You know that data security and data privacy are critical functions you have to get right as you scale up. You are familiar with the core principles of cybersecurity and privacy, and you’ve identified the risks to your assets. At this time, you’re facing some challenges in one of the areas below:
- You want to make sure your controls help you meet desired business objectives and prevent undesired events, but you’re not sure how much work it’s going to require and whether you have enough resources. For instance, in order to meet multiple compliance requirements, you may end up creating too many controls and they become unwieldy to manage. After all, every additional internal control that gets created will generate additional work for someone within the organization. Each control needs to be documented, tested, monitored, reviewed, and updated over time.
- Producing documentation to demonstrate compliance with statutory, contractual, and regulatory obligations has become unwieldy and complex. Yet, there’s no way to bypass this work because customers, partners, and regulators are all highly sensitive when it comes to matters of data privacy and security.
- Managing your data security controls on a day-to-day basis is inefficient, and you’re concerned about whether control processes are performed consistently and on time.
In this article, we’ll provide guidance on how to navigate through these common challenges so you can improve data security, streamline your compliance program and minimize administrative work. The tips we share below are based on Hyperproof’s experience with developing our own security program and completing a SOC 2 assessment.
To level-set, when we refer to “controls” in this article, we are referring to processes, standards, policies, and procedures that have the ability to influence or direct the course of events (for instance, reduce risk by avoiding, detecting, or correcting the things that introduce or create risk). When we refer to “security controls”, we’re referring to safeguards designed to avoid, detect, or minimize security risks to physical property, digital information (e.g., sensitive customer data or a company’s intellectual property), computer systems, mobile devices, servers, and other assets.
1. Create controls with business and risk objectives in mind, rather than for the sake of compliance.
Depending on where you conduct business and your target markets, there are certain statutory, regulatory and contractual obligations your organization has to meet. At this time, if your business is collecting or processing sensitive information from customers, users, and employees, there are a number of regulatory and industry-specific standards you may be subject to. Furthermore, your customers may ask you to go through their own vendor security and privacy audit.
Data Protection Regulations in the U.S.
Here’s a quick overview of the top regulations covering data protection that may impact U.S.-based businesses.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for how patient information has to be handled by doctors’ offices, hospitals, insurance companies, and other businesses that handle personal health information. HIPAA requires that providers (e.g., hospitals) and businesses that process patient data safeguard patient information and only disclose it in certain situations.
The HIPAA Security Rule sets four general requirements that covered entities and their business associates must meet:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
For more information about who needs to comply with HIPAA and what it takes to become HIPAA compliant, check out Hyperproof’s guide to becoming HIPAA compliant.
The General Data Protection Regulation (GDPR) took effect in May 2018 to protect the personal data of individuals in the EU. It gives data subjects the right to know what data is being collected about them and why, and it requires businesses to notify the supervisory authority of most personal data breaches within 72 hours of becoming aware of them.
GDPR is one of the toughest data privacy regulations to comply with. It allows a tiered approach to fines based on the relative seriousness of the offense, but businesses shouldn’t count on leniency: in 2019 the UK Information Commissioner’s Office announced its intention to fine British Airways £183 million (about $228 million) and Marriott International £99 million (about $124 million) over breaches that exposed millions of customers’ personal records. (The penalties finally imposed in 2020 were reduced to £20 million and £18.4 million, still substantial.)
The Payment Card Industry Data Security Standard (PCI DSS) is somewhat different: it isn’t a government regulation. It is maintained by the PCI Security Standards Council and enforced contractually through the card brands and acquiring banks, which can levy fines or revoke a merchant’s ability to accept cards. Any business that accepts, stores, processes, or transmits cardholder data is in scope. The standard requires policies and technical controls (network segmentation, encryption of cardholder data, access control, logging, and regular testing, among others) to protect cardholder data and ensure it is handled and stored properly.
This applies even to businesses that outsource card processing to a third-party vendor: using a PCI-compliant payment processor reduces the scope of your assessment but does not remove your obligations, and you remain responsible for confirming your vendors’ compliance. All businesses involved in ecommerce need to be well versed in these requirements.
The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to the Enron and WorldCom accounting scandals, and compliance is mandatory for publicly traded companies. It is designed to prevent that kind of fraud by setting requirements for retaining and storing business records, requiring management to attest to the effectiveness of internal controls over financial reporting (Section 404), and imposing penalties for destroying, altering, or falsifying records.
This involves not only the accounting function ensuring that records are accurate, but also the IT function storing records correctly and controlling access to the systems that produce them. SOX also requires a system for tracking changes to records and retaining the right records for the right length of time.
The California Consumer Privacy Act (CCPA) applies to for-profit companies that do business in California and either 1) generate $25 million or more in annual gross revenue; 2) buy, sell, or share the personal information of 50,000 or more consumers, households, or devices; or 3) earn more than half of their annual revenue from selling consumers’ personal information. The law lets any California resident ask a business what personal information it has collected about them and which third parties it has shared or sold that information to. Note that the CCPA’s private right of action is narrow: consumers can sue only over data breaches that result from a failure to maintain reasonable security practices, while other violations are enforced by the California Attorney General.
In addition, there are a number of cybersecurity standards that aren’t mandated by law but are considered the price of admission when transacting with enterprise and government customers. These frameworks include ISO 27001 (and its privacy extension, ISO 27701), SOC 2, the NIST SP 800 series, FedRAMP, CMMC and others.
Where Should Organizations Start?
It’s easy to make these compliance requirements your core focus when your organization starts to create controls. However, you really don’t want to make meeting obligations the primary objective when creating your control set. When you create controls for the sake of compliance, you’re likely to end up with multiple controls that are extremely similar and thus create unnecessary work for your team.
Rather than architecting your controls to meet regulatory requirements (e.g. GDPR), it’s much better to architect your controls in a way that makes sense for how you run your business.
If you’ve reviewed the requirements across several cybersecurity frameworks (e.g. SOC 2, HIPAA, ISO 27001, NIST SP 800 series), you will find that they have some similar or overlapping requirements. That’s because they generally share the same security and privacy by design principles and cover roughly the same core domains (e.g. business continuity and disaster recovery, change management, asset management, security and privacy governance, etc.).
As such, it is better to start by creating controls that satisfy the intentions behind key security and privacy principles for the core domains. If you focus on building security and privacy principles into your operations, compliance with statutory, regulatory, and contractual obligations will come naturally.
By following this process, you avoid the common pitfall of building controls merely for the sake of compliance: duplicative work that wastes time and resources.
Understand the core security and privacy by design principles and the risks they’re intended to mitigate
At this time, there are a number of good frameworks you can reference to ensure that you’re building security and privacy into your operations by design. Here at Hyperproof, we like the Secure Controls Framework (SCF), a security and privacy metaframework created by ComplianceForge. The SCF is holistic and designed to help organizations design, implement, and manage both cybersecurity and privacy principles across strategic, operational, and tactical guidance.
There are 32 domains that make up the SCF and approximately 750 controls. We recommend your security team get familiar with these domains and the controls within them. Here’s a snapshot of a few domains in the SCF.
Security and Privacy Governance: Organizations have a documented, risk-based program that encompasses appropriate security and privacy principles to address all applicable statutory, regulatory, and contractual obligations.
Asset Management: Organizations ensure that technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access an organization’s network and to protect the organization’s data that is stored, processed or transmitted on its asset.
Business Continuity & Disaster Recovery: Organizations should establish processes that will help them recover from adverse situations with minimal impact to operations.
Capacity & Performance Planning: Organizations prevent avoidable business interruptions caused by capacity and performance limitations by planning proactively for growth and by requiring both technology and business leadership to maintain situational awareness of current and future performance.
Change Management: Organizations ensure both technology and business leadership proactively manage change. This includes the assessment, authorization, and monitoring of technical changes across the enterprise so that production uptime is not affected and issues are easier to troubleshoot.
Compliance: Organizations ensure controls are in place to be aware of and comply with applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.
See more domains in the SCF by visiting securecontrolsframework.com
Here at Hyperproof, we’ve used the SCF to map requirements between various cybersecurity frameworks to help organizations jumpstart their efforts to adhere to multiple compliance programs. Thus far, we’ve built crosswalks between these frameworks:
- SOC 2
- ISO 27001
- NIST Privacy Framework 1.0
- NIST SP 800-53 Rev. 4
- NIST SP 800-171 Rev. 2
We plan to add more crosswalks in the next few months and will continue to make new crosswalks available over time. With a tool that does the mapping for you, you can save time and money upfront and manage your compliance program more effectively in the long run by better prioritizing your work and focusing your efforts in areas where you have gaps.
When you create a new compliance framework, Hyperproof automatically shows you suggested controls you can use to meet requirements based on the controls you’ve already built out in Hyperproof.
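The suggestion and gap-finding logic described above reduces to a few set operations once every internal control and every framework requirement is mapped to a common metaframework ID: a requirement is met when the union of your controls’ mappings covers it, the controls that overlap it are the ones to suggest, and controls with identical mappings are candidates to merge. The Python below is an added example, not Hyperproof’s or the SCF’s code; every control, requirement and “MF-” metaframework ID in it is a constructed placeholder, not a real SCF, SOC 2 or ISO 27001 identifier.

```python
"""Control crosswalk and gap analysis via a shared metaframework.

Added example; not Hyperproof's or the SCF's code. All IDs are
constructed placeholders: "MF-*" stand in for metaframework control IDs,
"CTL-*" for an organization's own controls, and FW-A / FW-B for two
external frameworks whose requirements were mapped to the same MF IDs.
"""
from collections import defaultdict

# Internal control -> metaframework IDs it implements (constructed data).
CONTROLS = {
    "CTL-01 quarterly access review": {"MF-IAC-1", "MF-IAC-2"},
    "CTL-02 change approval in PR workflow": {"MF-CHG-1"},
    "CTL-03 change approval via ticket": {"MF-CHG-1"},   # same mapping as CTL-02
    "CTL-04 annual BCP exercise": {"MF-BCD-1"},
}

# External framework -> requirement -> metaframework IDs that satisfy it (constructed).
FRAMEWORKS = {
    "FW-A": {
        "A.1 access reviews": {"MF-IAC-1"},
        "A.2 change control": {"MF-CHG-1"},
        "A.3 vendor risk": {"MF-TPM-1"},
    },
    "FW-B": {
        "B.1 access control": {"MF-IAC-1", "MF-IAC-2"},
        "B.2 continuity": {"MF-BCD-1"},
        "B.3 encryption at rest": {"MF-CRY-1"},
    },
}


def index_by_mf_id(controls):
    """Invert the control mapping: metaframework ID -> controls implementing it."""
    by_id = defaultdict(set)
    for ctl, ids in controls.items():
        for mf_id in ids:
            by_id[mf_id].add(ctl)
    return by_id


def coverage(framework, controls=CONTROLS, frameworks=FRAMEWORKS):
    """For each requirement of a framework: controls to suggest, metaframework
    IDs that no existing control implements, and whether the requirement is met."""
    by_id = index_by_mf_id(controls)
    result = {}
    for req, needed in frameworks[framework].items():
        suggested = set().union(*(by_id[i] for i in needed))
        missing = {i for i in needed if not by_id[i]}
        result[req] = {
            "suggested": sorted(suggested),
            "missing": sorted(missing),
            "met": not missing,
        }
    return result


def gaps(framework, controls=CONTROLS, frameworks=FRAMEWORKS):
    """Requirements with at least one metaframework ID nobody implements yet."""
    return [req for req, r in coverage(framework, controls, frameworks).items()
            if not r["met"]]


def duplicate_controls(controls=CONTROLS):
    """Groups of controls whose mappings are identical: candidates to merge."""
    groups = defaultdict(list)
    for ctl, ids in controls.items():
        groups[frozenset(ids)].append(ctl)
    return [sorted(g) for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for fw in FRAMEWORKS:
        print(fw, "gaps:", gaps(fw))
    print("duplicate controls:", duplicate_controls())
```

Running the script prints one gap per framework (vendor risk for FW-A, encryption at rest for FW-B) and flags CTL-02 and CTL-03 as duplicates. The same data, used in the other direction, answers the question in tip 1: when two controls map to exactly the same metaframework IDs, one of them is almost certainly compliance busywork.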
2. Use Tools to Make Compliance Documentation Faster
Even though it sounds self-serving to say that we saved a lot of time in our own SOC 2 preparation effort by using Hyperproof, it’s absolutely true. With Hyperproof serving as the system of record for our internal SOC 2 effort, we saved time through all project phases:
- Planning: We used Hyperproof’s prebuilt SOC 2 template — with requirements and illustrative controls — as the starting point for our compliance program. We saved time because we didn’t have to enter all requirements and our controls into a spreadsheet. All controls can be grouped by Domain or by Owner. We could immediately edit each control within Hyperproof to make sure it was reflective of what we’re doing.
- Assigning tasks and gathering evidence: Our compliance project leader and CEO Craig added key members of the security/compliance team to our Hyperproof account and assigned them key tasks and due dates. Each member could easily review the controls they’re responsible for and make sure control language in Hyperproof matched the design of the control. Each person is able to upload evidence files into Hyperproof on their own and it is linked to the right control. Everyone on the SOC 2 team knew what they needed to do, and when it needed to be done.
Craig also created Labels for managing evidence files that could be used across multiple controls. For instance, there are several controls within SOC 2 requiring an organization to conduct background checks for key employees who have access to the production environment. As such, Craig created a label called “Background checks” and linked it to the controls that called for Background check reports as proof. Once this was set up, all background checks could be uploaded to one folder under that label. This allowed us to avoid duplicative efforts when collecting evidence for the SOC 2 examination.
- Fulfilling the document request list (DRL) from our SOC 2 examiner. Once all controls and evidence files were ready for examination, we got the DRL in spreadsheet format from our auditor and put it right back into Hyperproof to manage (by loading a spreadsheet file). Because the DRL sheet has a column that maps each request to the requisite controls by control ID, as soon as the upload is complete, each request is already referencing (linked to) the controls we’ve set up in our Hyperproof account. This saves us the work of manually linking each request to each control.
From there, we just selected the proof for each control. This part is made easier too because all the proof we’ve already linked to each control from step 2 automatically gets pulled in for us to select from.
Once we completed all requests from the auditor, we simply exported all our proof (organized by Request ID or by Control ID) as a Zipped file and sent it back to our auditor.
3. Use automation to ensure consistency in performing control processes
One of the common challenges we hear over and over is how difficult it is to stay on top of all security controls on a day-to-day basis. Compliance leaders are often unsure about whether key control processes are performed consistently or on time. This happens simply because people and processes can change quickly, especially in rapidly growing organizations.
To prevent controls from failing, compliance leaders need visibility into control processes that were not performed on time, so that the appropriate personnel can be alerted and issues resolved quickly. You should also evaluate evidence from established control processes (e.g., security policies, system logs, system configurations, and user access and identity management reviews) on a regular basis, which is difficult to sustain manually and is a natural candidate for automation.
Hyperproof was built to give risk and compliance leaders the visibility they need to keep things on track and ensure that no one drops the ball. It also comes with tools to make compliance tasks such as submitting evidence as user-friendly as possible — so people outside of the compliance team aren’t burdened by requests to provide compliance documentation and compliance managers know whether they’ve got everything they need.
With features like Labels and APIs, you can automate workflows around the collection of evidence, and stop pestering colleagues about compliance tasks. Contributors such as HR managers, software engineers, and product managers can work with your team in the tools they’re already using (e.g. Outlook, Google Drive).
Illustrative Use Case for Automating Compliance: Get your HR manager to submit signed employee agreements on time
Let’s say you’re a compliance manager and you need to collect copies of signed employee agreements (where employees acknowledge they’ve reviewed corporate policies in the Employee Handbook) on a semi-regular basis. These digital signatures are proof you need to submit during an upcoming audit in three weeks plus four other audits later in the year.
With Hyperproof’s integrations to cloud storage and productivity tools and features like Labels, you can automate workflows around the collection of evidence and finally stop pestering your HR manager.
Making this work requires just a few simple steps:
- Your HR manager agrees to put new Signed Employee Agreements into a Shared Google folder. She tells you the location of where she stores these employee agreements.
- In Hyperproof, you create a “Label” (a container for a bucket of related proof) called “Signed Employee Agreements”.
- You link this “Signed Employee Agreements” to the controls that call for employee agreements as proof.
- Assign this Label to your HR manager; this way, she knows she’s responsible for keeping the label up-to-date.
- You set a “refresh” cadence on this label, say 30 days. Every 30 days this triggers an email reminder to your HR manager to check that the agreements signed within the past 30 days have been uploaded into the Google folder.
- You set up a Zap (a Zapier integration) so Hyperproof knows the location of the Google folder where “Signed Employee Agreements” are stored, then grant Hyperproof access to that Google Drive and authenticate the connection. Scope the grant as narrowly as the integration allows: the folder holds signed agreements containing employee personal data, so it should be readable only by the integration and the people who need it, and the connection itself belongs in your periodic access reviews.
Each day, Hyperproof will automatically ping the Google Drive folder, check to see if there are updated files in the folder, and pull the new files into Hyperproof. There is no need to email or call your HR manager to collect this type of proof anymore.
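The poll-and-remind loop in the steps above is straightforward to model, and doing so makes the failure mode explicit: a control is “fresh” only if new evidence has actually arrived within its cadence, not merely because a file was re-uploaded. The Python below is an added example, not Hyperproof’s code or its Google Drive integration; it uses a local folder in place of the shared drive, and the label name, owner, control IDs, cadence and file contents are all constructed for the example.

```python
"""Evidence-freshness monitor: added example, not Hyperproof's code.

A Label is a bucket of evidence files with a refresh cadence, an owner and
the controls it supports. Each polling run ingests files it has not seen
before, matched by SHA-256 so a re-uploaded copy of an old agreement does
not count as fresh evidence. The report flags every control whose newest
evidence is older than the label's cadence; reminders() lists which owners
would be nudged. A local temp folder stands in for the shared drive.
"""
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path


@dataclass
class Label:
    name: str
    folder: Path
    cadence_days: int
    owner: str
    controls: list[str]
    # sha256 hex digest -> time the file was first ingested
    seen: dict[str, datetime] = field(default_factory=dict)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def poll(label: Label, now: datetime) -> list[str]:
    """One scheduled run over the label's folder; returns newly ingested file names."""
    new_files = []
    for path in sorted(label.folder.iterdir()):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in label.seen:      # identical bytes already on file: not new evidence
            continue
        label.seen[digest] = now
        new_files.append(path.name)
    return new_files


def report(labels: list[Label], now: datetime) -> dict[str, dict]:
    """Per-control view: age of the newest evidence and whether it is past cadence."""
    out: dict[str, dict] = {}
    for label in labels:
        newest = max(label.seen.values(), default=None)
        age = None if newest is None else (now - newest).days
        overdue = age is None or age > label.cadence_days
        for control in label.controls:
            out[control] = {"label": label.name, "owner": label.owner,
                            "age_days": age, "overdue": overdue}
    return out


def reminders(labels: list[Label], now: datetime) -> dict[str, list[str]]:
    """Owner -> labels needing a nudge (what the reminder email would carry)."""
    stale = {r["label"] for r in report(labels, now).values() if r["overdue"]}
    due: dict[str, list[str]] = {}
    for label in labels:
        if label.name in stale:
            due.setdefault(label.owner, []).append(label.name)
    return due


def demo() -> tuple[list[str], list[str], dict[str, dict], dict[str, list[str]]]:
    """Simulate the HR-agreements label across 45 days (constructed data)."""
    folder = Path(tempfile.mkdtemp()) / "signed-employee-agreements"
    folder.mkdir()
    hr = Label("Signed Employee Agreements", folder, cadence_days=30,
               owner="hr-manager", controls=["CTL-HR-1", "CTL-HR-2"])
    day0 = datetime(2021, 1, 1, tzinfo=timezone.utc)

    (folder / "agreement-alice.pdf").write_bytes(b"constructed sample: alice")
    first = poll(hr, day0)                               # ingests Alice's agreement

    # Day 10: same bytes re-uploaded under a new name. Not new evidence.
    (folder / "agreement-alice-copy.pdf").write_bytes(b"constructed sample: alice")
    second = poll(hr, day0 + timedelta(days=10))

    # Day 45: nothing new has arrived, so the label is past its 30-day cadence.
    day45 = day0 + timedelta(days=45)
    return first, second, report([hr], day45), reminders([hr], day45)


if __name__ == "__main__":
    first, second, rep, due = demo()
    print("ingested:", first, "| second run:", second)
    print("report:", rep)
    print("reminders:", due)
```

Matching on content hashes rather than file names is the important design choice: it is what stops a duplicate upload from silently resetting the clock on a control. In a real deployment the folder listing would come from the storage provider’s API and the hashes would be persisted between runs; the freshness logic itself does not change.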
When you design controls with key security and privacy principles in mind and ensure they’re designed for how you want to run your business, you’ll not only end up with better designed controls for mitigating risks, you’ll also find it easier to fulfill your compliance obligations.
Additionally, by using a compliance system of record that gives you the ability to manage both point-in-time compliance projects (e.g., SOC 2 assessment) and the ongoing evaluation of controls within a single platform, you’ll be able to run a more efficient compliance program and improve your data protection posture at once.
To see how Hyperproof can help your organization run a more efficient and effective compliance program, sign up for a personal consultation.
The post 3 Essential Tips For Streamlining Data Security and Minimizing Redundancies appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/resource/streamline-data-security-and-compliance/?utm_source=rss&utm_medium=rss&utm_campaign=streamline-data-security-and-compliance