Page 12 | A-LIGN

Economic pressures force security, governance, risk, and compliance leaders to do more with less. CISOs are especially vulnerable, as it can be hard to cut corners where data security is concerned.  

By 2023, 30% of a CISO’s effectiveness will be directly measured on the ability to create value for the business. This means that even though security remains a top concern, CISOs will also face growing accountability for the financial success of the organizations they represent.  

To proactively prepare for future changes, A-LIGN has identified three areas for CISOs to concentrate on when reducing budgets and helping their organizations generate ROI.

1. Utilize Technology 

Becoming compliant is necessary to keep clients and win new business, but it can be expensive and time consuming if done without technology streamlining the process. Organizations can utilize compliance technology to mitigate the impact of personnel shortages, time-related constraints, and reductions in resources.

Compliance technology automates many manual tasks from audit processes, such as simplifying readiness assessments and deduplicating audits and evidence collection.  

A-SCEND is A-LIGN’s award-winning compliance automation software. A-SCEND allows teams of all sizes to gain instant visibility into their compliance standing, create policies, and manage evidence in one centralized platform. From automated evidence collection to continuous monitoring, A-SCEND is the end-to-end solution that bridges the gap between auditor experience and technology. 

Beware of the Limitations of Technology

Popular thought is that by enabling integrations into a cloud platform, an organization can become effectively hands-off in its approach to assuring compliance. While this idea may seem like a solution, several influences quickly highlight how cost-ineffective this route can be.  

Only a few of the available integrations consider the nuance of scoping. An organization might have the ability to pull data from its cloud service provider (CSP) quickly. However, a human must evaluate if that evidence applies to the assessment at hand. 

For example, pulling a population of users from an HR system might ease a burden on your HR team, but what if you deliver the wrong list of users? When the concern is providing more than the (minimum) necessary for an assessment, unmanaged integrations are a significant risk. 

Even if your organization adopts compliance technologies, CISOs and Compliance Officers should ensure their team stays actively engaged with the audit processes. 

2. Consolidate Vendors

Audit and compliance automation platforms are not the same as accredited auditors or assessors. This means organizations must still contract with and build relationships with one or many audit firms depending on the attestations and certifications they carry.  

It is common to see third-party compliance firms specializing in delivering either SOC, ISO, PCI, or HITRUST assessment and validation. However, when consolidation is key, many companies make uninformed decisions that increase their workload (and budget). Think of it like choosing to contract with a different cell provider for every cell phone in your home — you quickly realize how little sense it makes. 

Coordination, variety of opinions, and variations in quality and performance all become genuine risks when engaging with multiple assessor firms. Applicability of collected evidence is also a concern: automation integrations pull some data from cloud platforms, but the auditors must still determine whether that data is sufficient for their evaluation.

Audit firms must ensure they collect sufficient data to support the opinion they issue. If opinions vary, the burden to provide satisfactory evidence will always remain an obligation of the assessed entity — which can put organizations in a challenging position.  

3. Don’t Delay Cybersecurity Compliance Certifications

With an uncertain economy, it is easy to understand why some organizations may consider delaying the pursuit of compliance certifications. However, many prospective clients will value your organization’s additional protections to ensure their data remains protected, especially if the client sees an organization’s process is validated by a trusted, independent auditor.      

In particular, SOC 2 and ISO 27001 are two of the most effective cybersecurity frameworks. 

Organizations should proactively complete a SOC 2 audit before a customer requests a final report. This will set you apart from your competition and help you to win new business. 

Additionally, some authorizations, like FedRAMP, require yearly re-assessments. Organizations should seek re-authorization to remain competitive and retain current customers. 

Keep Compliance as a Top Priority

While budget reductions may be coming, CISOs do not need to sacrifice information security. Adopting compliance technology and consolidating vendors can minimize downtime and save money. Additionally, pursuing relevant certifications can attract new clients and increase your business revenue. 

A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks, including SOC 2, PCI DSS, ISO 27001, GDPR, FISMA, FedRAMP, and NIST-based frameworks. Our advisors and auditors can partner with your organization to help you meet all compliance needs, even during times of financial uncertainty.  

Keep forward on your path to success. Begin your compliance journey with A-LIGN today.  

Created in 2020, StateRAMP provides a standardized approach to cybersecurity for cloud vendors working with state and local governments. StateRAMP authorization is required for any organization that wishes to do business with state and local governments. 

If you are seeking StateRAMP authorization, here is a look at the step-by-step process you’ll need to complete with A-LIGN: 

  • Step 1: Pre-Assessment Review 
  • Step 2: Planning Activities 
  • Step 3: Assessment Activities 
  • Step 4: Reporting Activities 
  • Step 5: Earning Authorization

Look familiar? This is very similar to the process for FedRAMP authorization.  

Before You Begin

Before the assessment process gets underway, you’ll need to complete a few initial tasks to help your organization prepare: 

  • Research
  • Obtain a Sponsor (optional)
  • Find a Third Party Assessment Organization (3PAO)
  • Complete a Readiness Assessment (optional)

Research

It’s always good to gain a baseline understanding of StateRAMP and the assessment process before diving into it. Here is some recommended reading to help you begin your research: 

  • StateRAMP Frequently Asked Questions 
  • What Is StateRAMP and How Does It Relate to FedRAMP? 
  • Templates & Resources – StateRAMP 

Leverage a Sponsor or the Approvals Committee

Sponsors are individuals or agencies responsible for reviewing a security package and approving StateRAMP Authorized status. Sponsors are the state agency or organization that will eventually be using the cloud product. 

Providers looking to achieve StateRAMP Authorization may choose to leverage a sponsor OR use StateRAMP’s Approvals Committee instead. Either route is acceptable and there is no difference (beyond some minor administrative changes) in the authorization process.  

Find a Third Party Assessment Organization (3PAO)

StateRAMP assessments must be completed by a 3PAO, an organization that has gained special authorization to conduct assessments on behalf of the StateRAMP program. Any FedRAMP 3PAO is eligible to conduct the assessments but must register with StateRAMP.

A-LIGN is a StateRAMP-registered assessor and accredited FedRAMP 3PAO. We have a longstanding relationship with FedRAMP and StateRAMP, and served as advisors on how best to adapt the FedRAMP framework into StateRAMP when the program was first created. We also currently serve on the Steering Committee and the Appeals Committee. 

Complete a Readiness Assessment 

Prior to undergoing a StateRAMP assessment you may want to perform a StateRAMP Readiness Assessment and get a Readiness Assessment Report (RAR). During this assessment, a 3PAO looks at your environment to determine if it is technically capable of meeting the StateRAMP requirements. 

A readiness assessment can help identify gaps in controls prior to the official 3PAO assessment — which ultimately will save you time and money in the official audit process. After the assessment, organizations can qualify for StateRAMP Ready status, which designates your organization as one that is qualified to achieve StateRAMP authorization and is in process.  

A-LIGN can provide you with both a readiness assessment, as well as an official assessment for StateRAMP authorization. 

Step 1: Pre-Assessment Review (1-4 Weeks) 

If you have already completed a readiness assessment with A-LIGN and received a StateRAMP Readiness Assessment Report, we will skip this step and move immediately to Step 2 in the process.  

Once you are ready for an official assessment and have signed a contract with A-LIGN, we’ll begin with a pre-assessment review phase.  

During this phase, our team will compare your current environment against the StateRAMP requirements to determine any known issues or gaps that need to be remediated before the official assessment.  

Keep in mind that the quality of the evaluation is dependent on the accuracy and volume of information you provide to us. The more you can provide, the better. Once the review is complete, we will meet with your team to review the findings and outline the next steps.  

Step 2: Planning Activities (4 Weeks)

After the Pre-Assessment Review phase, you will need to submit responses to an initial Information Request List (IRL) that A-LIGN provides you with.  

While you are working on the IRL responses, we will submit a few materials to your sponsor to review. These include: 

  • An Authority to Test (ATT) – This is part of our penetration (pen) test planning and is only required if the system being reviewed is classified as StateRAMP Moderate impact level. Low and Low+ impact levels do not require pen tests under current guidance from StateRAMP. 
  • A Security Assessment Plan (SAP). 

Step 3: Assessment Activities (7 weeks) 

During the assessment phase, we will conduct on-site fieldwork (team interviews) and remote fieldwork (evidence review).  

Keep in mind that we do not begin our evidence review until at least 90% of the IRL evidence is provided by your team. Any delays in evidence collection will result in delays in our review timeline. It’s important to plan ahead so we can stay on schedule throughout the assessment process.  

We will also conduct a pen test at this time. Again, this is only a requirement for StateRAMP Moderate. It is an optional step for Low and Low+. Although it is optional, we highly recommend undergoing this step as a safety net to eliminate any surprises we may encounter during the actual testing phase. 

Once we conduct the penetration test and get through a majority of the evidence review, we’ll provide your team with a draft of a risk exposure table. Your team can then review the draft and create a plan of action and milestones to remediate any initial issues that were found.  

Step 4: Reporting Activities (5 weeks)

Upon completion of our full evidence review and pen test, we will provide you with a draft Security Assessment Report (the next iteration of the initial risk exposure table) and pen test report for review. We will analyze and discuss the findings with your team before drafting a final report for you.  

Once the final report is complete, it will be sent to StateRAMP. 

Step 5: Earning Authorization (2-3 weeks)

The security package is then reviewed by the security professionals at StateRAMP’s Program Management Office (PMO). The PMO will verify the security status of your organization and grant you:

StateRAMP Authorized Status: A status that indicates the product or offering has:

  • A government sponsor
  • Met all the required NIST controls by impact level
  • Completed the necessary documentation, including a 3PAO Security Assessment Report

StateRAMP Provisional Status: A status that indicates the product or offering has:

  • Met the minimum requirements and the most critical controls, but not all of them

Providers listed as Provisional may continue to work toward Authorized status.

All authorized providers will be listed on the publicly available Authorized Vendor List (AVL) on stateramp.org, which includes information about each service provider's products, including impact level, provider type, and security status. The PMO maintains responsibility for continuously monitoring providers listed on the AVL.

Get Started Today

For any organization looking to work with state and local government entities, StateRAMP authorization is essential. With careful planning, a solid 3PAO partner, and an understanding of the process and associated timeline, you can streamline efforts to achieve StateRAMP authorization.   

For more information about the StateRAMP process, contact A-LIGN today. 

Since its creation in 2011, the Federal Risk and Authorization Management Program (FedRAMP) has provided a standardized government-wide approach to assessing the security of cloud computing services. 

However, due to government agencies’ increased adoption of cloud technologies and a rise in cybersecurity attacks, many organizations and agencies have called for an updated version of FedRAMP to address their mounting cybersecurity concerns. 

In late December 2022, the President signed H.R. 7776, the “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023,” into law, which includes the FedRAMP Authorization Act. The official FedRAMP Authorization Act document is nearly 30 pages long and details the proposed changes to the FedRAMP program.  

This blog will discuss everything you need to know about the FedRAMP Authorization Act, along with what the changes mean for organizations.  

1. Codifies secure market expansion into law 

The passing of the FedRAMP Authorization Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. By codifying the FedRAMP Authorization Act into law, FedRAMP will now receive Congressional oversight. With this oversight comes better insight into the cost burdens of FedRAMP Authorization for SMBs. 

Currently, the FedRAMP Authorization process is quite costly. Organizations that obtain authorization must undergo annual reassessments to retain their authorized status, only furthering the financial strain. The new FedRAMP Authorization Act aims to discover where and how these cost constraints can be alleviated.

In addition to the above changes, the United States Office of Management and Budget and General Services Administration/FedRAMP Project Management Office will be required to produce and submit reports for Congressional review. These reports will document the metrics and performance standards of the FedRAMP program.  

2. Allows agencies to certify vendors more easily 

One of the FedRAMP Authorization Act’s most important features focuses on reciprocity. Reciprocity gives Cloud Service Providers (CSPs) the ability to authorize and then re-use their already-certified FedRAMP status across other agencies.  

Put simply, this “presumption of adequacy” clause, as it is called in the official documentation, allows FedRAMP-authorized tools to be used by any federal agency without further checks. Formalizing a “presumption of adequacy” for government contractors makes it easier for organizations to certify vendors, opening the door for organizations to get easier access to more cyber-secure services.  

3. Establishes a secure cloud advisory committee 

Additionally, the Federal government seeks to provide more transparency and increased dialogue between themselves and industries. The government wants to drive stronger adoption of secure cloud capabilities and reduce legacy information technology. 

To achieve this goal, the FedRAMP Authorization Act calls for the creation of a Secure Cloud Advisory Committee.  

The committee will consist of 15 members, including five representatives from cloud services companies. Two of the five representatives must come from small cloud vendors. The committee will also contain one representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. Two serving chief information officers from Federal government agencies would also sit on the committee. 

Secure Cloud Advisory Committee members will work alongside the existing FedRAMP Joint Authorization Board to streamline selection and assessment processes. The two groups will uncover solutions to shorten the time to gain the authority to operate (ATO) and to update the framework over time.  

What does the FedRAMP Authorization Act mean for my organization?  

As of now, there are no immediate changes to make in regard to obtaining FedRAMP Authorization.

But we do suggest that organizations take advantage of the benefits of the FedRAMP Authorization Act. The Act has made it easier for commercial cloud and software providers to access multiple agencies across the federal marketplace.

This may provide a valuable opportunity to expand your organization’s work in the public sector — a highly profitable industry. 

Get started with FedRAMP today 

The FedRAMP Authorization Act will remove some of the current FedRAMP authorization bottlenecks and will make it easier for agencies to source FedRAMP ATO providers. For organizations who still need to obtain FedRAMP authorization, now is the perfect time to dive in. 

A-LIGN is one of the top FedRAMP assessors in the world, with a 96% satisfaction rating from our customers. Our experts can help you through every step of the process — from a readiness assessment to final authorization.

Contact A-LIGN today to learn more about our FedRAMP services.

According to a recent ENISA report, strong internal security is no longer enough for organisations, as attackers have already shifted their attention to suppliers.

With many recent cyberattacks on supply chains across Europe, organisations have begun to consider alternative enhancements to their existing security measures. One of these solutions is blockchain-based cybersecurity technology.

IBM defines blockchain cybersecurity as a “comprehensive risk management system for a blockchain network, using cybersecurity frameworks, assurance services and best practices to reduce risks against attacks and fraud.”

Although many solutions using blockchain have been announced, organisations have not rushed to adopt blockchain technology. I believe blockchain can complement efforts to provide an additional layer of security, but it’s important to be wary of the risks associated with blockchain technology in the cyber supply chain.

Areas of highest risk for supply chains

Supply chains face a number of vulnerabilities — including economic instability, extreme weather events, supplier inconsistency and more. One of the top risks to supply chains is cyberattacks. The NotPetya attack in 2016 paralysed European and American supply chains and cost them nearly $10 billion worth of damage.

There is a reason why supply chains are especially vulnerable to attacks. The organisations making up supply chains aren’t technology companies. In fact, many supply chains still use aging and legacy infrastructure and rely on insufficient third-party software, which opens the door to risk.

Blockchain as a solution

The data structures of blockchain technology are based on consensus, cryptography, and decentralisation principles, which can enhance security.

But despite blockchain technology strongly improving since its inception, it still has several weaknesses in both security and structure that have prevented widespread adoption from organisations across the globe.

Risks associated with blockchain

Some of these shortcomings can make organizations more susceptible to attack. Security risks include:

  • Privacy: All network nodes have access to data on a public blockchain, despite blockchain databases being anonymous and encrypted. This makes it harder to control who has access to specific information.
  • Vulnerable to cyberattacks: Even though blockchain offers greater security than other platforms, it is not entirely safe. Attacks against the network, or weaknesses in the cryptographic algorithms it relies on, can still compromise the blockchain network.
  • Private keys: Blockchain requires users to have private keys to access resources or data stored in the blockchain. If a user loses their private key, they can no longer access the wallet — but if a bad actor has taken the key, they potentially can.
  • Data immutability: Once data is written, it cannot be erased. If someone uses a blockchain-based digital platform, they can’t erase its record. Those who have access to the platform can see the data history.

Structural issues associated with blockchain

Along with the security risks facing blockchain, several structural issues exist as well. Some of the structural issues preventing widespread blockchain adoption include:

  • Scalability: Unlike their centralised counterparts, blockchains have limitations in how they can grow alongside a business.
  • Storage: Blockchain databases are stored permanently on all network nodes. Computers can only store a limited amount of data, and blockchain ledgers can outgrow their storage space.
  • Power use: Whenever a new node is created, it connects to all other existing nodes and builds a distributed, continuously updated ledger. This process can require an extraordinary amount of power.
  • Cost and implementation: Even though most blockchain solutions are open source, implementing a blockchain solution can be a costly process. Enterprise blockchain projects can cost well over a million dollars to implement — and that figure does not include expected maintenance costs.

This is not to say blockchain cannot be used as a valid solution. However, organisations should not rely solely on blockchain technology to keep their supply chains safe.

How to keep supply chains safe

On 15 September 2022, the European Union announced it would be advancing legislation to strengthen security requirements for all digital hardware and software products.

Even with this new framework, ENISA continues to highlight its recommendations for customers and suppliers to minimise the risk of a supply chain attack, whether they use blockchain solutions or not.

Recommendations for customers include:

  • Identifying and documenting service providers and suppliers.
  • Defining risk criteria for different types of suppliers and services (for example, supplier and customer dependencies, critical software dependencies, and single points of failure).
  • Continuously monitoring supply chain risks and threats, including architecture and supported systems.
  • Managing suppliers throughout the complete lifecycle of a product or service, including end-of-life products or components.
  • Classifying assets and information that are shared with (or accessible to) suppliers, and defining relevant procedures for accessing and handling them.

As for suppliers, ENISA recommends:

  • Confirming that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows proper cybersecurity practices.
  • Implementing consistent product development, maintenance and support processes.
  • Continuously monitoring security vulnerabilities reported by internal and external sources, including third-party components in use.
  • Maintaining an inventory of assets that includes patch-relevant information.

A-LIGN can help mitigate risk

No one security posture can keep you safe. Organisations should not rely on security processes or frameworks alone. For maximum protection, you must put your security controls to the test.

Penetration testing is designed to assess the cybersecurity of your organisational technologies and systems. A-LIGN’s OSEE, OSCE, and OSCP Certified Penetration Testers employ automated and manual techniques to find weaknesses in servers, end-user workstations, wireless networks and web-based applications. They also assess security awareness, and the human-layer and physical facility controls to provide a complete picture of an organisation’s level of protection.

If you would like to test your organisation’s systems, contact A-LIGN today.

Today’s hackers are setting their sights on cloud resources. Just recently, the hacker group Cloaked Ursa (also known as APT29, Nobelium, and Cozy Bear) executed a massive effort targeting Google Drive and Dropbox.

Cloud breaches are leaving companies across industries vulnerable to hacks. In the last few months of 2022, password manager LastPass suffered a data breach when hackers gained access to a third-party cloud storage service and HR software maker Sequoia reported a breach of its cloud storage repositories, which put customers’ sensitive personal data at risk.  

How can you prevent something similar from happening within your organisation? The most important thing to do is to identify where vulnerabilities exist. For most organisations, that includes:

  1. The Human Element (People)
  2. Logging and Monitoring procedures
  3. App integrations and 3rd party components or libraries

In this blog, we’ll provide cloud security tips to help your organisation strengthen these vulnerable areas to decrease the likelihood of an attack.  

Cloud Security Tip #1: Educate Employees to Prevent Social Engineering Attacks 

Many breaches involve a form of social engineering, where hackers exploit the human element to trick people within an organization into providing some sort of access to sensitive data. In fact, in a recent survey, 75 percent of respondents cited social engineering/phishing attacks as the top threat to cybersecurity at their organization.  

Phishing is a very common strategy and most often takes the form of emails, website forms, or phone calls that encourage readers to click a link that is used to install malware or reveal personal information like credit card numbers, social security numbers, or account login credentials. Hackers have become quite sophisticated in their efforts, impersonating colleagues or other reputable sources to deceive employees.   

Organizations must prioritize educating their employees about these attacks, so breach attempts can be more easily identified and thwarted. It’s helpful to share examples of phishing attempts throughout your company so employees can better distinguish them from authentic communications.

It’s also important to educate employees on an ongoing basis. Hackers are constantly updating/changing their methods — they switch methods once a new one is proven to be effective. With that in mind, your education efforts for employees (also known as security awareness training) should focus on relevant current attacks/threat vectors being used by bad actors.  

Cloud Security Tip #2: Use Automation to Mitigate Logging and Monitoring Vulnerabilities 

Hackers often take advantage of insufficient logging and monitoring procedures, which give them more time to penetrate systems unnoticed. This is a huge advantage for them. With more time to discover exploitable vulnerabilities, hackers can increase the likelihood of maximum damage.  

While hackers poke around your systems, your organisation may not even notice a system anomaly that needs to be investigated.  

The most common insufficiencies we see across organisations include: 

  1. Logging level configuration issues. When logging levels aren’t set correctly or are set too low, you can miss alerts about unexpected activity that require investigation.
  2. A lack of log sources configured or onboarded. Without log sources, your organisation has no visibility into critical areas of your infrastructure — and therefore can’t detect suspicious activity.
  3. Insufficient error messages. When error messages lack key details, it’s impossible to contextualize anomalies and decide if they need to be investigated.

Consider using automated solutions to improve your logging and monitoring processes. This will allow you to notice and respond to anomalies at scale. 
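An added example (not A-LIGN's code or part of the original post) that turns the three gaps above into automated checks run over constructed sample log lines: a collector threshold that silently drops INFO-level authentication failures, an expected log source that never sends events, and an ERROR line without the context needed to triage it. The log format, source names, field names and thresholds are assumptions made for the example.

```python
"""Checks for the three logging gaps listed above, run over constructed sample log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Format assumed for this example:
# "<ISO timestamp> <source> <LEVEL> <message with key=value fields>"
SAMPLE_LOG = """\
2023-01-10T09:00:01Z iam INFO login_failed user=alice src=203.0.113.7
2023-01-10T09:00:03Z iam INFO login_failed user=alice src=203.0.113.7
2023-01-10T09:00:05Z iam INFO login_failed user=alice src=203.0.113.7
2023-01-10T09:00:06Z iam INFO login_failed user=alice src=203.0.113.7
2023-01-10T09:00:08Z iam INFO login_failed user=alice src=203.0.113.7
2023-01-10T09:00:10Z iam WARNING login_ok user=alice src=203.0.113.7 mfa=none
2023-01-10T09:01:00Z storage ERROR access denied
2023-01-10T09:01:30Z storage ERROR object_get denied user=bob src=198.51.100.9 bucket=hr-exports
2023-01-10T09:02:00Z vpn INFO session_start user=carol src=192.0.2.4
"""

LEVELS = {"DEBUG": 10, "INFO": 20, "WARNING": 30, "ERROR": 40}
# Sources the monitoring pipeline is supposed to receive. "edr" is an assumed
# source that was configured but never onboarded, so it sends nothing.
EXPECTED_SOURCES = {"iam", "storage", "vpn", "edr"}
# Fields an ERROR line needs before an analyst can decide whether to investigate it.
REQUIRED_CONTEXT = ("user", "src")


def parse(text):
    """Turn raw lines into event dicts; key=value tokens in the message become fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, level, msg = line.split(" ", 3)
        fields = dict(tok.split("=", 1) for tok in msg.split() if "=" in tok)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": source, "level": level, "msg": msg,
                       "fields": fields})
    return events


def retained(events, threshold):
    """Events that survive a collector configured to keep only levels >= threshold.
    Gap 1: a WARNING threshold silently drops the INFO-level auth failures."""
    return [e for e in events if LEVELS[e["level"]] >= LEVELS[threshold]]


def failed_login_bursts(events, limit=5, window=timedelta(seconds=60)):
    """Users with at least `limit` login_failed events inside any sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["msg"].startswith("login_failed") and "user" in e["fields"]:
            per_user[e["fields"]["user"]].append(e["ts"])
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged.add(user)
    return sorted(flagged)


def silent_sources(events, expected=EXPECTED_SOURCES):
    """Gap 2: expected log sources from which no event has arrived at all."""
    return sorted(expected - {e["source"] for e in events})


def uncontextualized_errors(events, required=REQUIRED_CONTEXT):
    """Gap 3: ERROR lines missing the fields needed to triage them."""
    return [e["msg"] for e in events
            if e["level"] == "ERROR" and not all(k in e["fields"] for k in required)]


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("bursts seen at WARNING threshold:", failed_login_bursts(retained(events, "WARNING")))
    print("bursts seen at INFO threshold:", failed_login_bursts(retained(events, "INFO")))
    print("silent sources:", silent_sources(events))
    print("errors lacking context:", uncontextualized_errors(events))
```

The same burst of failed logins is invisible at the WARNING threshold and detected at INFO, which is the configuration mistake the first gap describes.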

Cloud Security Tip #3: Conduct Penetration Tests to Secure App Integrations 

Web applications are particularly vulnerable to attacks. Nowadays there are so many integrations that threat actors can take advantage of. Particularly, threat actors have been able to move laterally across the cloud with applications that were either not developed securely or have vulnerabilities within the integrations themselves. 

To monitor your app integrations, it’s essential to conduct regular penetration tests. Your organization should regularly test to identify weaknesses in web applications before an attacker identifies them. This includes testing to ensure integrations are supported and updated.  

A penetration test will show if there are unintended vulnerabilities that can be used to move laterally across different parts of your organisation’s cloud, so you can perform the necessary remediations immediately. 

Secure Your Cloud Resources Today 

Don’t wait to secure your cloud resources. Hackers continue to become more sophisticated with new strategies to discover vulnerabilities within any environment and target sensitive information. A breach can cause financial losses, reputational damage, and result in expensive GDPR fines and penalties for your organization.  

Start the process to protect your resources today by conducting a penetration test to identify your biggest areas of concern.  

Watch this video so you know what to expect during the process, then contact the experts at A-LIGN to set up your first test.

Over the last couple of years, more and more organisations conducting business throughout the European markets have been seeking a SOC 2 assessment in addition to the ISO 27001 certification. So much so that many have begun to speculate whether the US-originated SOC 2 audits will replace the need for the international ISO 27001 certification in these EMEA markets.

The short answer: Not quite. 

While both provide some level of assurance to clients and regulating bodies, a SOC 2 assessment and an ISO 27001 certification by definition are two different processes.  

ISO 27001 is an internationally recognised standard with a framework of controls that can be applied to any organisation, regardless of the size or sector, with a pass/fail certification decision.   

A SOC 2 assessment is an audit standard created by the American Institute of Certified Public Accountants (AICPA) in which a CPA (Certified Public Accountant) will review your policies, procedures, and systems against five categories called Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). The independent assessor’s detailed SOC 2 report contains their expert opinion of how well the organization meets the selected criteria in regard to protecting all aspects of its systems.

Why the speculation?  

The rising use of SOC 2 in the US over the past decade is due to many large companies becoming more proactive about their cybersecurity risk management. These organizations began setting forth requirements stipulating that their vendors must have a SOC 2 report ready as part of the due diligence process. 

Over the past two years, a similar chain of events has started to play out in Europe. Increasingly, companies in certain key industry sectors require SOC 2 reports so they can determine whether organisations along the supply chain have the necessary controls in place to protect the data of all parties involved.  

The SOC 2 report is more in-depth than an ISO 27001 certificate. The result of a SOC 2 assessment is an extensive attestation report that can run to 150+ pages, so it tends to give a company’s partners and clients a higher level of detail about its security posture than the result of an ISO 27001 audit, which is a one-page certification letter. This is one of the leading reasons why the cybersecurity compliance norm in Europe is beginning to welcome SOC 2 as an excellent supplemental security framework.

Which is better: SOC 2 or ISO 27001?  

Because the two differ in scope and function, identifying one as superior over the other isn’t the correct way to think about it. Depending on the organization’s goals and capabilities, one may be better to prioritize as the first approach to security. Identifying which one is right for your organization can be done by consulting with an information security governance, risk and compliance management consultancy firm.  

You may find that leveraging both a SOC 2 assessment and an ISO 27001 certification only increases the efficacy and durability of your cybersecurity posture, enabling you to tap into the US and EMEA markets with a greater competitive edge. Utilising audit management software such as A-SCEND allows organizations to easily satisfy multiple audit requirements by deduplicating evidence collection, saving time and resources during the completion of both audits.  

Different Markets Require Different Compliance Needs 

In addition to SOC 2 and ISO 27001, there are several different certifications and standards that organizations can leverage to remain compliant in their region of operation and improve their security posture. For organizations that wish to do business in the UK, attaining a Cyber Essentials (CE) Certification (a certification developed by the UK Government and industry to help protect organizations against common online attacks) is a must. Additionally, compliance with the Data Protection Act 2018 is another compliance requirement unique to the UK.

Equally, operators of essential services (OES) and related digital service providers (RDSPs) in the EU must adhere to the NIS Directive (Directive on security of network and information systems). Any company conducting business and/or processing EU residents’ personal information must comply with the GDPR (General Data Protection Regulation). 

Strengthening Your Business’s Compliance Programme    

Ensuring the privacy of consumer data and the protection of information will continue to be of utmost importance for your organisation in the coming years. If you’re looking to fine-tune your business’s compliance programme in order to abide by the latest regulations, while also winning new business, A-LIGN can help. Our expertise spans privacy impact assessments, GDPR-related services, ISO 27001 Certification and SOC 2 examinations. We have everything needed to take your compliance program to new heights. 

Are you confident that your organisation’s personal data is protected by the security measures, policies and procedures you have in place? For many organisations, this is a false sense of security. Establishing policies and procedures is not a one-and-done task. Cybersecurity efforts should involve your entire organisation from the top down and be treated as an ongoing effort.

With the shift to remote work came a drastic increase in data breaches, making cybersecurity more important than ever before. In this article, we will review the importance of data protection and establish how zero-trust architecture will help to better secure your European organisation’s personal information.

Data Protection: The Baseline of Cybersecurity

Data protection concentrates on the data itself, closely tracking who is using it and where it is being sent, and blocking access based on conditions set in advance. Establishing these conditions is the baseline step in protecting your organization against cybercrime.

Since hackers can only steal information that is accessible to them once they gain access, one of the most effective ways to mitigate risk is to limit the data collected. For example, you should not collect any information that is not directly relevant to your business. If you must collect the data, set a retention policy that directs staff on when to purge it. This organisational practice applies not only to data stored on-premises, but also to data in the cloud.

Employee education also directly ties into data protection. The majority of employees will trust they are purging data when they simply remove documents from their desktop, not realising that duplicate files also remain on their computer. Learning how to properly dispose of data will drastically minimise the amount of data that can be compromised if malicious threat actors strike.

Data protection is a common practice for European organizations. We are now seeing the U.S.-driven approach of zero trust gaining traction in the E.U. as an additional layer of cybersecurity. In response to the SolarWinds attack in 2020, the National Cyber Security Centre (NCSC) encouraged the widespread adoption of zero-trust security frameworks.

What is zero trust?

Establishing a zero-trust architecture means that your organization restricts access to resources to only those employees who need them. Every time an employee wants to access data or a resource, they must reauthenticate, proving who they are and that the access is necessary to their job function. Zero trust follows the principle of least privilege: never trust, always verify.

Adding a zero-trust architecture to your data protection protocols will help to strengthen the security of your European organisation. Zero-trust principles assume that the internal network is already compromised by many threats and create an additional wall of protection to stop the spread and avoid a cybersecurity event.
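To make the "never trust, always verify" rule concrete, here is an added example (not A-LIGN’s code or any product’s) of a minimal per-request access decision in Python. The roles, resources, re-authentication window and device-posture flag are all assumed, constructed values; the point it shows is that a request coming from the internal network earns no trust by itself, and that each of identity, session freshness, device posture and least-privilege entitlement is checked on every request.

```python
"""Minimal zero-trust access decision (added example, hypothetical data).

Every request is evaluated on its own merits: identity must be freshly
verified, the device must be in a compliant state, and the caller's role
must be entitled to the specific resource (least privilege). Being on the
internal network earns no trust at all."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed least-privilege entitlements: a role reaches only the
# resources its job function needs. Names are illustrative, not real.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll-db"},
    "support_agent": {"ticketing"},
}

# Assumed policy value: how long a proof of identity stays acceptable
# before the user must re-authenticate.
REAUTH_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    source_network: str      # "internal" or "external"; logged, never used for trust
    last_auth_at: datetime   # when the user last proved who they are (UTC)
    mfa_verified: bool       # identity proven with a second factor
    device_compliant: bool   # managed, patched endpoint


def evaluate(req: AccessRequest, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). All checks must pass; the first failure is reported."""
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    if now - req.last_auth_at > REAUTH_WINDOW:
        return False, "authentication is stale; re-authentication required"
    if not req.device_compliant:
        return False, "device posture is not compliant"
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return False, f"role {req.role!r} is not entitled to {req.resource!r}"
    # req.source_network is deliberately absent from the checks above.
    return True, "verified identity, fresh authentication, compliant device, entitled role"


def demo_decisions() -> dict[str, bool]:
    """Evaluate a few constructed requests; returns {label: allowed}."""
    now = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(hours=2)
    cases = {
        # On the internal network but never verified: location buys nothing.
        "internal_no_mfa": AccessRequest("alice", "payroll_clerk", "payroll-db",
                                         "internal", fresh, mfa_verified=False, device_compliant=True),
        # Verified earlier, but the proof has aged past the window.
        "stale_auth": AccessRequest("alice", "payroll_clerk", "payroll-db",
                                    "internal", stale, mfa_verified=True, device_compliant=True),
        # Fully verified, but asking for a resource outside the role's job function.
        "wrong_resource": AccessRequest("bob", "support_agent", "payroll-db",
                                        "external", fresh, mfa_verified=True, device_compliant=True),
        # Fully verified, compliant device, entitled role: allowed even from outside.
        "external_ok": AccessRequest("bob", "support_agent", "ticketing",
                                     "external", fresh, mfa_verified=True, device_compliant=True),
    }
    return {label: evaluate(req, now)[0] for label, req in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo_decisions().items():
        print(f"{label:16s} -> {'ALLOW' if allowed else 'DENY'}")
```

In a real deployment the same shape of decision is made by an identity provider or policy engine on every request, with device posture fed from endpoint management and the entitlement table maintained as part of access governance; the example only fixes the order and the meaning of the checks.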

Driven by the SolarWinds attack, the General Data Protection Regulation (GDPR) and the recent COVID-19 pandemic, European organisations need extra layers of security to best mitigate the threat environment.

Harden Your Organization’s Cybersecurity

Assuming a European organization has already established data protection standards and a zero-trust architecture, it should identify and highlight threats and risks with penetration testing and vulnerability scans to minimize the attack surface.

Penetration tests (pen tests) are simulated cyberattacks performed by ethical hackers to assess the cybersecurity posture of your technology and systems. The process is carried out on real systems and data using the same approach a malicious hacker would use. It’s important to note that the data or personal information collected is not sold or distributed in any way.

To add an additional layer of security, consider undergoing a vulnerability scan. This exercise checks an organization’s network and systems against a database of known vulnerabilities. If your organization pairs a vulnerability scan with a pen test, you’ll have a more holistic view of your security posture to remediate any known vulnerabilities.

Prepare for a Cyberattack

It will be no surprise that human error is cited as the number one cause of data breaches and cybersecurity events. Examples of human error include default password usage, lost devices, unlocked devices, incorrect disclosure procedures, failure to manage system patches, etc. As you can tell from this list, cybersecurity education for all employees is necessary and can help to prevent data breaches caused by human error.

When it comes to keeping your organization secure, it’s not a matter of if but when a cyberattack will occur. It’s important to take a proactive approach to cybersecurity by establishing your data protection plan and zero-trust architecture, then hardening your security posture with penetration testing and vulnerability scans. Putting all these tools in place now will help your organization avoid a costly cybersecurity attack in the future.

Is your European organization ready to implement zero trust? Our certified experts can help you today.

In January 2023, HITRUST released the HITRUST CSF v11. This latest upgrade comes with a series of changes said to increase effectiveness while reducing certification effort by 45% compared with its predecessor, CSF v9.6. The reduced effort toward HITRUST Certification comes from the improved control mappings and more precise specifications in CSF v11.

To achieve these added efficiencies, CSF v11 introduces a threat-adaptive portfolio of assessments which moves the r2 baseline to the i1 requirements and includes i1 requirements as ‘Core’ on an r2 assessment. These overlaps in requirements enable organizations to use work completed on lower assessments towards more robust ones in the future.  

CSF v11 also adds a cybersecurity essentials assessment and the i1 Rapid Assessment to the list of HITRUST services. Here is everything you need to know about the new CSF v11, along with its new assessments and guidelines for Third-Party Risk Management (TPRM).

The new essentials, 1-year (e1) assessment  

This new assessment is designed to enable low-risk organizations of any size to assess the general cyber hygiene of their operations against new and emerging threats and demonstrate the implementation of any necessary controls. The e1 certification carries 44 Curated Requirements from the HITRUST CSF and is valid for one year, with annual renewal. Organizations may obtain certification once the e1 assessment is complete and the necessary conditions are met.

This new assessment includes:  

  • A readiness self-assessment   
  • Controls and mitigations designed to defend against new and emerging threats  
  • Notifications for assessed entities of relevant changes in control guidance and mitigations to evaluate the current effectiveness of specific control implementations  
  • A streamlined assurance program that minimizes the burden on assessed organizations   
  • The ability to electronically distribute results as opposed to requiring a PDF report   

To maintain an adaptive set of controls for this framework, HITRUST will leverage its Cyber Threat-Adaptive Approach that frequently evaluates current Indicators of Attack (IoA) and Indicators of Compromise (IoC) against the controls currently in place.  

Updates to the i1 assessment in CSF v11

In addition to the new e1 Assessment, HITRUST announced a new version of the i1 Assessment, which includes a new i1 Rapid Assessment.  

The updated i1 Assessment under v11 will replace the existing i1 Assessment under v9.6 and will now include around 170 to 190 required control statements. This comes as a reduction in requirement statements from the existing i1 Assessment, which had 219 requirement statements.   

HITRUST explains that this reduction comes from a refresh of source mappings and a better understanding of the current threat climate, allowing a more streamlined set of requirements that still maintains a high level of security.

The new i1 Assessment under v11 has a Rapid Assessment option, which provides an accelerated means of recertification by demonstrating that your control environment has not materially degraded. HITRUST defines control degradation as a problem in the operation of a control that is observed during the rapid recertification but was not present during the initial i1 assessment a year earlier. Should any controls come back as degraded, you have options:

  • For two or fewer below-passing scores, you are allowed to renew and are not deemed degraded.
  • For three or four below-passing scores, you may expand your sample of requirement statements and try again, or convert your rapid assessment to a full i1 assessment.
  • For five or more below-passing scores, you will need to convert your rapid assessment into a full i1 assessment.

This i1 rapid assessment option can only be used every other year. After using it for one year, the organization must complete a full i1 assessment.

To be eligible for an i1 Rapid Assessment, organizations:  

  • Must hold an i1 certification from the previous year, obtained under CSF v11 or later
  • Must assess the same scope as their last assessment  
  • Must have no critical change in any security infrastructure from their last assessment  

New third-party risk management quick-start guidelines in CSF v11  

The latest changes to the HITRUST Third-Party Risk Management guidelines are meant to simplify the assurance process for third parties and those who rely on them. The Quick-Start Guide helps organizations implement the information security-related components of a comprehensive third-party risk management program. It is designed to:  

  • Streamline usage of the HITRUST TPRM Methodology  
  • Distill the broader methodology into clear actionable steps  
  • Provide clear guidance on computing inherent risk, classifying vendors, and selecting the appropriate level of third-party assurance  
  • Summarize alternative approaches to satisfy requirements and associated risks   
  • Provide links to reference material for continuous education  

You can learn more about the HITRUST TPRM here.  

HITRUST legacy CSF version sunsetting timeline  

HITRUST also plans to sunset older versions of CSF Assessments in the coming years. Here is what to expect.  

For older r2 Assessments:  

  • September 30th, 2023: The ability to create a new v9.1 – v9.4 r2 Assessment will be disabled.   
  • December 31st, 2024: The ability to submit v9.1 – v9.4 Assessment objects will be disabled.  
  • March 31st, 2026: CSF v9.1 – v9.4 libraries will be removed from MyCSF. Note that CSF versions 9.5 and 9.6 will remain available in the CSF libraries.  

i1 Assessments will transition to v11:

  • March 31, 2023: The ability to create new v9.6.2 i1 Assessment objects will be disabled.
  • June 30th, 2023: The ability to submit v9.6.2 and earlier i1 Assessment objects will be disabled.

Proper planning = HITRUST success  

With the constant changes to the digital threat landscape and the evolving HITRUST CSF updates, A-LIGN knows HITRUST certification better than anyone. As one of the top HITRUST assessors in the world, we’ve helped more than three hundred clients successfully achieve HITRUST certification. From readiness to certification, A-LIGN can ensure your organization achieves HITRUST success. Get in touch today.

Download our HITRUST checklist now!

HITRUST is a standards organization focused on security, privacy and risk management. The organization developed the HITRUST CSF to provide healthcare organizations with a comprehensive security and privacy program. This program was specifically designed to help organizations manage compliance and reduce risk.  

Although the HITRUST CSF has been around for more than a decade, many organizations still struggle with knowing if it’s the right certification for them.  

Here’s what you need to know before your organization decides to complete a HITRUST assessment.   

What is the HITRUST CSF?  

The HITRUST CSF is a comprehensive, flexible, and certifiable security and privacy framework used by organizations across multiple industries to efficiently approach regulatory compliance and risk management.  

This standard provides customers with confidence in knowing their data and confidential information are secure.  

HITRUST vs. HIPAA: What’s the difference?   

While HITRUST and HIPAA may seem similar on the surface, it would be inaccurate to truly pit the two of them against each other.   

HITRUST CSF is a certifiable security and privacy framework with a list of prescriptive controls/requirements that can be used to demonstrate HIPAA compliance. 

HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. law that details a set of safeguards that covered entities and business associates must follow to protect health information.

However, a more productive question to ask is “What is the best method for demonstrating HIPAA compliance within my organization?”    

If you’d like to learn more about why you might choose the HITRUST CSF as a means to achieve HIPAA compliance, check out our blog post explaining the benefits of this approach.   

Who must comply with HITRUST CSF? 

The HITRUST CSF was originally designed specifically for the healthcare industry. However, in 2019, HITRUST made the CSF industry agnostic, enabling organizations in any industry to pursue the certification.     

HITRUST Certification is not mandated by the Federal government but is considered to be the most comprehensive framework because of its mapping to many other standards, including HIPAA, SOC 2, NIST, ISO 27001 and more.

What are the benefits of HITRUST?   

Many organizations choose to undergo a HITRUST assessment because of how the CSF:  

  • Satisfies regulatory requirements mandated by third-party organizations and laws   
  • Accelerates revenue and market growth by differentiating your business from the competition  
  • Saves your organization time and money by leveraging a solid and scalable framework that includes multiple regulatory standards   
  • Unifies over 40 different regulatory requirements and recognized frameworks (such as ISO 27001, NIST SP 800-53, HIPAA, PCI DSS, etc.)  

What are the types of assessments?  

There are three types of HITRUST CSF Validated Assessments, each with its own benefits: the HITRUST CSF e1 Assessment, the HITRUST CSF i1 Assessment and the HITRUST CSF r2 Assessment. The e1 Assessment is a new assessment type that HITRUST released in January 2023.

HITRUST CSF e1 Assessment 

The e1 is the cybersecurity essentials assessment with 44 control requirements and is meant for low-risk organizations that want to ensure they are maintaining good cybersecurity hygiene. It will provide a low level of assurance but can serve as a stepping stone for more robust HITRUST certifications like the i1 and the r2.  

More details on this new product can be found in our recent blog post.   

HITRUST CSF Implemented, 1-year (i1) Assessment   

The i1 Assessment focuses on leading security practices with a more rigorous approach to evaluation than other existing assessments in the marketplace.

The i1 Assessment provides moderate assurance. Although meeting all requirements of an i1 Assessment will lead to a 1-year certification, it does not have coverage for the 40+ regulatory factors in the HITRUST CSF.  

HITRUST made changes to the i1 Assessment as of January 2023. The new i1 Assessment is based on the new CSF v11 (also released in January 2023) and has fewer controls than the i1 Assessment it replaces: 182 control requirements in the new i1 Assessment vs. 219 in the previous version. Also, once HITRUST i1 certification is obtained, the organization has the option of doing an i1 rapid recertification in year 2 instead of a full i1 certification, if the requirements are met. More details on the new i1 Assessment and the rapid recertification option can be found in our recent blog post.

HITRUST CSF Risk-based, 2-year (r2) Assessment  

Formerly known simply as the CSF Validated Assessment, the r2 Assessment focuses on a comprehensive, risk-based specification of controls. It also takes a very rigorous approach to evaluation, suitable for high-assurance requirements. This certification is issued for two years, and an Interim Assessment must be completed at the one-year mark.

Although this assessment provides the highest assurance level certified by HITRUST, the completion process is costly and requires a high level of effort and resources.  

If you’d like to learn more about the key differences between HITRUST i1 and HITRUST r2, read our blog post to learn about which assessment is best for your organization.  

What is the HITRUST assessment process?   

The HITRUST Assessment process is composed of five steps:  

  • Step 1: Define Scope. During this stage, an organization either works with a third-party assessor or an internal subject matter expert to define scope and determine what type of HITRUST assessment to undergo.  
  • Step 2: Obtain Access to MyCSF portal. The organization (the entity being assessed) contacts HITRUST to get access to the MyCSF portal. After receiving access, the organization should create its assessment object and engage an approved third-party assessor firm.   
  • Step 3: Complete a Readiness Assessment/Gap-Assessment. The assessor performs appropriate tests to understand the organization’s environment and flow of data between systems, and then documents any possible gaps. The gap assessment also ranks gaps in your organization by risk level, allowing you to remediate any gaps before the validated assessment.  
  • Step 4: Validated Assessment Testing. During the validated assessment (either the e1, i1 or r2 Assessment) testing phase, assessors review and validate the client scores, then submit the final assessment to HITRUST for approval. HITRUST will then decide whether to approve or deny your organization certification. The HITRUST QA stage in the process (before issuing the certification) can take anywhere from four to ten weeks, depending on the assessment and the assessors’ level of responsiveness.  
  • Step 5: Interim Assessment Testing. If certification is obtained as part of the r2 Assessment, an interim assessment is required to be conducted at the one-year mark to maintain certification. It is important to note that an interim assessment is not required if certification was obtained via the e1 or i1 Assessment.

To view a comprehensive, step-by-step guide to the HITRUST CSF Assessment process, download our HITRUST CSF Companion Guide.    

What are the HITRUST policies and procedures?   

The biggest challenge many organizations face in obtaining a HITRUST CSF Certification is establishing policies and procedures that satisfy the HITRUST requirements. This is more challenging for r2 Assessments. It is important to note that some policies and procedures are still required to be tested in an e1 and i1 Assessment, even though the tests performed will be less rigorous than for the r2 Assessment.

HITRUST policies and procedures must be created, documented, and in place for at least 60 days prior to the validated assessment to achieve full compliance. Policies are established guidelines and rules an organization and its employees must follow to achieve a specific goal, whereas procedures are the documented steps for the organization to meet the defined policies.  

For a full description of the specific policies and procedures to obtain HITRUST CSF certification, read our blog post on the subject.

Which policies and procedures does my organization need to document? 

The HITRUST CSF is a flexible and scalable security framework that is adapted to each organization’s compliance needs so the policies and procedures required will depend on your scope. 

You must have policies and procedures in place that address at least 19 HITRUST control domains. Your organization must receive a maturity score of at least “3” (on a scale from 1-5) for each control domain to earn HITRUST r2 certification. The HITRUST CSF control domains are: 

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Security
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging and Monitoring
  13. Education, Training, and Awareness
  14. Third-Party Assurance
  15. Incident Management
  16. Business Continuity and Disaster Recovery
  17. Risk Management
  18. Physical and Environmental Security
  19. Data Protection and Privacy

Why is it important to choose HITRUST-compliant vendors and partners?  

After receiving a HITRUST CSF Certification, continue managing risk by assessing exposure from third-party business partners.    

With cybersecurity compliance constantly evolving as new threats emerge, it doesn’t matter how strong your own security is if third-party vendors do not also have strong security, because they create a risk exposure vector into your organization.

In fact, many large healthcare corporations, including Anthem, Health Care Services Corporation (HCSC), Highmark, Humana, and UnitedHealth Group, sent a memo to most of their downstream vendors requiring them to achieve HITRUST Certification. This was done to ensure the safe handling of all sensitive information.

When selecting vendors, be sure to perform a risk assessment to confirm they have a risk mitigation strategy in place. This is the first step to ensure that they can protect the data that might be shared with them. Requesting a security compliance report, like a HITRUST Validated Assessment, SOC 2, PCI DSS, or NIST 800-53, among others, is a good approach to meet this objective.       

For more on how to properly vet HITRUST-compliant vendors, read our blog on the topic.  

Can HITRUST certification satisfy other requirements?  

In short, yes. HITRUST CSF Certification draws from several major pre-existing frameworks to provide a complete, certifiable security standard. The nature of this foundation may simplify the steps an organization needs to take to satisfy other requirements.  

Three major requirements HITRUST CSF Certification can help satisfy include SOC 2, ISO 27001/NIST 800-53 and FedRAMP.  

HITRUST and SOC 2 

A SOC 2 report describes the internal controls at a service organization, providing users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. Service organizations that provide services to other business entities commonly use SOC 2 reports.    

HITRUST and the AICPA have developed a collaborative approach that aligns the AICPA’s Trust Services Criteria with the HITRUST CSF criteria. This converged reporting model makes HITRUST and SOC 2 complementary services.

HITRUST and ISO 27001/NIST 800-53   

The foundations of HITRUST CSF were actually built upon ISO 27001 and NIST SP 800-53. However, ISO 27001 is not control-compliance based; it is instead a management/process model for the information security management system that is assessed.

Unlike HITRUST CSF, NIST 800-53 does not address the specific needs within the healthcare industry. This means that while ISO 27001 and NIST 800-53 are both beneficial frameworks to demonstrate cybersecurity standards, they are not as comprehensive as HITRUST CSF.    

Fortunately, HITRUST Certification covers many more factors than ISO 27001 and NIST 800-53, making both assessments easier to attain after being HITRUST CSF Certified.   

HITRUST and FedRAMP   

The Federal Risk and Authorization Management Program (FedRAMP) is a certification that serves to raise confidence in the security of cloud service providers (CSPs) utilized by the Federal government.     

FedRAMP requirements can be easily mapped to the HITRUST CSF framework. Organizations interested in pursuing FedRAMP certification should consider adding it to their HITRUST assessment. This provides a FedRAMP benchmark and reveals areas to mature, but is not the equivalent of achieving FedRAMP Certification.

For a complete list of requirements that HITRUST CSF Certification can assist with, read more here.   

Get started with HITRUST Certification 

HITRUST Certification may seem daunting, but it doesn’t have to be. There are many steps organizations can take ahead of time to streamline the process.   

The best way to set yourself up for a successful HITRUST Assessment is to make the time and resource investment upfront. This means hiring an external assessor firm that understands your business and industry, and has proven HITRUST Certification success. Thoroughly scope the project with your assessor to understand everything needed for the project.   

For more on the do’s and don’ts of beginning your HITRUST journey, check out this blog post.    

How long is HITRUST Certification valid? 

The HITRUST e1 and i1 certifications are valid for one year while the r2 certification is valid for two years if the Interim Assessment is completed successfully and timely.  

Note that HITRUST certifications should be treated as a continuous improvement and monitoring exercise, not a static, once-and-done assessment. This is because the threat landscape is always evolving, and so is the HITRUST CSF.

How much does HITRUST cost? 

HITRUST Certification greatly varies in price from approximately $40,000-$200,000, depending on the size, risk profile and scope of the assessment. 

The cost will be determined by the number of controls tested and the scope of the environment.  

Note that self-assessments are much less expensive but do not carry the same level of assurance because the process does not involve a third-party assessor. 

What’s an example of HITRUST Certification in the real world?  

Below are customer case studies in which the organization earned HITRUST Compliance to drive revenue, build customer trust and better their security posture.  

  • Sandata Achieves CMS Certification with HITRUST 
  • Solara Health Partners with A-LIGN to Earn SOC 2 and HIPAA Compliance 

What’s the history of HITRUST CSF? 

HITRUST was founded in 2007 to make information security a focus of the healthcare industry. HITRUST has now moved beyond healthcare and is a widely adopted, industry-agnostic framework. 

Start your HITRUST journey  

With more than 400 successful HITRUST Assessments completed, A-LIGN’s team of HITRUST experts is here to answer any question you might have through every step of the process by responding to all inquiries within 24 hours. With A-LIGN, you’re on the right path to HITRUST Certification success.   

Speak with an expert at A-LIGN today! 


Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2025. All rights reserved.
