Security Compliance Toolkit For Startups and SMBs

1

1. Know your industry and your customers (current and future)

Why? Your industry and what you do will impact the regulations, standards, and frameworks you will need to comply with to be validated in your market. You should also be aware of risks specific to your industry. Here are just a few questions to ask of your organization to narrow down the list of cybersecurity/data privacy frameworks and regulations you may need to consider:

Essentially, determining your compliance obligations comes down to knowing what you do and plan to do in the future as a business.

2

2. Know your technology stack

Why? You will need to demonstrate a deep understanding of how you protect your tech stack and maintain it on an ongoing basis. It is important to keep an inventory of what you’re using to deliver your product and/or services (OS, application, infrastructure, appliances, support, and security systems).

It is important to remember that vendors you select as part of your product or service are constituents of your technology stack—they become part of the product or service you provide to your customers and will require regular monitoring.

The goal of this step is to understand your risk exposure by identifying potential vulnerabilities from the technology you implement and the assets operating within your environment.

3

3. Know what data you’ll collect and where it goes

Why? Knowing what information you have is crucial for meeting privacy requirements. Different states, countries, and industries have various regulations governing how organizations subject to those laws need to handle Personal Identifiable Information (PII) — any data that can be used to clearly identify an individual.

Some examples that have traditionally been considered personally identifiable information include social security numbers in the U.S., national insurance numbers in the UK, mailing addresses, emails, and phone numbers. But as technology has evolved, the scope of PII has grown considerably to include IP addresses, login ID details, social media posts, and digital images, as well as geolocation, behavioral, and biometric data.

Everyone has PII to some extent and it’s likely the most important thing you need to protect (besides your employees). Treat your data like any other valuable asset.

4

4. Perform a risk assessment on your entire organization

Risk assessments provide a lot of valuable information to your company. Each requires you to  

Here are the key components of a risk assessment:

Business Impact Analysis (BIA): A BIA is a structured process your organization uses to determine and evaluate the potential impacts of an interruption to critical business operations due to natural disasters, accidents, intrusions, or emergencies. A BIA can prepare you to handle the fallout of risk events coming to fruition and give your business the best chance at recovery.  

Risk Assessment: Where the BIA identifies the impact of interruptions to critical business operations, a risk assessment will use this information as input to identify potential threats, enterprise impact, and likelihood that these interruptions will actually occur. This exercise, when complete, should identify and prioritize risks based on a number of factors including severity (impact), risk appetite of the organization, existing compensating controls, and any other information of specific interest to the business and used for mitigation. Risk Assessment findings should be documented in a Risk Register.

Risk Register: A catalog or inventory of all identified risks an organization is tracking.  Risk registers are living documents and should be updated frequently based on  changes to an organization’s internal and external environment, updates resulting from a risk assessment, or changes in a company’s risk appetite or risk tolerance (this is not an exhaustive list). A risk register is a quick way to identify what an organization considers its greatest risks, the controls associated with those risks, mitigation plans, ownership, etc.

Risk Remediation: Using the BIA, Risk Assessment, and Risk Register, the risks of greatest concern for an organization should now be identified and prioritized for remediation. Generally, the highest-scored risks get the most attention (high impact / high likelihood), but quick solutions for lesser risks should also be considered when planning remediation activities. Risk remediation, also known as risk treatment or risk response, includes:

Risk Monitoring: Once risks have been identified, their impact quantified and captured in a risk register, and remediation plans determined, it’s crucial to ensure ongoing management of these risk items. While risk assessments, traditionally, are performed annually, any emergent risks should be captured in the risk register and given the same level of review as those coming from an annual exercise.

5

5. Develop a common set of policies

Why? These form key elements of your internal governance processes and are required by most standards and regulations (don’t forget they will need to be maintained and, in some cases, tested). Here are some policies to include:

6

6. Identify controls based on prior exercises

Use default (illustrative) controls

The Trust Services Criteria from AICPA (SOC 2), ISO 27001 Annex A controls, or the Secure Controls Framework (SCF) are good sources for getting default controls you can then tailor to your organization. You may also review NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, to get input (NIST SP 800-53 contains a comprehensive set of security and privacy controls. It may be overwhelming for beginners). 

Create your own controls 

Every organization is different in its structure, culture, technology stack, and processes.  Auditors will be testing how well your organization meets various criteria — it’s for this reason that your controls must reflect how your company operates, and not how illustrative controls suggest they operate. If using illustrative controls, it’s important to tailor them to your organization. Use them as guidance and only assert an illustrative control as your own if it accurately reflects your operations!

Designate control ownership and accountability 

Control ownership and accountability is critical to the ongoing management of your compliance operations — employees need to understand the expectations for maintaining a healthy set of controls based upon organizational (and program-specific) requirements. Compliance teams need to know who is responsible for ensuring requirements are being met, from whom to request evidence as part of an audit, and who will remedy gaps resulting from testing. 

Identify frequency of control operation and testing 

Not all controls need reviewing or testing at the same time: some (like policy-related controls) may be set up on an annual schedule; others (like vulnerability-related controls) may be configured for quarterly, monthly, weekly, or even continuous execution. Whatever frequency is identified in your set of controls, ensure you operate against what is asserted.

7

7. Gap assess your controls against compliance requirements

A gap assessment may be done as part of step 6, but this step would identify gaps in control design or implementation. It may also be referred to as a CSA (Controls Self Assessment) — essentially an audit you perform on yourself against a program/framework/etc. to gauge audit readiness.

To conduct a gap assessment, you’d collect evidence used for testing controls. Results should be documented in a gap analysis report, possibly as input into the risk register for subsequent remediation (might be labelled as “audit risks” since failure to fix could result in audit finding(s)). If you’re new to a compliance framework and don’t have internal subject matter expertise, you may want to consider hiring a qualified compliance consultant to conduct the gap assessment.

Here’s a general structure for information you’d include in a gap analysis report:

8

8. Remediate gaps prior to your external audit

Remediating gaps before an external audit is important and will minimize the risk of receiving audit findings or exceptions; however, you will want to resolve issues as quickly as possible based on the severity of the gap, independent of your external audit timeframe.

That being said, your first gap analysis will likely produce a large number of issues that require remediating. Start by identifying those issues that represent the greatest risk to your organization based on likelihood and impact if left unresolved. Once these issues are identified and ‘scored’, start fixing and document your progress.

9

9. Undergo your external audit

There are varying severities of audit findings:

Recommendations are just that, but do carry weight — it’s rare that implementing a recommendation will work against you. Remember that a function of an audit is to strengthen your org’s security and compliance posture, so they shouldn’t be ignored.

Findings can be expressed in a number of ways: major, minor, qualified opinion, unqualified opinion, exception, critical, informational — audit reporting criteria will determine how findings are presented and your auditor will be able to explain the severity relative to the particular audit you’re undergoing.

10

10. Remediate Any Audit Findings

Regardless of the severity of findings you may have received from an external auditor, you will want to prioritize them for remediation — you may even elect not to fix something (with sufficient justification).

Don’t waste time here. Sometimes trivial fixes turn into quarter-long (or longer) projects. Remember, by the time you receive your audit letter or certification, you’re most likely already in the next audit period. The longer a finding stays un-remediated, the harder it will be to convince auditors you are adequately managing your controls and meeting program criteria.

11

11. Ongoing: Manage controls and risk

Once the audit is over, the next one has already started (in fact, it probably started before your current audit finished). The state of your compliance program must be continuously maintained.

Perform regular CSAs (Control Self Assessments) to ensure changes in your environment are accurately reflected (and tested) in your control language. Add,  modify, and/or remove controls as needed.

Collect evidence on an ongoing basis to contribute to your next audit’s success. It will validate effective operation of your controls. 

Some risks will remain fairly constant, but emergent risks are always a concern; they should be identified in a risk register, and be included in the next risk assessment. Be proactive in looking for vulnerabilities and develop a security-by-design mindset throughout your organization.

For instance, it’s good to be especially cognizant of changes in: 

Of course, this list is not exhaustive (regular testing of your controls will provide the best coverage) but should provide you an idea of the types of changes to be aware of during any given audit period.