Regulatory Compliance

Tehama takes the heavy lifting out of compliance, making it easier for your organization to meet specific regulatory requirements.

With Tehama you can leverage a SOC 2 Type II end-user compute environment and achieve and maintain regulatory compliance requirements for heavily regulated industries such as banking, financial services, health care, energy and utilities, insurance and government enterprises. The Tehama solution has 107 SOC 2 Type II controls built into the platform, saving you time and resources on your internal SOC 2 Type II audits.

Regulation: Description
SOC 2 Type II: Service Organization Controls
NYDFS 23 NYCRR 500: NY Department of Financial Services Cybersecurity Regulation
NERC & CIP: The North American Electric Reliability Corporation & Critical Infrastructure Protection
FIPS: Federal Information Processing Standards
HIPAA: Health Insurance Portability and Accountability Act of 1996
PIPEDA: Personal Information Protection and Electronic Documents Act
CyberSecure Canada: CyberSecure Canada Cybersecurity Controls

SOC 2 Type II Certification

SOC (Service Organization Controls) certifications cover the internal data protection controls implemented at a third-party service organization. SOC certifications protect the systems and data that third parties access.

SOC 2 Type II reports are the most comprehensive SOC certifications. A company that has achieved SOC 2 Type II certification is taking a proactive approach and investing in keeping its clients’ data secure. For service providers working with cloud and IT services, this certification is critical for their regulators, examiners, and auditors.

The differences between SOC 1, SOC 2, and SOC 3 certifications are:

SOC 1
Reports on the service organization's controls related to its clients' financial reporting.

SOC 2
Reports build on the financial reporting basis of SOC 1 and also require standard operating procedures for organizational oversight, vendor management, risk management, and regulatory oversight. A SOC 2-certified service organization is appropriate for businesses whose regulators, auditors, compliance officers, business partners, and executives require documented standards.

SOC 3
Reports are a simplified version of SOC 2 reports, requiring less formalized documentation. SOC 3 reporting is appropriate for businesses with less regulatory oversight concerns.

The SOC 2 framework includes five key sections, forming a set of criteria called the Trust Services Principles. These include:
1 The security of the service provider's system
2 The processing integrity of this system
3 The availability of this system
4 The privacy of personal information that the service provider collects, retains, uses, discloses and disposes of for user entities
5 The confidentiality of the information that the service provider's system processes or maintains for user entities

Typically, an MSP will choose to be evaluated against the security, availability, and confidentiality categories. Data security is critical to the livelihood of MSPs, and taking a proactive approach with critical controls is a huge differentiator from competitors.

Achieving SOC 2 Type II compliance takes a dedicated compliance team, regular audits, and engaging an independent third party to produce bi-annual reviews. The costs can easily reach hundreds of thousands of dollars.

Tehama’s SOC 2 Type II controls are audited on Security, Availability and Confidentiality

Tehama has 107 controls built into the platform, making SOC 2 Type II compliance a lot easier and affordable for an MSP or Service Provider.

NYDFS 23 NYCRR 500 Regulation

The State of New York is the first state to introduce a cybersecurity regulation designed to protect the financial services’ critical infrastructure. The NY Department of Financial Services (NYDFS) introduced the NYDFS Cybersecurity Regulation (23 NYCRR 500) that imposes new cybersecurity requirements on all covered financial institutions.

The 23 NYCRR 500 Regulation applies to all businesses operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. 

This includes:

1 State-chartered banks
2 Licensed lenders
3 Private bankers
4 Foreign banks licensed to operate in New York
5 Mortgage companies
6 Insurance companies
7 Service Providers

Accelerate your compliance with Tehama

Section 500.11 requires all financial services (covered entities) to comply with the Third Party Service Provider Security Policy regulation.

“Section 500.11 Third Party Service Provider Security Policy.

Section 500.11 (a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

(1) the identification and risk assessment of Third Party Service Providers;
(2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity;
(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and
(4) periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.”

In Tehama, financial services organizations can set cybersecurity policies such as treatment of data, access to sensitive data, privileged credential management and obfuscation, nationality and secret clearance access, geo-fencing access with partner IAM solutions, and additional compliance regulations for third-party service providers. Tehama can track how third parties, such as service providers are adhering to their policies and prevent them from delivering or accessing critical systems if they fail to comply with the policies. 

Via deep audit, activity logging and session recordings, the financial services institution can track every single person within the service provider entity or sub-contractor’s activity while delivering services on mission critical and data sensitive assets. Tehama calls this continuous compliance and governance.

(1) the Third-Party Service Provider's policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section 500.12 of this Part, to limit access to relevant Information Systems and Nonpublic Information;
(2) the Third-Party Service Provider's policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;
(3) notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity's Information Systems or the Covered Entity’s Nonpublic Information being held by the Third Party Service Provider; and
(4) representations and warranties addressing the Third-Party Service Provider's cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.”

Tehama applies several layers of protection to adhere to section 500.11(b).

(1) Tehama requires all third-party providers to use multi-factor authentication to access critical systems;
(2) Tehama limits access to only the systems the third party has been granted access to;
(3) all work done within the Tehama platform is encrypted, as are all communications between the third-party worker and Tehama and all communication between the Tehama platform and the financial services infrastructure; and
(4) Tehama, via its unique architecture, prevents endpoint device infections from penetrating into the Tehama platform. Tehama also runs a continuous intrusion detection service that observes all files and activity for additional protection.

Furthermore, the Tehama platform is certified SOC 2 Type II compliant and undergoes rigorous penetration testing as part of the SOC 2 Type II audit.

“Section 500.11 (c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.”

Tehama supports multi-party collaboration between third parties and covered entities, so that several contractors can collaborate on the same project or access the same critical infrastructure. All policies and procedures that a financial institution defines in the Tehama platform can be extended to every collaborator in its services ecosystem.

NERC & CIP

The North American Electric Reliability Corporation (NERC) is a non-profit international regulatory authority that oversees the effective and efficient reduction of risks to the reliability and security of the grid.

NERC develops and enforces Reliability Standards. NERC CIP v5 addresses cyber-related risks facing this sector by having organizations categorize Bulk Electric Systems (BES) into high, medium, and low impact. Once categorized, BES assets can have appropriate Critical Infrastructure Protection (CIP) standards applied to address risks.

Tehama can help businesses comply with the following NERC cybersecurity standards:

CIP-005-5: Cyber Security - Electronic Security Perimeter(s)
This standard requires businesses "to manage electronic access to BES cyber systems by specifying a controlled Electronic Security Perimeter in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES."

This standard mainly focuses on the perimeter and efforts to address vulnerabilities encountered during remote access. The perimeter that houses all critical cyber assets should be protected and any and all access points secured. Key components include, but are not limited to, the following: remote session encryption, multi-factor authentication, anti-malware updates, patch updates and using extensible authentication protocol (EAP) to limit access based upon roles.

CIP-007-6: Cyber Security - System Security Management
This standard requires businesses "to manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES."

This requires that the business creates, implements and maintains processes and procedures for securing systems for both critical and non-critical cyber assets. This also means documenting security measures, including records of test procedures, ports and services, security patch management, and malicious software prevention.

Tehama’s secure perimeters and firewalls address vulnerabilities encountered during remote access. 

FIPS

Federal Information Processing Standards (FIPS) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

Organizations that use Tehama will be able to take advantage of the platform to meet security requirements for handling data. The platform’s secure perimeters, automated encryption, continuous malware protection, and network segregation protect corporate assets.

Tehama secures data and intellectual property from breaches and abuse. Secure Virtual Rooms prevent data from escaping. Users and Room owners have full visibility into all data and intellectual property used in the Room. Because data and IP never leave the Room, endpoint devices being lost or stolen don’t pose a threat to data breaches.


HIPAA

The Health Insurance Portability and Accountability Act of 1996 is United States legislation that provides data privacy and security provisions for safeguarding medical information.

Tehama’s virtual perimeters ensure that medical records are secure when working with employees or other third-parties. The platform adheres to a zero-trust access model, applying MFA (Multi-Factor Authentication) and network access policies. There is a deep workflow and approval process for granting access to Tehama Rooms with MFA or SAML/SCIM integration to ensure only trusted and approved members have access to the Room. 

Tehama focuses on protecting the data and intellectual property from breaches and abuse. Tehama’s secure Rooms prevent data from escaping. Users and Room owners have full visibility into all data and intellectual property used in the Room.

Because data and IP never leave the Room, endpoint devices being lost or stolen don’t pose a threat to data breaches.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.

Tehama’s virtual perimeters ensure that organizations are compliant with PIPEDA. The platform adheres to a zero-trust access model, applying the principle of least privilege, MFA (Multi-Factor Authentication), and network access policies. There is a deep workflow and approval process for granting access to Tehama Rooms with MFA or SAML/SCIM integration to ensure only trusted and approved members have access to the Room. 

Tehama focuses on protecting the data and intellectual property from breaches and abuse. Tehama’s secure Rooms prevent data from escaping. Users and Room owners have full visibility into all data and intellectual property used in the Room. Because data and IP never leave the Room, endpoint devices being lost or stolen don’t pose a threat to data breaches. In this case, Tehama helps enforce requirements for PIPEDA.

CyberSecure Canada Cybersecurity Controls

The federal government of Canada’s new Canadian Centre for Cyber Security (CCCS) recently announced a new two-year cybersecurity program. The goal of the new program, CyberSecure Canada, is to help small and medium-sized businesses (SMBs) achieve a minimum required level of cybersecurity.

The program is also focused on increasing consumer confidence in the digital economy, promoting international standardization, and giving SMBs the ability to better compete globally.

The certification comprises a baseline set of cybersecurity controls developed by the Canadian Centre for Cyber Security. These controls include establishing an incident response plan, regularly patching operating systems and applications, using security software, and securely configuring devices.

Four of these critical controls can be addressed with Tehama to help SMBs achieve certification: strong user authentication, secure perimeters, secured cloud and outsourced IT services, and implementing access controls.

1 Develop an Incident Response Plan
2 Automatically Patch Operating Systems and Applications
3 Enable Security Software
4 Securely Configure Devices
5 Strong User Authentication
6 Provide Employees with Awareness Training
7 Back Up and Encrypt Data
8 Secure Mobility
9 Establish Basic Perimeter Defences
10 Secure Cloud and Outsourced IT Services
11 Secure Websites
12 Implement Access Control and Authorization
13 Secure Portable Media

With Tehama’s secure and compliant virtual desktops SMBs can quickly and securely onboard employees and third-party IT services providers to access systems. Tehama enables any end-user device to securely connect to systems without the risk of malware intrusion or data breaches and intellectual property theft.

Tehama provides all the components for secure cloud-based Windows or Linux workspaces, including dedicated encrypted network channels, firewalls, access and role restrictions, MFA user authentication and geo-fencing, storage, and end-user compute infrastructure (virtual and secured desktops with auto-patching and updates to keep your OS secure), and deep audit logs within a secured perimeter called a Room, making it easier for you to achieve your cybersecurity goals.

Each secure virtual Room is configured to work directly with the organization’s network via the Tehama gateway, which encrypts all traffic and restricts its flow to within your network only. The secured network eliminates the risk of third-party attacks. Virtual desktops are accessible via the Tehama Web UI, which requires strong MFA authentication.

Session recordings show all user activity performed in a Room, right down to the keystroke, for exceptionally accurate auditing as well as forensic analysis and live viewing for training and monitoring purposes. The File Vault is an encrypted storage volume that enables secure information-sharing, fully isolated from any other Rooms to ensure zero data leakage. The Secrets Vault provides secure storage of credentials and firewall rules for privileged-access assets, with masking to prevent the possibility of copying credentials outside the Tehama platform.

Tehama allows you to set strict policies for data and application access with robust user identity management and “just-in-time” user provisioning through SCIM and SAML. Access to credentials and other assets is available only after successful two-factor authentication, and single-use passwords prevent access after a session has ended.