time by writing partial domain/handle names.
Split Safe Links policies—Allows Safe Links policies to be customized for specific user lists in the organization, including groups, individuals and divisions.
Expanded character limit for URLs—Enables blocking/allowing URLs with longer character lengths.
Additional details on these new features can be found in the Microsoft Tech Community, as well as on the EOP and Defender product pages. EOP is offered across our enterprise E1, E3 and E5 suites. Defender is offered as both a standalone SKU or as part of E5.
New features streamline your compliance process using Office 365
Businesses around the world must be able to keep and protect important information and quickly find what’s relevant to continue to meet legal, business and regulatory compliance requirements. At Microsoft, we know how demanding and complex compliance can be and have recently released several new eDiscovery and Data Governance features in Office 365 to support your compliance needs. These features include:
Optical character recognition in Advanced eDiscovery—Extracts text from image files or objects within the files, significantly reducing the amount of manual remediation work required to analyze image files.
Rights management (RMS) decryption in Office 365 eDiscovery—Automatically decrypts RMS-encrypted email messages at export time when you choose the MSG Export option.
Unified case management—Provides a consistent user interface spanning the eDiscovery capabilities in Office 365, from core to advanced, which helps to reduce potential human errors by streamlining eDiscovery case definition and eliminating several steps in the process.
Visit the Microsoft Tech Community for more details about the new eDiscovery features. Unified case management and RMS decryption are included with Office 365 E3. Optical character recognition is included with Advanced eDiscovery in E5.
Announcing general availability of Supervision capabilities in Office 365 Advanced Data Governance
Many organizations have the need to perform supervision of employee communications. This need stems from internal security and compliance guidelines, or from regulatory bodies such as the Financial Industry Regulatory Authority (FINRA). In both cases, failure to have a demonstrable supervision process in place could potentially expose organizations to liability or severe penalties.
To address this need, we’ve released the new Supervision feature in Office 365 Advanced Data Governance. Supervision covers not only email communications, but also third-party communications streams, such as Facebook, Twitter, Bloomberg and many more. Visit the Microsoft Tech Community for more details about the general availability of Supervision.
Supervision is part of Office 365 Advanced Data Governance, which is available as part of Office 365 E5 or the Office 365 Advanced Compliance SKU.
Windows Information Protection now supports Office desktop applications
In August, we announced our support of Windows Information Protection (WIP) for Office mobile apps on Windows tablets and phones, to help prevent accidental business data leaks while letting users maintain control over their personal data by designating content as “work” or “personal.” We’re pleased to announce we have expanded support for WIP to include the Office 365 ProPlus desktop versions of Word, Excel, PowerPoint, Outlook, OneNote and Skype for Business. This will help provide more comprehensive protection of your business data on Windows 10 devices. To read more about WIP, check out our Microsoft Tech Community blog.
SIEM connector—now available for Office 365 Advanced Security Management
A year ago, we announced a way for you to get greater visibility and control over Office 365 with Advanced Security Management (ASM). Since then, we have added new features to help you better determine shadow IT activity. We also enhanced control over third-party apps connected to Office 365. After these updates, we started hearing that some of you were looking for a way to export alerts to other systems that are integrated into your existing workflows. Today, we are releasing a solution that supports centralized monitoring of ASM alerts with your security information and event management (SIEM) software. Integrating with a SIEM allows you to better protect Office 365 while maintaining your organization’s security workflow, automate your security procedures, and correlate your cloud-based and on-premises events.
We are pleased to announce the addition of Azure Resource Manager, Automation, Azure Batch, Log Analytics, Azure Media Services, Policy Administration Service/RBAC, Redis Cache, and Scheduler to certification scope in Microsoft Azure Government.
Each of these service offerings has received Joint Authorization Board (JAB) approval for addition to Azure Government’s P-ATO at the High Impact Level. With the addition of these eight offerings, the total number of Azure Government offerings that meet the FedRAMP High baseline grows to 26 services; 20 more services than AWS GovCloud.
These services may be used by Federal, DoD and state and local government customers and partners building solutions on Azure Government who are required to meet rigorous compliance standards such as FedRAMP High, DISA L4, CJIS, ITAR, and IRS 1075. The Azure Blueprint program is designed to facilitate the secure and compliant use of these and other Azure Government service offerings by providing solution accelerators and guidance concerning customer security responsibilities when architecting solutions in Azure.
About these services
Azure Resource Manager – Azure Resource Manager (ARM) enables you to repeatedly deploy your app and have confidence your resources are deployed in a consistent state. You define the infrastructure and dependencies for your app in a single declarative template. This template is flexible enough to use for all of your environments, such as test, staging or production.
You put resources with a common lifecycle into a resource group that can be deployed or deleted in a single action. You can see which resources are linked by a dependency. You can apply tags to resources to categorize them for management tasks such as billing, and you can control who in the organization can perform actions on the resources by defining roles for users and groups. ARM logs all user actions so you can audit them.
Automation – Azure Automation uses Windows PowerShell scripts and workflows, known as runbooks, to handle the creation, deployment, monitoring, and maintenance of Azure resources and third-party applications. Automation runbooks work with Web Apps in Azure App Service, Azure Virtual Machines (Windows or Linux), Azure Storage, Azure SQL Database, and any service that offers public Internet APIs.
Azure Batch – Azure Batch makes it easy to run large-scale parallel and high-performance computing (HPC) workloads in Azure. Use Batch to scale out parallel workloads, manage the execution of tasks in a queue, and cloud-enable applications to offload compute jobs to the cloud.
Log Analytics – Log Analytics is a service in Operations Management Suite that helps you collect and analyze data generated by resources in your cloud and on-premises environments. It gives you real-time insights using integrated search and custom dashboards to readily analyze millions of records across all of your workloads and servers, regardless of their physical location.
Azure Media Services – Azure Media Services offers broadcast-quality video streaming services to reach larger audiences on today’s most popular mobile devices. With features that enhance accessibility, distribution, and scalability, Media Services makes it easy and cost-effective to stream and protect your content to audiences both local and worldwide.
Policy Administration Service/RBAC – Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs.
Redis Cache – Based on the popular open source Redis cache—Redis Cache gives you access to a secure, dedicated cache for your Azure application usage. It leverages the low-latency, high-throughput capabilities of the Redis engine. This separate, distributed cache layer allows your data tier to scale independently for more efficient use of compute resources in your application layer.
Scheduler – Azure Scheduler lets you invoke actions that call HTTP/S endpoints or post messages to a storage queue on any schedule. You can use Scheduler to create jobs that reliably call services either inside or outside of Azure and run those jobs on demand, on a regular or irregular schedule, or at a future date.
Azure is dedicated to expanding the number of offerings available to government customers and will continue to provide updates through our blog as well as adding covered offerings to the Microsoft Trust Center.