Webinar Six Best Practices to Help with Your Regulatory Compliance Program


[MUSIC PLAYING] Hello, everyone. And welcome to our webinar, Six Best Practices to Help with Your Regulatory Compliance Program. Before we get started, let me go through the housekeeping items. You can join the audio of this webinar through your computer, or by dialing any of the numbers on your email invitation.

During the webinar, a Q&A chat box will be available for you to leave your questions at any time. Brendan, Matthew, and Sofia will answer as many of them as they can during the webinar, but we'll make sure to compile those they don't get to and reach out with the answers. We really want to hear from you, so ask as many questions as you have. This webinar is being recorded and will be shared with you in the following days. And last but not least, you will earn CPE credits by attending this webinar.

That's all for my side. Now, let's meet the speakers. All right. Thank you, Liz.

I'm Brendan Patterson, VP of product management at WatchGuard. And I'm the host and the lead speaker on the webinar today. But I'm joined by a couple of subject matter experts at WatchGuard. And Matthew Terry is a product manager on my team.

Matthew has been at WatchGuard a long time. He's worked in both our support and QA organizations prior to product management. And Matthew has a lot of expertise in the wireless area.

And when it comes to regulatory compliance, he's kind of the go-to guy for PCI compliance at WatchGuard. We're thrilled to have Sofia Kovach join us. Sofia is from the legal team at WatchGuard. She is our data privacy expert, who gives us a lot of great counsel and advice as we work a lot on GDPR privacy implications, the European privacy regulation we'll talk more about. So Matthew and Sofia are going to join in and help on some of those specific regulations as we go through the webinar, and help me out with questions too. So let's get going.

Today's topic, we're talking about regulatory compliance. And that is such a broad topic. There are so many regulations out there depending on where you're based, whether you're in Europe or worldwide. Some of the common ones we hear a lot about: PCI, the data security standard for retailers and credit card information; GDPR, privacy in the European Union. HIPAA is for health care in the US. And then we have others.

CMMC is the Cybersecurity Maturity Model Certification. I'll talk more about that in a few minutes. But that is getting a lot of attention here in the United States for any companies that need to comply with the Department of Defense. We have a couple of education-specific ones I've referenced here, like Keeping Children Safe In Education and CIPA, which really impacts schools and libraries here in the United States as well. So that is such a broad topic.

We just wanted to kind of kick off with a polling question, to get an idea from the attendees on the webinar which specific regulations you are interested in, and that may help us guide the conversation a little here. And as we're talking and looking at that, one thing I will highlight pretty much as a theme in this webinar is that there is a lot of commonality between the different regulations. And we'll discuss that as we go through it. OK. So the poll results, I'll just share them on my screen. Liz, if you can confirm people can see that. A lot of people are concerned with HIPAA here, which is health care in the United States, and then kind of an even spread across some of the different things we see, like PCI, GDPR, or European privacy, and so on. So that's good to see.

Thanks for sharing your information there. One thing I would highlight and encourage for everyone, and especially if you're a managed service provider: in this webinar, we're talking a lot to people who act as MSPs and provide information security services to clients they manage. You may have to deal with different regulations and different verticals across your client base. And so we really encourage people to adopt some kind of information security management system, some kind of best practice control framework, to really guide your cybersecurity posture, and then use that as your kind of go-to reference for whichever regulation you need to comply with depending on each customer. And a lot of what we'll show in this webinar is that you can map different regulations to some common things in these cybersecurity frameworks.

ISO 27001 is a very popular and common one, used throughout industry as an information security management system. Very detailed, comprehensive. It's been around a long time. The Center for Internet Security has their CIS Controls framework. At WatchGuard, we're hearing a lot about this one now. So we'll continue and use that as a reference throughout the webinar, in fact.

And we're going to publish more information, mapping WatchGuard solutions to the CIS Controls framework and information like that. If you're dealing with CMMC and US federal, the US Department of Defense, the National Institute of Standards and Technology publishes SPs, which they call Special Publications, that have a very detailed risk management framework. And 800-171 is the control framework that governs controls around unclassified information. We also have, in Australia, the Cyber Security Essential Eight. Maybe not at this time of day, but anyone from that part of the world, or people watching the recording, will be familiar with that. In the UK, there's also Cyber Essentials, which is really guiding a lot of what people are looking at there.

I wanted to provide a reference to what WatchGuard is doing. Here is a page from the Trust Center on the WatchGuard website. We have actually standardized around the ISO 27001 information security management system. And you can see, we have published our certification against that for our WatchGuard Cloud operations. There is an audit report, certified by a company, available publicly on our website there. So that's one we're familiar with internally.

I will talk a lot about the CIS cybersecurity controls. But another example I want to highlight, since a lot of people on the poll referenced they were interested in CMMC, which is the capability maturity model for the Department of Defense. One thing you need to be aware of with regulations is that they continue to evolve and update over time. So US federal, they came out with CMMC model one. About two or three years ago, maybe, we started hearing a lot about it. It had five different levels.

They referenced the NIST control framework for part of it. They added in some of their own specific controls that they wanted people to adopt as part of their audits.

We're now on CMMC model 2.0. It's going to be applied to certain Department of Defense contracts. So it's an example of how things evolve. Thankfully, they have simplified this.

They've kind of done away with some of the CMMC-specific controls they had. And if you look at level two, for example, which is a required third-party assessment for critical national security infrastructure, that's all based around the NIST 800-171 set of controls. So it's an example of how using a control framework like the one published by NIST is what guides you as you get audited for CMMC compliance.

And CMMC is about getting a third party audit to certify that you have sufficient controls in place to participate in the Department of Defense contracts. And so we'll reference some of that as we look at some of the best practices we've looked at. So again, Liz, let's take another poll. We've seen what regulations people are interested in.

What about any information security management system or control frameworks? Are you using any information security management or control framework? A lot of people using NIST, so we'll refer to that as well. CIS, some interest in that. And in fact, I've already seen a comment in chat asking for a mapping of CIS controls to WatchGuard technologies.

And in fact, I'll talk about it later. But that is something we have worked on, and I'd be happy to share that too. So we'll follow up on that. One thing I want to highlight is as an MSP, you need to think globally. You have customers.

You may be focused on customers in one geography. You could be a US MSP, working with customers just in the US. But you really need to ask yourself, do you have companies you work with outside your home country? Do you have customers that have customers themselves around the world? And what does that mean in terms of regulations they may be subject to? I actually had a WatchGuard partner in Australia contact me a couple of weeks ago looking for guidance around NIST.

They were working with a customer in Australia that was doing some business in the US. It was a regulation they didn't know anything about. So we were able to provide them some good guidance and control mapping around that.

Sofia, maybe you can comment a bit on how GDPR may impact people around the world. Yeah. Thank you, Brendan. So yeah, because of GDPR's extraterritorial applicability, you really have to think about not just where you are established but also where you provide services.

Another thing to think about here is your subsidiaries and whether they themselves provide services to your customers. And another, probably the trickiest, part here is thinking, especially as MSPs, not only about your customers but also about where your end users are located. And just like Brendan said about the Australian partner, we, in the privacy department, always have a lot of requests from Germany and throughout Europe about different privacy and security assessments. Probably at least once, or twice, or three times a week we reach out to our security teams and product management teams, so that's why Matthew is smiling right here, to help us fill out these security assessments. So definitely thinking globally helps in this regard. OK. Thanks, Sofia.

So we titled the webinar around six information security best practices. And why six? Well, this is an hour webinar, and we could have talked forever about security best practices and what we want to do. I thought it would be interesting to pick just six, use those as an example or as a sample, and talk about how they apply to different regulations and things we may see happening in these areas. So I want to emphasize, what we're talking about today is not comprehensive, not everything you should have in your cybersecurity controls. But we've picked six best practices.

And we're going to take a look at how they map and apply to different regulations around the world. So the six I've picked are what I call need to know, or access controls; multi-factor authentication; network segmentation. You can see by the graphic, we're a firewall company, so that's one we're always going to talk about.

But of course, MFA is important to us too. But things like only allowing authorized software and systems on your network, using encryption, running regular vulnerability assessments, some of the good cybersecurity hygiene best practices. And how does that help you with regulatory compliance? So I'm going to pick CIS kind of as a lead example. So if I look at access controls, CIS requirement three talks about the need to develop processes and technical controls to identify and securely handle, retain, and dispose of data. And then when you dig into the detail CIS has around that, they have a data management process, establish a data inventory. But one thing you'll see in common through these regulations, they'll talk about access control lists based on a user's need to know: apply data access control lists, access permissions, local file systems and databases.

Always apply need to know. And that's something you'll see through the different information. So for example, GDPR. You may be dealing with CIS as your control framework. If you have to work with some European customers and GDPR, the security measures there also talk about the need to know principle. If you're in retail, PCI Data Security Standard requirement seven goes into a lot of detail: need to know access to data and systems needs to be defined, assigned, and managed.

And again, NIST, for people who are dealing with CMMC. Again, specific requirement 3.1 around access control. They don't use the phrase need to know. They talk about least privilege, including for security functions. And it's the same concept. Only give access to data to people who really need to have the right to that.

And in fact, what we're seeing in the industry a lot now is the term zero trust. Regulations may not have caught up with that so much. They're using more old school terms, like need to know and the least privilege principle. But it's the idea that you only give access to data, deny everything, and then only give access to data to people who really need it as part of their job, as part of their role and function.

It's a good cybersecurity practice. You'll see it referenced all through the different regulations. And since that one specifically talks about privacy access to data, I thought this would be a good opportunity to bring Sofia in to maybe do a little deeper dive on GDPR and what that means.

Thank you, Brendan. So as Brendan already pointed out, there are a lot of different regulations, and they are very demanding in a lot of different frameworks. The good news is that, as Brendan said, they do overlap to a significant extent. And it is no different with GDPR. So when we think about GDPR, and when a lot of businesses think about GDPR, the first thing that comes to mind is, of course, privacy notices, and data subject rights, maybe security incidents.

But it is actually quite demanding from a security standpoint as well. And this is something to keep in mind. So when you think of GDPR, the thing that you need to refer to are the GDPR security measures. As you know, or as probably most of you on this webinar know, GDPR is an EU law that focuses on the protection of personal data. So the scope is a little bit limited here. However, most organizations do deal with personal data.

So the first place to look for security measures and what GDPR says about security is the Article 5, principles relating to the processing of personal data. The other good place to look at is Article 32, that talks about security of processing. And if you are transferring data from Europe to third countries, you are probably relying on standard contractual clauses, which is a transfer mechanism that currently can be used by a lot of companies.

And WatchGuard relies on them as well. So there is an Annex II, standard contractual clauses that talks extensively about what security measures can be and should be implemented by the data importers. Another good place is Annex III, standard contractual clauses between controllers and processors.

So this would only apply if you actually rely on these standard contractual clauses. But nevertheless, they provide a good list, which we will look into in the following slide. Another thing to keep in mind is your data processing agreements. That would be, first and foremost, data processing agreements with your customers, and also data processing agreements with your service providers. You will see that sometimes, even if GDPR does not apply directly to you, like we said, it can apply to your customers, and therefore you may have agreements that would force you to follow and implement some of the security measures that your customers have to implement on their end. All of this, of course, GDPR does not-- and this is really worth pointing out.

GDPR does not refer to any kind of security certifications or frameworks. However, when we show our GDPR compliance, we often refer to certifications like ISO 27001, SOC 2, and so on. So, because they overlap, all of these are good to show your compliance with GDPR. As I've said, the GDPR principles are the first place to look at when you want to find out what GDPR says about security. The one that we really want to draw your attention to is data integrity and confidentiality.

So as you can see, data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, and so on. So this is-- since the GDPR is a principle based law, this is important to keep in mind. Next slide, please. Another one is Article 32.

Just like I've said, here you can see that it is both the controller and the processor. So regardless of your role under GDPR, you will need to implement the appropriate security measures. And some of what Article 32 refers to is, as you can see here, encryption of personal data, confidentiality. There goes your need to know basis or zero trust, right. Integrity, availability, and resilience of processing.

Also regular testing of security measures and testing your systems, which Brendan-- all of these will pop up throughout this presentation. You will see how they overlap with other regulations and frameworks. Next slide. So the security measures within the standard contractual clauses are another good place to look at.

And I really want to point out that these are just the examples that the European Commission has drafted within these standard contractual clauses. But nevertheless, this is a good reference list for companies, and this is something that we refer to in RGB. And a lot of importers within the US also refer to them to explain and show their compliance with the GDPR. So as you can see here, some of these are repeated from Article 32. But then in the standard contractual clauses, we actually get the expanded list of things. And as you can see here, we get an addition. The first addition here is user identification and authorization.

So there goes the MFA, which Brendan will talk about later on. There is also data protection during transmission and during storage, a.k.a. encryption, which Brendan will also talk about and which overlaps with multiple frameworks and other requirements. And so going back, you need need to know access controls and data confidentiality.

Of course, there has to be an understanding that data confidentiality, under GDPR, is much broader than need to know access controls. But nevertheless, need to know access controls are a part of, probably the biggest part of, data confidentiality. And here on this slide, you can just see some other examples of how data confidentiality under GDPR and under a lot of these other frameworks that Brendan will be talking about can be achieved. OK. Thank you, Sofia. That was a great quick overview.

GDPR is such a huge concept. But I think the real takeaway there, maybe if you're not too familiar with it, is that all you need are kind of the same security best practices that you would use for other regulatory compliance. And the good programs you have in place, maybe for PCI, will help you with GDPR if you start working more with European customers or companies. One of those other good security practices, of course, that we promote a lot at WatchGuard is multi-factor authentication.

And again, CIS requirement six talks about tools to manage and revoke access credentials and privileges for users. You get into the detail. One thing I like about this, and I've kind of used it as a lead reference here, is I find it more accessible, and it uses less jargon, maybe, than some of the other regulations, like NIST or things like that. They basically spell it out: use MFA for externally exposed applications, require MFA for remote network access. And that's something you'll see in common across different regulations. Not just that they're saying use MFA, or the control frameworks, but even calling out the level at which you should be using it. So PCI, when you get into credit cards, they talk about MFA implemented to secure access into the CDE.

If you're not familiar with that, that's the cardholder data environment. And Matthew will correct me if I get any of my acronyms wrong. He's more up to date and familiar with PCI than me.

Sofia covered GDPR. You can see the type of security controls they have. They talk about measures for user identification. And MFA is part of the security measures. HIPAA talks about procedures to verify a user, person, or entity. And again, of course, when you get into NIST 800-171, they specifically have controls that talk about MFA for both local and network access.

So regulations tend to really spell it out, not just use MFA but use it both for local applications and especially for any kind of remote access. Another one, I like to talk about network segmentation. Because you can do that with the firewall, of course.

But again, CIS 3.12: segment data processing and storage based on sensitivity. This kind of follows on from what we talked about with least privilege or need to know. Don't have important sensitive information on a part of the network that everyone can access if they don't need it. CIS specifically calls out traffic filtering between network segments.

And of course, you can implement that with the firewall. PCI, we've always liked that, because requirement one starts with the need for network controls, limiting network access into a cardholder environment. Make sure it's restricted and controlled. And there are aspects of NIST where they get in and talk about implementing subnetworks for publicly accessible system components.

So it's an area we're very familiar with at WatchGuard. And of course, we encourage people to do it. And also, other aspects of these control frameworks will get into documenting your network configuration.

And controls. That's an area where we recommend people don't just have a firewall configuration but make sure it's documented, and everyone knows what each policy is for, through some good documentation. Another good practice we like to talk about is encryption. CIS 3, data protection: processes and technical controls to securely handle, retain, and dispose of data again. And like I said, I like the clear language, specifically: encrypt your sensitive data at rest, and encrypt sensitive data in transit. So again, they don't just say encrypt data but call out at rest.

And also in transit, when it's traveling across networks. PCI, again, also has requirements three and four that, again, use that kind of breakdown between data at rest and data in transit. HIPAA, I'll talk about in a minute. And like I said, NIST gets a bit more elaborate in the terms in 800-171, talking about cryptographic mechanisms. They'll get into detail of things like use FIPS-certified cryptography for the transmission of data. But again, once you have a good security practice in place, where you're encrypting your data both at rest and in transit, you can then map that and apply that to all of the different regulations that we mention there.

So for example, HIPAA was actually the one people were most interested in on our poll at the start. And HIPAA, actually, has been very stable and around for a long time. There are specific federal regulations for security controls around HIPAA.

We've mapped a couple of them here, specifically that talk about transmission security. If you go back to the '90s, where patient data in hospitals, health care was all on paper. As it moved electronically, there were a lot of concerns about the security, and privacy, and who has access to that data.

And out of that, HIPAA was born in terms of security controls to make sure things are restricted. So encryption is very important in the context of HIPAA, because you want to make sure sensitive, personal, private patient records are not exposed to people who don't need to see them. And one thing to be aware of with HIPAA, you may think it always just applies to health care.

But be aware of the companies you work with. Are they maintaining health benefits, personal health records for their employees for any reason, if they have a health care plan? They need to be aware of some of the HIPAA requirements. But again, a good cybersecurity control framework and best practices will help them out. And again, they specifically call out mechanisms to encrypt and decrypt electronic protected health information. So that's a term you'll hear a lot in HIPAA.

Basically, every regulation has kind of their own term of art for private information. In the case of health care, it's electronic protected health information. And of course, PCI is very much concerned about credit cards and things like that. Another best practice you'll see across all the different regulations is continuous vulnerability management.

It's not just a matter of setting up and defining best practices, but you need to audit and test that on a regular basis. And so again, using CIS as a lead reference: automated vulnerability scans. And like other regulations, they'll call out specifically internal enterprise assets, but also externally exposed enterprise assets. So it's not enough just to be vulnerability scanning internally.

And PCI DSS, again, a lot of commonality across these things. They specifically call out that both external and internal vulnerabilities should be regularly identified and addressed. And again, NIST, they say scan for vulnerabilities.

So you need a good regular vulnerability testing and scanning program as part of any compliance initiative. And this one, we specifically called out because it can maybe be a bit subtle what it means, only allowing authorized software and systems. And of course, CIS leads off with inventory and control. They break it into hardware assets and software assets. I've combined it here. But basically, they're asking people to address their unauthorized assets on a weekly basis even as a good practice.

And PCI DSS actually gets into the specifics of unauthorized wireless access points. And that's something we see in PCI. I've always found, working with PCI going all the way back to 2004, that they've had a strong emphasis on Wi-Fi and wireless security. I think a lot of that came out because of the original TJ Maxx hack, which was one of the first huge breaches that exposed a huge amount of credit card information and started over wireless networks. They've always had a special emphasis on that. And of course, NIST talks about unauthorized software.

Make sure you're only using authorized software on your networks and systems. This is maybe a good opportunity to drill a bit more into PCI DSS. So Matthew, you want to tell us a little more about that? Absolutely. Thank you, Brendan. So what is PCI DSS? The Payment Card Industry's Data Security Standard. Like Brendan mentioned just a moment ago, it started in around 2004.

It started in 2004 by the PCI Security Standards Council, comprised of a lot of the major credit card associations. They make the guidelines around what is needed to be secure and what is needed to be fully compliant with their standards. So achieving PCI compliance means that you have met those technical requirements of the PCI DSS standard. So you may be aware that in March of last year, PCI launched their version 4.0.

And while this is their newest version, the 3.2.1 version is still applicable until March of next year, 2024. But this is the new standard. A lot of the compliance companies will be testing on the updated standards in PCI 4.0. Just to highlight what are some of the new things about the PCI DSS 4.0 standards, there's a lot of, of course, interest in maintaining the security needs of the payments industry, keeping up to date with latest technologies, keeping up to date with new things that can happen.

And let's see. Of course, one of their requirements is to promote security as a continuous process, right: continuing to assess vulnerabilities, to do external and internal vulnerability scans and testing, is all part of the PCI standards. Included, interestingly, as part of the new PCI standards, like Brendan mentioned, the PCI has always been very strong about the vulnerabilities around wireless, including the ability to detect rogue access points. In the PCI 4.0 standard, there was a very huge clarification around wireless scanning. It means the new regulation is that even if a card network, a network that processes or holds cardholder data, doesn't use wireless itself, that network still has to be able to scan for rogue networks, rogue access points in the airspace, which is really important. And I think it's a very forward-looking requirement for the PCI and for security in general.

So like I mentioned, rogue access points are really important. And so I'd like to take a moment, of course, to talk about what a rogue access point is, right. A rogue access point is an access point on your network, usually on your protected networks or your secure networks, that's broadcasting an SSID that's not expected to be there. Rogue APs are generally thought of as kind of two kinds. There might be one that people call, well, unintentional.

Somebody brought in their home router and plugged it into the network, and it's broadcasting an SSID so that they can connect their personal devices that might be at their desk or at the office. And then of course, there are malicious rogue access points, where somebody with the intent of intruding on the network, trying to either collect data, steal data, or inject some kind of malware or something into the network, puts an access point on the network so they can control their own internal access, like a backdoor. Both of these sorts, of course, we consider to be severe threats. They're not good things to have on your network, even the unintentional one, where somebody might bring their own AP into the office to connect their own devices. The reason that is a vulnerability, and a possible cause for non-compliance, is that those devices often are set up with weaker connection protocols. They may still be set up with the default passwords for either connecting to or management of those systems.

So it's a huge vulnerability in the network even if somebody is doing this without kind of malicious intent. So thanks, Matthew. I really like the PCI emphasis, because it's a good example of where different control frameworks and regulations really talk about making sure you don't have unauthorized software or network equipment. But PCI really drills into this concept of rogue access for Wi-Fi and scanning for that.

Just because of time, we couldn't cover everything related to cybersecurity in this webinar. But we wanted to pick these six examples to show people good cybersecurity practices are common across different regulations. Maybe there's some variations on a theme, like we just talked about PCI and the emphasis on Wi-Fi. But really, as an MSP, as a partner, pick a control framework.

I saw someone mentioned CIS. That's a great one. If that's your thing, use that as a guideline, and then map that to different regulations as you work with different verticals and customers. As you look at these control frameworks, there are many more areas than the six I picked.

After we put this webinar together, I actually thought, hey, for giggles, I'll just ask ChatGPT for six best practices. And four of them aligned with the answer. And what was funny, I asked again a day later, and I got a different six from ChatGPT.

But it still had the same core four. There are a lot of other things. We tend at WatchGuard, of course, to emphasize the areas that we have solutions for. So for example, physical security, card readers, making sure your doors are locked, basic security practices like that.

Important, but not something we emphasize as much because we're a technology company in software and security. But different things, like account management, password complexity, incident response and management. Security awareness for your employees. Pen testing. Not just scanning for vulnerabilities, but having a good program in place to actually remediate, patch, and fix those vulnerabilities is important.

If you're writing code in a company, you need to have good code security practices, good backup and recovery, intrusion detection, anti-malware. Of course, areas we're interested in. As we talk about encryption, control frameworks will get into other details, like how you manage keys and things like that, which is important as part of any type of encryption. So a lot of other areas of emphasis. And we could go through all this and emphasize how different regulations have common themes and look for the same things.

But I think the six we picked will give a good example of that. Be aware that as you look at different verticals, things may get a bit more specific. For example, KCSIE, Keeping Children Safe in Education in the UK, actually has some requirements around keyword filtering for search engine searches. So some regulations in specific verticals will go deep in specific areas. So that's something to be aware of and look at as you get into that. How do WatchGuard products help? We have our unified security platform, where we have four different core product areas at WatchGuard.

I mentioned network segmentation. Felicia kindly pointed out I should highlight isolation as part of that too. And of course, with our network security solutions, our firewalls, you can really implement segmentation and isolation of networks. Matthew, secure Wi-Fi. Can we help with rogue access scanning? Absolutely, we can.

Right now, with our access points managed by WatchGuard Cloud, we do have a beta feature for our airspace monitoring and new firmware to help the APs be able to scan for rogue APs and evil twin access points in the network. Actually, that feature will be going live later today as GA. So we really recommend upgrading the firmware to the latest on these APs and then enabling this feature for airspace monitoring to take advantage of the security features that are available with scanning. I can go into a lot more detail, of course, on how we're going to be using the data from that in our ThreatSync to help use other components, other WatchGuard devices and products in the network, to help mitigate against it rather than relying on the Wi-Fi alone. But I'll go ahead and stop there for time's sake.

OK. I like that, Matthew, sliding in a little product announcement there. But it's great to see that rogue access scanning capability coming to our Wi-Fi 6 access points.

What about multi-factor authentication? Does WatchGuard have anything for that? Of course, we do. We have our AuthPoint. And I love using AuthPoint myself. I've used AuthPoint ever since we had it in beta.

And I love to show it off, how I can use it not only for my WatchGuard connection devices for VPN multi-factor authentication, but I use AuthPoint as my token keys for a lot of my other external social media or other kinds of accounts as well. So absolutely, AuthPoint is one of my favorite tools at WatchGuard as well. Yeah.

And endpoint security kind of ticks the boxes for some of the obvious ones, where we talked about anti-malware, malware detection. But there are some capabilities in there that really help, like where we talk about authorized software. The zero trust application service in our WatchGuard endpoint security suite will ensure that only approved software and applications are going to run on your system. Also, we have additional modules in our endpoint security suite that look at patch management. So that can really help with your vulnerability management system, addressing things like that.

So a very comprehensive set of capabilities that go beyond just basic endpoint anti-malware detection and really can help you as part of a compliance program. So that can help. A couple of people have asked, will the slides be available? Absolutely. We'll make everything here available. We've put a few links in for people who want to do follow-up research on things like CIS or some of the NIST standards, PCI. When it comes to WatchGuard resources, someone asked in the chat, what about mapping CIS to WatchGuard products? I actually have a draft of that available. So if anyone's interested in seeing that, put a comment in the chat or the questions, and we'll get a copy of that to you.

I'd be interested to hear some feedback on that. Felicia, I'm talking to you. And we also have a mapping of our NIST controls to WatchGuard products available.

So we can follow up and make that available to people. We have compliance web pages. And in fact, Matthew, PCI, you have an update there too. Yes. I've been working with our marketing team to help update our PCI whitepaper.

And that should be live-- I believe it is live today as well on our PCI compliance pages at WatchGuard. So the whitepaper is updated with new language, not only for the updates in PCI DSS 4.0, but to help better reflect all of the WatchGuard products, not just our firewalls and Wi-Fi as our UTM, but all of the WatchGuard products that can help maintain PCI compliance. OK.

With that, today's topic, again, with the limited time we have available, before we get into questions, I saw someone had said, I'd like to see more webinars in this type of area. Which types of topics would you like to see WatchGuard cover? Like Matthew's great expertise in PCI. We can do a webinar specific to that if we see the interest in that.

Sofia obviously knows so much around GDPR, privacy regulations. And so we're interested in adding more to this series and seeing how we can help people out. So actually, interesting, we kind of see a good spread around different things. Again, it kind of matches what we saw earlier, HIPAA and so on. We have some content around HIPAA. So I'll work with the team to get a more detailed webinar scheduled on that.

We'll get into the more specifics of the technical security controls, and also how WatchGuard solutions can help, just to show that to people quickly. So again, PCI DSS, GDPR, CIS controls. It's kind of an interesting spread around the different areas there. So we will have follow-up material available.

We have time for some questions. And I can see the question window has been pretty busy here. Let's start off with one for Sofia around GDPR. There's been a lot of discussion in the GDPR area around adequacy rulings, and transfer of data from Europe to the United States, and what that means, and some of the court challenges. And someone said, we hear there may be an adequacy decision for the US soon. So maybe you can fill us in some more on what's happening there.

Yeah, sure. Well, thank you for your question, first of all. And then I think it's important to understand that the European Commission has not adopted the adequacy decision for the United States as of today.

So whatever transfer mechanisms you were relying on in the past and up until now, you should still rely on those and wait for the adequacy decision to be finalized by the European Commission and sort of finally adopted. We are also very much expecting this to happen and looking forward to that. However, another thing to remember here is that only certified companies will be able to rely on this new data privacy framework. And in order to be certified, you have to actually either certify with the Privacy Shield that is effective right now, and then fix your privacy practices so that they are actually compliant with the new data privacy framework, or just wait and then certify at the point when it's going to be enacted.

Yeah. So this is just to keep in mind. We should still be relying on those mechanisms if you were relying on them before, and wait for that privacy-- for that adequacy decision to be enacted.

OK. Thanks, Sofia. Matthew, I've seen a few questions or interest come in about the PCI whitepaper, to make sure people get notified about that. So if you could remind people how they can get their hands on that and when it will be available. Sure, I can do that.

I will make sure-- I saw that there was a suggestion about providing a blog post. So I'll work with marketing to make sure that there's a blog post highlighting the updated whitepaper that gets sent out in our partner news. And as soon as I can find the actual link, I will make sure that that's posted here if I can.

OK. Quite a few people are asking for follow-up information on CIS. So we will get that to people. Web content filtering for CIPA and Chromebooks through the Firebox, so kind of an enhancement request level there. There are some things we can do with DNSWatch on Chromebook. But again, if the Chromebook traffic is going through a firewall network, we'd be able to do web filtering around that too.

I think the requests come in where people are maybe in an education setting, taking a Chromebook away from the protected network. So that's something we should look at more. Let's see what else we've got. Someone-- as we talk about crypto, I mentioned FIPS certification, which is something WatchGuard has available. FIPS certification applies to a specific firmware version. Because as NIST goes through that, basically the process is we use strong cryptography.

It goes through a lot of testing by NIST. And that takes time to run through. We are in the process of updating our FIPS certification to FIPS 140-3 for all the WatchGuard models. It's a lengthy process, so it probably will take towards the end of this year. Again, watch for WatchGuard product blogs for information as we progress through the testing cycle for FIPS 140-3 too.

It's a relatively newer version of the FIPS standard. So we're progressing from 140-2 to 140-3 for WatchGuard products. And all of our current products will be certified to that. Let's see what else we've got here. A lot of people are asking for access and references to the useful content. So we'll make sure that is available.

Someone said, you mentioned keyword filtering for KCSIE. Are there any plans to add this for the Firebox? We do have search engine filtering for KCSIE available now with the Firebox in our WatchGuard Cloud reporting. So that is a feature that we actually call Safeguarding within WatchGuard Cloud. And we filter search engine content against a set of keywords we get from the Internet Watch Foundation in the UK, and can alert when any of those concerning terms may show up in the search engines. It's of interest in school areas. That's a feature we've had for a while now.

I think a few months. And we continue to expand it. We're going to add more sources of concerning keyword content into the list we track against there. We also have a search engine report in WatchGuard Cloud, where you can just see which search engine keywords or terms have been used by people behind the firewall as well. So that's a useful one.

It doesn't alert on specific terms, like our Safeguarding feature, but it is available for people who want to monitor that. Matthew, maybe I'll address this one to you. How about protecting our WatchGuard accounts? I'm very concerned about global access to it. Can it be restricted to a particular IP address? So while you're thinking about that one, one thing I will highlight, as we talk about best security practices and concerns and complying with regulations, is that this also applies to all of the tools you're using.

So things like MFA don't just apply to your applications; also apply MFA to your logins to WatchGuard Cloud. Password complexity, apply that. Have long passwords for your firewalls. So all of the good practices apply, not just to the products you're securing, but also to the security products you're using yourself.

Right. Yeah. I absolutely agree. The ability to apply MFA to your WatchGuard account so that it helps to protect logins to WatchGuard Cloud is something that I think helps in this area, as well as certain things, like making complex passwords.

I use a password manager for all my passwords. And I use it to help generate passwords that are at least 20, 25, sometimes 30 characters if the website will allow it. And I don't know my passwords anymore. They're all complex jumbles of letters, and numbers, and special characters. So I can just copy and paste them from my password manager.

But yeah, absolutely. This is something we can look into if we wanted to have the ability to restrict specific accounts and say that login to this account is only available from specific IP addresses. That might be something to look into. Yep.

And I see we're coming up against the top of the hour here. So if you have a question we didn't get to yet, we can follow up. We have people's names and emails for following up. One final question I see, product related. Someone asked about DNSWatch needing to be integrated into WatchGuard Cloud to make it useful for a managed service provider.

Good news: that is coming. We have a team working on that. It's expected probably around early Q3 of this year. And we have some kind of detailed user experience mockups around that.

And it will be fully integrated into the multi-tenant system in WatchGuard Cloud for managed service providers to use. So I'd like to thank everyone for your time today. Very much kind of an introductory overview of regulatory compliance. And if there's one takeaway, it's this: have a good information security practice, a control framework. Use that to map to the different regulations that are out there. If you have good cybersecurity hygiene and practices, that will help you with all sorts of different regulations that you'll encounter in the companies you need to work with as an MSP.

So thank you, everyone. Thank you so much, Brendan, Matthew, and Sofia. [MUSIC PLAYING]

2023-05-12