Third Party Risk Management | TPRM Tuesday

TPRM Tuesday #2: Recent significant changes in the Infosec and Compliance domains

It's Tuesday, and it’s time for another TPRM Tuesday posting! Today we present a quick roundup of recent significant changes in the infosec and compliance domains.

🔐 PCI v4.0 was published in March 2022

✅ Two-year transition period. PCI v3.2.1 will be retired on March 31, 2024.

✅ 64 new requirements added: 51 new requirements are “best practice until March 31, 2025” and 13 new requirements are “effective immediately for all v4.0 assessments”.

✅ Two validation methods are introduced: “Defined Approach” and “Customized Approach”.

👉🏼 Defined Approach: The traditional method for implementing and validating PCI DSS, using the Requirements and Testing Procedures defined within the standard. In the defined approach, the entity implements security controls to meet the stated requirements, and the assessor follows the defined testing procedures to verify that the requirements have been met.

👉🏼 Customized Approach: Focuses on the Objective of each PCI DSS requirement (where applicable), allowing entities to implement controls that meet the requirement’s stated Customized Approach Objective without strictly following the defined requirement. Because each customized implementation will be different, there are no defined testing procedures. Therefore, the assessor is required to derive testing procedures appropriate to the specific implementation in order to validate that the implemented controls meet the stated Objective.

🔐 ISO 27002 was updated to the 2022 version in February 2022

✅ Controls are categorized as Organizational, People, Physical, and Technological.

✅ Attributes tied to controls: Control Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities, Security Domains.

✅ The number of controls was reduced from the existing 114 to 93.

✅ 11 new controls were added, 24 controls were merged, and 58 controls were reviewed and revised.

✅ Transition period is being determined.

✅ ISO 27001:2013 will be updated accordingly in the near future to reference ISO 27002:2022.

🔐 HITRUST released Version 9.6 and new assessment options in December 2021:

✅ Version 9.6 includes revisions of the NIST 800-53 r4 mapping, updates to requirements for the new i1 option, and various updates to the CSF.

✅ Three Assessment Options: “bC Assessment”, “i1 Validated Assessment”, “r2 Validated Assessment”.

👉🏼 Basic, Current-state (bC) Assessment: The bC is a “good hygiene” self-assessment that offers higher reliability than other self-assessments and questionnaires by utilizing the HITRUST Assurance Intelligence Engine (AI Engine) to identify errors, omissions, and deceit.

👉🏼 1-Year (i1) Validated Assessment: The i1 is a “best practices” assessment recommended for situations that present moderate risk. The i1 is a new class of information security assessment that is threat-adaptive with a control set that evolves over time to deliver continuous cyber relevance. The i1 is designed to keep pace with the latest cyberattack threats, including ransomware and phishing.

👉🏼 2-Year (r2) Validated Assessment: Formerly named the HITRUST CSF Validated Assessment, the r2 remains the industry gold standard as a risk-based and tailorable assessment that continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors.

🔐 SOC2 attestations must follow SSAE No. 21, effective for reports dated on or after June 15, 2022:

✅ Updated AT-C section 205: This update requires CPA firms to add a statement to the report indicating that the CPA firm is required to be independent and to meet the CPA’s other ethical responsibilities in accordance with relevant ethical requirements related to the examination engagement.

✅ Additional updates to AT-C section 206 and AT-C section 105.

✅ SOC 2 TSC will not be updated.

🔐 CMMC 2.0 was announced in November 2021:

✅ Changes will be implemented through the rulemaking process.

✅ DoD is exploring opportunities to incentivize contractors to voluntarily obtain a certification in the interim period.

👉🏼 Level 1 will be an annual self-assessment of 17 practices.

👉🏼 Level 2 will either be a triennial C3PAO assessment or an annual self-assessment of the 110 NIST 800-171 controls.

👉🏼 Level 3 will be a triennial government-led assessment of the NIST 800-171 controls + TBD selected NIST 800-172 controls.

🔐 SEC proposed rules in March 2022 for disclosure of the following by public companies:

✅ Information about a cybersecurity incident within four business days after determining that they have experienced a material cybersecurity incident.

✅ Policies and procedures, if any, for identifying and managing cybersecurity risks.

✅ Cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks.

✅ Management’s role, and relevant expertise, in assessing and managing cybersecurity-related risks and implementing related policies, procedures, and strategies.

We are glad to bring you these postings. Please let us know if you have questions, and how we can help you continue to run an effective and efficient third party risk management program.