Companies that gather and process large quantities of consumer data have increasingly become the target of state regulators, especially as data loss from cyberattacks has risen. California is the latest state to propose new cybersecurity regulations aimed at helping organizations improve their cybersecurity resilience.
The California Privacy Protection Agency (CPPA), the agency that enforces the California Consumer Privacy Act (CCPA), has introduced two new draft regulations. Should the drafts be adopted, they would require cybersecurity audits and risk assessments for businesses whose processing of consumers' personal information "presents a significant risk to consumers' privacy or security."
If the rules are passed, companies will need to conduct annual cybersecurity audits to identify gaps or weaknesses in their security program. According to the CPPA, some components that will be required for assessment include multi-factor authentication, Zero Trust architecture, privilege restrictions, secure configuration, patch management, logging, and more.
While these regulations are still in draft form, understanding how to conduct an effective cybersecurity audit is essential as governments continually – and for good reason – become more strict about cybersecurity efforts.
Here’s how Axonius can help.
What does the cybersecurity audit requirement entail?
Cybersecurity Audit Key Takeaways
- Businesses subject to the CCPA that process certain types of consumer information must complete an annual cybersecurity audit.
- An initial cybersecurity audit will need to be completed within 24 months after the rules go into effect. Thereafter, businesses that meet the thresholds defined by the CPPA will need to conduct an audit annually.
- Cybersecurity audits must be conducted by a qualified, objective, and independent auditor (can be internal or external with reporting requirements for internal auditors).
- Businesses will be required to submit to the CPPA either a certification that the audit was completed or a written acknowledgment that it was not.
How to meet the CPPA cybersecurity audit requirements
The auditing process can be one of the most time-consuming and tedious activities an IT or security team undertakes, especially when it means gathering data from disparate sources and manually working through massive spreadsheets. Cybersecurity asset management solutions like Axonius make the auditing process easier by automating data aggregation and correlation so teams can understand what is actually in their environment. Based on the CPPA's draft, Axonius can specifically help with the following components:
Multi-factor Authentication
Multi-factor authentication (MFA) must be applied across an organization's systems and services, and employees, service providers, and contractors will be required to use at least two authentication factors. Examples of factors include passwords or passphrases, tokens, and biometrics. The draft also calls for MFA that is resistant to phishing attacks; a password alone is not, so that resistance has to come from the second factor, such as a hardware token.
Multi-factor authentication raises the bar for proving that a login really belongs to the person (or service) claiming it. Provided the customer has the right adapters connected, Axonius can continuously identify users who are not enrolled in MFA, enforce controls that adhere to MFA policies, and surface internal policy lapses, such as users with outdated passwords or unauthorized access.
Zero Trust Architecture
Per the CPPA, Zero Trust architecture will be required across an organization's digital infrastructure and systems; for example, connections within the organization's information system must be authenticated, and users must be given least-privilege access.
As organizations increase their endpoints and device diversity, cybersecurity asset management offers organizations the first step to implementing a Zero Trust architecture. Remember, you can only protect what you can see, and Axonius gives IT and security teams comprehensive visibility into all devices and users – and the security products that cover them – to validate security policies.
Account Management and Access Controls
The CPPA's draft rule requires strict measures to restrict, limit, and monitor employee, service provider, contractor, and third-party access to sensitive information, and to revoke privileges and access when they are no longer required.
Axonius helps security teams establish and control internal and remote system access by correlating user privileges with the hardware and software assets they touch. Security teams can report on abuse and misuse of administrative credentials and surface tools that should only be present on administrator machines. A user inventory lets IT and security teams view and monitor privilege control while automatically enforcing policies that revoke permissions for terminated employees or for users who no longer need access.
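The MFA and access-control checks described above come down to joining records from several sources and asking where they disagree. The following is an added example, not Axonius code or any vendor's API: it correlates a constructed HR roster, an identity-provider account export, and a directory group export to find enabled accounts without MFA, accounts that outlived their owner's employment or have no HR owner at all, privileged accounts without MFA, and privileged accounts whose password is older than a 90-day policy. The three source systems, their field layouts, and the sample records are all assumptions made for the example.

```python
"""Correlate HR, identity-provider (IdP) and directory records to surface
the access-control gaps an auditor asks about. All records below are
constructed for this example; the three source systems and their field
layouts are assumptions, not any real product's export format."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class IdpAccount:
    email: str
    enabled: bool
    mfa_enrolled: bool
    password_changed: date


# Constructed sample data: an HR roster, the IdP's account list, and one
# directory group export. Note the service account that has no HR owner.
HR = [
    HrRecord("E100", "ana@example.com", "active"),
    HrRecord("E101", "bo@example.com", "terminated"),
    HrRecord("E102", "cy@example.com", "active"),
]
IDP = [
    IdpAccount("ana@example.com", True, True, date(2023, 8, 1)),
    IdpAccount("bo@example.com", True, False, date(2023, 1, 15)),
    IdpAccount("cy@example.com", True, False, date(2022, 11, 3)),
    IdpAccount("svc-backup@example.com", True, False, date(2021, 6, 30)),
]
GROUPS = {"Domain Admins": {"cy@example.com", "svc-backup@example.com"}}
PRIVILEGED_GROUPS = ("Domain Admins",)
AS_OF = date(2023, 10, 1)  # the audit date used for password-age checks


def accounts_without_mfa(idp):
    """Enabled accounts with no MFA enrolment, whoever owns them."""
    return sorted(a.email for a in idp if a.enabled and not a.mfa_enrolled)


def orphaned_accounts(hr, idp):
    """Enabled accounts whose owner HR lists as terminated, and enabled
    accounts with no HR owner at all (a service account needs a named
    owner before an auditor will accept it)."""
    status = {h.email: h.status for h in hr}
    return {
        "terminated_but_enabled": sorted(
            a.email for a in idp if a.enabled and status.get(a.email) == "terminated"),
        "no_hr_owner": sorted(a.email for a in idp if a.enabled and a.email not in status),
    }


def privileged_members(groups, privileged=PRIVILEGED_GROUPS):
    """Every member of any group the policy treats as privileged."""
    return {m for g in privileged for m in groups.get(g, ())}


def privileged_without_mfa(idp, groups):
    """Privileged accounts are the ones where a missing MFA factor hurts most."""
    admins = privileged_members(groups)
    return sorted(a.email for a in idp
                  if a.enabled and a.email in admins and not a.mfa_enrolled)


def stale_privileged_passwords(idp, groups, as_of=AS_OF, max_age_days=90):
    """(email, password age in days) for privileged accounts past the policy limit."""
    admins = privileged_members(groups)
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted((a.email, (as_of - a.password_changed).days)
                  for a in idp
                  if a.enabled and a.email in admins and a.password_changed < cutoff)


def audit_report(hr, idp, groups, as_of=AS_OF):
    """One dict an auditor, or a ticketing integration, can consume directly."""
    return {
        "no_mfa": accounts_without_mfa(idp),
        "orphaned": orphaned_accounts(hr, idp),
        "privileged_no_mfa": privileged_without_mfa(idp, groups),
        "privileged_stale_password": stale_privileged_passwords(idp, groups, as_of),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(HR, IDP, GROUPS), indent=2))
```

On the sample data the report flags `bo@example.com` as enabled after termination and `svc-backup@example.com` as having no owner; both privileged accounts lack MFA and have passwords far older than 90 days. The join key here is the e-mail address, which only works if every source agrees on it; in practice the normalisation step (case, aliases, UPN versus mail attribute) is where most correlation effort goes.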
Hardware and Software Asset Inventory
Understanding the digital environment is a prerequisite to securing it. Organizations will be required to maintain and manage hardware and software asset inventories across their infrastructure to prevent unauthorized access or use.
Axonius provides an always up-to-date, unified, and comprehensive view of all assets so they can be identified, categorized, and secured properly. By identifying an organization's hardware, devices, software, user accounts, cloud instances, SaaS applications, networks, and more, Axonius surfaces misconfigurations, missing or malfunctioning agents, and other coverage gaps. Teams can also monitor software for vulnerabilities, networks for rogue devices, users for excessive permissions, and SaaS applications for shadow SaaS.
Secure Configuration and Patch Management
Organizations will also have to maintain secure configurations for hardware and software assets. According to the CPPA cybersecurity audit draft, this includes software updates and upgrades, securing cloud-based environments, masking sensitive personal information by default in web applications, security patch management, and change management.
Axonius verifies that security controls are working properly and that all assets, new and old, are covered by security solutions in dynamic IT environments. Users can automate vulnerability management tasks, increasing effectiveness while reducing the resources required. By identifying vulnerabilities and correlating them to assets, IT and security professionals gain the context to prioritize vulnerabilities by asset criticality, which expedites patching and remediation.
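The inventory and patch-management sections above both rest on the same operation: reconcile device records from several tools into one view, then ask that view audit questions. The following added example is not Axonius code or any vendor's API. It merges a constructed cloud inventory, an EDR console export, and a vulnerability scanner export by normalised hostname, reports inventoried assets whose EDR agent is missing or not checking in, reports devices a security tool sees that the system of record does not, and ranks findings by CVSS weighted by the asset's criticality tag rather than by CVSS alone. The source formats, the criticality weights, and the finding IDs are assumptions made for the example.

```python
"""Merge device records from three sources into one asset view, then ask
two audit questions of it: which assets lack working endpoint coverage,
and which findings to patch first once asset criticality is considered.
All records and finding IDs below are constructed; the export formats
and the criticality weights are assumptions, not any vendor's API."""
from collections import defaultdict

# Constructed exports. Each source spells hostnames differently, which is
# exactly why correlation needs a normalisation step.
CLOUD_INVENTORY = [  # (instance_id, hostname, ip, criticality tag)
    ("i-0a1", "web-01.prod.example.com", "10.0.1.10", "high"),
    ("i-0a2", "batch-07.prod.example.com", "10.0.1.22", "low"),
    ("i-0a3", "db-01.prod.example.com", "10.0.2.5", "critical"),
]
EDR_AGENTS = [  # (hostname as the agent reports it, agent status)
    ("WEB-01", "healthy"),
    ("db-01", "stale"),       # agent installed but not checking in
    ("lab-pc-3", "healthy"),  # seen by EDR, absent from the inventory
]
SCAN_FINDINGS = [  # (hostname, finding id, CVSS base score)
    ("web-01", "FINDING-A", 7.5),
    ("batch-07", "FINDING-B", 9.8),
    ("db-01", "FINDING-C", 6.5),
]

CRITICALITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
UNKNOWN_WEIGHT = 2  # an asset nobody has classified is not assumed to be low-value


def asset_key(hostname):
    """Join key: short hostname, case-folded, domain suffix dropped."""
    return hostname.strip().lower().split(".")[0]


def unify(cloud, edr, scans):
    """One record per asset, noting which sources saw it."""
    assets = defaultdict(lambda: {"sources": set(), "criticality": None, "edr": "missing"})
    for _instance_id, host, _ip, criticality in cloud:
        entry = assets[asset_key(host)]
        entry["sources"].add("cloud")
        entry["criticality"] = criticality
    for host, status in edr:
        entry = assets[asset_key(host)]
        entry["sources"].add("edr")
        entry["edr"] = status
    for host, _finding_id, _cvss in scans:
        assets[asset_key(host)]["sources"].add("scanner")
    return dict(assets)


def edr_coverage_gaps(assets):
    """Inventoried assets whose EDR agent is missing or not reporting."""
    return sorted((key, entry["edr"]) for key, entry in assets.items()
                  if "cloud" in entry["sources"] and entry["edr"] != "healthy")


def unknown_to_inventory(assets):
    """Devices a security tool sees that the system of record does not."""
    return sorted(key for key, entry in assets.items() if "cloud" not in entry["sources"])


def prioritized_findings(assets, scans):
    """Rank findings by CVSS weighted by the affected asset's criticality.
    Returns (asset, finding id, cvss, criticality, weighted score), highest first."""
    ranked = []
    for host, finding_id, cvss in scans:
        criticality = assets.get(asset_key(host), {}).get("criticality")
        weight = CRITICALITY_WEIGHT.get(criticality, UNKNOWN_WEIGHT)
        ranked.append((asset_key(host), finding_id, cvss, criticality, round(cvss * weight, 1)))
    return sorted(ranked, key=lambda row: row[4], reverse=True)


if __name__ == "__main__":
    view = unify(CLOUD_INVENTORY, EDR_AGENTS, SCAN_FINDINGS)
    print("EDR gaps:", edr_coverage_gaps(view))
    print("Unknown to inventory:", unknown_to_inventory(view))
    for row in prioritized_findings(view, SCAN_FINDINGS):
        print("patch order:", row)
```

On the sample data, sorting by raw CVSS would put the 9.8 on the low-criticality batch host first; weighting by the inventory's criticality tag moves the 6.5 on the critical database ahead of it, and the stale agent on that same database shows up as a coverage gap in the same pass. The three-way source set per asset is also what an auditor wants to see: an asset known only to the scanner or only to EDR is an inventory defect, not just a tooling one.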
Organizations should prepare for audits now
Enforcement of the new regulations under the CPPA is paused until March 29, 2024, but organizations should begin assessing their current cybersecurity strategy and posture now to find gaps early. Though the CPPA's cybersecurity audit requirements may only directly apply to businesses subject to the CCPA, organizations elsewhere in the country should pay attention because of "the California Effect," the tendency for other jurisdictions to follow once California promulgates regulations.
The rigors of the CPPA's draft cybersecurity audit requirements may seem daunting, but understanding which requirements your organization already meets and which it does not is the place to start. Organizations will have 24 months after the rules go into effect to conduct the first cybersecurity audit, but audits are laborious, and putting the right tools in place early saves time and increases readiness.
To help simplify your auditing process, Axonius provides a unified, comprehensive view into all assets and their security state and enforces remediation actions quickly and easily, making it an essential first step when beginning an audit.