The European Union Parliament adopted the Digital Operational Resilience Act (DORA) on November 10, 2022. Set to be enshrined into law at the end of 2022, DORA will introduce a comprehensive set of rules for financial organizations to strengthen their digital operational resilience and prevent and mitigate cyber threats.
With this new regulation in mind, along with others in North America such as the New York Department of Financial Services’ (NYDFS) upcoming amendments on their cybersecurity regulation, cybersecurity monitoring firm Panaseer launched its first guidance on security controls for organizations across all sectors in November.
“As these new regulations are coming to fruition next year, there is going to be a lot more accountability needed from security teams in the firms involved and it made sense for us to provide them with some recommendations ahead of it,” Charlotte Jupp, Panaseer’s head of security performance management, told Infosecurity.
The guidance provides a set of benchmarks with recommendations on how to reach 18 security objectives across six categories: controls coverage, vulnerability and patch, endpoint, user awareness, application security and identity and access management.
For each objective, the guidance offers two levels of recommendations, one initial measurement standard and one mature measurement standard.
“We wanted this guidance to be used by CISOs in smaller organizations, who don’t necessarily have massive security teams and who could be starting their journey in stepping up their security posture, as well as people across different security teams such as vulnerability management team leaders, or governance, risk, and compliance (GRC) managers, who are looking at their particular policies and how they can mature those over time,” Jupp said.
For instance, the first objective in the controls coverage category, ‘expected endpoint detection and response (EDR) coverage’, measures how many devices are covered by EDR tools. For it, Panaseer recommends a seven-day window for devices to report into the EDR console for less mature organizations, tightening to every day for those looking to become more mature.
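The coverage objective described above amounts to joining an asset inventory against the EDR console's last-check-in data and counting devices whose last report falls inside the chosen window. The following Python is an added example written for this article, not code from Panaseer or its guidance; the asset list, check-in timestamps, and the fixed reference time are constructed sample data, and the hostnames and the 7-day/1-day windows are assumptions standing in for the initial and mature standards the text describes.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article or any real EDR export).
# Asset inventory: every device the organisation believes it owns.
ASSET_INVENTORY = ["ws-001", "ws-002", "ws-003", "srv-010", "srv-011", "lap-042"]

# EDR console export: hostname -> last check-in time (UTC). Note that
# ws-003 is in the inventory but has never reported to the console.
EDR_LAST_SEEN = {
    "ws-001": datetime(2022, 11, 15, 9, 30),
    "ws-002": datetime(2022, 11, 10, 18, 0),
    "srv-010": datetime(2022, 11, 15, 2, 15),
    "srv-011": datetime(2022, 10, 20, 7, 45),
    "lap-042": datetime(2022, 11, 14, 12, 0),
}

# Fixed "now" so the measurement is reproducible; a real job would use
# datetime.utcnow() at the time the export was taken.
NOW = datetime(2022, 11, 15, 12, 0)

# Assumed mapping of the two maturity standards to reporting windows.
STANDARDS = {"initial": 7, "mature": 1}


def edr_coverage(inventory, last_seen, max_age_days, now=NOW):
    """Classify each inventoried device against an EDR reporting window.

    Returns a dict with:
      covered  - reported within the window
      stale    - known to the EDR console, but last report is too old
      missing  - in the inventory but never seen by the EDR console
      pct      - covered devices as a percentage of the inventory
    """
    cutoff = now - timedelta(days=max_age_days)
    covered, stale, missing = [], [], []
    for host in sorted(inventory):
        seen = last_seen.get(host)
        if seen is None:
            missing.append(host)          # agent never installed / never checked in
        elif seen >= cutoff:
            covered.append(host)
        else:
            stale.append(host)            # agent broken, host offline, or decommissioned
    pct = round(100.0 * len(covered) / len(inventory), 1) if inventory else 0.0
    return {"covered": covered, "stale": stale, "missing": missing, "pct": pct}


def unknown_to_inventory(inventory, last_seen):
    """Devices the EDR console sees that the inventory does not know about.

    The guidance measures coverage of known assets; this is the reverse gap,
    which usually points at an incomplete inventory rather than a missing agent.
    """
    return sorted(set(last_seen) - set(inventory))


def coverage_report(inventory=ASSET_INVENTORY, last_seen=EDR_LAST_SEEN, now=NOW):
    """Measure the inventory against every standard in STANDARDS."""
    return {
        name: edr_coverage(inventory, last_seen, days, now)
        for name, days in STANDARDS.items()
    }


if __name__ == "__main__":
    for name, result in coverage_report().items():
        print(f"{name:8s} ({STANDARDS[name]}-day window): {result['pct']}% covered")
        print(f"  stale:   {result['stale']}")
        print(f"  missing: {result['missing']}")
    print("seen by EDR but not in inventory:", unknown_to_inventory(ASSET_INVENTORY, EDR_LAST_SEEN))
```

With the constructed data the initial (7-day) standard reports 66.7% coverage and the mature (1-day) standard 50.0%, with `srv-011` stale under both and `ws-003` missing under both. Separating stale from missing matters for remediation: a missing host needs an agent deployed, while a stale host needs the existing agent or the asset record investigated.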
“We have been doing similar work behind the scenes for a long time. But we wanted something organizations could use on their own. That’s why we used terminology from the Compliance Forge Reference Model, commonly referred to as the Hierarchical Cybersecurity Governance Framework (HCGF) to offer a common language. We have also based our guidance on existing security standards from the US’ National Institute of Standards and Technology (NIST) and our partner, the Center for Internet Security (CIS),” Jupp described.
The next step, Jupp added, will be to work with certification bodies across Europe and North America, where Panaseer is operating, to align the firm’s recommendations with security certifications.