Best Practices
Startup’s Guide to Compliance
August 31, 2021
Introduction
Being the founder of a small start-up is tricky enough with the multiple hats you wear — from CEO to developing a product; understandably, security and compliance are generally the last things on your mind as you cultivate your business from scratch. Many compliance blogs and articles aren’t the most engaging to read. To scale and grow your business, you must incorporate compliance into the culture of your business. Prioritizing compliance will ensure your data remains secure, your clients feel confident, and you stay in the headlines for the right reasons. This guide will go over the fundamentals of a security compliance program.
What is a CISO, and Do I Really Need One?
The Chief Information Security Officer (CISO) protects your business from security risks, and their goals are to make sure you have established policies that fit your business requirements. If you have one already in-house, great; feel free to skip the rest of the blog and take your CISO to lunch. If you don’t have one, don’t freak out just yet, but let’s talk about some reasons why you might want to consider hiring a CISO in the future.
The CISO carries a vast array of knowledge and experience related to security best practices. This experience makes them uniquely suited for (a) reviewing the language in existing policies, (b) performing risk assessments, and © deciding on those industry-standard frameworks relevant to your line of business. Rules and technology are constantly changing, meaning that risk changes as well. A CISO will review the latest changes in your company’s processes and seek to minimize risk as you acquire new software, partners, or employees. Suppose your product incorporates many high-risk data (financial or healthcare). In that case, you should strongly consider having a CISO on board to make sure you adhere to any regulations. More on that later.
The 10,000 Foot View on Security Basics
Now that we established the importance of having someone lead the company through the compliance journey let’s discuss some items on the CISO’s immediate roadmap. This list is not comprehensive but serves as the basis for several conversations you will likely have with your CISO and clients as they vet your product.
Network Protection
Network protection is about controlling who has access to the IT resources within your infrastructure. If you don’t want others to see what is under the hood, you need to secure it. Like closing the blinds before you dress, you want to restrict your WiFi so your neighbors can’t see. Even if you think nothing is interesting on your network, you still want to secure it. Security means no sharing passwords to the WiFI, especially on a whiteboard where visitors can easily see it. How do you secure your network?
Secure Endpoints
Securing endpoints is the process of protecting end-user devices like laptops and cellphones from cyber attacks. Eliminating cybersecurity threats takes constant monitoring and evolution as hackers become bolder daily. Particularly for platforms hosting healthcare data, ransomware is something you need to be aware of and task your team to prevent as they are a high target for hackers. Hosting your application(s) in the cloud does not guarantee secure endpoints, and weak security on devices puts your cloud infrastructure at risk. You will want to ensure your security team installs anti-virus software and updates all devices with the latest patches. While ignoring a Windows update might save you from a restart and losing 10 minutes of work, it exposes your devices to unnecessary vulnerabilities.
Password Management
Password management is one of the most critical elements of security compliance. Many regulations and frameworks have dedicated sections to password management. The more complicated the password, the harder it is for a hacker to break it. Even better if the application supports multi-factor authentication (MFA). MFA requires a hacker to spoof two pieces of information, typically in a limited time frame. Simultaneously, as applications keep increasing password requirements, employees have difficulty remembering passwords. Eliminating the number of passwords you ask your employees to manage will reduce the risk that your employees start writing down passwords on paper- A big no-no in the compliance space! Speaking of significant issues in password management, employees should never share passwords. You want a culture that sets the tone on day one that everyone needs a unique password. Sharing passwords puts your data at risk as you can’t verify who knows the passwords to essential applications.
Encryption
Sensitive data must be encrypted while in rest or transit. Data at rest is where you localize information and store it. To secure data at rest, you should have a method of identifying where sensitive data resides to limit who has access to it. In addition, you will want to verify the infrastructure storing the information is secure. That means encrypting all computer devices and databases and storing sensitive data. Luckily, operating systems offer full-disk encryption today, so you need to make sure IT is enabling encryption. Data in transit refers to data moving across a private network or the internet. How do you protect data as it transfers to various applications and devices? To protect data in transit, you need to use secure tunnels like enabling TSL/SSL protocols.
Employee Security Awareness Training
Employees are some of the most significant threats to data security. A stolen laptop device or clicking a link in an email can make your company liable for violation fees. While you can minimize employee risk by ensuring complex passwords, utilizing firewalls, and encrypting laptops, a consistent training program can reduce security risks. The security training program should be incorporated into onboarding employees and reinforced annually at a minimum.
Laws and Regulations
Depending on your business industry, you might have to follow compliance mandates stipulated by a government agency. Many regulations revolve around the type of data collected and how the information is stored. Below are some of the most common government regulations; however, this is not an encompassing list. Your CISO will want to verify any applicable laws your business must follow.
General Data Protection Regulation (GDPR)
The GDPR is a European Union (EU) regulation that protects data and privacy. It was adopted on April 14, 2016, and became enforceable beginning May 25, 2018.
General Synopsis
The GDPR defines personal data and has seven principles for how that data should be protected. Under the GDPR, personal data is any information directly or indirectly tied back to a person. This definition expands past the information defined by other regulations like HIPAA to include identifiers like IP addresses. The GDPR requires that companies store personal data, and the data stored must be accurate. Additionally, a person may request their data at any point, so companies need the capability to transport or delete personal data upon request.
Who follows it?
Any business that collects data from EU residents or stores data in the EU is responsible for following GDPR. There are exceptions to collecting personal data for national security activities or law enforcement. Note: The California Consumer Privacy Act is similar and is effective on June 28, 2018.
Penalties for Non-Compliance
Penalties for not following GDPR include fines of up to €20 million or 4% of annual global revenue.
Health Insurance Portability and Accountability Act (HIPAA)
Developed by the US Department of Health and Human Services in 1996, HIPAA comprises the HIPAA Privacy Rule and the HIPAA Security Rule. The privacy rule defines standards to protect sensitive health information. The Security Rule creates standards to protect sensitive health information held or transferred in electronic form.
General Synopsis
Under the Privacy Rule, protected health information (PHI) is individually identifiable patient data. Examples of PHI include names, social security numbers, and addresses. PHI might be embedded in billing and claims payment or within the medical record. A fundamental principle of HIPAA consists of the “minimum necessary” policy: view and use as little of PHI as possible to accomplish a task. Businesses need to make a concerted effort to determine which fields are necessary for analytics and front-end views in developing applications. If you can achieve the mission without PHI, eliminate it from your application. The HIPAA Security Rule outlines security controls companies must have to ensure PHI is protected. Administrative, Technical, and Physical safeguards are stipulated within the rules companies must follow. The Administrative Safeguards include ongoing risk analysis reviews that evaluate how PHI is stored and who has access to it. During the risk analysis process, the company should review and analyze potential risks to PHI and implement measures to reduce any risks identified. Additional Administrative Safeguards controls include identifying a security official, conducting annual HIPAA training, implementing “minimum necessary,” and re-evaluating all security policies and procedures related to the Security Rule. Physical Safeguards include adding controls to who can access facilities, workstations, and devices that contain PHI. Organizations must also have policies to transfer, remove, and dispose of media containing PHI. Technical Safeguards include controls for PHI data like audit logs, data integrity, and securing data in motion.
Who follows it?
Covered entities like health plans, clearinghouses, and providers who transmit health information electronically must adhere to HIPAA standards. The HITECH ACT of 2009 requires that business associates (companies with access to patient information) adhere to HIPAA standards.
Penalties for Non-Compliance
Penalties for violation include fines of up to $50,000 may also lead to criminal charges. Civil lawsuits for damages can also be filed.
Sarbanes-Oxley Act (SOX)
SOX is a regulation passed by Congress on July 30, 2002, to protect investors by implementing controls that increase the transparency of corporate disclosures in financial reports.
General Synopsis
SOX includes 11 titles that establish mandates and standards for publicly traded companies. Sections 302, 404, 409, 802, and 906 contain the crucial provisions for compliance requirements.
Section 302: Disclosure controls
Mandates the CEO and CFO are responsible for reviewing and signing off on financial reports certifying the accuracy of documentation submitted to the SEC.
Section 404: Assessment of Internal Control
States that the company needs to have controls to provide data required by a compliance audit.
Section 409: Real-Time Disclosures
Dictates organizations must promptly disclose material changes in their financial condition or operations to the public.
Section 802: Criminal Penalties for Altering Document
Imposes penalties for altering, destroying, mutilating, concealing, falsifying records, documents, or tangible objects with the intent to impede, obstruct, or influence a legal investigation.
Section 906: Corporate Responsibility for Financial Reports
Imposes penalties for certifying misleading or fraudulent financial reports.
Who follows it?
All publicly-traded companies and the accounting firms that perform SOC audits must comply with an exception for low-revenue companies.
Penalties for Non-Compliance
Failure to comply can result in fines up to $5,000,000 and imprisonment.
Security Frameworks and Standards
Security frameworks outline industry best practices for compliance and cybersecurity. They can be an excellent asset for letting your client know some of the processes you follow as an organization to minimize threats. Frameworks can reduce the procurement process; however, it would be misleading to state that certifications make vendor assessments obsolete. For example, companies with software hosted in the cloud might need to perform a supplemental cloud security assessment as part of the procurement process. Since frameworks speak to overarching industry standards, you will likely need to supplement with internal controls for a complete compliance program. Some of the common security frameworks include:
National Institute of Standards Technology (NIST)
NIST was developed in 2014 by the United States government for assessing agencies and vendors.
Applicable Industries
Designed for government agencies but applicable across all industries.
Focus
The comprehensive framework covers asset management, business environment, risk management, governance, data security, and information protection. NIST guides you through ways to detect, identify, protect, and recover from cybersecurity threats.
Health Information Trust Alliance (HITRUST)
HITRUST was created in 2007 to respond to HIPAA regulations building on elements of other frameworks like ISO, NIST, PCI, and state laws.
Relevant
It was developed specifically for the healthcare industry; however, beneficial for any organization hosting private data.
Focus
Guides organizations by protecting private data covering access control, security awareness, risk management, risk analysis, data protection, and business continuity.
Service Organization Control 2 (SOC2)
Developed by the American Institute of Certified Public Accountants to create an auditing standard to help assess an organization’s vendors and partners.
Industries
SOC2 primarily serves SaaS-based companies that handle or store customer data.
Focus
Criteria for the SOC2 audit focus on security, availability, confidentiality, privacy, and processing integrity.
International Organization for Standardization (ISO) 27001
An international standard for validating internal and third-party cybersecurity programs.
Applicable Industries
Broadly designed, so it applies to all industries.
Focus
ISO covers the entire information security program, including access control, physical security, incident management, and governance. There are even modules that focus on specific industries like healthcare.
Business Continuity Planning
The business continuity plan (BCP) outlines processes to enable ongoing operations during an unplanned service disruption. Creating a BCP will minimize business interruption, ensuring less loss of revenue and greater satisfaction with your clients. The plan should cover everything, including processes, assets, human resources, and business partners. The main components of the BCP include the following:
Risk Assessment
The goal of the risk assessment is to identify critical assets and business functions. Assets can include people, buildings, equipment, documentation, and meeting service level agreements. Examples of essential functions include payroll, communication, security, and operations. The risk assessment also needs to identify dependencies between assets and critical functions to help prioritize recovery efforts. Each identified asset or critical process needs a defined recovery time objective (RTO). The RTO indicates the timeframe to recover a process before unacceptable consequences to the business. The business will want to define the impact on services when considering the RTO. For example, there could be financial, legal, reputation, and customer ramifications resulting from disruption of services. You will also want to consider the recovery point objective, which dictates the maximum amount of data the company can afford to lose without unacceptable consequences.
Recovery Strategy
The plan should prioritize and outline processes to recover critical business functions. The disaster recovery plan focuses on IT infrastructure, including data backup and restoration timelines, and is part of the overall business continuity plan. In addition, the recovery strategy needs to address how to recover all critical functions identified in the risk assessment. For example, you might need to address relocation plans within the plan or discuss ways to communicate to clients.
Organization
The team is responsible for evaluating the business continuity plan and executing the recovery strategy. It is essential to identify each assigned member’s job titles and responsibilities so the organization knows who to contact and what processes to follow in the event of disrupted services.
Training and Testing
Individuals assigned to the business continuity plan should review the plan and strategies, including completing exercises to ensure the document is comprehensive and up to date. For example, the organization might create a tabletop exercise where the group reviews specific aspects of the plan to identify potential gaps in the process. The activity could include role-playing disaster scenarios along with scripted hiccups. As part of the process, you will want to update the business plan and all applicable procedures.
Getting Started
Creating a compliance program may seem like a daunting task. We have unpacked many areas within this one post, and you might be left wondering, “What now?”. Sometimes it is easiest to start with the basics: policies and procedures. Policies indicate what you are doing as an organization to ensure compliance. Procedures outline the process for fulfilling those policy obligations. We have outlined best practices for writing policies. With PolicyCo, we ensure your policies are adaptable by segmenting them into articles that define a particular compliance control. Structuring your policies allows you to write about your current compliance objectives and evolve those controls over time with incremental changes. To help get you started, we have a marketplace full of policies with pre-mapped to common security frameworks. These policy examples can help eliminate the writer’s block on the policy's structure. Another option is to start by documenting the procedures you do today to help identify the policies your organization is already following.
How We Can Help
Your compliance program will require monitoring and updates. If you have aggressive compliance goals or are overwhelmed with starting the compliance journey, our vCISO can help you reach your targets. We will design a customized compliance program that is scalable. Our team will guide you through creating policies and procedures that ensure your company is secure and prepared for any legal or client mandates. Further, with your policies, procedures, and evidence housed in Policyco’s compliance management software platform, your organization will be audit-ready and able to manage multiple security frameworks without duplicating efforts.
Best Practices
Startup’s Guide to Compliance
August 31, 2021
Introduction
Being the founder of a small start-up is tricky enough with the multiple hats you wear — from CEO to developing a product; understandably, security and compliance are generally the last things on your mind as you cultivate your business from scratch. Many compliance blogs and articles aren’t the most engaging to read. To scale and grow your business, you must incorporate compliance into the culture of your business. Prioritizing compliance will ensure your data remains secure, your clients feel confident, and you stay in the headlines for the right reasons. This guide will go over the fundamentals of a security compliance program.
What is a CISO, and Do I Really Need One?
The Chief Information Security Officer (CISO) protects your business from security risks, and their goals are to make sure you have established policies that fit your business requirements. If you have one already in-house, great; feel free to skip the rest of the blog and take your CISO to lunch. If you don’t have one, don’t freak out just yet, but let’s talk about some reasons why you might want to consider hiring a CISO in the future.
The CISO carries a vast array of knowledge and experience related to security best practices. This experience makes them uniquely suited for (a) reviewing the language in existing policies, (b) performing risk assessments, and © deciding on those industry-standard frameworks relevant to your line of business. Rules and technology are constantly changing, meaning that risk changes as well. A CISO will review the latest changes in your company’s processes and seek to minimize risk as you acquire new software, partners, or employees. Suppose your product incorporates many high-risk data (financial or healthcare). In that case, you should strongly consider having a CISO on board to make sure you adhere to any regulations. More on that later.
The 10,000 Foot View on Security Basics
Now that we established the importance of having someone lead the company through the compliance journey let’s discuss some items on the CISO’s immediate roadmap. This list is not comprehensive but serves as the basis for several conversations you will likely have with your CISO and clients as they vet your product.
Network Protection
Network protection is about controlling who has access to the IT resources within your infrastructure. If you don’t want others to see what is under the hood, you need to secure it. Like closing the blinds before you dress, you want to restrict your WiFi so your neighbors can’t see. Even if you think nothing is interesting on your network, you still want to secure it. Security means no sharing passwords to the WiFI, especially on a whiteboard where visitors can easily see it. How do you secure your network?
Secure Endpoints
Securing endpoints is the process of protecting end-user devices like laptops and cellphones from cyber attacks. Eliminating cybersecurity threats takes constant monitoring and evolution as hackers become bolder daily. Particularly for platforms hosting healthcare data, ransomware is something you need to be aware of and task your team to prevent as they are a high target for hackers. Hosting your application(s) in the cloud does not guarantee secure endpoints, and weak security on devices puts your cloud infrastructure at risk. You will want to ensure your security team installs anti-virus software and updates all devices with the latest patches. While ignoring a Windows update might save you from a restart and losing 10 minutes of work, it exposes your devices to unnecessary vulnerabilities.
Password Management
Password management is one of the most critical elements of security compliance. Many regulations and frameworks have dedicated sections to password management. The more complicated the password, the harder it is for a hacker to break it. Even better if the application supports multi-factor authentication (MFA). MFA requires a hacker to spoof two pieces of information, typically in a limited time frame. Simultaneously, as applications keep increasing password requirements, employees have difficulty remembering passwords. Eliminating the number of passwords you ask your employees to manage will reduce the risk that your employees start writing down passwords on paper- A big no-no in the compliance space! Speaking of significant issues in password management, employees should never share passwords. You want a culture that sets the tone on day one that everyone needs a unique password. Sharing passwords puts your data at risk as you can’t verify who knows the passwords to essential applications.
Encryption
Sensitive data must be encrypted while in rest or transit. Data at rest is where you localize information and store it. To secure data at rest, you should have a method of identifying where sensitive data resides to limit who has access to it. In addition, you will want to verify the infrastructure storing the information is secure. That means encrypting all computer devices and databases and storing sensitive data. Luckily, operating systems offer full-disk encryption today, so you need to make sure IT is enabling encryption. Data in transit refers to data moving across a private network or the internet. How do you protect data as it transfers to various applications and devices? To protect data in transit, you need to use secure tunnels like enabling TSL/SSL protocols.
Employee Security Awareness Training
Employees are some of the most significant threats to data security. A stolen laptop device or clicking a link in an email can make your company liable for violation fees. While you can minimize employee risk by ensuring complex passwords, utilizing firewalls, and encrypting laptops, a consistent training program can reduce security risks. The security training program should be incorporated into onboarding employees and reinforced annually at a minimum.
Laws and Regulations
Depending on your business industry, you might have to follow compliance mandates stipulated by a government agency. Many regulations revolve around the type of data collected and how the information is stored. Below are some of the most common government regulations; however, this is not an encompassing list. Your CISO will want to verify any applicable laws your business must follow.
General Data Protection Regulation (GDPR)
The GDPR is a European Union (EU) regulation that protects data and privacy. It was adopted on April 14, 2016, and became enforceable beginning May 25, 2018.
General Synopsis
The GDPR defines personal data and has seven principles for how that data should be protected. Under the GDPR, personal data is any information directly or indirectly tied back to a person. This definition expands past the information defined by other regulations like HIPAA to include identifiers like IP addresses. The GDPR requires that companies store personal data, and the data stored must be accurate. Additionally, a person may request their data at any point, so companies need the capability to transport or delete personal data upon request.
Who follows it?
Any business that collects data from EU residents or stores data in the EU is responsible for following GDPR. There are exceptions to collecting personal data for national security activities or law enforcement. Note: The California Consumer Privacy Act is similar and is effective on June 28, 2018.
Penalties for Non-Compliance
Penalties for not following GDPR include fines of up to €20 million or 4% of annual global revenue.
Health Insurance Portability and Accountability Act (HIPAA)
Developed by the US Department of Health and Human Services in 1996, HIPAA comprises the HIPAA Privacy Rule and the HIPAA Security Rule. The privacy rule defines standards to protect sensitive health information. The Security Rule creates standards to protect sensitive health information held or transferred in electronic form.
General Synopsis
Under the Privacy Rule, protected health information (PHI) is individually identifiable patient data. Examples of PHI include names, social security numbers, and addresses. PHI might be embedded in billing and claims payment or within the medical record. A fundamental principle of HIPAA consists of the “minimum necessary” policy: view and use as little of PHI as possible to accomplish a task. Businesses need to make a concerted effort to determine which fields are necessary for analytics and front-end views in developing applications. If you can achieve the mission without PHI, eliminate it from your application. The HIPAA Security Rule outlines security controls companies must have to ensure PHI is protected. Administrative, Technical, and Physical safeguards are stipulated within the rules companies must follow. The Administrative Safeguards include ongoing risk analysis reviews that evaluate how PHI is stored and who has access to it. During the risk analysis process, the company should review and analyze potential risks to PHI and implement measures to reduce any risks identified. Additional Administrative Safeguards controls include identifying a security official, conducting annual HIPAA training, implementing “minimum necessary,” and re-evaluating all security policies and procedures related to the Security Rule. Physical Safeguards include adding controls to who can access facilities, workstations, and devices that contain PHI. Organizations must also have policies to transfer, remove, and dispose of media containing PHI. Technical Safeguards include controls for PHI data like audit logs, data integrity, and securing data in motion.
Who follows it?
Covered entities like health plans, clearinghouses, and providers who transmit health information electronically must adhere to HIPAA standards. The HITECH ACT of 2009 requires that business associates (companies with access to patient information) adhere to HIPAA standards.
Penalties for Non-Compliance
Penalties for violation include fines of up to $50,000 may also lead to criminal charges. Civil lawsuits for damages can also be filed.
Sarbanes-Oxley Act (SOX)
SOX is a regulation passed by Congress on July 30, 2002, to protect investors by implementing controls that increase the transparency of corporate disclosures in financial reports.
General Synopsis
SOX includes 11 titles that establish mandates and standards for publicly traded companies. Sections 302, 404, 409, 802, and 906 contain the crucial provisions for compliance requirements.
Section 302: Disclosure controls
Mandates the CEO and CFO are responsible for reviewing and signing off on financial reports certifying the accuracy of documentation submitted to the SEC.
Section 404: Assessment of Internal Control
States that the company needs to have controls to provide data required by a compliance audit.
Section 409: Real-Time Disclosures
Dictates organizations must promptly disclose material changes in their financial condition or operations to the public.
Section 802: Criminal Penalties for Altering Document
Imposes penalties for altering, destroying, mutilating, concealing, falsifying records, documents, or tangible objects with the intent to impede, obstruct, or influence a legal investigation.
Section 906: Corporate Responsibility for Financial Reports
Imposes penalties for certifying misleading or fraudulent financial reports.
Who follows it?
All publicly-traded companies and the accounting firms that perform SOC audits must comply with an exception for low-revenue companies.
Penalties for Non-Compliance
Failure to comply can result in fines up to $5,000,000 and imprisonment.
Security Frameworks and Standards
Security frameworks outline industry best practices for compliance and cybersecurity. They can be an excellent asset for letting your client know some of the processes you follow as an organization to minimize threats. Frameworks can reduce the procurement process; however, it would be misleading to state that certifications make vendor assessments obsolete. For example, companies with software hosted in the cloud might need to perform a supplemental cloud security assessment as part of the procurement process. Since frameworks speak to overarching industry standards, you will likely need to supplement with internal controls for a complete compliance program. Some of the common security frameworks include:
National Institute of Standards Technology (NIST)
NIST was developed in 2014 by the United States government for assessing agencies and vendors.
Applicable Industries
Designed for government agencies but applicable across all industries.
Focus
The comprehensive framework covers asset management, business environment, risk management, governance, data security, and information protection. NIST guides you through ways to detect, identify, protect, and recover from cybersecurity threats.
Health Information Trust Alliance (HITRUST)
HITRUST was created in 2007 to respond to HIPAA regulations building on elements of other frameworks like ISO, NIST, PCI, and state laws.
Relevant
It was developed specifically for the healthcare industry; however, beneficial for any organization hosting private data.
Focus
Guides organizations by protecting private data covering access control, security awareness, risk management, risk analysis, data protection, and business continuity.
Service Organization Control 2 (SOC2)
Developed by the American Institute of Certified Public Accountants to create an auditing standard to help assess an organization’s vendors and partners.
Industries
SOC2 primarily serves SaaS-based companies that handle or store customer data.
Focus
Criteria for the SOC2 audit focus on security, availability, confidentiality, privacy, and processing integrity.
International Organization for Standardization (ISO) 27001
An international standard for validating internal and third-party cybersecurity programs.
Applicable Industries
Broadly designed, so it applies to all industries.
Focus
ISO covers the entire information security program, including access control, physical security, incident management, and governance. There are even modules that focus on specific industries like healthcare.
Business Continuity Planning
The business continuity plan (BCP) outlines processes to enable ongoing operations during an unplanned service disruption. Creating a BCP will minimize business interruption, ensuring less loss of revenue and greater satisfaction with your clients. The plan should cover everything, including processes, assets, human resources, and business partners. The main components of the BCP include the following:
Risk Assessment
The goal of the risk assessment is to identify critical assets and business functions. Assets can include people, buildings, equipment, documentation, and meeting service level agreements. Examples of essential functions include payroll, communication, security, and operations. The risk assessment also needs to identify dependencies between assets and critical functions to help prioritize recovery efforts. Each identified asset or critical process needs a defined recovery time objective (RTO). The RTO indicates the timeframe to recover a process before unacceptable consequences to the business. The business will want to define the impact on services when considering the RTO. For example, there could be financial, legal, reputation, and customer ramifications resulting from disruption of services. You will also want to consider the recovery point objective, which dictates the maximum amount of data the company can afford to lose without unacceptable consequences.
Recovery Strategy
The plan should prioritize and outline processes to recover critical business functions. The disaster recovery plan focuses on IT infrastructure, including data backup and restoration timelines, and is part of the overall business continuity plan. In addition, the recovery strategy needs to address how to recover all critical functions identified in the risk assessment. For example, you might need to address relocation plans within the plan or discuss ways to communicate to clients.
Organization
The team is responsible for evaluating the business continuity plan and executing the recovery strategy. It is essential to identify each assigned member’s job titles and responsibilities so the organization knows who to contact and what processes to follow in the event of disrupted services.
Training and Testing
Individuals assigned to the business continuity plan should review the plan and strategies, including completing exercises to ensure the document is comprehensive and up to date. For example, the organization might create a tabletop exercise where the group reviews specific aspects of the plan to identify potential gaps in the process. The activity could include role-playing disaster scenarios along with scripted hiccups. As part of the process, you will want to update the business plan and all applicable procedures.
Getting Started
Creating a compliance program may seem like a daunting task. We have unpacked many areas within this one post, and you might be left wondering, “What now?”. Sometimes it is easiest to start with the basics: policies and procedures. Policies indicate what you are doing as an organization to ensure compliance. Procedures outline the process for fulfilling those policy obligations. We have outlined best practices for writing policies. With PolicyCo, we ensure your policies are adaptable by segmenting them into articles that define a particular compliance control. Structuring your policies allows you to write about your current compliance objectives and evolve those controls over time with incremental changes. To help get you started, we have a marketplace full of policies with pre-mapped to common security frameworks. These policy examples can help eliminate the writer’s block on the policy's structure. Another option is to start by documenting the procedures you do today to help identify the policies your organization is already following.
How We Can Help
Your compliance program will require monitoring and updates. If you have aggressive compliance goals or are overwhelmed with starting the compliance journey, our vCISO can help you reach your targets. We will design a customized compliance program that is scalable. Our team will guide you through creating policies and procedures that ensure your company is secure and prepared for any legal or client mandates. Further, with your policies, procedures, and evidence housed in Policyco’s compliance management software platform, your organization will be audit-ready and able to manage multiple security frameworks without duplicating efforts.
Best Practices
Startup’s Guide to Compliance
August 31, 2021
Introduction
Being the founder of a small start-up is tricky enough with the multiple hats you wear — from CEO to developing a product; understandably, security and compliance are generally the last things on your mind as you cultivate your business from scratch. Many compliance blogs and articles aren’t the most engaging to read. To scale and grow your business, you must incorporate compliance into the culture of your business. Prioritizing compliance will ensure your data remains secure, your clients feel confident, and you stay in the headlines for the right reasons. This guide will go over the fundamentals of a security compliance program.
What is a CISO, and Do I Really Need One?
The Chief Information Security Officer (CISO) protects your business from security risks, and their goals are to make sure you have established policies that fit your business requirements. If you have one already in-house, great; feel free to skip the rest of the blog and take your CISO to lunch. If you don’t have one, don’t freak out just yet, but let’s talk about some reasons why you might want to consider hiring a CISO in the future.
The CISO carries a vast array of knowledge and experience related to security best practices. This experience makes them uniquely suited for (a) reviewing the language in existing policies, (b) performing risk assessments, and © deciding on those industry-standard frameworks relevant to your line of business. Rules and technology are constantly changing, meaning that risk changes as well. A CISO will review the latest changes in your company’s processes and seek to minimize risk as you acquire new software, partners, or employees. Suppose your product incorporates many high-risk data (financial or healthcare). In that case, you should strongly consider having a CISO on board to make sure you adhere to any regulations. More on that later.
The 10,000 Foot View on Security Basics
Now that we established the importance of having someone lead the company through the compliance journey let’s discuss some items on the CISO’s immediate roadmap. This list is not comprehensive but serves as the basis for several conversations you will likely have with your CISO and clients as they vet your product.
Network Protection
Network protection is about controlling who has access to the IT resources within your infrastructure. If you don’t want others to see what is under the hood, you need to secure it. Like closing the blinds before you dress, you want to restrict your WiFi so your neighbors can’t see. Even if you think nothing is interesting on your network, you still want to secure it. Security means no sharing passwords to the WiFI, especially on a whiteboard where visitors can easily see it. How do you secure your network?
Secure Endpoints
Securing endpoints is the process of protecting end-user devices like laptops and cellphones from cyber attacks. Eliminating cybersecurity threats takes constant monitoring and evolution as hackers become bolder daily. Particularly for platforms hosting healthcare data, ransomware is something you need to be aware of and task your team to prevent as they are a high target for hackers. Hosting your application(s) in the cloud does not guarantee secure endpoints, and weak security on devices puts your cloud infrastructure at risk. You will want to ensure your security team installs anti-virus software and updates all devices with the latest patches. While ignoring a Windows update might save you from a restart and losing 10 minutes of work, it exposes your devices to unnecessary vulnerabilities.
Password Management
Password management is one of the most critical elements of security compliance. Many regulations and frameworks have dedicated sections to password management. The more complicated the password, the harder it is for a hacker to break it. Even better if the application supports multi-factor authentication (MFA). MFA requires a hacker to spoof two pieces of information, typically in a limited time frame. Simultaneously, as applications keep increasing password requirements, employees have difficulty remembering passwords. Eliminating the number of passwords you ask your employees to manage will reduce the risk that your employees start writing down passwords on paper- A big no-no in the compliance space! Speaking of significant issues in password management, employees should never share passwords. You want a culture that sets the tone on day one that everyone needs a unique password. Sharing passwords puts your data at risk as you can’t verify who knows the passwords to essential applications.
Encryption
Sensitive data must be encrypted while in rest or transit. Data at rest is where you localize information and store it. To secure data at rest, you should have a method of identifying where sensitive data resides to limit who has access to it. In addition, you will want to verify the infrastructure storing the information is secure. That means encrypting all computer devices and databases and storing sensitive data. Luckily, operating systems offer full-disk encryption today, so you need to make sure IT is enabling encryption. Data in transit refers to data moving across a private network or the internet. How do you protect data as it transfers to various applications and devices? To protect data in transit, you need to use secure tunnels like enabling TSL/SSL protocols.
Employee Security Awareness Training
Employees are some of the most significant threats to data security. A stolen laptop device or clicking a link in an email can make your company liable for violation fees. While you can minimize employee risk by ensuring complex passwords, utilizing firewalls, and encrypting laptops, a consistent training program can reduce security risks. The security training program should be incorporated into onboarding employees and reinforced annually at a minimum.
Laws and Regulations
Depending on your business industry, you might have to follow compliance mandates stipulated by a government agency. Many regulations revolve around the type of data collected and how the information is stored. Below are some of the most common government regulations; however, this is not an encompassing list. Your CISO will want to verify any applicable laws your business must follow.
General Data Protection Regulation (GDPR)
The GDPR is a European Union (EU) regulation that protects data and privacy. It was adopted on April 14, 2016, and became enforceable beginning May 25, 2018.
General Synopsis
The GDPR defines personal data and has seven principles for how that data should be protected. Under the GDPR, personal data is any information directly or indirectly tied back to a person. This definition expands past the information defined by other regulations like HIPAA to include identifiers like IP addresses. The GDPR requires that companies store personal data, and the data stored must be accurate. Additionally, a person may request their data at any point, so companies need the capability to transport or delete personal data upon request.
Who follows it?
Any business that collects data from EU residents or stores data in the EU is responsible for following GDPR. There are exceptions to collecting personal data for national security activities or law enforcement. Note: The California Consumer Privacy Act is similar and is effective on June 28, 2018.
Penalties for Non-Compliance
Penalties for not following GDPR include fines of up to €20 million or 4% of annual global revenue.
Health Insurance Portability and Accountability Act (HIPAA)
Developed by the US Department of Health and Human Services in 1996, HIPAA comprises the HIPAA Privacy Rule and the HIPAA Security Rule. The privacy rule defines standards to protect sensitive health information. The Security Rule creates standards to protect sensitive health information held or transferred in electronic form.
General Synopsis
Under the Privacy Rule, protected health information (PHI) is individually identifiable patient data. Examples of PHI include names, social security numbers, and addresses. PHI might be embedded in billing and claims payment or within the medical record. A fundamental principle of HIPAA consists of the “minimum necessary” policy: view and use as little of PHI as possible to accomplish a task. Businesses need to make a concerted effort to determine which fields are necessary for analytics and front-end views in developing applications. If you can achieve the mission without PHI, eliminate it from your application. The HIPAA Security Rule outlines security controls companies must have to ensure PHI is protected. Administrative, Technical, and Physical safeguards are stipulated within the rules companies must follow. The Administrative Safeguards include ongoing risk analysis reviews that evaluate how PHI is stored and who has access to it. During the risk analysis process, the company should review and analyze potential risks to PHI and implement measures to reduce any risks identified. Additional Administrative Safeguards controls include identifying a security official, conducting annual HIPAA training, implementing “minimum necessary,” and re-evaluating all security policies and procedures related to the Security Rule. Physical Safeguards include adding controls to who can access facilities, workstations, and devices that contain PHI. Organizations must also have policies to transfer, remove, and dispose of media containing PHI. Technical Safeguards include controls for PHI data like audit logs, data integrity, and securing data in motion.
Who follows it?
Covered entities like health plans, clearinghouses, and providers who transmit health information electronically must adhere to HIPAA standards. The HITECH ACT of 2009 requires that business associates (companies with access to patient information) adhere to HIPAA standards.
Penalties for Non-Compliance
Penalties for violation include fines of up to $50,000 may also lead to criminal charges. Civil lawsuits for damages can also be filed.
Sarbanes-Oxley Act (SOX)
SOX is a regulation passed by Congress on July 30, 2002, to protect investors by implementing controls that increase the transparency of corporate disclosures in financial reports.
General Synopsis
SOX includes 11 titles that establish mandates and standards for publicly traded companies. Sections 302, 404, 409, 802, and 906 contain the crucial provisions for compliance requirements.
Section 302: Disclosure controls
Mandates the CEO and CFO are responsible for reviewing and signing off on financial reports certifying the accuracy of documentation submitted to the SEC.
Section 404: Assessment of Internal Control
States that the company needs to have controls to provide data required by a compliance audit.
Section 409: Real-Time Disclosures
Dictates organizations must promptly disclose material changes in their financial condition or operations to the public.
Section 802: Criminal Penalties for Altering Document
Imposes penalties for altering, destroying, mutilating, concealing, falsifying records, documents, or tangible objects with the intent to impede, obstruct, or influence a legal investigation.
Section 906: Corporate Responsibility for Financial Reports
Imposes penalties for certifying misleading or fraudulent financial reports.
Who follows it?
All publicly-traded companies and the accounting firms that perform SOC audits must comply with an exception for low-revenue companies.
Penalties for Non-Compliance
Failure to comply can result in fines up to $5,000,000 and imprisonment.
Security Frameworks and Standards
Security frameworks outline industry best practices for compliance and cybersecurity. They can be an excellent asset for letting your client know some of the processes you follow as an organization to minimize threats. Frameworks can reduce the procurement process; however, it would be misleading to state that certifications make vendor assessments obsolete. For example, companies with software hosted in the cloud might need to perform a supplemental cloud security assessment as part of the procurement process. Since frameworks speak to overarching industry standards, you will likely need to supplement with internal controls for a complete compliance program. Some of the common security frameworks include:
National Institute of Standards Technology (NIST)
NIST was developed in 2014 by the United States government for assessing agencies and vendors.
Applicable Industries
Designed for government agencies but applicable across all industries.
Focus
The comprehensive framework covers asset management, business environment, risk management, governance, data security, and information protection. NIST guides you through ways to detect, identify, protect, and recover from cybersecurity threats.
Health Information Trust Alliance (HITRUST)
HITRUST was created in 2007 to respond to HIPAA regulations building on elements of other frameworks like ISO, NIST, PCI, and state laws.
Relevant
It was developed specifically for the healthcare industry; however, beneficial for any organization hosting private data.
Focus
Guides organizations by protecting private data covering access control, security awareness, risk management, risk analysis, data protection, and business continuity.
Service Organization Control 2 (SOC2)
Developed by the American Institute of Certified Public Accountants to create an auditing standard to help assess an organization’s vendors and partners.
Industries
SOC2 primarily serves SaaS-based companies that handle or store customer data.
Focus
Criteria for the SOC2 audit focus on security, availability, confidentiality, privacy, and processing integrity.
International Organization for Standardization (ISO) 27001
An international standard for validating internal and third-party cybersecurity programs.
Applicable Industries
Broadly designed, so it applies to all industries.
Focus
ISO covers the entire information security program, including access control, physical security, incident management, and governance. There are even modules that focus on specific industries like healthcare.
Business Continuity Planning
The business continuity plan (BCP) outlines processes to enable ongoing operations during an unplanned service disruption. Creating a BCP will minimize business interruption, ensuring less loss of revenue and greater satisfaction with your clients. The plan should cover everything, including processes, assets, human resources, and business partners. The main components of the BCP include the following:
Risk Assessment
The goal of the risk assessment is to identify critical assets and business functions. Assets can include people, buildings, equipment, documentation, and meeting service level agreements. Examples of essential functions include payroll, communication, security, and operations. The risk assessment also needs to identify dependencies between assets and critical functions to help prioritize recovery efforts. Each identified asset or critical process needs a defined recovery time objective (RTO). The RTO indicates the timeframe to recover a process before unacceptable consequences to the business. The business will want to define the impact on services when considering the RTO. For example, there could be financial, legal, reputation, and customer ramifications resulting from disruption of services. You will also want to consider the recovery point objective, which dictates the maximum amount of data the company can afford to lose without unacceptable consequences.
Recovery Strategy
The plan should prioritize and outline processes to recover critical business functions. The disaster recovery plan focuses on IT infrastructure, including data backup and restoration timelines, and is part of the overall business continuity plan. In addition, the recovery strategy needs to address how to recover all critical functions identified in the risk assessment. For example, you might need to address relocation plans within the plan or discuss ways to communicate to clients.
Organization
The team is responsible for evaluating the business continuity plan and executing the recovery strategy. It is essential to identify each assigned member’s job titles and responsibilities so the organization knows who to contact and what processes to follow in the event of disrupted services.
Training and Testing
Individuals assigned to the business continuity plan should review the plan and strategies, including completing exercises to ensure the document is comprehensive and up to date. For example, the organization might create a tabletop exercise where the group reviews specific aspects of the plan to identify potential gaps in the process. The activity could include role-playing disaster scenarios along with scripted hiccups. As part of the process, you will want to update the business plan and all applicable procedures.
Getting Started
Creating a compliance program may seem like a daunting task. We have unpacked many areas within this one post, and you might be left wondering, “What now?”. Sometimes it is easiest to start with the basics: policies and procedures. Policies indicate what you are doing as an organization to ensure compliance. Procedures outline the process for fulfilling those policy obligations. We have outlined best practices for writing policies. With PolicyCo, we ensure your policies are adaptable by segmenting them into articles that define a particular compliance control. Structuring your policies allows you to write about your current compliance objectives and evolve those controls over time with incremental changes. To help get you started, we have a marketplace full of policies with pre-mapped to common security frameworks. These policy examples can help eliminate the writer’s block on the policy's structure. Another option is to start by documenting the procedures you do today to help identify the policies your organization is already following.
How We Can Help
Your compliance program will require monitoring and updates. If you have aggressive compliance goals or are overwhelmed with starting the compliance journey, our vCISO can help you reach your targets. We will design a customized compliance program that is scalable. Our team will guide you through creating policies and procedures that ensure your company is secure and prepared for any legal or client mandates. Further, with your policies, procedures, and evidence housed in Policyco’s compliance management software platform, your organization will be audit-ready and able to manage multiple security frameworks without duplicating efforts.
Emily McMakin