Co3 Systems review

Considering the mishmash of data-breach laws currently in place, businesses can use Co3 to plan ahead and prepare for a data breach and the worst-case-scenario. The new IR module lets organizations create detailed incident response plans for other types of cyber-security incidents.

Co3 Systems offers businesses a cloud-based incident response planning portal to create and manage both data breaches and general security incidents. The platform’s original privacy module brings together the mishmash of data breach notification laws and regulatory requirements and helps organizations identify a clear step-by-step action plan on what to do in the event of a data breach, whether it’s the result of a cyber-attack, a lost device, or a rogue employee. The new Security module expands the platform’s capabilities to give the team access to the same tools to manage general security incidents, such as malware infections, distributed denial of service attacks, and advanced persistent threats. The updated Co3 Systems platform now lets internal incident response teams effectively, accurately, and consistently manage both privacy and security-related events while meeting necessary compliance requirements from a single administrative pane.

Organizations often lose precious time in the event of an attack or breach trying to figure out what to do, and security teams wind up responding in fire-fighting mode or missing critical steps, which results in expensive regulatory fines. With Co3 Systems, businesses can calculate the ramifications of a successful security incident and develop appropriate incident plans (as simulations) long before the event occurs. Using the platform, I can track actual events and assign relevant tasks to appropriate responders while figuring out what needs to be done next. The simulations are useful because, as recent data breaches and cyber-attacks have shown, businesses have to proactively plan what they will do long before the worst-case-scenario becomes reality.

The privacy module helps businesses figure out how to deal with exposure of private data. Perhaps external attackers have breached the network and wandered off with a sensitive customer database. Or the top sales guy copied a client list onto his laptop before leaving for a roadshow, and left the computer with all the sensitive data on the airplane. A disgruntled executive copied a customer mailing list onto a USB drive and quit the company. The security module focuses on phishing, malware infections, DDoS attacks, and network intrusion. The best part is that both modules are integrated in one view, so administrators can deal with all the incidents in one place.

What Co3 Does
Co3 takes these incidents–and other similar scenarios–and analyzes the important details to figure out if there are any state laws or federal regulations that apply, who needs to be notified, what steps have to be taken, and what needs to be done so that the company doesn’t incur regulatory fines, if any. Since it’s software-as-a-service, Co3 Systems can easily update its software to maintain the most up-to-date rules about state laws and compliance requirements. Businesses don’t have to maintain the list, or remember to update the rules every so often. When they log on to the platform, they know they always have access to the latest information. Businesses, focused on preventing data breaches and leaks, often forget to plan for technology and process failures. The new security module was added to my account automatically, so I didn’t have to worry about installing or manually turning on the feature.

The platform now has a revamped look, with a nifty analytics dashboard which tells me what tasks I have open for each active incident, and incidents that have not yet been resolved. The activity dashboard, which resembles a Twitter stream or a Facebook news feed, is new and provides up-to-date information on what other users have done, such as creating new incidents, assigning tasks, and updating information. It’s a great way to keep on top of what has changed day-to-day.

Creating Incidents
Within the Co3 world, I can create incidents, which refer to events that have happened, or simulations, which are scenarios that could happen. All incidents, regardless of whether they are privacy-related or security-related, use the same interface.

I clicked on “New Incident” at the top of the screen to start my six-step wizard. I indicated whether it was a privacy or security incident by selecting one of 19 different incident types, including stolen devices, exposure by a third-party provider, phishing, and improper disposal of equipment, to name a few. I liked the fact that it is possible to select multiple types for an incident, since a System Intrusion (security) can also result in stolen data (privacy).

After selecting an incident type, I entered basic information, such as when the incident occurred, when it was discovered, whether there was criminal intent or employee involvement, and the possibility of negative PR. If Personally Identifiable Information was exposed, the wizard asked specific questions such as whether the data was encrypted; otherwise, those questions were grayed out. At this point, I can assign the “owner” to the incident, which refers to the person who has oversight of and manages the response plan, as well as users and groups who will be assigned tasks to work on. The platform also allows the business to develop simulations to create what-if scenarios to see what could possibly happen in the case of an incident. It is possible to create privacy impact assessments and risk assessments as part of risk planning. Co3 allows only one scenario to be in progress at a time as the incident response team works through all the steps defined in the generated plan.

In the case of a data breach, such as a stolen laptop, the wizard has additional steps beyond the initial six steps. Questions include the types of data lost, such as names, health records, banking information, and others, the type of compliance regulations (or best practices) the business is subject to, and the number of records lost.

Patchwork of Regulations
The platform draws on a constantly updated database of requirements from 46 states, three commonwealths, and 14 federal agencies when creating the action list. Businesses have difficulty navigating the various requirements, some of which are more stringent than others. The deadlines for breach notification also vary wildly. Maine, for example, requires organizations to notify the affected customer within seven days of discovering the incident. Other states are more generous, giving a few weeks or several months of time.

The kind of information that has to be disclosed, and the type of language used in the notification letter, also vary by state. Co3 presents templates and necessary forms to simplify the entire process.

Businesses can either take advantage of the trial or pay for one of the annual subscription plans. The main difference is in the number of “incidents” that can be created and analyzed. The free trial allows only one incident plan, one simulation, but an unlimited number of events. The Co3 Silver plan ($19,000 annually) allows up to 25 incidents, unlimited number of events, users, and impact/risk assessments. The Co3 Gold plan ($34,000) supports up to 50 incidents, two simulations, and unlimited events, users, and impact/risk assessments. Considering the normal pricing plans, the introductory price of $5,000 is a bargain.

For some businesses, shelling out $5,000 (or more) for an annual subscription might seem high, but this is the perfect example of how one should spend money now to save money later. Data breaches themselves are costly. Considering that the Ponemon Institute pegs the total organizational cost of a data breach at $5.5 million, which includes legal liabilities, impaired productivity, and other losses, spending in the neighborhood of $5,000 to reduce the legal liabilities sounds like a bargain. I created an incident report for last year’s Global Payments breach, and saw that despite affecting a “limited” number of MasterCard and Visa users, the payment processor faced over $1 million in potential fines.

Co3 makes the entire process easy, as all the information is laid out screen-by-screen. There are helpful tips along each step, and the interface makes it simple to skip sections if I didn’t have the requisite information. I could always go back and re-enter the missing information and regenerate the assessment.

Once the incident is created, I could view all the steps and tasks associated with the plan on the detail page. I can see all the tasks associated with the plan, such as “notify internal management chain,” “Determine if illegal activity is involved,” “generate incident report,” and “update policies and procedures.” Each incident type has its own relevant tasks, such as “notify ISP” for DDoS incidents, and what agencies to notify in case of a data breach. After all the information is in place, the software produces a list of which agencies need to be notified, the timeframe in which the notification process has to occur, how to contact the parties, and the penalties if the deadlines aren’t met. It’s also possible to look at the actual language of the legislation and regulation driving a particular step on the checklist.

I can assign the tasks to appropriate team members and check off steps that have been completed.

After the system generated the incident response plan, I could see a very important number: total liability. Depending on the rules which apply to the incident, the total liability can easily run into millions of dollars in potential restitution, credit monitoring, and legal fines. Co3 does not calculate the other costs of a data breach, such as lost productivity, reputation damage, or lost business.

The revamped interface moved this figure under “Assessment” beneath the “Breach” tab within an existing incident. This value gets calculated only if PII was involved and/or exposed, and I had provided information such as number of records lost, the states the victims live in, and others.

With the incident response plan in hand, I could then add notes and assign each task to relevant stakeholders. When things were completed, or reassigned, that could be added to the task. When a task was assigned to someone, that person received an email notification. The fact that notes on the tasks could be threaded as comment fields meant all the relevant discussions were right at the fingertips.

I could add and view notes associated with the incident and even attach relevant files to the incident. This incident page is the central location for all information—there is no need to look at emails or other places for supplemental data since everything can be stored here. At any given point in time, I could see an updated list of exactly what had been done and what was left. The Co3 dashboard shows all the events and incidents that have been entered, as well as the tasks that have been assigned to me that I needed to complete. The tasks were coded to indicate the status (green, yellow, or red). I could also use reports to track response progress and fulfill audit requirements.

Co3 Systems added the Analytics tab to the incident response page, which shows graphs about what tasks are assigned and which ones are overdue, along with a “task burndown” graph. This gives the team a very clear visual of how much work is left to do, and it makes a powerful platform even more useful.

The heart of Co3 is the ability to create incident response plans with a clear workflow that allows businesses to assign tasks and track when they are completed.

Underserved Market
Co3 Systems positions the Co3 software to look at the aftermath of a security incident and help the customer when the security technology and processes weren’t enough to prevent the problem. With a detailed incident plan, incident response process time can be slashed dramatically, which translates directly into fewer liabilities and fines. Because it’s a software-as-a-service, organizations also know they have access to the most up-to-date rules without having to spend the time tracking down the information.

Companies can quantify the risk of new projects and proposals and know how much worst-case-scenarios can cost. Organizations can also conduct training sessions to ensure the employees know what to do and how to accomplish those tasks by following the incident plan.

With Co3 Systems, customers have access to source legislation, disclosure letter templates, contact information and policies, and a very easy to use interface to create those incident plans. Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice for compliance tools.

Specifications
OS Compatibility: Windows Vista, Windows XP, Linux, Mac OS, Windows 7, Windows 8
Type: Business, Enterprise

Verdict
Considering the mishmash of data-breach laws currently in place, businesses can use Co3 to plan ahead and prepare for a data breach and the worst-case-scenario. The new IR module lets organizations create detailed incident response plans for other types of cyber-security incidents.
Published under license from Ziff Davis, Inc., New York, All rights reserved.
Copyright © 2012 Ziff Davis, Inc