Managed Continuous Compliance
BMCC - Bitstream Managed Continuous Compliance
Bitstream Managed Continuous Compliance is a fully-managed set of tools and procedures used to continuously monitor the state of an IT environment against the specifications of a required security standard, and to store an auditable archive of all changes made to the environment, from which reports may be generated.
Our Managed Continuous Compliance service uses automated systems to perform the following ongoing analysis of client IT assets and information systems:
- IT Asset Patch Monitoring - monitors the patch state of IT assets such as computers, servers, and mobile devices, and creates alerts for out-of-compliance assets; results are stored in a database
- Change Management - monitors and keeps a historical archive of changes made to the configuration of information systems: a database of exactly what changed and when. This database is kept offsite from the client environment and in a distinct security context, so that someone who gains control of the client environment cannot also rewrite the record of what they changed
- User Rights Assessment - performs access reviews of Active Directory and Microsoft 365 to document who has access to which resources
- Reporting - generates reports for all of the above, which may be submitted to insurers or regulatory agencies as evidence of compliance
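The kind of check and archive the first two items describe, shown as an added illustration that is not Bitstream's tooling: it evaluates a constructed asset inventory against an assumed 30-day patch policy, keeps configuration changes in a hash-chained append-only archive so that editing or deleting history is detectable, and assembles the evidence a report would carry. The asset names, dates, the `MAX_PATCH_AGE_DAYS` threshold and the `patch_findings`, `ChangeArchive` and `compliance_report` names are all assumptions for the example.

```python
# Added example (not Bitstream's code): a minimal continuous-compliance check
# over a constructed asset inventory, plus a hash-chained change archive.
# The policy threshold, asset names, dates and function names are assumptions.
import hashlib
import json
from datetime import date, timedelta

MAX_PATCH_AGE_DAYS = 30  # assumed policy: out of compliance after 30 days without patching
AS_OF = date(2022, 12, 9)  # assumed evaluation date for the demo run

# Constructed inventory: "last_patched" is the date the last patch cycle completed.
INVENTORY = [
    {"asset": "ws-finance-01", "type": "workstation", "last_patched": "2022-11-20"},
    {"asset": "srv-ad-01", "type": "server", "last_patched": "2022-10-01"},
    {"asset": "mob-sales-07", "type": "mobile", "last_patched": "2022-12-05"},
]


def patch_findings(inventory, as_of, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return the names of assets whose last patch is older than the policy allows."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [
        a["asset"] for a in inventory
        if date.fromisoformat(a["last_patched"]) < cutoff
    ]


class ChangeArchive:
    """Append-only, hash-chained record of configuration changes.

    Every entry commits to the SHA-256 of the previous entry, so editing or
    deleting an earlier record invalidates every later hash and verify() fails.
    The chain makes tampering detectable, not impossible: whoever can write the
    archive can regenerate the whole chain, which is why the archive belongs
    offsite, under credentials the client environment does not hold.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when, actor, system, change):
        """Append one change record linked to the current chain head; return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"when": when, "actor": actor, "system": system, "change": change, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain from the genesis value; False on any break."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def compliance_report(inventory, archive, as_of):
    """Assemble the evidence an auditor or insurer would ask for."""
    return {
        "as_of": as_of.isoformat(),
        "assets_checked": len(inventory),
        "out_of_compliance": patch_findings(inventory, as_of),
        "changes_recorded": len(archive.entries),
        "archive_intact": archive.verify(),
        "archive_head": archive.entries[-1]["hash"] if archive.entries else archive.GENESIS,
    }


if __name__ == "__main__":
    archive = ChangeArchive()
    archive.record("2022-11-20T02:00:00Z", "patch-svc", "ws-finance-01", "monthly cumulative update applied")
    archive.record("2022-12-01T14:12:00Z", "jdoe", "srv-ad-01", "added user to Domain Admins")
    print(json.dumps(compliance_report(INVENTORY, archive, AS_OF), indent=2))
    # Rewriting history: alter the earlier record and re-verify the chain.
    archive.entries[0]["change"] = "no change"
    print("archive intact after tampering:", archive.verify())
```

Publishing the current `archive_head` hash somewhere the client environment cannot write (the report itself, or a separate system) is what turns the chain from a self-consistency check into evidence: an attacker who regenerates the whole archive cannot also make the previously published head match.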
Managed Continuous Compliance is our newest managed service. It was created to meet needs that arose for our clients in 2022 around the handling of customer information, and it has become a requirement for some businesses because:
- The rising costs of cyberattacks have made it increasingly difficult for businesses to acquire or renew cybersecurity insurance policies. Continuous monitoring is now a common prerequisite for obtaining coverage.
- The Federal Trade Commission (FTC), a rulemaking government agency, is now mandating that certain institutions adhere to tighter cybersecurity standards for information systems.
But which institutions? Who needs Continuous Compliance?
The new rules apply to institutions subject to the Code of Federal Regulations Title 16 Chapter I Subchapter C Part 314[1]; in general, "financial institutions". An entity is a "financial institution" if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k); activities such as:
- lending, exchanging, transferring, investing for others, or safeguarding money or securities
- insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death
- providing financial, investment, or economic advisory services; issuing or selling instruments representing interests in pools of assets permissible for a bank to hold directly
Automobile dealerships and accounting firms are two common examples; the FTC provides examples of subject institutions in Section 16 CFR 314.2(h)(2).
The Code of Federal Regulations Title 16 Chapter I Subchapter C Part 314, titled Standards For Safeguarding Customer Information[1], was updated by the FTC on December 9, 2021, and Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are effective as of December 9, 2022.
In section 16 CFR 314.3(a), institutions are directed:
You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.
The stated objectives are to:
- Insure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Who does not need Continuous Compliance?
Continuous Compliance may not be needed by businesses that are not considered "financial institutions" over which the Federal Trade Commission (FTC) has rulemaking authority pursuant to section 501(b) of the Gramm-Leach-Bliley Act.
The FTC provides examples of institutions that are not subject to the new rules in Sections 16 CFR 314.2(h)(3) and 16 CFR 314.2(h)(4).
How To Become Compliant
Bitstream Managed Continuous Compliance will satisfy many of the requirements set forth by the updated Standards For Safeguarding Customer Information (as they apply to systems under our management) including subsections:
Applicability date (16 CFR 314.5): the provisions listed above are applicable beginning December 9, 2022.
Ready to get started?
1. United States, Federal Trade Commission. Standards for Safeguarding Customer Information, 16 CFR Part 314. U.S. Government Publishing Office (GPO), December 9, 2021. https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314