Information Security Archives - MGO CPA | Tax, Audit, and Consulting Services

10 Critical Questions for Reducing Information Technology Risk in Tribal Gaming

Key Takeaways:

IT operational assessments help Tribal nations and gaming enterprises by enhancing efficiency, security, compliance, and overall business performance.

Tribal nations can use this 10-question checklist to evaluate current IT practices; identify areas to improve security, compliance, and risk management; and guide future strategic planning and decision-making.

Your Tribal nation and its gaming enterprises demand robust and secure information technology (IT) systems. IT operational assessments can significantly contribute to the overall success and sustainability of your property — helping you identify vulnerabilities, optimize systems, verify compliance, and enhance guest experiences.

Checklist: 10 Key IT Questions You Should Be Asking

Understanding the importance of IT assessments for your Tribal nation and gaming entities begins with asking these questions:

1. How can we identify potential vulnerabilities in our technology?

Conducting thorough evaluations of your systems, networks, applications, and data assets helps to pinpoint security weaknesses and potential risk within your systems before they can be exploited. Regular assessments help improve defenses against cyberattacks, fraud, and data breaches.

2. What steps should we take to enhance our security posture?

By evaluating the current IT infrastructure, you can identify outdated or inefficient systems and processes that need upgrading or replacement. Streamlining processes through better technology integration can lead to more efficient operations, reducing downtime and increasing productivity. By enhancing your cybersecurity, you safeguard critical data and increase stakeholder confidence.

3. How can we achieve regulatory compliance in our Tribal gaming and business operations?

Maintaining compliance with industry standards and regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), and other relevant security frameworks, can provide a roadmap to identify risk while upgrading and optimizing IT systems.

4. What strategies should we use to manage risks effectively?

Prioritizing risks based on their potential impact is essential for effective risk management. Allocating resources efficiently to address the most critical threats allows for a comprehensive risk management strategy tailored to the unique needs of your Tribal nation and its gaming entities. This proactive approach helps mitigate potential risks before they become significant issues.

5. How can we support a disaster recovery and business continuity plan?

Continuous gaming and business activities play a pivotal role in the success and reputation of your Tribal entity. Preserving the integrity and availability of your IT systems is indispensable in shielding your operations from potential disruptions. By building a plan, your organization will be able to handle IT incidents efficiently and recover swiftly when challenges arise.

6. What methods can we use to review and update our IT policies and procedures effectively?

Evaluating your current IT policies and procedures for comprehensiveness and relevance keeps them effective. Updating your policies to reflect the latest industry standards and regulatory changes keeps them applicable. And facilitating enforcement and adherence minimizes the risk of IT-related incidents and enhances your overall security.

7. How can we prevent unauthorized access to sensitive data and systems?

Reviewing user access rights, privileges, and authentication mechanisms is essential for preventing unauthorized access to sensitive data and systems. Also, by implementing a robust third-party vendor evaluation process and access controls, you can help mitigate the risk of data breaches and protect valuable information. This process is critical for maintaining the security of your Tribal nation operations and gaming entities.

8. What actions are necessary to secure our network architecture?

To identify vulnerabilities in firewalls, intrusion detection and prevention systems (IDPSs), virtual private networks (VPNs), and network segmentation practices, a thorough evaluation of your network architecture, configuration, and security controls is necessary. Addressing these weaknesses enhances your network security and prevents potential points of compromise. A secure network architecture serves as the foundation for a resilient IT infrastructure.

9. How can we protect our data assets?

Maintaining data protection measures such as encryption, data loss prevention (DLP) controls, and backup procedures is vital for the confidentiality, integrity, and availability of sensitive information. By protecting data against unauthorized access, disclosure, or alteration, your organization can safeguard its critical assets and keep your IT systems secure.

10. What measures should we take to prepare for incident response and maintain effective IT operations?

Establishing efficient incident detection, reporting mechanisms, and escalation processes helps minimize damage and reduce recovery time during IT incidents. Being ready for incidents allows your Tribal nation and gaming entities to respond quickly and effectively to any disruptions.

Strengthening Your Tribal Nation with IT Assessments

Regular IT assessments are not just a regulatory requirement but a strategic necessity for your Tribal nation and its gaming entities. By investing in IT assessments, your organization can protect its digital assets, support business continuity, and maintain stakeholder trust. Stay ahead in the digital age by making IT assessments an integral part of your IT strategy.

For more insights and to explore how our IT advisory solutions can fortify your Tribal enterprise’s defenses, visit MGO’s IT Advisory Solutions.

SEC Adopts Rules on Cybersecurity Risk Management

Executive Summary

The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose “material” cybersecurity breaches within four days of determining its materiality.
The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
Registrants must also include their risk management, strategy, and governance disclosures in their 2023 annual reports.

The SEC wants public companies to be more transparent with its investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new rules on disclosure to promote clarity surrounding “material” breaches and what’s being done to combat them. And it wants them to do this within four days of determining if a cybersecurity breach was material on Form 8-K.
However, delays may be permitted if immediate disclosure of the breach could pose a national security or public safety risk.

Defining “material” disclosures

According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Why is the SEC implementing this rule change?

The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. In their fact sheet they note: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”

But corporations are contesting the rules, arguing this short announcement period is unreasonable — and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.

What are the requirements for risk management, strategy, and governance disclosures?

Public companies will be required to disclose their cybersecurity breaches within a four-day time period. This disclosure must include additional details too, like the timing of the incident, its impact on the company, and management’s expertise on cybersecurity in Form 10-Ks (and Form 20-Fs for Foreign Filers).

How will the SEC cybersecurity rules affect you?

The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.

Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies (FBI). Last year, the Cybersecurity and Infrastructure Security Agency (CISA) adopted cybersecurity rules that require critical infrastructure entities to report breaches within three days to CISA. This reporting duplication could prove confusing and time-consuming.

Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they’ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.

The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.

Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.

How we can help

It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner— and make progress towards compliance with the SEC’s new rules.

If you are ready to assess your cybersecurity posture, or you have questions about
how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.

State and Local Cybersecurity Improvement Act Update: Get Started Protecting Sensitive Data and Systems

On May 18, 2021, the House of Representatives passed the State and Local Cybersecurity Improvement Act (SLCIA) to address cybersecurity vulnerabilities and promote additional cybersecurity collaborative efforts between the Department of Homeland Security (DHS) and state, local, tribal, and territorial governments. The bipartisan bill was received in the Senate on July 21, 2021, read twice, and then referred to the Committee on Homeland Security and government affairs, where it has been sitting since. Once it passes, it will go to the President’s desk, where it will then immediately provide incentives to address the increasing danger of malicious cyberattacks on state and local IT infrastructure.

Giving state and local governments the resources to protect against hackers

The SLCIA updates the Homeland Security Act of 2002 to give the DHS leeway to utilize centers like the Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC). This will allow them to work with state, local, tribal, and territorial governments as needed, upon request.

This collaboration will encourage conducting cybersecurity exercises and hosting trainings meant to address current or future cyber risks or incidents. It will also provide operational and technical assistance to state and local governments to implement security resources, tools, and procedures to improve overall protection against attacks. The goal is to provide state and local governments with the support they need to defend themselves from hackers.

Resources to bolster government security capabilities

The SLCIA establishes a $500 million DHS grant program that will empower government institutions to increase their focus on cybersecurity. The bill also:

Requires CISA to develop a strategy to improve cybersecurity of state, local, tribal, and territorial governments, enabling them to identify federal resources to capitalize on as well as set baseline objectives for their efforts;
Indicates state, local, tribal, and territorial governments must develop a comprehensive cybersecurity plan to guide their usage of any grant money they receive;
Establishes a state and local cybersecurity resiliency committee made up of representatives from state, local, tribal, and territorial governments to provide awareness of cybersecurity needs; and
Enjoins CISA to assess the feasibility of a rotational program for the detail of approved government employees holding cyber positions.

The bill gives state and local governments the push they need to begin defending their networks. This can include the development of new strategies to boost their cybersecurity capabilities and acquisition of the funding needed to ensure their implementation. By investing in cybersecurity ahead of an attack, an entity is more likely to save money and protect its data.

Assessing eligibility for cybersecurity grants

Cybersecurity grants are available to municipalities of all sizes — but it’s important to start strategizing now by considering your IT infrastructure and cybersecurity frameworks. By applying for the grants, you indicate that you are taking your entity’s security seriously and taking the proper steps to qualify.

The State and Local Cybersecurity Improvement Act will provide up to $1 billion in grants for state, local, tribal, and territorial governments, allowing them to directly address their cybersecurity threats and risks. The program’s funding starts at $2 million for 2022, $400 million for 2023, $300 million for 2024, and $100 million for 2025.

To be eligible, an entity must:

Maintain responsibility for monitoring, managing, and tracking its information systems, applications, and those user accounts owned and operated by the government;
Show it has a process of continuously prioritizing the assessment of its cybersecurity vulnerabilities and threat mitigation practices; and
Have a tangible plan that outlines:
- How to manage and audit network traffic.
- How the government plans to use the information to improve its systems’ resiliency and strength.

Our perspective

While the bill is still waiting on the Committee on Homeland Security and Governmental Affairs there are some things you can do to make sure you are ready. State and local governments should focus on building teams that can handle the grant application process — and be prepared to implement once awarded. This bill indicates that governments are past the point of merely updating a firewall or running a generic virus program — things like multifactor authentication and zero-trust architecture are viewed as the next steps (which was required for federal agencies in a 2021 executive order).

How we can help

Prior to starting the grant application process, your IT leaders should start thinking about how to handle security gaps with various procedures and consistent tests. MGO can help. Our Technology and Cybersecurity team can provide guidance as you prepare for the future.

About the authors

Francisco Colon is a Partner at MGO with extensive experience in external audit, fraud examinations, litigation support, operational and internal controls reviews, and buyer/seller due diligence. He specifically focuses on assisting organizations with evaluating and updating their internal controls with a focus on strategic alignment and fraud litigation deterrence management in a variety of industries, including tribal government, gaming, technology, cannabis, hospitality, government contracting, distribution, manufacturing, and private equity. Contact Francisco at [email protected].

Cybersecurity Culture: Empowering Your Employees

by Joshua Silberman, IT / Cyber Security Consultant, MGO Technology Group

Are your employees comfortable telling leadership about a potential problem at your company? Now ask yourself, are they comfortable telling leadership about a potential mistake? A large number of today’s cyberbreaches often begin as the result of an innocent mistake by an employee. It might be sharing a password over an unprotected median, a nefarious actor grabbing a picture of an employee’s laptop screen while they are working in public, or as is most common, an employee clicks on an innocuous link from a phishing email. What most employers may not realize is that many employee’s common sense regarding breaches is actually pretty good. At the very least they will suspect that something is amiss, which could be the first step in detecting a potential breach. Empowering your employees to actively look for, and report on, potential breaches goes a long way to helping your organization build a strong cyber security culture.

Creating a positive cyber security culture

The first step is to educate your employees on what to look out for when it comes to cyber and information risk. Many firms employ some form of basic cyber-security training, mostly at the time of on-boarding, but training usually ends there. Cyber security is an ever-shifting landscape where threats are always evolving. This is why it is important for firms to enact a year-round cyber security awareness program based around employee activities. A good employee-based cyber security awareness program will be light on technical jargon and focused on highlighting the vulnerabilities of the processes and systems that all employees use in their day-to-day work, such as instant messaging, answering e-mails, browsing the web, and sending documents through authorized and unauthorized means of file sharing. There is no great need to get into the technical details of how an attack might happen, but rather acknowledge that the danger is out there and focus on what employees can do to look out for potential dangers, such as noticing strange URL’s and suspicious e-mail attachments from unrecognized users. Consistently educating employees on current cyber threats and methods will give them the tools to identify a threat and be proactive in helping your company stop it.

Encouraging active breach and threat reporting

Training employees to spot the dangers is only half the battle. The other half is generating an effective reporting culture. No cyber security strategy is complete without a good cyber security reporting culture that puts a premium on reporting potential breaches. Here are a few suggestions to create a positive culture of reporting:

Have the team that provides your first level IT Support lead awareness/education sessions, as they will mostly likely also be the first point of contact for reporting potential breaches. The sessions can be developed by an outside consultant or an internal cyber security professional, but building a repertoire between those who should be reporting the incident and that first point of contact provides a sense of comfort that your employees are reporting the issue to the right group in the correct way.

In training, the IT support staff should make clear that reporting a threat is NOT a burden and that employees should err on the side of caution. If an employee receives an e-mail they find suspect they should not hesitate to contact their IT department through the designated reporting means.

Everyone from the organization must know and believe that the consequences of reporting a potential mistake will not be dire. Beyond feeling comfortable reporting suspicious activities, employees must also feel comfortable in reporting suspicious behavior that might be a direct result of their own actions. If an employee feels that admitting a mistake will be detrimental to their career they will keep quiet and a potential breach oversight could occur. Admittedly, this strategy carries some risk as you do not want certain behaviors to be consequence-free. However, the scope of consequence must be weighed against the actual action.

For example, an employee need not be officially reprimanded for admitting to clicking on a suspicious link and reporting it, but it would be prudent for the IT support staff to point out what could have been done differently to avoid the infraction. If the employee becomes a repeat offender, then a more official process might be warranted. Until then, simply pointing out of the issue should be enough to change behavior while maintaining a culture where employees are not fearful of bringing an issue forward.

Strong and proactive cyber security culture starts at the top

When setting the company’s cyber security policy, upper management must keep an eye toward baseline employees who perform the day-to-day actions of the company. Clear signals about saying something if you think something is wrong can go a long way toward changing your company culture. Having a strong IT or Cyber Security group is simply not enough when your own staff could unknowingly be your cyber Achilles Heel. There is a saying in cyber security that “every employee is a potential vulnerability.” However, if trained and leveraged correctly, your employees can also act as another safeguard, actively working to protect your information technology environment.

If you have any questions or would like support developing and implementing an effective cyber security program, reach out to the MGO Technology Group for a consultation.