Evolving Your Organization through Continuous Security and Compliance
By Marc Gold and Megan Sajewski
You’ve worked hard to successfully complete several cybersecurity audit engagements—now what? Partnering with BARR means you get an evolutionary approach to your cybersecurity compliance strategy. Controls may change as your organization grows, and through continuous security and compliance, a third-party auditor like BARR can help your transitions be compliant and support you as you evolve.
No matter what framework you’ve chosen, BARR works with you to ensure you have the right processes and systems in place. Our rigorous testing will identify exceptions and process improvement opportunities (PIOs) within your systems. Even when we issue a successful audit, we always want to offer places where you can tighten up your security program for the following year’s report. If PIOs are left unattended, they can lead to exceptions in the future, so it’s always a good idea to take any notes about where to remediate gaps or errors.
Let’s take a look at some key factors that will influence your organization’s continuous security and compliance strategy.
Security vs. Compliance: What’s the Difference?
The main distinction between security and compliance is a difference of kind rather than degree—security is based on principles of trust, and compliance asks questions of similarity.
In other words:
- Security is something you have in place to protect yourself. This can include many layers like firewalls, physical security, etc., or making sure data centers are protected with correct security.
- Compliance means you and your organization are complying with security rules. It’s the standard or policy that’s in place and meeting those rules as best practice.
Let’s talk in more depth about how these differences might show up when working on continuous security and compliance.
Security Frameworks and Standards
A framework or standard is a set of requirements published by a specific group for completing a security process. For example, when working on a SOC 2 report, there are five Trust Service Criteria determined by the AICPA you need to follow—security, availability, confidentiality, processing integrity, and privacy.
A few examples of popular frameworks and standards include:
- International Organization for Standards (ISO)—An international federation of national standards bodies
- Systems and Organization Controls (SOC)—A framework that tracks and monitors security events
- National Institute of Standards and Technology (NIST)—A framework that helps organizations manage and reduce cybersecurity risk and protect their networks and data
Compliance and Regulations
Compliance and regulations contain similar requirements but with no set of rules upon which to test. Your organization can be working toward compliance under a specific regulation, however, you can never reach 100% compliance, like when achieving a report or certification for a framework or standard.
Examples of specific compliance and regulations include GDPR and HIPAA.
Both GDPR and HIPAA are important governmentally mandated compliance systems; when they are objectively measured, they each provide assurance that personal data remains private. The focus of GDPR in the EU is about protecting the individual rights of humans, their privacy, and the safety of their data. HIPAA is focused on electronic protected healthcare information (ePHI). This compliance measure can either be mapped to a SOC report in Section V or given an opinion upon by the auditor testing an environment. At BARR, we test “HIPAA Security Rule requirements” to ensure that ePHI is secure in transit and at rest as it interacts with a client’s system.
Security Questionnaires and SLAs
While knowing the difference between a specific framework, standard, or regulation is important when seeking out continuous security and compliance, your client’s stakeholders also have obligations—like answering security questionnaires or legal reviews of service-level agreements (SLAs) prior to beginning services.
There are many different versions of security questionnaires and SLAs, and as an organization, you can come up with your own set of questions to gain appropriate information. The main objective of security questionnaires and SLAs is to determine an organization’s security posture. In other words, you want to know what you’re getting into when signing on a new client.
Questions you may want to ask include:
- What level of risk are you going to be using?
- What do you already have in place for security?
- What controls do you have and how are they put into practice?
- What does your organization have in place to protect yourself from an attack?
How to Know What’s Right for Your Organization
Prior to starting your security and compliance journey, it’s important to understand what’s involved with each engagement. For instance, ISO 27001 is extremely beneficial for organizations looking to improve the security of their information security management system (ISMS). However, the process can become complicated and requires an extensive amount of preparation. That’s why it’s helpful to track how much time and resources your organization can provide toward each step of the way.
Once you’ve completed an engagement, you can always add more criteria, and BARR can help scale our services based on your organization’s needs. For example, your organization might benefit from adding privacy or the HIPAA security rule to your SOC report. In addition, you can add frameworks like ISO to meet international standards or HITRUST for healthcare privacy once you’ve completed your first engagement.
At BARR, our work is to stay ethically objective in all phases of the engagement cycle. Part of our independence as your auditor partner means not offering advice or opinions about services. Our business development and attest management teams take on that responsibility of gauging which service lines fit best to our client environments and do great work putting the pieces together.
Looking Toward the Future
In the cybersecurity industry, change is forever afoot, so continuous security and compliance is often about a mindset of adaptability rather than predicting what’s to come. Assuring that equity is built into our technological future should be top priority. It’s also probable that quantum computing is on the horizon, which could mean a more broadly automated future run by sophisticated AI.
As operations in the cloud continue to grow, cloud service providers (CSPs) like AWS and GCP will become more of a one-stop shop. However, not all features through these CSPs can be default. Having a core set of security and compliance goals that are unique to your organization’s platform prevents you from future problems so you can make sure you have the correct security and compliance processes in place.
Interested in learning more about how BARR can help you with your continuous security and compliance goals? Contact us today.
About the Authors:
As Manager of Attest Services, Marc Gold serves as the lead for planning and executing information technology audits (SOC 1, SOC 2, and SOC 3), client risk assessments and CISO Advisory engagements for clients in a wide range of industries. Marc brings extensive experience in assessing effectiveness and design of control environments.
Prior to BARR, Marc previously worked as a senior associate at KPMG and is a United States Army Veteran. He has a Bachelor of Business Administration in Management Information Systems from Temple University.
As Senior Consultant in BARR’s Attest Services, Megan Sajewski supports SOC examinations and helps clients navigate complex security and compliance issues. This involves identifying and evaluating risks and providing solutions to mitigate those risks.
Prior to joining BARR, Megan worked as a technical writer at Altair. She holds a Master of Arts in art history from Yale University and a Bachelor of Arts in English literature from the University of Michigan.