Regulatory Compliance

Tehama takes the heavy lifting out of compliance, making it easier for your organization to meet specific regulatory requirements.

With Tehama you can leverage a SOC 2 Type II end-user compute environment to achieve and maintain regulatory compliance in heavily regulated industries such as banking, financial services, health care, energy and utilities, insurance and government enterprises. The Tehama solution has 81 SOC 2 Type II controls built into the platform, saving you time and resources on your internal SOC 2 Type II audits.

SOC 2 Type II Certification

SOC (Service Organization Controls) certifications cover the internal data protection controls implemented at a third-party service organization. These controls protect the systems or data that are being accessed by third parties. SOC 2 Type II reports are the most comprehensive SOC certifications. A company that has achieved SOC 2 Type II certification is taking a proactive approach and investing in keeping its clients’ data secure. For service providers working with cloud and IT services, this certification is critical for their regulators, examiners, and auditors.

Typically, an MSP will choose to be evaluated against the security, availability, and confidentiality categories. Data security is critical to the livelihood of MSPs, and taking a proactive approach with critical controls is a huge differentiator from competitors.

Achieving SOC 2 Type II compliance takes a dedicated compliance team, regular audits, and engaging an independent third party to produce bi-annual reviews. The costs can easily reach hundreds of thousands of dollars.

Tehama’s SOC 2 Type II controls are audited on Security, Availability and Confidentiality

Tehama has 81 controls built into the platform, making SOC 2 Type II compliance a lot easier and more affordable for an MSP or Service Provider.

NYDFS 23 NYCRR 500 Regulation

The State of New York is the first state to introduce a cybersecurity regulation designed to protect the financial services’ critical infrastructure. The NY Department of Financial Services (NYDFS) introduced the NYDFS Cybersecurity Regulation (23 NYCRR 500) that imposes new cybersecurity requirements on all covered financial institutions.

The 23 NYCRR 500 Regulation applies to all businesses operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. 

This includes:

Accelerate your compliance with Tehama

Section 500.11 requires all financial services (covered entities) to comply with the Third Party Service Provider Security Policy regulation.

“Section 500.11 Third Party Service Provider Security Policy.

Section 500.11 (a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”

In Tehama, financial services organizations can set cybersecurity policies such as treatment of data, access to sensitive data, privileged credential management and obfuscation, nationality and secret clearance access, geo-fencing access with partner IAM solutions, and additional compliance regulations for third-party service providers. Tehama can track how third parties, such as service providers, are adhering to their policies and prevent them from delivering services or accessing critical systems if they fail to comply with the policies.

Via deep audit, activity logging and session recordings, the financial services institution can track the activity of every single person within the service provider entity or sub-contractor while they deliver services on mission-critical and data-sensitive assets.

Tehama applies several layers of protection to adhere to Section 500.11 (b).

Furthermore, the Tehama platform is certified SOC 2 Type II compliant and undergoes rigorous penetration testing as part of the SOC 2 Type II audit.

“Section 500.11 (c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.”

Tehama supports multi-party collaboration between third parties and covered entities such that several contractors can collaborate on the same project or access the same critical infrastructure. All policies and procedures defined in the Tehama platform for one financial institution extend to all collaborators in the services ecosystem when extended to all parties.


NERC & CIP

The North American Electric Reliability Corporation (NERC) is a non-profit international regulatory authority that oversees the effective and efficient reduction of risks to the reliability and security of the grid.

NERC develops and enforces Reliability Standards. NERC CIP v5 addresses cyber-related risks facing this sector by prompting organizations to categorize Bulk Electric Systems (BES) into high, medium, and low impact. Once categorized, BES assets can have appropriate Critical Infrastructure Protection (CIP) standards applied to address risks.

Tehama’s secure perimeters and firewalls address vulnerabilities encountered during remote access. 

FIPS

Federal Information Processing Standards (FIPS) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

Organizations that use Tehama will be able to take advantage of the platform to meet security requirements for handling data. The platform’s secure perimeters, automated encryption, continuous malware protection, and network segregation protect corporate assets.

Tehama secures data and intellectual property from breaches and abuse. Secure Virtual Rooms prevent data from escaping. Users and Room owners have full visibility into all data and intellectual property used in the Room. Because data and IP never leave the Room, a lost or stolen endpoint device does not create a risk of a data breach.


HIPAA

The Health Insurance Portability and Accountability Act of 1996 is United States legislation that provides data privacy and security provisions for safeguarding medical information.

Tehama’s virtual perimeters ensure that medical records are secure when working with employees or other third parties. The platform adheres to a zero-trust access model, applying MFA (Multi-Factor Authentication) and network access policies. There is a deep workflow and approval process for granting access to Tehama Rooms with MFA or SAML/SCIM integration to ensure only trusted and approved members have access to the Room.

Tehama focuses on protecting the data and intellectual property from breaches and abuse. Tehama’s secure Rooms prevent data from escaping. Users and Room owners have full visibility into all data and intellectual property used in the Room.

Because data and IP never leave the Room, a lost or stolen endpoint device does not create a risk of a data breach.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.

Tehama’s virtual perimeters ensure that organizations are compliant with PIPEDA. The platform adheres to a zero-trust access model, applying the principle of least privilege, MFA (Multi-Factor Authentication), and network access policies. There is a deep workflow and approval process for granting access to Tehama Rooms with MFA or SAML/SCIM integration to ensure only trusted and approved members have access to the Room. 

Tehama focuses on protecting the data and intellectual property from breaches and abuse. Tehama’s secure Rooms prevent data from escaping. Users and Room owners have full visibility into all data and intellectual property used in the Room. Because data and IP never leave the Room, a lost or stolen endpoint device does not create a risk of a data breach. In this case, Tehama helps enforce requirements for PIPEDA.


CyberSecure Canada Cybersecurity Controls

The federal government of Canada’s new Centre for Cyber Security (CCCS) recently announced a new two-year cybersecurity program. The goal of the new program, CyberSecure Canada, is to help small and medium-sized businesses (SMBs) achieve a minimum required level of cybersecurity.

The program is also focused on increasing consumer confidence in the digital economy, promoting international standardization, and giving SMBs the ability to better compete globally.

The certification is comprised of a baseline set of cybersecurity controls developed by the Canadian Centre for Cyber Security. These controls include establishing an incident response plan, regularly patching operating systems and applications, and using security software and securely configuring devices.

Four of these critical controls can be addressed with Tehama to help SMBs achieve certification: strong user authentication, secure perimeters, secured cloud and outsourced IT services, and implementing access controls.

With Tehama’s secure and compliant virtual desktops, SMBs can quickly and securely onboard employees and third-party IT services providers to access systems. Tehama enables any end-user device to securely connect to systems without the risk of malware intrusion or data breaches and intellectual property theft.

Tehama provides all the components for secure cloud-based Windows or Linux workspaces, including dedicated encrypted network channels, firewalls, access and role restrictions, MFA user authentication and geo-fencing, storage, end-user compute infrastructure (virtual and secured desktops with auto-patching and updates to keep your OS secure), and deep audit logs within a secured perimeter called a Room, making it easier for you to achieve your cybersecurity goals.

Each secure virtual Room is configured to work directly with the organization’s network via the Tehama gateway, which encrypts and restricts all traffic flow to within your network only. The secured network eliminates the risk of third-party attacks. Virtual desktops are accessible via the Tehama Web UI, which requires strong MFA authentication.

Session recordings show all user activity performed in a Room, right down to the keystroke, for exceptionally accurate auditing as well as forensic analysis and live viewing for training and monitoring purposes. The File Vault is an encrypted storage volume that enables secure information-sharing, fully isolated from any other Rooms to ensure zero data leakage. The Secrets Vault provides secure storage of credentials and firewall rules for privileged-access assets, with masking to prevent the possibility of copying credentials outside the Tehama platform.

Tehama allows you to set strict policies for data and application access with robust user identity management and “just-in-time” user provisioning through SCIM and SAML. Access to credentials and other assets is available only after successful two-factor authentication, and single-use passwords prevent access after a session has ended.
