Security Compliance Toolkit For Startups and SMBs
Kick-Start Your Compliance Program With This 11 Step Guide
If your organization is trying to adhere to a security compliance standard (e.g., SOC 2, ISO/IEC 27000 series, HIPAA, PCI DSS, Microsoft SSPA) for the first time, it’s normal to have questions and feel confused about many aspects of a security compliance program.
To help startups and SMBs get a running start on their compliance journey, Hyperproof’s Senior Director of Information Security, Risk, and Compliance, Aaron Poulsen, and our content marketing team developed this approachable compliance toolkit to demystify a relatively complex discipline.
In this toolkit, we’ve outlined the key steps organizations (regardless of their industry and size) need to take to become “compliant” with popular cybersecurity compliance frameworks and standards, and earn the trust of their customers and partners. Here are the eleven essential steps for implementing an effective security program and staying in compliance with regulations and voluntary security compliance frameworks.
Know your industry and your customers (current and future)
Why? Your industry and what you do will impact the regulations, standards, and frameworks you will need to comply with to be validated in your market. You should also be aware of risks specific to your industry. Here are just a few questions to ask of your organization to narrow down the list of cybersecurity/data privacy frameworks and regulations you may need to consider:
- Do you work with healthcare institutions?
- Do you work with financial services institutions such as banks, credit unions, or insurance companies?
- Are you a privately held company? Do you have aspirations to go public in two to three years?
- Where are you operating? Are you aware of the country- and state-specific data protection laws in places where you have significant operations?
- Are you looking to sell to the federal government of the United States?
Essentially, determining your compliance obligations comes down to knowing what you do and plan to do in the future as a business.
Know your technology stack
Why? You will need to demonstrate a deep understanding of how you protect your tech stack and maintain it on an ongoing basis. It is important to keep an inventory of what you're using to deliver your product and/or services (OS, application, infrastructure, appliances, support, and security systems).
It is important to remember that vendors you select as part of your product or service are constituents of your technology stack—they become part of the product or service you provide to your customers and will require regular monitoring.
The goal of this step is to understand your risk exposure by identifying potential vulnerabilities from the technology you implement and the assets operating within your environment.
Know what data you'll collect and where it goes
Why? Knowing what information you have is crucial for meeting privacy requirements. Different states, countries, and industries have various regulations governing how organizations subject to those laws need to handle Personally Identifiable Information (PII) — any data that can be used to clearly identify an individual.
Some examples that have traditionally been considered personally identifiable information include social security numbers in the U.S., national insurance numbers in the UK, mailing addresses, emails, and phone numbers. But as technology has evolved, the scope of PII has grown considerably to include IP addresses, login ID details, social media posts, and digital images, as well as geolocation, behavioral, and biometric data.
Everyone has PII to some extent and it's likely the most important thing you need to protect (besides your employees). Treat your data like any other valuable asset.
Perform a risk assessment on your entire organization
Why? Risk assessments allow you to see how your organization’s risks and vulnerabilities are changing over time. This allows decision-makers to put necessary measures and safeguards in place to respond to risks appropriately. IT security risk assessments focus on identifying the threats facing your information systems, networks, and data, and assessing the potential consequences you’d face should these adverse events occur.
Risk assessments provide a lot of valuable information to your company. Each requires you to
- Identify material assets (including people and data)
- Determine the impact of losing a particular asset and how such a loss would influence the business
- Provide a means of selecting security controls and deciding how to implement them
Here are the key components of a risk assessment:
Business Impact Analysis (BIA): A BIA is a structured process your organization uses to determine and evaluate the potential impacts of an interruption to critical business operations due to natural disasters, accidents, intrusions, or emergencies. A BIA can prepare you to handle the fallout of risk events coming to fruition and give your business the best chance at recovery.
Risk Assessment: Where the BIA identifies the impact of interruptions to critical business operations, a risk assessment will use this information as input to identify potential threats, enterprise impact, and likelihood that these interruptions will actually occur. This exercise, when complete, should identify and prioritize risks based on a number of factors including severity (impact), risk appetite of the organization, existing compensating controls, and any other information of specific interest to the business and used for mitigation. Risk Assessment findings should be documented in a Risk Register.
Risk Register: A catalog or inventory of all identified risks an organization is tracking. Risk registers are living documents and should be updated frequently based on changes to an organization’s internal and external environment, updates resulting from a risk assessment, or changes in a company’s risk appetite or risk tolerance (this is not an exhaustive list). A risk register is a quick way to identify what an organization considers its greatest risks, the controls associated with those risks, mitigation plans, ownership, etc.
Risk Remediation: Using the BIA, Risk Assessment, and Risk Register, the risks of greatest concern for an organization should now be identified and prioritized for remediation. Generally, the highest-scored risks get the most attention (high impact / high likelihood), but quick solutions for lesser risks should also be considered when planning remediation activities. Risk remediation, also known as risk treatment or risk response, includes:
- Avoidance: discontinuing the activity or process that is introducing risk to your organization. Not used very often.
- Acceptance: some risks are considered acceptable based on various factors (e.g., risk appetite, low enough impact/likelihood). Usage of this treatment varies.
- Mitigation: the most common treatment strategy is mitigation — either fully resolving the issue(s) contributing to a risk item, or implementing one or more compensating controls that will reduce a risk item’s score to acceptable levels.
- Transfer: risk transfer almost always refers to financial risk that can be remediated through the use of insurance (cyber, or otherwise).
Risk Monitoring: Once risks have been identified, their impact quantified and captured in a risk register, and remediation plans determined, it’s crucial to ensure ongoing management of these risk items. While risk assessments, traditionally, are performed annually, any emergent risks should be captured in the risk register and given the same level of review as those coming from an annual exercise.
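The scoring and treatment logic described above (inherent score, compensating controls reducing it to a residual score, comparison against risk appetite, and prioritization) as a small risk register. This is an added example, not part of the Hyperproof toolkit; the 1-5 ordinal scales, the appetite value of 6, the sample risks and the compensating controls are all constructed for illustration, and a real register would also carry mitigation plans, review dates and similar fields.

```python
from dataclasses import dataclass, field

@dataclass
class CompensatingControl:
    name: str
    likelihood_reduction: int = 0  # points shaved off the 1-5 likelihood scale
    impact_reduction: int = 0      # points shaved off the 1-5 impact scale

@dataclass
class Risk:
    risk_id: str
    description: str   # threat to a material asset (people, data, systems)
    impact: int        # 1 (negligible) .. 5 (severe); ordinal scales constructed here
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    owner: str         # who is accountable for the treatment plan
    treatment: str = "undecided"  # avoid / accept / mitigate / transfer
    controls: list = field(default_factory=list)

    def residual_score(self) -> int:
        # Inherent score is impact * likelihood; compensating controls lower it,
        # but neither scale drops below 1.
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        return imp * lik

class RiskRegister:
    def __init__(self, risk_appetite: int):
        self.risk_appetite = risk_appetite  # highest residual score the business will accept
        self.risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        self.risks[risk.risk_id] = risk  # emergent risks enter exactly like annual findings

    def prioritized(self) -> list[Risk]:  # highest residual first, inherent score breaks ties
        return sorted(self.risks.values(), key=lambda r: (r.residual_score(), r.impact * r.likelihood), reverse=True)

    def needs_treatment(self) -> list[str]:
        # Undecided above appetite, or "accepted" above appetite, is a register defect.
        return [r.risk_id for r in self.prioritized()
                if r.residual_score() > self.risk_appetite and r.treatment in ("undecided", "accept")]

def build_sample_register() -> RiskRegister:
    reg = RiskRegister(risk_appetite=6)
    patching = CompensatingControl("Monthly scanning + 30-day patch SLA", likelihood_reduction=2)
    fde = CompensatingControl("Full-disk encryption on laptops", impact_reduction=2)
    reg.add(Risk("R-1", "Unpatched internet-facing servers", 5, 4, "Eng", "mitigate", [patching]))
    reg.add(Risk("R-2", "Primary datacenter outage", 5, 2, "Ops", "accept"))
    reg.add(Risk("R-3", "Vendor breach exposing shared PII", 4, 3, "Security"))
    reg.add(Risk("R-4", "Laptop theft", 3, 3, "IT", "accept", [fde]))
    return reg
```

Running `build_sample_register().needs_treatment()` surfaces R-3 (no treatment decided) and R-2 (accepted although its residual score exceeds the appetite), while R-1 is above appetite but already under mitigation and R-4 is legitimately accepted once disk encryption brings it within appetite.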
Develop a common set of policies
Why? These form key elements of your internal governance processes and are required by most standards and regulations (don't forget they will need to be maintained and, in some cases, tested). Here are some policies to include:
- BCP: Business Continuity Plan
- AUP: Acceptable Use Policy
- ISP: Information Security policy
- ACP: Access Control Policy
- CMP: Configuration Management Policy
- IRP: Incident Response Policy
- Comms Policy: Communications Policy
- DRP: Disaster Recovery Policy
Identify controls based on prior exercises
Use default (illustrative) controls
The Trust Services Criteria from AICPA (SOC 2), ISO 27001 Annex A controls, or the Secure Controls Framework (SCF) are good sources for getting default controls you can then tailor to your organization. You may also review NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, to get input (NIST SP 800-53 contains a comprehensive set of security and privacy controls. It may be overwhelming for beginners).
Create your own controls
Every organization is different in its structure, culture, technology stack, and processes. Auditors will be testing how well your organization meets various criteria — it’s for this reason that your controls must reflect how your company operates, and not how illustrative controls suggest they operate. If using illustrative controls, it’s important to tailor them to your organization. Use them as guidance and only assert an illustrative control as your own if it accurately reflects your operations!
Designate control ownership and accountability
Control ownership and accountability is critical to the ongoing management of your compliance operations — employees need to understand the expectations for maintaining a healthy set of controls based upon organizational (and program-specific) requirements. Compliance teams need to know who is responsible for ensuring requirements are being met, from whom to request evidence as part of an audit, and who will remedy gaps resulting from testing.
Identify frequency of control operation and testing
Not all controls need reviewing or testing at the same time: some (like policy-related controls) may be set up on an annual schedule; others (like vulnerability-related controls) may be configured for quarterly, monthly, weekly, or even continuous execution. Whatever frequency is identified in your set of controls, ensure you operate against what is asserted.
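One way to check that controls actually operate at the frequency asserted in your control language: compare the newest piece of evidence for each control against the longest age that frequency allows, and flag anything stale or never evidenced, grouped by owner so evidence requests reach the right person. This is an added example and not Hyperproof's code; the tolerances, control inventory, owners and the as-of date are constructed for illustration.

```python
from datetime import date, timedelta

# Longest acceptable age of the newest evidence for each asserted frequency.
# Tolerances are constructed for this example; align them with your own control language.
MAX_EVIDENCE_AGE = {
    "continuous": timedelta(days=1),
    "weekly": timedelta(days=7),
    "monthly": timedelta(days=31),
    "quarterly": timedelta(days=92),
    "annual": timedelta(days=365),
}

def overdue_controls(controls, today):
    """Return [(control_id, owner, days_overdue)] for controls whose newest evidence is older
    than the asserted frequency allows; days_overdue is None when no evidence exists at all."""
    overdue = []
    for ctl in controls:
        if ctl["frequency"] not in MAX_EVIDENCE_AGE:
            raise ValueError(f"{ctl['id']}: unknown frequency {ctl['frequency']!r}")
        last = ctl.get("last_evidence")
        if last is None:
            overdue.append((ctl["id"], ctl["owner"], None))  # asserted but never operated
            continue
        slack = (today - last) - MAX_EVIDENCE_AGE[ctl["frequency"]]
        if slack.days > 0:
            overdue.append((ctl["id"], ctl["owner"], slack.days))
    return overdue

def chase_list(overdue):
    """Group overdue control ids by owner so evidence requests go to the right person."""
    by_owner = {}
    for control_id, owner, _ in overdue:
        by_owner.setdefault(owner, []).append(control_id)
    return by_owner

# Constructed sample of a control inventory with its asserted frequencies.
SAMPLE_CONTROLS = [
    {"id": "POL-01", "name": "Annual ISP review", "frequency": "annual", "owner": "CISO", "last_evidence": date(2023, 5, 15)},
    {"id": "VUL-03", "name": "Quarterly vulnerability scan", "frequency": "quarterly", "owner": "SecOps", "last_evidence": date(2024, 4, 1)},
    {"id": "ACC-07", "name": "Monthly access review", "frequency": "monthly", "owner": "IT Ops", "last_evidence": date(2024, 4, 20)},
    {"id": "BCP-02", "name": "Weekly backup restore test", "frequency": "weekly", "owner": "IT Ops", "last_evidence": date(2024, 5, 28)},
    {"id": "LOG-01", "name": "Continuous log monitoring", "frequency": "continuous", "owner": "SecOps", "last_evidence": None},
]
AS_OF = date(2024, 6, 1)  # constructed "today" so the sample report is reproducible

if __name__ == "__main__":
    for control_id, owner, days in overdue_controls(SAMPLE_CONTROLS, AS_OF):
        print(control_id, owner, "never operated" if days is None else f"{days} days overdue")
```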
Gap assess your controls against compliance requirements
A gap assessment may be done as part of step 6, but this step would identify gaps in control design or implementation. It may also be referred to as a CSA (Controls Self Assessment) — essentially an audit you perform on yourself against a program/framework/etc. to gauge audit readiness.
To conduct a gap assessment, you’d collect evidence used for testing controls. Results should be documented in a gap analysis report, possibly as input into the risk register for subsequent remediation (might be labelled as "audit risks" since failure to fix could result in audit finding(s)). If you’re new to a compliance framework and don’t have internal subject matter expertise, you may want to consider hiring a qualified compliance consultant to conduct the gap assessment.
Here’s a general structure for information you’d include in a gap analysis report:
- Overview of the gap analysis
- Findings (or the “gaps”)
- Remediation plan(s)
Remediate gaps prior to your external audit
Remediating gaps before an external audit is important and will minimize the risk of receiving audit findings or exceptions; however, you will want to resolve issues as quickly as possible based on the severity of the gap, independent of your external audit timeframe.
That being said, your first gap analysis will likely produce a large number of issues that require remediating. Start by identifying those issues that represent the greatest risk to your organization based on likelihood and impact if left unresolved. Once these issues are identified and ‘scored’, start fixing and document your progress.
Undergo your external audit
There are varying severities of audit findings:
Recommendations are just that, but do carry weight — it's rare that implementing a recommendation will work against you. Remember that a function of an audit is to strengthen your org's security and compliance posture, so they shouldn't be ignored.
Findings can be expressed in a number of ways: major, minor, qualified opinion, unqualified opinion, exception, critical, informational — audit reporting criteria will determine how findings are presented and your auditor will be able to explain the severity relative to the particular audit you're undergoing.
Remediate Any Audit Findings
Regardless of the severity of findings you may have received from an external auditor, you will want to prioritize them for remediation — you may even elect not to fix something (with sufficient justification).
Don't waste time here. Sometimes trivial fixes turn into quarter-long (or longer) projects. Remember, by the time you receive your audit letter or certification, you're most likely already in the next audit period. The longer a finding stays un-remediated, the harder it will be to convince auditors you are adequately managing your controls and meeting program criteria.
Ongoing: Manage controls and risk
Once the audit is over, the next one has already started (in fact, it probably started before your current audit finished). The state of your compliance program must be continuously maintained.
Perform regular CSAs (Control Self Assessments) to ensure changes in your environment are accurately reflected (and tested) in your control language. Add, modify, and/or remove controls as needed.
Collect evidence on an ongoing basis to contribute to your next audit's success. It will validate effective operation of your controls.
Some risks will remain fairly constant, but emergent risks are always a concern; they should be identified in a risk register, and be included in the next risk assessment. Be proactive in looking for vulnerabilities and develop a security-by-design mindset throughout your organization.
For instance, it’s good to be especially cognizant of changes in:
- Your technology stack
- Any changes to where data is transmitted / stored and if the type(s) of data collected and processed have changed
- Your vendors' security postures (via regular Vendor Security Audits)
- The way you implement authentication and access control (both users and systems)
- Your inventory, both hardware and software
- Your organization itself, where the change affects the set of policies identified earlier (e.g., addition or removal of a datacenter that would affect BCP execution, implementation of a SIEM for more efficient incident response, etc.).
Of course, this list is not exhaustive (regular testing of your controls will provide the best coverage) but should provide you an idea of the types of changes to be aware of during any given audit period.
Hyperproof Can Support Your Compliance Journey
Hyperproof can help you jumpstart your first IT compliance program, pass the audit, and maintain continuous compliance -- so you can provide assurances to customers, maintain trusted business relationships, and establish a security baseline that supports your growth plan.
Here are some specific ways Hyperproof can help.
Referrals to subject matter experts
We can refer you to leading CPA and MSSP firms that can work with you to set up a solid security program, and guide you in the creation of policies, procedures and controls needed to pass compliance assessments and achieve attestation reports and certifications.
Compliance framework templates for quick start
Hyperproof’s compliance operations platform comes with many information security and data privacy compliance framework templates, such as SOC 2, ISO 27001, HIPAA, PCI DSS, CMMC and others. Each template has a particular framework’s requirements and illustrative controls -- providing you a starting point for conducting a gap assessment.
Collect evidence to test controls
With Hyperproof, you can automatically access your latest company policies from various cloud-based file storage systems as well as other compliance data from dozens of cloud-based tools across cloud infrastructure, DevOps, device management, security, HR, ticketing management, etc.
Ensure that remediations are happening in a timely manner
Hyperproof also comes with project management tools that streamline and automate much of the day-to-day work associated with managing controls and remediation projects.
Monitor your compliance program’s performance and identify areas for improvement
Hyperproof comes with reports that provide real-time visibility into your organization’s compliance posture. As you implement controls, you can set up tasks designating the control activities that need to be performed by certain individuals or teams, along with automatic reminders. You can configure Hyperproof to automatically flag controls that are in need of attention and alert the individuals who need to take action.