Profile


Laura Raderman

My Content

1 to 14 of 14 total
Posted By Laura Raderman 12-04-2024 07:26:33 AM
Found In Egroup: Cybersecurity
Depending on if you're talking about DoD/CMMC work or "just" 800-171, you may have to consider a cloud service provider that is FedRAMP Authorized ("or equivalent", but it's easier to be authorized). Just something to keep in mind when you are looking - that usually increases prices by about 30%. We ...
Posted By Laura Raderman 11-13-2024 09:46:26 AM
Found In Egroup: Regulated Information Security Compliance
https://learn.microsoft.com/en-us/azure/azure-government/compliance/azure-services-in-fedramp-auditscope 800-171 - yes, CMMC/DFARS 7012 - no (there are differences in requirements and scoping between the two) https://techcommunity.microsoft.com/blog/publicsectorblog/understanding-compliance-betw ...
Posted By Laura Raderman 11-04-2024 09:57:24 AM
Found In Egroup: Regulated Information Security Compliance
I can't speak to your GRC software tool, but as an assessor, we look for documentation that is being "used" - whatever form makes the most sense for your organization, given your size and organization - assessors don't care as long as they're not in draft format. The important part is that you do address ...
Posted By Laura Raderman 07-17-2024 06:29:00 AM
Found In Egroup: Cybersecurity
It's not exactly cliff notes, but is the authoritative source for determining whether you meet a 800-53 control: 800-53A. Each control has assessment objectives that need to be met to meet that control. https://csrc.nist.gov/pubs/sp/800/53/a/r5/final Neither document includes examples of how to ...
Posted By Laura Raderman 05-10-2024 08:41:00 AM
Found In Egroup: Regulated Information Security Compliance
You could have them automatically unlock as well, there's no specific requirement on who or how the accounts unlock, only that they lock to start with. So, it's completely reasonable to have the accounts lock out after 5 failed attempts within 10 minutes, and they automatically unlock after 10 minutes ...
Posted By Laura Raderman 05-10-2024 06:58:00 AM
Found In Egroup: Regulated Information Security Compliance
r2 only says "limit unsuccessful logon attempts", with the AOs being: [a] the means of limiting unsuccessful logon attempts is defined; and [b] the defined means of limiting unsuccessful logon attempts is implemented There is no requirement of a lockout. r3 however, specifically requires a ...
Posted By Laura Raderman 02-28-2023 07:58:00 AM
Found In Egroup: Regulated Information Security Compliance
Export Control is technically a type of CUI (specified) under NARA's registry: https://www.archives.gov/cui/registry/category-detail/export-control.html and https://www.archives.gov/cui/registry/category-detail/export-controlled-research It has limited distribution statements in addition to the 800-171 ...
Posted By Laura Raderman 12-09-2022 05:55:00 AM
Found In Egroup: Cybersecurity
Surprisingly for us the hardest issue has been the MFA requirement for "any individual" accessing in-scope systems (314.4(c)(5)) - in our case that includes parents and admitted (but not matriculated) students - using Cirrus Identity, and reducing the number of "connected systems" that are in scope. ...
Posted By Laura Raderman 12-02-2022 06:30:00 AM
Found In Egroup: Regulated Information Security Compliance
I'm on PTO that week, but I don't have any plans yet, so I could probably join ------------------------------ Laura Raderman Policy and Compliance Coordinator Carnegie Mellon University ------------------------------
Posted By Laura Raderman 08-26-2022 02:01:00 PM
Found In Egroup: Cybersecurity
1. We have only gotten 2 PrivacyHawk requests, but I get about 8-9 Mine requests every week, and we've also gotten a request from Privacy Bee 2. I'm handling these as the primary access to our privacy/request email (gdpr-info@andrew.cmu.edu) 3. For PrivacyHawk, which asked us to not sell data, we responded ...
Posted By Laura Raderman 06-23-2022 12:17:00 PM
Found In Egroup: Cybersecurity
Come work for me at Carnegie Mellon University! Our training and awareness position is in our "GRC" organization (aka me) as much of the training we provide is compliance focused. However, our previous incumbent participated in National CyberSecurity Awareness Month, and created some great and fun training ...
Posted By Laura Raderman 06-07-2022 07:58:00 AM
Found In Egroup: Regulated Information Security Compliance
Count me in, I've already done a lot of work at CMU for our requirements (includes private Data Use agreements, so not really shareable without some massaging). ------------------------------ Laura Raderman Policy and Compliance Coordinator Carnegie Mellon University -------------------------- ...
Posted By Laura Raderman 06-07-2022 07:56:00 AM
Found In Egroup: Regulated Information Security Compliance
800-171 is a subset of 800-53 Moderate (the appendixes of 800-171 show the exact mapping). The appendix also describes how they determined which 800-53 controls to include (or exclude). ------------------------------ Laura Raderman Policy and Compliance Coordinator Carnegie Mellon University ...
Posted By Laura Raderman 04-12-2022 07:09:00 AM
Found In Egroup: Regulated Information Security Compliance
MS Teams in the GCC High environment claims compliance (FedRAMP High), so there is that. There's still some disagreement on whether FedRAMP is sufficient for CMMC. ------------------------------ Laura Raderman Policy and Compliance Coordinator Carnegie Mellon University ---------------------- ...