Compliance Certification: Step outside the checkbox

 

CERTIFY ME!

We have previously spoken of the impact to businesses and security teams of SolarWinds, along with increasing ransomware and other cyberattacks. The demand is increasing to demonstrate an implemented security posture to make it through the sales process. Whether it’s SOC 2 Certification, ISO Certification, or CMMC Certification for DIB’s, government and corporations are both being held accountable and calling for greater accountability in their supply chain. This is, hopefully, good for consumers, good for society, good for humanity even!

As the demand for “certified” compliance increases, the cybersecurity industry has responded with new tools, automation, and “virtual CISO” services, all designed to simplify and expedite the readiness and certification process, because, of course, as a customer, you need certification, and you need it NOW!

BEYOND THE CHECKBOX

If you are about to launch headlong into a SOC 2 or another type of compliance certification, read this first! If you are planning to use a spreadsheet… Don’t. If you are looking for a SaaS product, tool, MSP, or combination of both, keep reading! It is important to know what is ahead and find a tool that enables you to fulfill all of your tasks and objectives and/or guide your MSP partners to make your investment and cost-effective and successful as possible. We think of it in three stages:

  1. Readiness: Scope of the certification (only do what you need to do); what is already in place; what do we need to build? (This is the checklist)
  2. Continuous Monitoring: Implementation, corrective action, validation; review, recycle, add, rinse. (This is beyond the checkbox)
  3. Risk in Action: Risk Register, established risk metrics, empirical data, and actionable activity to make the organization stronger, faster, better… (This is where you want to be)
I CHECKED ALL THE BOXES!

The impression of ‘getting certified’ after 14, 30 90 days (SOC 2 Type 1, maybe…) 6-12 months (SOC 2 Type 2/ISO 27001, CMMC), is misleading at best, and generally speaking, creates a “false” sense of security. In reality, passing the certification audit is just the beginning of an ongoing compliance cycle that requires ongoing maintenance, or, in other words, a risk management program. If you are not thinking beyond the checkbox, you are underestimating the task at hand.

POLICY CREATES LIABILITY

Step one: all certifications require developed policies. Once written, that policy must be implemented. There is no going back! Failure to implement the standards and procedures outlined by your policies and accompanying procedural documents creates liability, not just audit penalties. There are many templates and offerings to help craft policies. These do largely serve as a good starting point, but “buyer-beware” unless you understand what is in your policy–can you validate that your policy statements are actionable within your organization?–then you are potentially opening your company up to a world of pain!

COMPLIANCE & RISK MANAGEMENT

The jolly old Oxford English Dictionary describes compliance as “the act of obeying a rule, order or request”. OK, that mostly works, with one rather important addendum. “Ongoing”… Security OR Privacy compliance are not point-in-time activities, rather, they are any point-in-time activities. We call this continuous monitoring (Step two).  Immediately, this is why compliance is not sustainable in a spreadsheet. It’s simply too hard to keep up with ongoing activity, issues, and changes across the business, product, and in-scope technology. Automation is the key to effectively reviewing or monitoring compliance. Tools like CyberOne can automate evidence collection through API integrations or “manually” through project management notifications and alerts that go out to evidence owners. However, if automation can help sustain existing compliance, the business of managing gaps, risk management is the next level. Now, we are in the realm of risk management. Managing threats, vulnerabilities, issues that arise, events (heaven forbid), and business continuity, all of which are compliance requirements, can only be done through effective, empirical risk management. Risk management takes you through (Steps three, four, five, etc…). Compliance tells you what you are and are not doing, so to speak, where effective risk management, tells how to maintain, scale, and do it better. On the right tool (ahem!), this can refer to both operational and enterprise risk. With the right risk data, measured in real-time, against established requirements and objectives, your company will become more efficient and work smarter across security and general operations. As such, compliance is only as valuable as the risk management that it informs, and as a stand-alone activity, it is not sustainable.

CERTIFICATION TOOLS: CHECK THESE BOXES

As you launch into your certification tool search, here’s a quick summary of the capabilities you really need to be successful:

  1. Policy Management: Can you write, review, update and communicate policies and connect them to your internal controls and regulatory requirements?
  2. Asset Management: Can you attach controls to specific assets and monitor those assets in your tool?
  3. Control Management: Can you work with multiple regulations and consolidate your internal controls to meet multiple requirements?
  4. Evidence Collection: Can you automate evidence collection and use one piece of evidence to meet many controls?
  5. Control tests: can you validate evidence and create reports that demonstrate validation by control and assets?
  6. Issue Management: Can you create findings from findings, as well as view, prioritize and mitigate findings (corrective actions, issues) form all areas of the business (compliance review, vulnerability scans, vendor review, internal audit, etc.)
  7. Risk Management: Can you define risk metrics and objectives, and cascade risk > threat > issue > incident > controls > assets to understand for a comprehensive understanding of your risk and compliance status and environment?
  8. Data application: Can you take that data and apply it to organizational strategy?

Once you implement the above, well, remember where we said you wanna be? Faster, stronger, better… You are here!

CyberOne is cloud-based GRC automation. We bring governance, compliance, and risk together with purpose. If you are ready to go beyond the checkbox, reach out to CyberOne and we will tell you more.

See what our clients say about CyberOne here:

 

 

 

Credits:

Harvard Business Review: https://hbr.org/2018/03/why-compliance-programs-fail

The Compliance and Ethics Blog:

Check Your Use of “Check the Box”

 

 

 

Lower Audit Costs with a GRC Automation Platform

You can get a free readiness assessment by clicking this link and telling us which frameworks you need (CMMC, SOC 2, ISO, PCI, HIPAA, GDPR, all of these and more)

Did you know?

More and more auditors factor the use of a GRC solution into the pricing of an audit. If you are still working in spreadsheets, time is no longer your only enemy. Now and in the future, you will be paying more for that certification as well as wasting precious time. Compliance requirements are holding up the sales pipeline, causing stress, chaos, and general distress across your organization. Are you trying to keep up with evidence collection, control implementation, and managing the inevitable corrective actions that come from (using a spreadsheet) being overloaded, under-resourced, and ill-prepared for your audits? We all know it’s is a fools-errand if your tool has a “green-kiss” icon. We want to help! 

Auditors have figured it out/So has Forbes Magazine!

Auditors have recognized the value of an automation solution to manage the, otherwise arduous, compliance workflow. Compliance requires a lot of repetition, attention to detail and the ability to macro- and micro-manage your people, process and technology. CyberOne will save you time, money, audit penalties (more money) and de-stress you – Forbes magazine agrees!  (cut and paste this into an email to your boss, now!)

CyberOne Cloud-Based Automation

CyberOne’s cloud-based automation solution is widely accepted by audit firms and supports the full compliance lifecycle. We automate evidence collection, risk and finding alerts and risk monitoring. CyberOne also integrates with all your security tools, BitSight, Nexpose, Nessus, Qualys, productivity tools, Jira, Slack, Power BI, ServiceNow, and more.

CyberOne pays for itself in a matter of months.

We start by helping you select an auditor that is right for you and scoping your readiness and requirements.  We also provide all the tools you need to build or scale your compliance program, including readiness assessments, policy templates, control guidance and sample evidence lists. We will take you step by step through your readiness, audit and certification and set you up with continuous monitoring and ongoing automation to ensure success for this audit and the next surveillance audit, and certification, year after year.

You can get a free readiness assessment by clicking this link and telling us which frameworks you need (CMMC, SOC 2, ISO, PCI, HIPAA, GDPR, all of these and more)

I would like to talk to an expert about my compliance needs

 

Weekends are Free: Get Your SOC 2 Free Readiness Assessment

 

CyberOne is offering a free readiness assessment for SOC 2 Type 1 for Type 2 readiness. Simply click the link below and put SOC 2 in the contact notes, and we will send your free assessment out and (optional) schedule some time to review the results with you and discuss next steps.

FREE SOC 2 Readiness Assessment

Let us support you and automate your SOC 2 Certification process. It’s as easy as one-click and costs as low as $3600/year with no need for expensive consultants.

CyberOne SOC 2 Step by Step Certification Process: (90 days or less to SOC 1 Type 1 and 6-8 Month typical timeframe to SOC 2 Type 2 Certification)

  1. Choose Auditor  – we have direct relationships with auditors who will fit your budget
  2. Define Audit Scope
  3. Control design documentation
  4. Control implementation. Capture up to 6 months audit records.
  5. Internal readiness gap analysis. Fix the gap for the audit
  6. Start the audit. Get audit evidence checklist from auditor
  7. Collect evidence
  8. Document SOC2 Report section 3
  9. Review audit results
  10. Sign audit report & obtain certification

 

SOC 2 Certification. Your Security Passport.

The Hotman Group and CyberOne Security have more than 50 years combined experience delivering risk and compliance management and SOC 2 Certification to companies of all sizes. Trust your SOC 2 readiness to certified CPAs who understand the complex control implementation and infrastructure needed to satisfy audit requirements. Maintain your control implementation, any corrective actions and automate your year-round evidence collection process on CyberOne’s modern SaaS GRC automation platform. We provide continuous, comprehensive compliance at a fraction of the cost of traditional consulting services and limited, niche compliance solutions. 

 

CyberOne is delighted to feature today’s article from Cheri Hotman, Owner Principal of the Hotman Group.

As the federal government rolls out CMMC (the Cybersecurity Maturity Model Certification), corporations are both facing increased scrutiny and demanding higher levels of security, risk, and compliance. In today’s marketplace, doing business is an issue of security. You need it and you need to demonstrate it. SOC 2 certification applies to any company that manages data in the cloud, which is, pretty much all of us these days. It can also serve as a basis for governing regulated data (PHI or P)) and is also a highly useful means of validating cybersecurity practices to the board and all current and future clients.   As such, it is quickly becoming the first question in a risk assessment (do you have a SOC 2 report?), and subsequently, it is a revenue driver and a means of expediting security review in the sales pipeline, as well as a comprehensive framework and foundation to security.

In this article, Cheri addresses the broadly publicized SolarWinds hack, its impact on the cybersecurity community and resulting measures taken by corporations to manage risk across the enterprise and in the supply chain.

 

The SolarWinds Breach

We’ve all heard about the recent SolarWinds breach, and for good reason. The massive software development company was hacked in 2019, leaving their clients vulnerable to attack. The company unknowingly sent out a software update this March with hidden malware embedded in it. Of their 33,000 clients, an estimated 18,000 downloaded and contracted the spyware making extremely valuable, highly sensitive information available to the hackers (Canales and Jibilian).

 

What Now?

The initial chaos has subsided, and the resounding question now is “how?” Surely a high-level company such as the one offering services to Fortune 500 companies and the U.S. Government would detect a breach in their system- right? Unfortunately, the answer isn’t quite so simple. Cybersecurity is a complex, multidimensional practice meant to protect against digital attacks. There are countless parts to it, but as a result of this breach, the importance of one particular part has been brought to light- SOC 2.

 

What Exactly is SOC 2?

SOC 2 is an intense cybersecurity, risk, and technical controls audit that must be performed by a CPA. It’s used to produce a report that provides either a green light or a bold, flashing red light in regard to the controls a company has set in place to protect the product/ service (and data) they offer. Companies use them to ensure their systems are secure and functioning properly, and potential clients use them to vet their vendors. Companies that have a CPA produce these reports make their company stand out by simplifying the process of deciding on a vendor, and make it cost-effective and confidence-building for potential clients.

There are two types of SOC 2 audits: Type 1, which determines whether a company’s cybersecurity and technical controls are designed appropriately as of a specific point of time (think: April 3, 2021- it could have been compromised the day before and could become compromised the day after, but this type of audit only attests to the date of the report). Next is Type 2, which measures a business’ control design and operation over a period of time (typically over the course of 12 months). Most companies and clients seek out Type 2 reports due to the detail and assurance made available. Here, more is more– companies and clients alike want little-to-no room for error in knowing the controls in place are reducing risk as they’re supposed to.

 

How to be Successful with SOC 2:

The SolarWinds breach has accounted for numerous companies seeking out their first SOC 2 report, which can be an overwhelming process. Fortunately, it doesn’t have to be daunting! SOC 2 is attainable for every company. First to know is that your commitment to managing your systems and risk will make or break the success of your SOC 2 audits, meaning it’s essential to have an ongoing program built into your company to effectively design and continuously monitor controls. The goal here is to be ready for an audit before the audit. Doing so leaves less room for failure, and results in less stress and scrambling to get things in place last-minute. There are several GRC tool options built to help you do this successfully! Use one to simply and continuously monitor your controls, communicate metrics, and produce evidence for it via documentation. As a part of these programs, you need to have corrective action processes for when you catch failures, because they will happen, and that’s okay- so long as you have a plan! Lastly, it is best to hire someone to help you design and run your control environment. Because it is an ongoing and complex process, this will save you time, hassle and error. Focus on what you excel at while allowing a SOC 2 expert to focus on what they do best- minimizing waste, guessing, and failures.

 

Words of Wisdom:

Although this is a completely attainable solution, there are a few things you’ll want to avoid when implementing your new SOC 2 program:

 

  • Do not try to do this with Excel, Word, or email. It will result in a blow-up-in-your-face disaster. Go ahead and invest in a platform built for handling compliance, risk and controls. You’ll thank me later!
  • Because a SOC 2 program is an ongoing one, it often seems ideal to hire someone in-house to build out and manage your program. However, this also means managing them to make sure they are doing their job correctly. Ultimately, it’s both time-consuming and expensive, so if this route doesn’t seem feasible…
  • Work with a company or person that can get you set up and keep you running like a well-oiled engine. Many businesses offer implementation and management for a lower overall cost than an in-house resource.
  • Although using a third party is a great option, use caution when choosing who to work with. Make sure they have the proper certifications for both SOC 2 AND security, as well as deep cybersecurity and risk practitioner expertise.
  • If this sounds like a foreign language to you, you’re just overwhelmed, or you don’t know if you’re ready to begin this process, hire someone to perform a gap assessment to figure out where you are today, and what your needs are, to put you on the path to success.

 

About the Author:

Cheri Hotman is an enthusiastic, passionate professional. Her drive to succeed began when she graduated with an MBA from the University of Texas at Dallas, and has only grown since then. With a track record that includes a career predominately in banking, financial services, and consulting followed by a position as Vice President in the Tech/IT space, you’d think her tenacity to have faltered- and you’d be wrong. She is a CPA, now holds her CISSP (cybersecurity certification), and has launched her own cybersecurity, risk, and compliance practitioner company. If you need a cybersecurity expert, or even just some inspiration, connect with her through www.hotmangroup.com, or via LinkedIn at www.linkedin.com/in/cherihotman.

 

 

Read more about CyberOne from our clients here on Gartner’s, Capterra review site or contact us directly.

     

 

 

 

The Value of Continuous Monitoring, (or “Come in spreadsheet row number 349, your time is up!)

 

IT WAS A FOOLPROOF PLAN! AREN’T THEY ALL?

It was a marvelous marketing maneuver! The whole company was literally bubbling with excitement. Market share had already sky-rocketed from 4% to 24% by the simple implementation of this beautiful bottle-cap bonanza.  Promotion, pay-rise, praise from all corners seemed inevitable for this, yes call it that which it is, genius plan! Until… It cost $32 billion. That will sure make you burp!

 

$1 MIIIILLLLLIIIIIION  PESOS FOR PEPSI-LOVERS!

You may have heard this story before, especially if you are my age. It’s from the ’90s after all – my formative years! It is the story of, what was indeed, a genius plan by Pepsico to grow its market share in the Philippines with a simple competition – a competition “borrowed” from the pages of Roald Dahl’s Charlie and the Chocolate Factory no less! A simple plan… Collect bottle caps from your “Pepsi” all with a magic number inside and on May 25th, 1992, the grand prize winners will be revealed. The prize? $1 Million (please read like Dr.Evil – an equally apt 90’s reference) shiny pesos, or the equivalent of about only $40,000 at the time. Enough, however, to buy one a rather spanking house in the Philippines or a whole lotta Pepsi, at the very least.

 

“I WON!” “So did I” “And me, too” “And me”!

The country went wild for Pepsi. The success surprised even the Pepsico execs. For an entire year, Pepsi-fever gripped the nation like grandpa gripping Charlie’s Golden Ticket. It was all working out perfectly. It was brilliant, and, it was initially well-executed. Strict implementation processes and security measures were immediately put in place to avoid fraud and any other miscalculations. For example, Pepsico’s suppliers were not allowed to print bottle caps, security codes accompanied bottle caps to eliminate fraud, and Pepsico even took charge of making the only two prize-winning bottle-caps with the magic number “349”. Except, there was a tiny hiccup – pre-burp – due to lack of communication with the supply chain and a teeny-tiny process error that was overlooked and then not monitored internally. Consequently, rather than printing 2 caps,  Pepsico inadvertently created 800,000 prize-winners. It was a happy day in the Philipinnes! Praise Pepsi!

 

Uhhh, yes, well, but, err, yes, err,  it’s tricky, err, and darned unfortunate, err… sorry chaps?

Upon discovery of the error, not too long after the winning number had been announced on national TV, Pepsico, of course, had an “oops my bad” moment and, long story short, riots ensued, lawsuits came forth, Pepsi ran in the streets, and there was a lotta egg-on-the-face. Not to worry, Pepsico managed to survive, though not surprisingly, it is not the drink of choice in the Philippines! I am a Pepsi imbiber to this day, though I am partial to RC Cola when I can get it – Yea! I said it.

 

People, Process, TECHNOLOGY!

The GRC moral of this story? Pepsi suffered from point in time issues all the way down their supply chain. From the initial implementation of this ill-fated marketing plan, key steps in that implementation were clearly not monitored, communicated and-or subsequently addressed. Vendors were unaware that ‘349’ was the magic number – perhaps understandable – but to print 800,000 ‘349 bottle caps’ points to a large breakdown in communication and oversight. As a GRC professional, I can say with some certainty that many of us are practicing one or more of the following: we are still working from spreadsheets; our risk evaluation is de-centralized; our governance oversight is decentralized; we are not continuously monitoring our controls, which also means our risk prioritization and information is out of date, now. The point about security measures is that they are just that… measures. Measures need to be measured, monitored, maintained, at all times.

 

TO SPREADSHEET OR NOT TO SPREADSHEET – THAT IS NOT A QUESTION!

So, should the powers-that-be question your need for a modern GRC solution to centralize, prioritize, and manage all your information from a single pane of glass, you might ask which they prefer? Coke or Pepsi? $32 billion versus $125 per month? And, please share this story with them, but “beware”, you may also want to step back, as this story is likely to cause loud burping!

CyberOne does not spend money on marketing (see article above!) enabling us to provide a cost-efficient full suite, integrated GRC SaaS platform with outstanding training and support for all your security team needs. Starting at $125 per month. Our best marketing campaign is our client’s satisfaction. You can read more about our client satisfaction on Capterra, a Gartner review site. The Power of One begins here.

No bottle caps were harmed in the creation of this article.

This source of this story originally appeared in the LA Times on July 26, 1993.