REVIEW DATE : May 31, 2012
Considering the mishmash of data-breach laws currently in place, businesses can use Co3 to plan ahead and prepare for the worst-case-scenario. Even if the rules get simplified, being able to create details incident response plans is well-worth the money.
PROS: No setup. Up-to-date rules for each state and industry regulations. Generates step-by-step action plan. Creates a clear audit trail to track what has been done.
Some identical reports, only with different names. Performs only legal liability calculations. Price may be too high for some companies.
Co3 Systems Inc
Type: Business, Enterprise
OS Compatibility: Windows Vista, Windows XP, Linux, Mac OS, Windows 7, Windows 8
By Fahmida Y. Rashid
Co3 Systems offers customers a cloud-based Co3 portal ($5,000 for annual subscription) to help businesses calculate the ramifications of a successful security incident–data breach, cyber-attack, or even just a lost laptop–and develop appropriate incident plans long before the event occurs. As recent data breaches, such as the massive one at Global Payments have shown, businesses have to think about and plan what they will do in the advent of a data breach long before it actually happens.
Considering that many of the state regulations and federal compliance requirements require that companies suffering a breach respond quickly, there really isn't time to figure out what to do and then execute the plan. In fact, spending those critical first few days deciding what to do next after data has been exposed can wind up being tremendously expensive for the company.
The cloud-based incident recovery analysis tool from Co3 Systems helps businesses face the worst-case scenario. External attackers have breached the network and wandered off with a sensitive customer database. The top sales guy copied a client list onto his laptop before leaving for a roadshow, and lost the computer and all the data at the airport. A disgruntled executive has copied a customer mailing list onto a USB drive and quit the company.
What Co3 Does
Co3 takes these incidents–and other similar scenarios–and analyzes the important details to figure out if there are any state laws or federal regulations that apply, and what needs to be done so that they don't incur regulatory fines. The application also calculates a total cost of what happens if the business doesn't take those steps in the aftermath of a security incident.
Since it's software-as-a-service, Co3 Systems can easily update its software to maintain the most up-to-date rules about state laws and compliance requirements. Businesses don't have to maintain the list, or remember to update the rules every so often. When they log on to the platform, they know they always have access to the latest information Businesses, focused on preventing data breaches and leaks, often forget to plan for technology and process failures.
For some businesses, shelling out $5,000 (or more) for an annual subscription might seem high, but this is the perfect example of how one should spend money now to save money later. Data breaches themselves are costly. Considering that the Ponemon Institute pegs the total organizational cost of a data breach at $5.5 million, which includes legal liabilities, impaired productivity, and other losses, spending in the neighborhood of $5,000 to reduce the legal liabilities sounds like a bargain. I created an incident report for the Global Payments breach, and saw that despite affecting a "limited" number of MasterCard and Visa users, the payment processor faced over $1 million in potential fines.
Events Vs. Incidents
Co3 differentiates between an event and an incident. Events are things that have already happened, such as someone losing a laptop. Incidents are a bit more serious, as they refer to scenarios that could happen. If that lost laptop had sensitive personal identifying information that wasn't encrypted, then someone finding it could become an incident. Business would list events in the application, keeping track of everything that is happening.
When one of the events develops into an incident, the business can generate an incident response plan and get started on each of the checklist items. Even though Co3 treats events and incidents differently in the interface, but it's not always clear when to draw that line within the application, and it took me some time to get used to making that distinction.
The platform also allows the business to develop simulations to create what-if scenarios to see what could possibly happen in the case of an incident. It is also possible to create privacy impact assessment and risk assessments as part of risk planning.
Patchwork of Regulations
The platform draws on a constantly updated database of requirements from 46 states, three commonwealths, and 14 federal agencies when creating the action list. Businesses have difficulty navigating the various requirements, some of which are more stringent than others. The deadlines for breach notification also vary wildly. Maine, for example, requires organizations to notify the affected customer within seven days of discovering the incident. Other states are more generous, giving a few weeks or several months of time.
The kind of information that has to be disclosed, and the type of language used in the notification letter, also varies by state. Co3 presents templates and necessary forms to simplify the entire process.
Main User Interface
Businesses can either take advantage of the trial or pay for one of the annual subscription plans. The main difference is in the number of "incidents" that can be created and analyzed. The free trial allows only one incident plan, one simulation, but an unlimited number of events. The Co3 Silver plan ($19,000 annually) allows up to 25 incidents, unlimited number of events, users, and impact/risk assessments. The Co3 Gold plan ($34,000) supports up to 50 incidents, two simulations, and unlimited events, users, and impact/risk assessments. Considering the normal pricing plans, the introductory price of $5,000 is a bargain.
After logging onto the platform, I used the wizard to create an event, logging what happened. In the case of a lost laptop, I described what was lost, how it was misplaced, and what kind of information was on the lost device to begin with. I could specify how many customers lived in which states in order to get state-specific information. I also was able to indicate the types of data exposed, such as names, health records, banking information, and others. All businesses are different, so I was able to specify exactly the compliance regulations I was subject to (or just best practices).
It was a very easy process, as all the information is laid out screen-by-screen. There are helpful tips along each step, and the interface makes it simple to skip sections if I didn't have the requisite information. I could always go back and re-enter the missing information and regenerate the assessment.
Once I had all the information in place as an event, the application asked if I wanted to make it into an incident. If I said say yes, the software produced a list of which agencies need to be notified, the timeframe in which the notification process has to occur, how to contact the parties, and the penalties if the deadlines aren't met. It's also possible to look at the actual language of the legislation and regulation driving a particular step on the checklist.
Once I had the incident response plan, I also got to see a very important number: total liability. Depending on the rules which apply to the incident, the total liability can easily run into millions of dollars in potential restitution, credit monitoring, and legal fines. Co3 does not calculate the other costs of a data breach, such as lost productivity, reputation damage, or lost business. In most cases, that big number is not the final cost, but it's also the only number the company has any control over. As long as they complete the steps outlined in the plan on time, they aren't on the hook for those fines. Other data breach costs are not so easily reduced.
With the incident response plan in hand, I could then add notes and assign each task to relevant stakeholders. When things were completed, or reassigned, that could be added to the task. When a task was assigned to someone, that person received an email notification. The fact that notes on the tasks could be threaded as comment fields meant all the relevant discussions were right at the fingertips.
At any given point in time, I could see an updated list of exactly what had been done and what was left. The Co3 dashboard shows all the events and incidents that have been entered, as well as the tasks that have been assigned to me that I needed to complete. The tasks were coded to indicate the status (green, yellow, or red). I could also use reports to track response progress and fulfill audit requirements.
The Co3 platform is designed to help business accomplish a few specific tasks. The events interface allows them to be prepared, and prepare historical information for audit reporting and monitoring. The assessments part of the interface allows organizations to run hypothetical scenarios to understand risks and vulnerabilities, and simulations can be used to practice what could go wrong and make sure everyone in the organization know what to do in case of a real incident.
Each event entered into the system can be analyzed to understand breach scope. Liability assessment was perhaps my favorite part of the tool. There's nothing more attention-grabbing than being able to say, "That laptop you lost? It could cost us $100 million in fines."
Even with all these capabilities, the heart of Co3 is the ability to create incident response plans with a clear workflow that allows businesses to assign tasks and track when they are completed.
Co3 Systems positions the Co3 software to look at the aftermath of a security incident and help the customer when the security technology and processes wasn't enough to prevent the problem. With a detailed incident plan, incident response process time can be slashed dramatically, which translates directly into less liabilities and fines. Because it's a software-as-a-service, organizations also know they have access to the most up-to-date rules without having to spend the time tracking down the information.
Companies can quantify the risk of new projects and proposals and know how much worst-case-scenarios can cost. Organizations can also conduct training sessions to ensure the employees know what to do and how to accomplish those tasks by following the incident plan.
With Co3 Systems, customers have access to source legislation, disclosure letter templates, contact information and policies, and a very easy to use interface to create those incident plans. Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice for compliance tools.
Click here to read the original article.