Be safe, well organized, and insurable.
We get it, compliance and regulation can be a complex and challenging task to undertake. There are over 30 regulatory standards now and the number just keeps growing! How do you even know which standard you should follow? Who’s enforcing these standards and what does it mean to be compliant? Why should you even care about compliance or regulation in the first place? By understanding the benefits, you'll understand why it's worth the effort. With a portfolio of clients in the healthcare, financial, and government sectors, Umbrella has the tools and experience to guide you on your compliance journey. Let us help you achieve compliance with confidence.
Technical controls are everywhere. The three main categories are: Physical, Procedural, and Technical. We review all aspects of the business to validate whether or not controls within these three categories align with the standards set by regulatory bodies, and provide guidance on the most important and impactful aspects. As we work through the review, we document everything and either create your first WISP or update it from last year. See the next section for what a WISP is.
As we review technical controls, we create a Written Information Security Plan document (WISP, otherwise known as an SSP, or Systems Security Plan; we will refer to it as the WISP, but the terms are synonymous). The WISP contains all of the technical, procedural, and physical controls, including assets, contacts, vendors, and much more. This document serves as the “current status” of the organization and is updated at least once a year, or whenever certain technical aspects or standards of the organization change. Some of the most important procedures in a WISP include:
Incident Response Plan
Disaster Recovery Plan
Risk Assessments
Lists of Vendors, Partners and Assets
There will always be items which come up that need to be addressed by either company leadership, technical staff, or C-Level decision makers. Umbrella can help with all of it, including running projects to implement desired technical controls, or even help advise in making critical business decisions.
As your IT company, we cannot be an independent validating source. However, as we prepare you for and guide you on this compliance journey, we bring in a trusted third-party to validate our results and verify all procedures. You are more than welcome to bring in your own auditing team at any time as well!
Because we work closely with our third-party validation company and do a lot of business with them, we have options and packages to minimize costs and perform assessments more frequently than once a year. Contact us to learn more about the auditing and assessment process.
Congratulations on completing your first compliance review and assessment! If you also completed any major projects to implement controls, even better! You should now have a great outlook on how this process works and a lot of pride for what you and your staff can achieve. Security is a mindset, and this process gives us milestones and achievable goals to meet. Next year, we’ll review any changes to the WISP, set a target on new controls to implement, and run another assessment to validate the results. The journey continues!
We understand that not every small business has the resources to hire dedicated C-suite IT expertise, and we offer 45 years of combined experience in IT advisory roles. Through our tailor-made vCIO offering, we provide the expertise to align your technology with your business goals. From crafting strategic IT roadmaps and managing short- and long-term budgets to implementing cutting-edge technology solutions, Umbrella IT Solutions helps streamline your IT program so that you can focus on core business objectives.
Outsourcing your cybersecurity needs to a VCSO service offers a myriad of benefits. With seasoned professionals at the helm, you gain access to comprehensive risk assessment, proactive threat detection, and swift incident response, all tailored to your specific business requirements. This means you can enjoy the peace of mind that comes from knowing your digital assets are fortified against evolving cyber threats. At the same time, you can free up internal resources to focus on core business objectives. Embrace the power of outsourcing and elevate your cybersecurity posture to new heights with our trusted VCSO service.
It may become harder to gain insurance due to lack of competition in the space and market limitations. For example, it’s more difficult right now as a Florida business, homeowner, or even the hobbyist airplane industry.
When insurance providers pull out of the industry or the competition is tight, insurance companies can be much pickier with their policy holders. Being compliant ensures you have the best chances to secure a policy.
When you apply for cyber insurance showing that your organization uses modern security controls and has a Written Information Security Plan (WISP), carriers will offer the lowest rates possible.
There is a difference between checking 'yes' on the self-assessment questionnaire for "Are all your endpoints secured with anti-virus?" and providing a document listing each endpoint under your management with the exact version of protection it has installed. Having a living and breathing WISP, loads of documentation, supporting evidence, and documented procedures for various scenarios makes all the difference.
When everything is documented in the WISP, it’s difficult to deny a claim when a policy was written based on all the evidence provided.
Most common reasons for claims getting denied:
Failure to provide evidence
Absence of an incident response plan and practice
Insufficient security on endpoints
Inadequate security on vendors
Lack of education and awareness (Not just phishing)
Carriers are looking more and more at their policyholders' knowledge of controls and documentation.
Having well-documented security controls and a WISP (Written Information Security Plan) allows us to provide evidence instead of just submitting yes or no answers on cyber insurance self-assessments. Attaching evidence for every single question, submitting a list of devices, backup data, etc. nets us the best possible outcomes with cyber insurance underwriters.
Insurance companies and other entities are suing their policyholders and vendors for non-compliance. In case of an incident, some carriers are not just denying the claim but actually pressing charges against the insured because of fraudulent, misrepresented, or falsified applications. Vendors may sue for damages due to negligence or misrepresentation in case of an incident that indirectly affects them.
When you implement technical controls, the WISP is used to document and retain all evidence of that control, remediation, or rule set. The WISP contains all the technical proof that everything is as it should be, and the journey is ever-evolving.
More businesses are starting to make decisions on who to work with based solely on Insurance and Compliance regulations. Would you ever hire a roofer for a major project without verifying their business liability insurance, OSHA compliance and reputation? More and more companies today want to verify that their partners have Cyber insurance before doing business with them, especially when sharing private and confidential information with them.
Businesses are more likely to trust you when you show that you comply with regulation standards. When you can present evidence of regulatory compliance, third-party assessment results, and have documented processes, it shows that your business is worthy of trust with private, personal and confidential information.
Meeting multiple regulatory compliance standards is not something that is taken lightly and is certainly no small feat! It’s like giving your business multiple prestigious degrees and accreditations. Not all organizations you encounter may recognize what these are, or even care about them, but those that do will be exactly the ones you want to work with, because they can sense the value and care you place in your company. It’s likely that they hold their own company to the same standard as well!
Sales: 904-930-4261
Copyright © 2024. Umbrella IT Group. All rights reserved.