Business Owner’s Guide to CMMC
Ep 17: System & Information Integrity
Watch episode 17 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Subscribe to our YouTube channel for more episodes containing actionable insights and an overview of each CMMC domain.
Video Transcript:
BEN: System and information integrity. Let’s do it.
DAN: Okay, this one, what you’re dealing with, the controls in this domain really focus on looking at malicious code. If you get security alerts, how are you handling them? This honestly, Ben, is a full-time job. If you don’t have a full-time person doing this, you’re using a tool, a SIEM, or something like this to help you get those alerts. When those alerts come down, it tells you exactly, hey we found an opening, we found a breach. Other people are getting attacked down this vector. It allows you to go back and say, okay how am I going to handle that from a business standpoint? Are you scanning? So there’s controls in here that basically say, am I scanning across my systems to make sure I don’t have any of those vulnerabilities? And is the malicious code patched? So this deals with the integrity of your system, making sure that everything is as it should be and that I’m not getting exposed.
BEN: Yeah, and then, I think you hit on it, it’s constant. This is not a set it and forget it domain, right? It is the dealing with the alerts that hit your system; dealing with the recommendations from scans. I mean, it’s a constant activity. I know, we obviously support a lot of infrastructures, and we outsource to a security operations center. Because I know I can have 85 people here that are dealing with users and maintaining systems and availability and such, but it’s important to have a whole other set of dedicated eyes that just are looking at it from a security standpoint and dealing with all of the different events and alerts that come from these different security tools that are implemented.
DAN: Yeah think of this as, pretty much, this is your check engine light.
BEN: Yeah.
DAN: When it comes on, it’s all that stuff behind that little light turning on. It says, hey something’s up. So you need to address and that’s what these policies do.
BEN: Perfect. All right, well I think that was good. So thank you, Dan, for joining us. And again, the idea here is to kind of demystify some of the details here so a business owner really understands what they’re trying to accomplish, you know, through this CMMC certification.
Quick plug for Avatara, we provide a platform that helps businesses do this both from an information security standpoint as well as from a compliance and documentation standpoint. We have several defense contractors that are customers and we’ve been in the space for over 10 years, so we’re used to it. And in fact I think at this point it’s our number one niche that we work within. I’ll let Dan plug himself but I’ll plug him previously because we have customers that even though we’re doing a big chunk of this for them, they also would like some third-party guidance on some of the things that they need to be doing on-site specific to CMMC. So Dan and his group is the group that we use and refer to help our customers make sure they’re buttoned up going into these future assessments.
DAN: Yeah, so at Lupa Advisors, what we really do is, we come from the DoD space. Our other director is basically a former CEO of a defense contractor. He’s lived this. He’s actually sold his company and he’s looked at buying other companies. So we go through this on a regular basis and understand some of the pressures and problems and pains that you go through trying to implement something like this. So, think of us as, if you needed a third-party source, we’re happy to come out and work with you. We can have fun going through this. Some of it can be pretty dry, but we take and leverage our experience and our expertise in this realm and try to apply it to your environment.
BEN: Perfect. Thank you, appreciate your time, and thank you everybody.