At a glance.
- Wisconsin incident notification law.
- CISA releases advice for optimizing enterprise security.
- CISA involved in three proposed US federal cybersecurity standards.
New Wisconsin incident notification law.
The US state of Wisconsin is enacting a new data security law that will require entities that are licensed, registered, or authorized with the Office of the Commissioner of Insurance to notify the commissioner within three days of a cyber incident, instead of the forty-five days allowed under the existing Wisconsin Data Breach Notification Law. Having come into effect on November 1, Wisconsin’s Insurance Data Security Law was developed in collaboration with the Professional Insurance Agents of Wisconsin, Inc. Lexology explains that under the new law, licensees must protect nonpublic information (defined as electronic information that could be used to identify a consumer) by conducting risk assessments and establishing a data protection plan based on the results.
CISA releases advice for optimizing enterprise security.
Last week the US Cybersecurity and Infrastructure Security Agency (CISA) published a Capacity Enhancement Guide (CEG) aimed at helping businesses detect weaknesses and improve enterprise security, Security Week reports. The guide incorporates an Enterprise Mobility Management system checklist specifying best practices for protecting enterprise-managed mobile devices. The guidance includes using devices that meet enterprise requirements, implementing automatic updates through a Mobile Device Management system, establishing a policy regarding trusted devices, and withholding access for untrusted devices. Other recommendations include requiring strong authentication on the enterprise-trusted devices, exercising strong app security, disabling radios such as Bluetooth and Wi-Fi when not in use, ensuring mobile devices are secure by using Mobile Threat Defense systems, and making sure mobile devices are not connected to critical systems.
CISA involved in three proposed US federal cybersecurity standards.
CISA is seeking industry feedback on new measures to improve federal civilian email security. FCW explains that CISA’s intent is to better defend federal civilian executive branch email systems and federal networks against malicious content, while also advancing the agency’s activities aimed at incident prevention, mitigation, and response. The request for information adds that CISA will obtain deeper authority over agency email systems: “Agency email service operators and administrators will continue to perform their operational mission. They will have access to their agency [protective email service] data and additional policy settings but will not be able to override CISA globally provisioned policies.” Responses are due by December 20.
ExecutiveGov reports that CISA and the Department of Defense (DOD) collaborated in creating a five-step guide to help agencies define federal use cases for new 5G wireless communications equipment. The guidelines are intended to help agencies identify an assessment boundary and security requirements, and to identify any gaps between those conditions and federal assessment and authorization policies. Vincent Sritapan, who leads new services innovation in CISA’s Cybersecurity Quality Services Management Office, has stated that the aim of the collaboration is to address “the need to assess 5G technologies and incorporate it into our operational environment.”
A new proposal from the US Government Accountability Office is asking CISA, when reviewing transactions with US entities, to consider whether connected software applications have been deemed secure by a reliable third party. Nextgov.com notes that, in response to a June executive order from President Joe Biden, the Commerce secretary is suggesting that auditing of connected software applications be added to the list of criteria for approving transactions involving data and communications technology. Third-party audits have become a source of much debate, and the Commerce Department has requested public comment on criteria governing connected software applications.