Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

June 2023

The Nasty MOVEit Zero-Day Vulnerability: How to Respond

The zero-day vulnerability in Progress Software's MOVEit Transfer product is being exploited by the Clop ransomware gang and other copycat cybercriminal groups to expedite the theft of sensitive data from customer databases. To protect your organization from compromise, follow the recommended response actions in this blog. Learn how UpGuard streamlines Vendor Risk Management >

Free CCPA Vendor Questionnaire Template (2023 Edition)

Often regarded as the Californian version of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) aims to protect the personal information rights of Californian-based employees, contractors, customers, and vendors. The inclusion of third-party vendors means your Vendor Risk Management program needs to be updated to include CCPA compliance tracking, not only during due diligence but through the entire vendor security posture management process.

Preparing for CMMC Compliance: Tips and Best Practices

‍The Cybersecurity Maturity Model Certification (CMMC) is a cyber program and security framework used by the US Department of Defense (DoD) to measure firms’ cybersecurity maturity. All DoD contractors working with the federal government must comply with this program by 2025. CMMC compliance demands that DOD contractors pass an external CMMC assessment carried out by an approved CMMC Third Party Assessment Organization (C3PAO) for all but the lowest level of CMMC certification.

What is a Third-Party Breach? Definition & Tips for Reducing Risk

A third-party data breach refers to a data breach that has occurred through a third-party company. In a third-party data breach, the vendor or supplier’s system has been compromised and used to steal data that belongs to you. A third party can be defined as an organization with which your organization has entered into a business relationship to provide goods, access, or services for your use.

You Just Completed Your ISO 27001 Audit, Now What?

After completing an ISO 27001 audit, there may be some critical responses you must undertake based on the recommendation in your audit report. This step-by-step guide will ensure you don’t miss any of the outstanding follow-up tasks that need to be addressed after the audit process is over. Learn how UpGuard simplifies Vendor Risk Management >

Free NIST CSF Vendor Questionnaire Template

This NIST CSF questionnaire template will help you understand the degree of each vendor’s alignment with the high-level function of the NIST CSF framework - Identity, Protect, Detect, Respond, and Recover. Though this assessment only offers a superficial understanding of compliance, it’s sufficient for getting a sense of a prospective vendor’s security posture, especially when coupled with an external attack surface scanning solution.

You Just Completed Your SOC 2 Audit, Now What?

So, now what? On the other side of this considerable investment of time and money, it helps to have a structured, checklist-style post guiding you through the post-SOC 2 audit process. This article addresses all of the due diligence requirements after receiving a SOC 2 audit, and clarifies some of the common misunderstandings cybersecurity teams have when it comes to SOC 2 reports.

Adopting a Cyber Threat Exposure Management Approach in 2023

The cause of most data breaches can be mapped to limited attack surface visibility. Inverting this statement reveals a tactic for reducing your data breach risks - increase attack surface visibility. Cyber Threat Exposure Management presents an advanced security risk management approach by prioritizing attack surface visibility. To learn how to adopt a CTEM mindset and reduce your data breach risks, read on.

UpGuard Summit May 2023 - Panel Discussion

Join Zindzi Speede, our Technical Customer Success Manager, as she and a panel of cyber security experts delve into topics such as best practices, compliance, and the implications of AI on cyber security. Guests Jacques Van Zyl - Cyber Security Analyst at Youi Insurance Alen Zenicanin - Information Security Officer at Law in Order Michael Viney - Head of IT at Square Peg Capital.

Free ISO 27001 Vendor Questionnaire Template (2023 Edition)

ISO 27001 is commonly used for assessing supply chain and data breach risks during due diligence. This post provides a free ISO 27001 vendor questionnaire template for a high-level evaluation of vendor information security standards. Though this security assessment template only broadly covers Supply Chain Risk Management aspects of ISO 27001, it should still be sufficient for identifying potential deficiencies in a vendor’s security control strategy requiring further investigation.

How To Communicate Attack Surface Management to the Board

With digital transformation rapidly multiplying attack vectors across the cloud, remote work environments, and Shadow IT endpoints, mapping your digital footprint, let alone implementing an effective attack surface management strategy, is not as easy as it once was. As a result, communicating the value and progress of Attack Surface Management (ASM) to the board is becoming a considerable challenge that must be addressed before threat landscapes evolve beyond the reach of mitigation capabilities.

My Vendor Doesn't Have a SOC Report, How Do I Assess Them?

Though very helpful in representing the efficacy of a service provider’s third-party risk management program, SOC reports aren’t always available. Some service providers either don’t have the budget for a SOC report or are unwilling to undergo the laborious process of an SSAE-18 audit. While a lack of a SOC report should raise alarm bells during the due diligence process, it shouldn’t necessarily result in the disqualification of a prospective vendor.

Understanding FedRAMP: What Federal Agencies Need to Know

FedRAMP refers to the Federal Risk and Authorization Management Program, a US government-created program to smooth the connection between its federal agencies and cloud service providers. The General Services Administration (GSA) established FedRAMP Program Management Office (FedRAMP PMO) to help achieve the following goals: This post will examine the benefits of using FedRAMP and will provide an overview of the system and its requirements for cloud service offerings (CSOs).