Hyperproof Customer Uses the Platform to Manage Security Assurance Programs at Scale
Multiple Countries in the Middle East
- Communications and Information Technology Commission (CITC, Saudi Arabia)
- SOC 2 Type 1 and Type 2
- ISO 27001
- ISO 27017
- ISO 27018
- CSA STAR Level 1
- CSA STAR Level 2
- Compliance operations module
- Risk Register
This Hyperproof customer is a B2B customer engagement platform that helps organizations to delight customers with remarkable omnichannel experiences. By unifying communication channels, messaging apps, and chatbots, they streamline conversations at every touch point throughout the customer journey.
This Hyperproof customer has users across several countries in the Middle East. They saw an incredible expansion in their customer base in the last year. The company’s employee base doubled in the past year to support their growth.
As their business expanded, organizational leaders knew that it would be important to quickly establish and mature security operations and compliance functions. Their users leverage APIs to support many types of communications (SMS, voice, messaging apps) and need assurance that the API products are secure. To demonstrate its commitment to security, they set an ambitious goal to achieve five new data security standards/certifications in the next 12 months.
The Engineering Manager of Digital Enablement at this company is responsible for developing and implementing digital transformation and cyber security plans to improve business growth, cost-effectiveness, and service quality. Given their areas of expertise, this individual was put in charge of the company’s infosec compliance projects. To manage the volume of the anticipated work in compliance, they decided to find a software platform that could help them organize, improve, and automate the compliance work that needed to be done.
“Last year, we achieved our ISO 27001 certification. We did the work manually and used a mix of tools including spreadsheets, email, JIRA and Google Drive. It was challenging to keep track of everything and to find information when I needed it. Communicating with control owners and with the auditor took a lot of time. To get better at compliance and handle the high volume of work, we needed to leverage software that can provide a central hub for information-sharing and collaboration. We needed technology that automates the work as much as possible,” says this customer.
Reduce time spent on responding to audit requests by 50%
This Hyperproof customer was able to save a significant amount of time on the SOC 2 Type 1 audit (the formal audit phase) by using Hyperproof’s Audit Module as the central hub for information exchange and communication between their team members and their external auditor.
Meet new compliance requirements in a shorter period of time
They set an ambitious goal to achieve five new data security standards/certifications within the next 12 months. Their Engineering Manager of Digital Enablement believes that by using Hyperproof to organize, streamline, and automate the work, they are setting their organization up to achieve their compliance goals sooner than originally planned.
Improved response time to customer questions
By creating an organized catalog of the company’s security controls within Hyperproof, this company could quickly find the details needed to answer specific customer questions about the company’s security posture, improving response time to questions.
This customer evaluated a number of compliance software tools and chose Hyperproof for three key reasons:
- Ease-of-use: Hyperproof’s platform is intuitive and easy to use. Hyperproof comes with the compliance frameworks this company needs out-of-the-box and ready to use. Control owners can start using the tool quickly after just one training session. Getting people up and running with Hyperproof quickly is key to ensuring that the organization can achieve new certifications and meet requirements by the planned dates.
- Flexibility: This company wanted a platform that fit seamlessly into their existing environment and met their growing needs. With Hyperproof, they are able to stand up common controls and map them to the requirements of multiple frameworks/regulatory standards. Hyperproof comes with native integrations that are designed to automatically pull compliance information from third-party cloud apps in their tech stack. Because Hyperproof comes with APIs, it is easy for compliance and technical staff to write code to connect Hyperproof to additional open source systems and automatically pull in compliance data.
- Collaborative workflow support: Hyperproof provides this customer with the means to easily distribute control ownership to stakeholders within operational teams like Customer Support, IT Ops, Infrastructure, Engineering, and HR. Controls can be tracked centrally, and tasks can be sent to control owners automatically via Hyperproof. It becomes easy for compliance teams to see which controls are operational and which ones need remediation. Hyperproof also comes with an Audit Module -- so their compliance team and their external auditor can exchange information (e.g., document request lists, company policy documents, evidence of control activities being performed) and collaborate in a central location.
How This Customer Used Hyperproof to Streamline Information Sharing and Communications Around Their SOC 2 Audit
This customer decided to use Hyperproof as its operations hub for its SOC 2 readiness work. Workflows being managed within Hyperproof include:
- Reviewing SOC trust service criteria and creating controls in Hyperproof needed to satisfy these criteria.
- Assigning controls to “owners” across the company to manage. Control owners include staff in HR, IT Ops, Customer Support, and Engineering.
- Creating tickets (or “tasks” in Hyperproof) requesting that control “owners” provide information about control design and their operational effectiveness.
- Sharing information needed for the SOC 2 Type 1 audit with the SOC auditor. The external auditor is granted limited access to their Hyperproof account for the audit.
- Communicating with the auditor and responding to their requests and follow-up questions.
By moving these workflows into Hyperproof, this customer significantly reduced the volume of back-and-forth communication before and during the audit. Preparing for the SOC 2 Type 1 audit was far easier than preparing for the ISO 27001 certification work last year. For the ISO 27001 audit, stakeholders primarily used email to collaborate and get work done. They had to provision the external auditor with access to company tools like Google Drive and JIRA so the auditor could review evidence. They also had to act as intermediary and translator between the auditor and the internal control owners whenever the auditor asked questions.
This time around, the SOC 2 auditor was able to review everything they needed directly in Hyperproof. When the auditor needed clarification or to ask a question, they would direct their questions to the control/process owners (who also have access to Hyperproof) and were able to get answers back without the team's involvement.
This customer estimates that by using Hyperproof to run the audit, they spent 50% less time during the audit than when they ran audits without Hyperproof.
Accelerate the pace of control mapping work to become compliant in new standards faster
This customer chose Hyperproof because it allows them to streamline control maintenance while satisfying multiple compliance framework requirements. In Hyperproof, they can easily reference the requirements of all compliance frameworks the organization needs to satisfy and map existing controls to program requirements in bulk. Control owners can note additional details on each control. For example, they can call out that it satisfies multiple requirements.
“To differentiate ourselves and demonstrate our commitment to security, we’re planning to achieve several new assurance standards/certifications by the end of 2021 — including SOC 2 Type I and Type II, ISO 27017, ISO 27018, CITC, CSA STAR Level 1 and Level 2. To address our compliance needs, we need a tool that helps us crosswalk our controls and gain visibility into their effectiveness in real-time. Hyperproof showed us they have the capabilities to support us on this journey and get the job done well,” says this customer.
Improve response time to customer questions
This customer's users often have questions about the company’s security posture. Answering customers’ questions takes up a sizable chunk of time because it’s not always straightforward to find the correct information. Now that the company’s security controls and details about how those controls function reside in Hyperproof, they can answer specific security questions from customers more easily and get the right answers back to customers much faster than before.
“Because all of our controls and the details about how those controls function are stored in Hyperproof, I can easily retrieve information I need to answer customers’ questions,” says this customer. “Our organization is able to be responsive to our customers and demonstrate that we are working towards becoming first-in-class from a security standpoint.”
Take a risk-based approach to security
While their immediate focus is on getting their SOC 2 Type 2 report, the security team wants to take a risk-based approach towards managing its controls going forward. For instance, they are planning to import their risks, which are currently documented in spreadsheets, into a central Risk Register in Hyperproof and link those risks to controls/risk mitigation activities in Hyperproof. This allows the organization to monitor how risks are changing in real time based on the status of risk mitigation activities. They also have plans to use Hyperproof to test their controls on an ongoing basis.