Cybersecurity Requirements for Protecting Organizational Data

How do you make sense of the rapidly evolving cybersecurity rules, regulations, and required protections?  How can you ensure that your company has in place the minimum security measures to protect its proprietary information, third-party Confidential Information it receives pursuant to any contractual agreement, and any personally identifiable information (PII) it collects and uses (e.g., processes, stores), whether from its customers, end-users, or even its employees (collectively “Organizational Data”)?  An organization should use generally accepted cybersecurity standards throughout its operations and in providing services, regardless of the scope, skill set, and complexity of the products and services it provides.  Generally accepted cybersecurity standards in the United States largely equate to the Cybersecurity Framework 2.0 (CSF) developed by the National Institute of Standards and Technology (NIST), which has been in place since 2024.[1] Indeed, the NIST CSF has been cited with approval for international use.[2]

NIST Cybersecurity Framework Core Functions

The six CSF Core Functions are Govern, Identify, Protect, Detect, Respond, and Recover. Each Function is further broken down into Categories and Subcategories. The CSF Organizational Profiles provide guidance on how organizations can assess themselves against the CSF Core and identify where their cybersecurity practices can be improved and implemented. The CSF Tiers enable an organization to evaluate its cybersecurity readiness and its ability to mitigate risks; they help an organization understand what level of cybersecurity protection it has in place and the processes behind the protection of its Organizational Data.  The CSF does not prescribe how security compliance should be achieved. Rather, it links to resources that provide additional guidance on practices and controls that can be used to achieve compliance.

Contractual Cybersecurity Obligations

If you enter into a third-party agreement that requires a higher level of security or more extensive security measures, you must abide by those requirements or potentially face a breach of the agreement.

Recommended Security Measures

Consistent with the NIST CSF, Conley Rose recommends that the following security measures be adopted to handle Organizational Data in any form or medium.

  • Physical and logical separation of Organizational Data on all information systems where it is stored.
  • Access controls to maintain appropriate segregation of duties and limited access to information resources on a need-to-know and least-privileged basis.
  • Complex and appropriate length password requirements that comply with NIST Special Publication 800-63-4 (2025).
  • Multi-factor authentication for all personnel with access to Organizational Data and for systems that process Organizational Data.
  • Device and software management controls designed to guard against viruses and other malicious or unauthorized software.
  • Information system and software patching consistent with manufacturer recommendations and industry-leading cybersecurity practice.
  • Intrusion detection and prevention systems to guard against unauthorized information system access or failures.
  • Role-based training for personnel handling Organizational Data covering identified threats and the Security Safeguards intended to address those threats.
  • Encryption of Organizational Data transmitted across unsecure or public networks, including enforcement of Transport Layer Security for emails containing Organizational Data.
  • Encryption of Organizational Data stored on mobile media and devices.
  • Encryption of all Organizational Data (including disks and databases, archives, and disk and data-system backups), whether in transit or at rest, in accordance with Federal Information Processing Standard 140-2, with a minimum encryption of AES-256, with 2048-bit keys for asymmetric encryption and 128-bit keys for symmetric encryption.
  • Encryption of Organizational Data “at rest” at the disk level and database/file level.
  • Penetration tests conducted by a reputable third party for the organization’s internet-facing applications and systems that hold Organizational Data, including mobile applications that support those applications and systems.
  • Audit logging that records user and system activities.
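As an added illustration of the password requirement referenced above (this is example code, not part of the article or of Conley Rose’s guidance), the following verifier-side check applies the rules of NIST SP 800-63B-4: a length floor, acceptance of long passphrases, Unicode normalization before counting length, a blocklist and context-word check, and deliberately no composition rules. The length thresholds and the blocklist are constructed assumptions to be replaced by the organization’s own policy and a breached-password corpus.

```python
"""Password verifier check modelled on NIST SP 800-63B-4 (added example)."""
import unicodedata

# Assumption: 15 characters is the length SP 800-63B-4 recommends for
# single-factor use; 8 is the hard minimum. Adjust to organizational policy.
MIN_LEN = 15
# Verifiers must accept at least 64 characters; reject only above the ceiling.
MAX_LEN = 64
# Constructed blocklist; a real deployment uses a breached-password corpus.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein"}


def normalize(pw: str) -> str:
    """NFKC normalization so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", pw)


def check_password(pw: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return a list of failure reasons; an empty list means the password is accepted."""
    reasons: list[str] = []
    pw = normalize(pw)
    # Length is counted in code points after normalization; spaces and
    # non-ASCII characters are allowed and count toward the length.
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    # Blocklist comparison is case-insensitive.
    low = pw.lower()
    if low in BLOCKLIST:
        reasons.append("appears on blocklist")
    # Context-specific words (username, service name) are rejected as substrings.
    for word in context:
        if word and word.lower() in low:
            reasons.append(f"contains context word '{word}'")
    # Deliberately no composition rule (no required digits or symbols):
    # SP 800-63B-4 tells verifiers not to impose them.
    return reasons
```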

Ongoing Review and Testing

An organization should review and test the effectiveness of its Security Measures at least annually and within thirty (30) days after the organization detects the unauthorized or unlawful acquisition, viewing, destruction, loss, alteration or other use of or access to Organizational Data or systems (“Organizational Data Breach”).

Data Protection and Compliance Obligations

An organization should take steps to ensure that all of its personnel and processors, including sub-processors, fully understand the obligation to notify contractual partners about an Organizational Data Breach within the time period, and using the contact information, set forth in the written Data Protection Agreement (DPA) between the parties.

Upon execution of a DPA, an organization should provide its contract partner with a copy of its Written Information Security Plan or, if available, a SOC 2 Type 2 report prepared under the then-current standards of the American Institute of Certified Public Accountants, subject to execution of a Non-Disclosure Agreement.  Thereafter, the organization should deliver its updated SOC 2 Type 2 report to its contractual partners annually, within ten (10) business days of a written request, subject to that third party’s execution of a Non-Disclosure Agreement.

To the extent permitted by applicable law, all of an organization’s personnel who have access to Organizational Data should be screened with regard to each of the following: (i) a national criminal offender record information check; and (ii) a federal criminal offender record information check. (A clean report refers to a report with no discrepancies in criminal investigations or convictions related to felonies or to crimes involving identity theft or other misuse of sensitive information.)

An organization should take commercially reasonable and appropriate steps to remediate its security measures to address any significant gaps or vulnerabilities identified in its audits or through its Incident Response Plan, and any non-compliance with the requirements of any DPA, and should notify its contractual partners about those steps.

Practical Considerations and Next Steps

Cybersecurity measures are too important to go it alone. For help developing, auditing, and implementing appropriate security measures, as well as any related security/privacy issues (e.g., preparing or reviewing Written Information Security Plans, Incident Response Plans/Playbooks), contact Conley Rose, and its Privacy/Cybersecurity Practice group, headed by Alan Thiemann, a principal in the firm resident in the Alexandria, Virginia office. You may reach Alan at athiemann@conleyrose.com.


[1] The first version of the NIST Framework (CSF 1.0) was released in 2014 and was updated in 2018 (CSF 1.1). To reflect the ever-evolving cybersecurity landscape and to help organizations more easily and effectively manage cybersecurity risk, NIST developed a new, updated version, of the Framework (CSF 2.0) in 2024.  This list of security measures is based on an abbreviated summary of CSF 2.0, which contains some 156 security “controls.” For access to related resources see Celebrating Two Years of CSF 2.0! | NIST.

[2] See, e.g., Salas-Riega, Juan Luis; Riega-Virú, Yasmina; Ninaquispe-Soto, Mario; Salas-Riega, José Miguel (2025), “Cybersecurity and the NIST Framework: A Systematic Review of its Implementation and Effectiveness Against Cyber Threats”, International Journal of Advanced Computer Science and Applications, Vol. 16 (Issue 6), doi:10.14569/IJACSA.2025.0160672 [“The NIST CSF is more adaptable but less prescriptive. We identify key gaps in empirical validation and sector-specific applications.”]; Toussaint, Marion; Krima, Sylvère; Panetto, Hervé (May 1, 2024), “Industry 4.0 data security: A cybersecurity frameworks review”, Journal of Industrial Information Integration, Vol. 39, 100604, doi:10.1016/j.jii.2024.100604, ISSN 2452-414X [“The NIST Framework offers a prioritized, flexible, repeatable, and cost-effective approach to manage cybersecurity risk in critical infrastructure environments. Besides, the Framework also explicitly acknowledges that organizations have different cybersecurity risk management needs, which necessitates different types and levels of cybersecurity investments.”]

Principal Attorney