How HITRUST Certification Can Satisfy Your SOC 2, ISO 27001, and FedRAMP Requirements
The HITRUST CSF pulls from many major pre-existing frameworks to provide a complete, certifiable security standard. Learn about the many different cybersecurity frameworks that can be incorporated into your organization’s HITRUST assessment to help streamline your approach to compliance.
Confusing. Difficult. Expensive. Overwhelming. Do you associate these words with the plethora of cybersecurity assessments available today? Many organizations are unsure of where to start and what assessments or audits will best prove to their customer that they take data security seriously.
While there are a variety of different audit options for any organization, the HITRUST CSF provides comprehensive, scalable, flexible and prescriptive solutions for organizations. By pulling from many major pre-existing frameworks and working with organizations to better understand their needs, the HITRUST certification provides a complete, certifiable security standard. Let’s first define HITRUST CSF and then take a look at the many frameworks that can be incorporated into the assessment. You’ll see how beginning with HITRUST CSF will streamline your approach to compliance!
What is HITRUST CSF?
The certification provides an integrated, prescriptive framework that works primarily with the needs of the healthcare industry in order to comply with the necessary cybersecurity standards. However, this framework is able to be scaled for various sizes and types of organizations in any industry and their control systems.
It also allows for the tailoring and scaling of controls with HITRUST oversight to ensure that the integrity of the systems remains intact and applications remain consistent. With a comprehensive framework for organizations of any size, system, or regulatory requirement, the HITRUST certification allows organizations to easily assess their current compliance while providing implementation requirements based on an organization’s risk factors.
What are the types of HITRUST assessments?
HITRUST offers two methods for approaching compliance with the HITRUST CSF, each with its own benefits depending on the needs of an organization: the self-assessment, and the validated assessment, which leads to HITRUST certification. They provide varying degrees of assurance based on the cost, effort level, and time required. The benefits of any type of HITRUST CSF Assessment include:
- Scalability for organizations of any size
- An understanding of the organization’s current level of compliance with the CSF and its areas of general risk
- Staying up to date on the latest security risks
- Saving time on numerous compliance audits
HITRUST self-assessment
The HITRUST CSF self-assessment is designed to be completed by the organization itself in order to minimize the time and resources spent demonstrating compliance with the CSF. The self-assessment can also be used as a stepping stone to a validated assessment. The benefits include:
- Low to medium level of effort needed to complete
- Can be quickly completed
- Lower investment in terms of budget and time
However, one of the drawbacks of a self-assessment report is that it provides the lowest level of assurance, as no validation comes from the self-assessment: it simply results in a HITRUST-issued CSF Self-Assessment report.
Validated or certified assessments
A validated assessment is a more rigorous process that provides a higher level of assurance: a third-party CSF assessor firm validates the information gathered by the organization. One of the benefits of receiving a CSF Validated Assessment is the increased assurance level it provides to the relying entity.
The process is more rigorous because of the testing conducted and authorized by an external CSF assessor at the organization. A validated assessment requires a medium to high level of effort to complete, due to the rigorous testing procedures. Upon completion, HITRUST reviews the complete assessment. If the organization has failed to receive a rating of ‘3’ or higher on any of the controls, the outcome is a validated report; if the organization received at least a ‘3’ on HITRUST’s scale and has shown a high level of maturity, it will receive a certified assessment.
The benefits of receiving a CSF certified assessment include:
- A report that is good for two years, with an interim assessment completed at the one-year mark
- The most complete assurance level certified by HITRUST
- Results in an official certification to provide to clients, partners, etc.
A certified assessment is only earned once an organization successfully demonstrates that they are able to meet all of the controls in the CSF required for certification at the appropriate level based on organizational needs.
The HITRUST framework & cybersecurity assessment integrations
HITRUST did a great job of mapping CSF requirements to existing standards for other cybersecurity assessments. Once an organization earns HITRUST certification, they may have already covered all of the requirements for a variety of other frameworks. If your organization uses a firm (like A-LIGN) to conduct your audits, you avoid hiring multiple auditors to earn other cybersecurity certifications.
The external assessor firm has the ability to conduct multiple audits at once, de-duplicating tasks. For example, if you use an external assessor firm that handles multiple security frameworks and are working toward your HITRUST CSF, your auditor can also complete all of the tasks for SOC 2, NIST 800-53, ISO 27001, FedRAMP, PCI DSS, and many more. Starting with the HITRUST certification and treating the assessments as one data collection process, rather than as one-off assessments, will save your organization a great deal of resources, time and budget.
HITRUST & SOC 2
SOC 2 reports describe the internal controls at a service organization, based on the American Institute of Certified Public Accountants (AICPA)’s Trust Service Criteria:
- Security (Common Criteria)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
SOC 2 reports provide users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. The SOC 2 is widely used by service organizations that provide services to other business entities.
HITRUST and the AICPA have developed a collaborative approach that aligns the AICPA’s Trust Services Criteria with the HITRUST CSF criteria. This allows licensed CPA firms that are also CSF assessor firms to issue a SOC 2 plus HITRUST report that covers both the SOC 2 criteria and the HITRUST CSF. This converged reporting model makes HITRUST and SOC 2 complementary services.
HITRUST & PCI DSS
PCI DSS is a payment card industry standard used to protect payment card data. Founded by the five major card brands, Visa, MasterCard, American Express, Discover and JCB, PCI DSS defines controls to enhance credit and debit card security.
HITRUST used the PCI DSS methodology in the creation of the HITRUST healthcare standard. To correctly map the two frameworks, HITRUST received input from their board of directors, who are industry experts from major healthcare organizations, to tailor the framework to the industry’s needs. The tailoring of this framework resulted in numerous factor overlaps between the two certifications, making PCI DSS easily attainable once HITRUST CSF is achieved.
HITRUST & ISO 27001/ NIST 800-53
HITRUST recognizes the complex, global nature of the healthcare industry and the need for an industry-specific approach to information protection. For this reason, ISO/IEC 27001 and NIST SP 800-53 were chosen as the foundations on which the HITRUST CSF was built, as both are international standards for information security.
ISO 27001 differs from the HITRUST CSF, as ISO 27001 is not control-compliance based, but is instead a management/process model for the Information Management System that is assessed. One of the key differences between NIST 800-53 and the HITRUST CSF is that NIST 800-53 does not address the specific needs within the healthcare industry. While ISO 27001 and NIST 800-53 are both beneficial frameworks to demonstrate cybersecurity standards, they are not as comprehensive as HITRUST CSF. The HITRUST certification covers many more factors than ISO 27001 and NIST 800-53, making both certifications easily attainable under HITRUST CSF.
HITRUST & FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) serves to increase confidence in the security of cloud service providers (CSPs) utilized by the federal government.
FedRAMP certification is incredibly valuable for vendors working with the U.S. government. If you work at the state level rather than with the federal government itself, you can easily map FedRAMP requirements to the HITRUST CSF framework. Organizations interested in pursuing FedRAMP certification could consider adding it to their HITRUST assessment to benchmark whether they are prepared and to mature their controls as needed, but should note that adding FedRAMP to a HITRUST assessment is not the equivalent of achieving FedRAMP certification.
HITRUST & GDPR
The General Data Protection Regulation (GDPR) aims to enhance the protection of personal data of European Union (EU) residents. The GDPR not only impacts organizations within the EU, but also any organization that processes the personal data of EU residents. Failure to comply with the Articles outlined within the GDPR may not only present a reputational risk for organizations, but also the potential for the following enforcement actions:
- Restricted access to data
- EU Commission-directed data protection audits
- Fined 4% of annual worldwide revenue
HITRUST has mapped the EU’s GDPR into the HITRUST CSF comprehensive privacy controls. By doing this, HITRUST helps its customers identify and lessen gaps and risks in their existing programs, ultimately helping them grow their cybersecurity compliance.
HITRUST & CCPA
The California Consumer Privacy Act of 2018 (CCPA) allows consumers to have more control over the personal information that businesses oftentimes collect. California consumers now have the following privacy rights:
- The right to know what information is being collected and how it will be used
- The right to delete personal information collected (with a few exceptions)
- The right to opt out of the sale of their personal information
- The right to non-discrimination for exercising these rights
The HITRUST certification includes comprehensive privacy controls and maps back to CCPA, similar to how the HITRUST certification maps back to GDPR. The HITRUST certification will help organizations identify and mitigate gaps in their current compliance programs, allowing them to meet the growing regulatory requirements and customer expectations regarding their data usage.
Getting started
While there are a variety of different audit options for any organization, the HITRUST CSF provides scalable, prescriptive solutions for organizations of any type. By pulling from major pre-existing frameworks and working with organizations to better understand their needs, the HITRUST CSF provides a complete, certifiable security and privacy standard. Are you ready to get started? The best way to set yourself up for success when it comes to a HITRUST assessment is to make the time and resource investment upfront. After all, proper planning equals HITRUST success. Before diving in, review our expert list of do’s and don’ts when getting started with your HITRUST certification.
What is Zero Trust?
There is no one-size-fits-all solution for security, so the best way to lessen the threat surface is to implement a zero trust architecture. To determine if pursuing a zero trust architecture is the right move for your organization, you need to understand its purpose, benefits and challenges.
Traditional attempts to protect the perimeter have shown that they are no match for today’s increasingly sophisticated threat actors. After all, humans are still the weakest link; it’s far too easy for someone to fall victim to a phishing attack, granting access to an internal network.
While zero trust has been an intimidating topic for many organizations due to the well-known challenges associated with implementing such an approach into an existing organization’s frequently complex network, the benefits shouldn’t be overlooked. Even the Federal Government is recognizing the importance of this approach as indicated in the recent Executive Order on Cybersecurity from President Biden which states, “The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model…”
What is Zero Trust?
Zero trust is a collection of concepts and ideas that are designed with the principle of least privilege for information systems. Basically, it’s about restricting access to resources to only the people who need them.
Every time a user wants to access specific data or a specific resource, the user will need to authenticate and prove who they are. For example, if a user needs to read the details from a document to do a portion of their job, they will only be granted privileges to read the document; they will not be able to edit or modify that document in any way.
This restriction around privileges is done intentionally. After all, a zero trust architecture uses zero trust principles to manage workflow and is designed to assume that an internal network is already infected with various threats. This is a unique mental hurdle for many organizations since most people just assume that an internal network is protected.
So how do you start implementing a zero trust architecture into your own network?
The Gold Standard of Zero Trust: NIST 800-207
Organizations looking to implement a zero trust architecture need to first identify the framework they want to follow. The NIST Special Publication 800-207 Zero Trust Architecture is widely referred to as the “gold standard” of zero trust. It is, perhaps, the most thorough framework an organization can follow to implement a true zero trust architecture.
According to NIST 800-207, zero trust (ZT) is the term for “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
The transition to a zero trust architecture is a significant task that cannot be achieved by simply updating or implementing new network security solutions. For that reason, many organizations pursue zero trust architecture in phases, oftentimes having components of zero trust incorporated in the organization’s infrastructure paired with perimeter-based security solutions.
The Benefits of Zero Trust
The greatest benefit of a zero trust architecture is obviously security. But there are three distinct components within network security that are worth highlighting.
1. Lessening the Threat Surface
Implementing a zero trust architecture is similar to implementing a brick wall against a traditional attack. This approach requires constant authentication, measurement, and verification to ensure the users who are granted access are who they say they are, and that they don’t abuse the access they’ve been given.
2. Visibility and Accountability
If organizations follow proper guidance, they should have logging and monitoring in place to know when anomalies happen. Though this is not a unique element to zero trust, limiting user access and accurately logging and monitoring activities allows organizations to gain greater visibility into user activities.
3. Securing the Remote Workforce
Clearly, the rapid shift to a remote workforce was both unprecedented and unexpected. Also unexpected was the speed with which new security concerns arose as a result of the increased presence of a distributed workforce, where employees began accessing the organization’s internal network from wherever they chose to work.
Consider, for example, if a user’s laptop was infected and they connected to the organization’s internal network through the virtual private network (VPN). With a zero trust architecture, it wouldn’t be as easy for the infected machine to infect the network because even the internal network is not automatically treated as an implicitly trusted network.
Based on this short list, it may seem like a no-brainer to implement a zero trust architecture into your organization, but there are some challenges to consider.
The Challenges of Zero Trust
The challenges around implementing zero trust architecture largely revolve around user experience and expertise.
Productivity and Performance
When it comes to productivity and performance, a zero trust architecture can unintentionally impact a user’s ability to get their job done. It can be tricky to find the delicate balance between locking down your assets as tightly as possible and making employees unproductive. After all, humans are the weakest link when it comes to network security. Limiting each user’s ability to interact with organizational data and information according to least privilege principles makes sense, until it prevents them from getting their job done in a timely and efficient manner.
Implementation Expertise
One of the biggest challenges organizations encounter with implementing a zero trust architecture is the amount of time and deep security knowledge required to implement it, especially for an already established organization.
A deep understanding of how an organization’s network operates and how the business runs is just the beginning. To effectively implement a zero trust architecture an organization must think ten steps ahead. For example, you’d need to think about the architecture in use today, how it can be modified while in use, and what long-term changes would need to take place.
Troubleshooting
Part of implementation planning is troubleshooting. Before a zero trust architecture is even implemented, the security team needs to consider all the possible scenarios that could require troubleshooting.
What if something stops working when zero trust is implemented? Who has enough functional knowledge of every component within an organization’s network to effectively troubleshoot something if or when something stops working?
Ultimately, this highly specialized skillset requires someone who is technically aware and geared toward managing and troubleshooting a zero trust environment.
What Zero Trust Steps Can You Take Today?
Organizations have become increasingly complex, making traditional network security solutions less effective on their own. This, coupled with the increasing sophistication of threat actors, illustrates a very real need to explore an approach that lessens the threat surface.
I strongly believe it’s time for organizations to start having zero trust conversations and think about what it would look like to begin the migration process.
To do so most effectively, leverage an existing methodology or framework, like NIST 800-207, as a blueprint for pursuing your zero trust mission. Create a checklist and a Q&A test plan to ensure you understand what the implementation could look like.
And remember, hacks happen from gaps that are often overlooked. Whatever framework you decide to pursue for your zero trust mission, follow it completely.
The Dos and Don’ts of Getting Started with HITRUST
A-LIGN created a list of the do’s and don’ts to better prepare you for the HITRUST assessment.
Most organizations would agree that HITRUST sets the standard for safeguarding information for organizations worldwide. HITRUST was originally founded to help healthcare organizations better manage information security systems and protect their data; the release of CSF 9.2 in 2019 allowed the HITRUST CSF certification to be used to support compliance reporting against other widely recognized privacy and security standards and requirements.
Needless to say, pursuing a HITRUST Assessment can be daunting. Though some organizations can become HITRUST certified in just a few months, the readiness process requires a significant investment in both time and resources. To be truly ready for a HITRUST assessment means there are no shortcuts. It comes down to this: proper planning equals HITRUST success.
To help organizations successfully get started with HITRUST, A-LIGN created a list of the do’s and don’ts to better understand where additional attention is needed and how to prepare for the assessment. To more easily navigate this list, we’ve broken it down into three sections: internal factors, external factors, and the process.
Internal factors
Get executive sponsorship & support
Regardless of the reason you’re pursuing HITRUST, whether it’s a contractual obligation, competitive advantage, or to increase overall security posture, you want to ensure you have executive buy-in. Having the sponsorship and support of the Executive team ensures the proper tone is set as you embark on the process to prepare for the assessment. This also translates to ensuring you have the resources and budget to get started.
You don’t want to find yourself in a position where you need to convince the team to support the efforts after you’ve already started or to try to find the resources and budget later on.
Summary:
DO ensure you have a strong commitment from management.
DON’T pursue unless you have a committed C-level sponsor for the activity.
Leverage experience & training
It might seem obvious, but you can’t do an assessment for a framework you don’t understand. Spend some time before you get started to ensure you understand what HITRUST is and what it requires. This will also help you properly budget the time and resources needed.
Specific areas you need to ensure you’re familiar with include:
- The goals and purpose of HITRUST
- How long the certification is good for
- How to understand the Scoring Rubric
- The HITRUST assessment methodology
Summary:
DO contact a HITRUST External Assessor Firm or HITRUST staff personnel to educate and inform key stakeholders. In addition, you may want to train one or more key employees in the HITRUST Academy Certified CSF Practitioner (CCSFP) course.
DON’T begin the Validated Assessment Certification process without experience or training in the HITRUST CSF, the Scoring Rubric, and the HITRUST assessment methodology.
Involve internal stakeholders
Preparing for a HITRUST assessment is not just a job for the IT department or the security compliance team. It requires involvement from almost every department within an organization to some degree, including HR, finance, legal, privacy, and even engineers and developers.
To ensure everyone understands their roles in the process, be prepared to communicate those needs to each department properly and explain why they are uniquely qualified to assist in providing the necessary information.
Summary:
DO involve cross-functional teams including HR, training, finance, facilities, maintenance, and more to ensure collaboration and understanding.
DON’T assume that IT and security teams will be the only ones involved in implementing and assessing the HITRUST risk management framework.
External factors
Select the right assessor firm
Engaging with an external assessor is a critical part of the process to get ready for your HITRUST assessment. In fact, the earlier you start to engage with the assessor firm, the better. Since you will be working with them closely for a long time, it’s helpful to fully understand what the assessment process will look like and what will be required.
But the most important part of engaging with an assessor firm is to find the right assessor firm. You want to ensure they understand your industry and your business and that they are the right culture fit. For example, you do not want to hire a firm that doesn’t have experience in a number of security frameworks and proven success in HITRUST.
When looking for the right HITRUST assessor firm for your organization, consider the following:
- Confirm they are licensed and accredited
- Ask how many HITRUST assessments they have successfully completed
- Ensure they are appropriately staffed and qualified
- Determine if they use technology to expedite the audit process
- Verify they respond within 24 hours
- Review the quality of their work
- Review their services offered
- Ask to speak with customer references
Summary:
DO take the time to properly vet an assessor firm to ensure they have the necessary experience with the HITRUST CSF Assurance Program and the technical expertise to understand your industry and business.
DON’T rush the selection of a trusted partner for Readiness and Validated Assessments. While many firms offer HITRUST services, some do not submit Validated Assessments to HITRUST regularly and may be unaware of important changes to the framework and certification process.
Purchase an annual MyCSF subscription
Perhaps the second most important thing to do, behind hiring the right assessor firm, is selecting and purchasing the CSF subscription that best fits your company.
Sometimes, organizations that have gone through previous assessments, such as SOC 2 or ISO, believe that HITRUST will be a simple process. However, HITRUST requires a very different approach to documentation and uses a scoring rubric that differs in concept from other assessments.
Obtaining a MyCSF subscription provides access to tools and information that will allow you to manage and perform risk assessments more easily while supporting Corrective Action Plan (CAP) management. A subscription also provides organizations with advanced analytics for managing risk posture and benchmarking data, in addition to authoritative source reporting, including a fully customizable view of the HITRUST CSF.
Summary:
DO get an annual subscription to MyCSF. On average, an organization going through a HITRUST Validated Assessment for the first time takes between nine and 24 months to get certified.
DON’T underestimate the time it takes to complete a HITRUST certification. HITRUST certification takes several months to complete and submit.
The process
Properly scope the HITRUST process
It can be easy to assume you have all the pieces you need to move forward with your assessment. But you don’t want to discover mid-way through an assessment that you forgot to include something important. After all, HITRUST has a 90-day maturation period that requires new controls to be implemented for 90 days before testing. So, if you implement a new control at any point during the assessment, it will reset your testing time frame.
Invest the time early on to complete a thorough scope of the HITRUST process so you understand every piece that will be required. Proper scoping with your assessor firm from the beginning will set you up for success.
Summary:
DO engage with a HITRUST External Assessor Firm for assistance with scope definition and related exclusions. Note that HITRUST does not certify processes, locations, people, or mobile applications — only implemented systems. Someone must also define other organizational, geographical and regulatory factors if your organization is required to report on additional security and/or privacy frameworks, such as SOC 2, ISO 27001, PCI-DSS, NIST 800-171, GDPR, etc.
DON’T define the scope of a first-time HITRUST Validated Assessment on your own. Changing scope late in the assessment process can result in long delays or months of remediation and rework, so it’s important to define the scope accurately from the beginning.
Start with a readiness assessment
Working with your assessor firm to leverage a readiness assessment can help identify gaps and provide tangible recommendations to remediate those gaps. This is all about preparation; it is invaluable to learn to recognize the areas where you may experience setbacks or delays and work to fix them before they impact the overall assessment.
Summary:
DO have a HITRUST-approved External Assessor Firm guide you through a comprehensive Readiness Assessment to learn about the assessment process, review and discuss requirements, identify gaps, provide remediation recommendations, and adequately prepare for a Validated Assessment.
DON’T assume that other compliance audits, such as SOC 2, ISO 27001, or PCI DSS, will adequately prepare you for a HITRUST Validated Assessment.
Continuously monitor & improve
HITRUST is not a one-and-done certification. Though the certification is good for two years, it’s a continuous improvement and monitoring assessment. Therefore, during your interim year, spend the time working through CAPs to show HITRUST you’re doing remediations so you can maintain your certification.
It can also be helpful to build a calendar to ensure you can clearly map out the requirements for your certifications. This, coupled with an internal governance committee, can help the organization understand how to move through the calendar year and meet the various requirements for certification.
Summary:
DO dedicate resources to ongoing efforts. For example, develop a compliance calendar to monitor controls and ensure continuous improvement with no control degradation.
DON’T view HITRUST as a “one and done” certification.
Prepare for HITRUST today
The best way to set yourself up for success when it comes to a HITRUST assessment is to make the time and resource investment upfront. Hire an external assessor firm that understands your business and industry and has proven HITRUST certification success. Spend time with your assessor to ensure you understand everything you’ll need for your HITRUST assessment with a thorough scoping effort. And create a calendar that helps you understand the requirements for each of your certification efforts.
After all, proper planning equals HITRUST success.
Download our HITRUST checklist now!
How to Share Your Cybersecurity Assessment with Your Professional Community
A-LIGN’s SVP of Marketing, Brian Gladstein, has been sharing ideas and best practices for getting the word out about your cybersecurity assessment. As the final post in this series, Brian discusses sharing your cybersecurity assessment with your professional community and how to promote your commitment to their security.
Recently I’ve been sharing ideas and best practices for getting the word out about your cybersecurity assessment, and how your SOC 2 report, ISO 27001/27701 assessment, or FedRAMP certification can demonstrate to customers and business partners the commitment you make to their security. If you’ve been following along, you first learned how to announce your cybersecurity assessment with a press release. Then, we talked about how to best feature this assessment on your website and next we dove into how to win more deals by arming sales with your assessment. If you haven’t been following along, take a few minutes to check these articles out!
As my final post in this series, I would like to share with you one more method – perhaps the most rewarding method because it’s the most personal. It’s time to talk about sharing your cybersecurity assessment with your professional community.
Why should I share our assessment with my professional community?
At first you might think, why would I do that? What you may not realize is that not everyone has been through the cybersecurity audit process. Many members of your community may be new to the idea, unsure of where to start and feeling a bit overwhelmed. Audits can be intimidating. Chances are, you learned a lot during this process – and others starting down the path will no doubt benefit from the wisdom you’ve acquired.
As security professionals, we are all eager to learn, improve and do better. Since you’ve successfully navigated an assessment, you now have something to contribute to not only your community but conversations occurring on social platforms, like LinkedIn or Twitter.
I’d go so far as to say: it’s your obligation to contribute and teach others what you’ve learned. That’s what we do in cyber.
Talk about your security program, without actually talking about your security program.
I’ve been in the cybersecurity industry for a long time and, as a marketer always trying to get customers to provide a testimonial or participate in a case study, one hard reality about the security industry is that people are extremely hesitant to talk about their security program publicly. It’s understandable because of the inherent risks associated with sharing too much information. Why give an advantage to the adversary? If you disclose, for example, what products you use, you might open yourself up to an attack from a hacker who has an exploit for that particular product. It can be scary stuff.
This overarching concern sometimes does a disservice to the cybersecurity community because people may not share important lessons learned that can actually make a difference. That’s where your assessment opens a door.
Your assessment gives you a way to talk about your security program without actually talking about your security program. Use your cybersecurity assessment to publicly discuss controls, best practices, policies, incident response, problems you’ve solved, and more. In the context of the report, you find a rich supply of information and a way to discuss it that doesn’t require the disclosure of sensitive information or how you are operating your security apparatus.
You get to share important lessons learned in a safe way – it’s a win/win for everyone.
Cybersecurity professionals: Detectives, problem solvers, heroes
Listen, defenders need to work together. We are stronger when we do.
The bad guys are already working together – there’s an entire dark economy out there of malware, exploits and botnets that can be assembled to execute attack after attack. Smart defenders know that to protect against these coordinated, complex threats, we need to do the same thing on our end.
By nature, security professionals want to share their intel, knowledge and best practices with each other – it’s what we do! As a cybersecurity professional, you are a detective, a problem solver, a hero. Get out there and tell your story. Your community needs to know and we will all be better for it!
Four practical ways to share your cybersecurity assessment
There are a number of ways to share your security assessment with your community. Here are four that come to mind:
- Speak to other professionals, one on one. Discuss what you learned during your assessment, where your gaps were and how you addressed the gaps. Answer questions that people are asking individually. You’ll quickly learn what to say and what not to say so you keep sensitive information to yourself, while still passing on your knowledge.
- Give a talk at a local chapter meeting of ISACA, (ISC)2, OWASP, or any other regional security meetup. It’s a safe setting where people gather to learn directly from each other and hey, it’s what members are there for. Lay out some of the core elements of your security program and how you and your auditor worked together to provide assurance.
- Microblog on social media. LinkedIn and Twitter are great places to drop little pieces of your story and lessons learned. You’ll help others and build your own reputation while creating buzz for your company.
- Apply for speaking engagements and ‘calls for papers’ at larger conferences. You may have a story that lots of people want to hear, and events like Black Hat and the RSA Conference are great venues for just that. Don’t feel comfortable taking the stage alone? Find a trusted vendor and they will almost certainly help you create slides, tell your story, and network with people at the event.
As a cybersecurity professional, you are on the front lines protecting information, protecting our families, protecting our businesses. Your assessment report demonstrates that you are doing the right things, and there are thousands of people out there who can benefit from your knowledge. Get out there and tell your story. And as always, if you need help, give me a shout!
HITRUST vs. HIPAA: Which Is Right for My Organization?
When researching regulations and requirements in the healthcare industry, many organizations come across both HITRUST and HIPAA. As a result, they may ask themselves: “What are the differences between HITRUST vs HIPAA and which should I choose?”
It’s not an apples-to-apples comparison. Here’s why:
- HIPAA is a U.S. law that includes a set of safeguards that covered entities and business associates must follow to protect health information.
- HITRUST is a certifiable security and privacy framework with a list of prescriptive controls/requirements that can be used to demonstrate HIPAA compliance. HITRUST has also been mapped against over 40 other standards, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Federal Information Security Modernization Act (FISMA), PCI DSS, and ISO 27001, that can be added to the scope of a HITRUST certification.
Trying to determine if HITRUST or HIPAA is better for your organization is actually the wrong question. Instead, ask yourself, “What is the best method for demonstrating HIPAA compliance within my organization?”
Let’s look a little closer at HITRUST vs HIPAA and why you might choose the HITRUST CSF as a means to achieve HIPAA compliance.
What is HIPAA?
HIPAA is a U.S. federal statute signed into law by President Clinton in 1996. In addition to giving workers the ability to carry forward health insurance coverage between jobs, HIPAA defines requirements that covered entities (i.e., health plans, healthcare providers, and healthcare clearinghouses) and their business associates must follow to protect patient information.
These information security and privacy requirements are defined according to three rules:
- The HIPAA Privacy Rule: Sets national standards for when patients’ protected health information (PHI) may be used and disclosed.
- The HIPAA Security Rule: Outlines measures that covered entities and business associates must take to protect patients’ electronic protected health information (ePHI).
- The HIPAA Breach Notification Rule: Requires that covered entities notify affected individuals and the U.S. Department of Health and Human Services (HHS) in the event of a breach of unsecured PHI, and also notify the media when a breach affects more than 500 residents of a state or jurisdiction.
Important updates to HIPAA
Recently there have been several important updates related to HIPAA that are worth noting. One is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was signed into law on February 17, 2009 by President Obama. The HITECH Act encourages the use of electronic health records (EHR) by providing financial incentives for healthcare organizations that can prove they have implemented EHR. The HITECH Act also allows for more severe penalties to be levied against covered entities and their business associates for HIPAA noncompliance.
Another important update to HIPAA, the HIPAA Safe Harbor Bill, was signed into law on January 5, 2021 by President Trump. This law amends the HITECH Act so that HHS and its Office for Civil Rights (OCR) must recognize and encourage security best practices for HIPAA compliance. Specifically, HIPAA Safe Harbor requires HHS to consider, when determining financial penalties and the length and extent of audits, whether a covered entity or business associate can prove it has had “recognized security practices” in place for at least the prior 12 months.
How can an organization prove HIPAA compliance?
Though the HIPAA Security Rule requires organizations to conduct periodic risk analyses and evaluations of their safeguards, it does not provide an official framework or methodology for verifying compliance with the law.
So how can an organization prove HIPAA compliance? There are two primary frameworks we recommend for organizations that handle PHI to maintain compliance with HIPAA regulations:
- A System and Organization Controls (SOC) 2 examination + HIPAA - This allows an organization to examine the necessary safeguards in order to validate HIPAA compliance. The organization going through the examination develops management’s controls to address the proper safeguards. A SOC 2+HIPAA examination can only be performed by a licensed Certified Public Accounting (CPA) firm.
- HITRUST CSF - This is a comprehensive security and privacy framework that can be used to certify against HIPAA requirements, as well as other standards and regulatory requirements. Unlike SOC 2, the HITRUST CSF prescribes the specific controls that must be in place to address HIPAA requirements based on the organization’s risk factors. HITRUST is also the only body that issues a formal certification covering the HIPAA requirements; note, however, that HHS does not endorse or recognize any third-party certification as proof of HIPAA compliance, so a HITRUST certification is strong evidence of compliance rather than a legal safe harbor in itself.
What is HITRUST and HITRUST CSF?
HITRUST was founded in 2007 to help healthcare organizations better manage information security systems and protect their data. HITRUST is perhaps most well known for developing the HITRUST CSF, described above, which is used by thousands of organizations around the world to efficiently manage regulatory compliance and risk management.
The HITRUST CSF was originally tailored for the health industry, but with the release of CSF 9.2 in January of 2019, it transitioned to better align with other existing international privacy frameworks by adopting a more industry-agnostic approach. Prior to 2019, every HITRUST CSF examination included HIPAA compliance by default, but now it is an optional regulatory factor that must be selected as part of an assessment.
Regardless, HITRUST CSF remains one of the premier security frameworks used to demonstrate HIPAA compliance. HITRUST has even released official documentation demonstrating that the HITRUST CSF meets all the requirements outlined in the HIPAA Safe Harbor Law.
The HITRUST CSF “assess once, report many” approach also allows organizations to choose the frameworks and controls they want to initially be tested against and add more in the future if they choose.
Why choose HITRUST for HIPAA compliance?
When not contractually obligated to use the HITRUST CSF, some organizations opt for SOC 2+HIPAA or a self-assessment because of the higher cost and somewhat significant time and resource requirements of HITRUST CSF.
However, there are benefits to leaning on HITRUST CSF for HIPAA compliance. Because of its strict and prescriptive nature, the HITRUST CSF has established itself as a gold standard for organizations to demonstrate they have the necessary controls in place for data protection.
Additionally, leveraging HITRUST CSF includes other benefits, such as:
- Extended duration: Organizations have a two-year certification with the HITRUST CSF (with an interim assessment after the first year), compared to SOC 2 validation which requires annual completion.
- Social proof: The HITRUST CSF has developed a widespread positive reputation for compliance.
- Options to easily adopt additional regulatory standards due to the fact that it is comprehensive, scalable and flexible: The HITRUST CSF has mapped controls to more than 40 standards across various industries worldwide and, with a dedicated research team that is specifically tasked with mapping security frameworks, can quickly get up to speed on any new laws and regulations.
As a growing number of privacy laws continue to roll out internationally, HITRUST CSF will likely continue to expand and map to new legislation. In fact, the HITRUST research team mapped the General Data Protection Regulation (GDPR) within six months, and HITRUST has applied to become the premier certification body for GDPR. This is also why organizations in industries such as travel and hospitality, utilities, energy, etc., are adopting HITRUST.
HITRUST vs. HIPAA: Asking the right question
As mentioned before, asking if the HITRUST CSF or HIPAA is better for your organization isn’t the right question. The more appropriate question is, “What is the best option for demonstrating HIPAA compliance within my organization?”
HITRUST CSF is one reliable way to demonstrate HIPAA compliance. In fact, it is the only framework under which an organization can obtain a formal certification that covers the HIPAA requirements (keeping in mind that HHS itself recognizes no HIPAA certification). For this reason, the HITRUST CSF is often utilized and sometimes contractually required by organizations in the healthcare industry.
If you’re preparing your organization to be HIPAA compliant, HITRUST CSF certification may be a valuable investment.
ISO/IEC 27701 is the first certification for privacy. By combining ISO 27701 and ISO 27001, organizations can build trust, prepare for privacy regulations, and more.
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) issue many guidelines and frameworks for organizations. These can range from cybersecurity readiness to business continuity standards and beyond.
In 2019, ISO expanded ISO 27001, a popular and longstanding cybersecurity framework, with ISO 27701, a new standard focused on creating a Privacy Information Management System (PIMS). The standard has generated excitement in the compliance world, as it is the first certifiable standard for privacy. In other words, ISO 27701 represents the first way an organization can actually become certified by a third party against a set of privacy controls, rather than merely asserting compliance with standards and regulations.
However, ISO 27701 is not a standalone standard. Rather, the original ISO 27001 cybersecurity framework serves as a foundational chassis, and organizations can add on additional ISO standards, such as ISO 27701, that work well for the specifics of their business.
Organizations may wonder: what are the benefits of combining ISO 27701 and ISO 27001?
We will walk through five key benefits of adding the new ISO 27701 standard onto the core ISO 27001 framework.
1. Builds Trust with External Stakeholders
Today, much of our personal lives and our work happen on the internet, whether through applications, websites, or other form factors. Everyone is concerned about their personally identifiable information (PII), and no one wants it to fall into the wrong hands. Each year there are data breaches that raise new security and privacy concerns. Consent, transparency, and security are more important than ever.
As privacy concerns continue to grow amongst regulators and consumers alike, organizations are increasingly interested in improving their privacy policies and offering proof that they take privacy seriously. While there are many cybersecurity frameworks covering data privacy, none of them provide a dedicated privacy certification. Organizations can demonstrate compliance, however, they don’t get an official certification from a governing body.
ISO 27701 is the first certification for privacy.
For organizations, having a certification for privacy can help build trust with partners, vendors, customers, and other stakeholders. Having ISO 27701, in combination with the internationally-respected ISO 27001 framework, demonstrates your organization’s commitment to privacy. Organizations that hold an ISO 27701 certification must undergo surveillance audits each year, so your external stakeholders can feel confident that your organization is executing against best practices in accordance with ISO standards with a formal PIMS in place.
Organizations are recognizing the value of ISO 27701 and ISO 27001. For example, Microsoft accepts ISO 27701 and ISO 27001 as a replacement to their own Supplier Security and Privacy Assurance (SSPA) program requirements. This demonstrates Microsoft’s strong trust in ISO’s frameworks and in ISO 27701’s privacy controls and data protection measures in particular.
2. Strategically Certify Parts of Your Business
Data moves through organizations in different ways depending on multiple factors. No two organizations are quite the same, and in some situations, the same organization can be both the controller and the processor of PII simultaneously.
Some of the factors influencing an organization’s status as a controller and/or processor can include:
- Industry (or industries) served
- Business model, such as software-as-a-service (SaaS)
- Regional or international presence
- Partnerships and subcontractor relationships
- And more
However, because an organization may be both a controller and a processor of data at the same time, their data may not be subject to the same controls, depending on how it intersects with specific business activities.
ISO 27701 is beneficial because it can be applied only to specific portions of an organization. In other words, an organization can carve out compliance as a controller or a processor of data—it does not have to get a blanket certification for the entire business. This is helpful for organizations with complex business models, where different sets of data may or may not require the same controls, include PII, etc.
This feature differentiates ISO 27701 from regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which apply to the entire organization. Under these laws and regulations, the organization as a whole must be compliant, regardless of the type of data or the organization’s role in generating, storing, or working with the data. ISO 27701 also differs from other standards, such as ISO 27018, which is a code of practice rather than a certifiable management system standard and only applies to protecting PII in a public cloud — a much narrower range of applications.
Together, ISO 27001 and ISO 27701 enable organizations to strategically certify the portions of their business that require the strictest privacy protection.
3. Supports Several Privacy Laws and Regulations
As noted, privacy is a growing concern for regulators and consumers alike. The rise of new privacy laws and regulations has forced organizations to think differently about their privacy programs.
In fact, our research found that 48% of organizations claimed privacy regulations generated extra work. This rise is also making organizations more aware of the controls they need: 35% said they needed a higher level of cybersecurity controls.
ISO 27701 maps against several key privacy regulations, which enables companies to more easily and strategically meet key regulations.
For example:
- ISO 27701 and the GDPR: ISO 27701’s privacy controls can help an organization demonstrate compliance with certain aspects of the GDPR, though it does not equate with GDPR certification. However, ISO 27701 does map to this landmark regulation in several ways. For example, the GDPR includes certain Articles that can be mapped back to the roles, responsibilities, and controls put forth in ISO 27701.
- ISO 27701 and CCPA: Driven by the state of California in the U.S., the CCPA includes articles and language very similar to GDPR, which has become the gold standard on which many up-and-coming privacy regulations are based. ISO 27701 doesn’t specifically map directly to the CCPA. However, due to the law’s similarities to the GDPR, ISO 27701 can help organizations comply with the controls and requirements of CCPA.
For organizations working to comply with GDPR, CCPA, or other privacy regulations and laws, ISO 27701 and ISO 27001 provide the scaffolding to build a strong compliance program. Again, it is not a replacement for any of these privacy laws and regulations, and it does not guarantee compliance. However, it can help your organization build an information security management system (ISMS) and a PIMS that can meet some of the requirements of the GDPR, CCPA, and others.
4. Integrates with Your Existing Audit
Many organizations are completing numerous audits every year — in fact, our 2021 Compliance Benchmark Survey also found that 85% of respondents conduct more than one audit each year. With a busy slate, the last thing anyone wants is more audits and assessments.
Because ISO 27701 only exists in tandem with ISO 27001, the standard does not add significantly to the auditing process. Organizations with ISO 27001 in place can simply integrate ISO 27701 into their existing ISO audit and assessment.
For organizations looking to complete the core ISO 27001 framework for the first time, adding ISO 27701 is not a huge undertaking. It can be worked into the overall process of creating an ISMS, collecting the necessary evidence, and assigning responsibilities to key personnel.
5. Grows with Your Organization
As organizations grow, the type of data processed may expand and can result in additional compliance obligations. For example, fast-growing organizations may:
- Expand to new geographic areas
- Bring on new partners, vendors, or subcontractors
- Drive business in new industries or sectors (some of which may include PII and be highly regulated, such as healthcare)
- Work with distributed teams across countries
- And more
Meeting cybersecurity and privacy requirements is an ongoing process that can be made easier by building a framework that can be expanded as regulatory requirements continue to evolve.
Having a PIMS in place is an excellent way to ensure your organization has a defined management system that can adapt to new cybersecurity and privacy obligations. As new workstreams start-up, regulations come into play, and data enters the company, you will already have the framework needed to handle everything smoothly. Together, ISO 27701 and 27001 create that framework to handle increasingly complex compliance requirements.
ISO 27701 and ISO 27001: Better Together
ISO 27701 and ISO 27001 represent a powerful package with many benefits to organizations. With the underlying framework of ISO 27001 creating a strong ISMS and ISO 27701 ensuring a certifiable commitment to privacy controls, organizations can clearly demonstrate their maturity relative to cybersecurity and privacy. This can give peace of mind to stakeholders such as customers and vendors. Enhance your privacy by combining ISO 27701 and ISO 27001, and continue your compliance journey.
How to Win More Deals by Arming Sales With Your Cybersecurity Assessment
Your sales team is one of the most powerful tools you have to get the word out about your cybersecurity assessment. A-LIGN’s SVP of Marketing, Brian Gladstein, describes how to arm them with your audit report and teach them how to use it so they can win more frequently and close more deals.
In this post, I’ll continue to explore ways of getting the word out about your cybersecurity assessment – SOC 2, ISO 27001, HITRUST, FedRAMP, or any of the others – once that report has been delivered. Third-party cybersecurity assurance is fundamental in ensuring that businesses can trust each other when it comes to sensitive data or private information. So if you aren’t including your final report as part of your sales and marketing efforts, it’s almost as if you never completed it in the first place.
So far we’ve talked about announcing your assessment with a press release and featuring your audit report on your website. Those are both very important steps, but they don’t necessarily deliver your report to a prospect at exactly the time it’s needed – nor are they able to relate the audit to the specific nature of the business partner sitting across the table from you. For that, you need to turn to one of the most powerful tools you have in your arsenal – your sales team.
Your sellers are on the phone and in email, having one-on-one conversations with customers every day. They shape the discussion and frame the competition. They provide compelling answers to specific questions with finesse. If your cybersecurity assessment is a weapon, your sales team is the army that can most effectively wield it.
Don’t “Throw It Over the Wall”
Sales people are generally creatures of habit. They look for signals of success in the relationships they maintain and rely on proven patterns to drive opportunities forward and ultimately close deals. That can make it difficult to introduce something new to your sales team, especially if they don’t instinctively know how to use it and where it fits.
I’ve spent most of my career as a marketer working closely with sales, and I’ve learned over and over again (sometimes painfully) that the best way to ensure your new materials are ignored is to “throw it over the wall” to sales. So don’t do that.
Instead, you need to work hand-in-hand with your counterparts in sales. Understand the process they go through and how they use various tools at their disposal to overcome challenges and objections. What you will likely find is that there are a few places where your assessment can easily fit into their process. I’ll get into the most likely candidates below – but the point is that by understanding their needs, and fitting into their workflow, you can make it easy for them.
Work With Sellers to Understand What They Need
In most sales teams you’ll find a few individuals who love to experiment and try new things. It can be hard to change the behavior of a full team, but if you lock arms with these scrappy sellers and get a couple successful examples under your belt, the rest of the team will look to duplicate those patterns and it’ll make adoption much easier.
Generally, it won’t be difficult to figure out who these team members are – just ask around. Once you do, grab some time with them, explain how a cybersecurity assessment can be used to put your competition at a disadvantage, and explore how they might use the report. Here are some questions to ask:
- Do customers ever require us to fill out a security questionnaire?
- When in the sales process do we normally position our technical strengths?
- At a typical customer, what roles care about security the most?
- Which competitors haven’t gone through their audit process – and how do we use our report against them?
Build Your Sales Enablement Plan and Materials
A productive conversation with those key sales reps should help you put together everything you need for enabling the rest of the team, including:
- Specific language that describes the report and its benefits that the sales team can use in emails, messages, and phone calls
- Where in the sales process a rep would most likely introduce the report
- An understanding of why the sales rep will benefit – for example, closing deals faster or winning more against a key competitor
From there, you’ll want to prepare your materials. The following items are a good example of what you might need, but obviously your plan will depend on the specific needs of your organization.
Messaging & Sales Tool: Capture all the relevant information into a single tool that sales can use. Include messaging that articulates how reps should describe the report, as well as ways to handle questions or objections that may come up. Include links to where they can download the report when needed, and your own contact information for when they need additional help.
Presentation Slide: Most sales teams have a standard presentation deck they use when meeting with customers. Prepare a slide to include in the presentation that displays your report and includes high-level information about the nature of the report and who your independent auditor is. Be sure to articulate the benefits to the customer – materials like this should always speak directly to what the customer cares about.
Sales Process: Help your sales team understand when and how to introduce your audit report by incorporating appropriate steps into their sales process. It’s not a bad idea to describe this in the sales tool you create (above). Most sales teams manage their process through a CRM that allows reps to access documents and trigger processes they need at exactly the right time on a customer-by-customer basis. If you have a Sales Operations team they should be able to help here.
Proposal Template: Finally, include a reference to your audit report in your standard proposal template. This single document tends to be the culmination of all your strong selling points combined with the actual financial proposal that goes out to the customer. It’s a great place to provide a succinct statement on how you take your customers’ security seriously.
Train the Team and Roll It Out
Take a few minutes in a weekly sales call to train the team. Show them where all the resources are, walk through the messaging and the process, and ask that pioneering sales rep who helped you understand the dynamics of the organization in the first place to help bridge the gap.
Once the team has been trained, check in with them every so often to see how it’s going. Make adjustments where needed and celebrate any wins in a public way to reinforce the value that your cybersecurity assessment provides.
Working with sales teams and playing a role in winning business can be exhilarating. I always love talking about this, and any other aspect of marketing your audit report. Contact us if you’d like to chat more!
CPRA vs. CCPA: What’s the Difference? 6 Key Changes to Understand
Less than one year after the CCPA took effect, California passed another consumer privacy law: the CPRA. Here are six changes to help you understand the differences between CPRA vs. CCPA.
In 2018, the state of California passed the California Consumer Privacy Act (CCPA), a landmark piece of legislation that secured several privacy rights for California consumers.
Less than a year after the CCPA took effect on January 1, 2020, in November 2020, Californians voted to approve Proposition 24, creating the California Privacy Rights Act (CPRA) of 2020. The CPRA can be thought of as a more comprehensive version of the CCPA, updating, modifying, and extending certain rules and stipulations to increase the rights of California consumers.
Wondering what the differences are between CPRA and CCPA?
We have highlighted six key differences that we’ll explore in this post. Read on to find out the impact the CPRA may have on your organization.
Difference #1: Updated Criteria for Qualifying as a Business
Under the CPRA, an organization can classify as a business if they are a legal entity that is operated for profit, involves the collection of California consumers’ personal information (PI), determines the purposes and means of processing PI, and satisfies one or more of the following conditions:
(A) Has an annual gross revenue of over $25 million in the preceding calendar year
(B) Alone, or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households
(C) Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information
Most notably, the CPRA doubles the CCPA’s threshold criteria of 50,000 California consumers or households within condition B. It also expands the CCPA’s definition in criteria C, including annual revenue derived from sharing PI in addition to selling it.
Potential Impact
This change in criteria means that some small to midsize businesses that have to comply with the CCPA may not fall under the scope of the CPRA. Because the CPRA increases the number of consumers or households in criteria B (from 50,000 in the CCPA to 100,000 in the CPRA), the new law may actually reduce the number of businesses that qualify under that threshold. However, the inclusion of “sharing” related to deriving 50% or more of annual revenue from selling or sharing consumers’ personal information in criteria C may potentially increase the number of organizations that would qualify as a business under that threshold.
Difference #2: A New Category of Highly Protected Data
The CPRA introduces a new category of protected data: sensitive personal information (SPI). This concept is very similar to Article 9 of the General Data Protection Regulation (GDPR)—”Processing of special categories of personal data”—which calls for a greater level of data protection due to the sensitivity of the personal information. The addition of this new data category may require businesses to implement additional technical and operational controls to process such data and to limit the use and disclosure of SPI according to consumers’ rights under the CPRA.
The CPRA imposes specific requirements and restrictions on SPI, giving users expanded rights to control businesses’ use of their personal information. These new requirements include:
- Updated disclosure requirements
- Purpose limitation requirements
- Opt-out requirements for use and disclosure
- Opt-in consent requirements after a previously selected opt-out
Potential Impact
The introduction of SPI means that businesses, as defined by the CPRA above, must be especially vigilant to protect this class of data and respond accordingly when a consumer decides to opt out. If a business intends to process consumers’ SPI as defined within Sections 1798.121 and 1798.135 of the CPRA, then there are additional requirements that must be implemented. For example, businesses that store SPI must include a clear and conspicuous link on their websites titled “Limit the Use of My Sensitive Personal Information” that enables consumers to restrict the processing of their SPI.
Difference #3: New and Expanded Consumer Privacy Rights
There are five consumer privacy rights that are present in the CCPA that have been modified under the CPRA. These rights are:
- Right to Opt-Out of Third-Party Sales and Sharing: The CCPA allows consumers to opt out of businesses selling their data. The CPRA expands this right to include the sharing of personal information, in addition to selling. The CPRA defines sharing as “disclosing, disseminating, making available, transferring, … a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration …”
- Right to Know: The CCPA requires that businesses respond to consumer requests to know personal information that was collected within the prior 12 months. The CPRA extends this timeline, enabling consumers to potentially request personal information collected beyond the prior 12-month window under certain circumstances.
- Right to Delete: Through the CCPA, California consumers can request that a business delete their personal information if it is no longer needed to fulfill one of the purposes listed in Cal. Civ. Code Sec. 1798.105 (e.g., security needs, debugging). The CPRA will also require businesses to send the request to delete to third parties that have bought or received the consumer’s personal information so that all parties are aware that it must be deleted, subject to some exceptions.
- Right to Data Portability: The CCPA includes a “right to know”, which means that consumers have the right to receive a copy of their personal information by mail or electronically. Now, under the CPRA, a consumer can request that a business transfer specific personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.”
- Opt-In Rights for Minors: The use of minors’ data is a general concern within the law, and the CCPA requires that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years of age. The CPRA goes one step further, mandating that businesses wait 12 months before asking a minor consumer for consent in selling or sharing their personal information after the minor has declined. It also states that the opt-in right must explicitly include the sharing of data for cross-context behavioral advertising.
In addition to expanding several of the CCPA’s consumer privacy rights, the CPRA also introduces four brand-new consumer privacy rights that are not present in the CCPA:
- Right to Correct Information: A consumer has the right to request that a business correct any inaccurate personal information.
- Right to Limit Use and Disclosure of Sensitive PI: A consumer has the right to limit the use and disclosure of their SPI to that “use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.”
- Right to Access Information About Automated Decision Making: A consumer has the right to request “meaningful information about the logic involved in those decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
- Right to Opt-Out of Automated Decision-Making Technology: A consumer has the right to opt out of being subject to automated decision-making processes, including profiling.
Potential Impact
Businesses must ensure that they are prepared to comply with the CPRA’s new and expanded consumer privacy rights. They will need to develop strong processes and controls to ensure they are both capable of and prepared to respond swiftly to consumer requests. Many businesses may need to make significant changes to their existing security and privacy-related controls, hire additional personnel, or contract third-party services to help them prepare for CPRA compliance.
Difference #4: Adoption of Select GDPR Principles
The GDPR has served as a template for many new privacy regulations, including the CPRA. For example, the GDPR enforces the concepts of data minimization, purpose limitation, and storage limitation. These principles are not included in the CCPA, but they are now codified as part of the CPRA:
- Data minimization: The requirement that “a business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”
- Purpose limitation: This requires that businesses “only collect consumer’s personal information for specific, explicit, and legitimate disclosed purposes, and should not further collect, use, or disclose consumer’s personal information for reasons incompatible with those purposes.”
- Storage limitation: This requirement addresses “the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
Potential Impact
By codifying these principles explicitly in the CPRA, California has authorized the state regulator to enforce, and potentially penalize, a business’s failure to 1) reasonably limit the collection of personal information to what is necessary for the purpose for which it was collected, and 2) limit the retention of personal information to the least amount of time necessary to fulfill the purpose for which it was collected.
Difference #5: Expansion of Legally Actionable Data in a Breach
Data breaches are a serious concern for businesses of all sizes. When a breach occurs, hackers can extract sensitive information, which puts both the business and consumers at risk. In the event a data breach occurs, the CCPA gives consumers the private right to take legal action if their nonencrypted or nonredacted personal information becomes exposed because a business failed to implement reasonable security procedures and practices appropriate to the nature of the information processed. While the CPRA does not explicitly alter this right, it does add consumer login credentials to the list of personal information categories that may be actionable under the law.
Potential Impact
Many organizations suffer as a result of a data breach, as hackers gain access to personal information and exfiltrate that data from the boundary of the system. The CPRA’s expansion of scope to include login credentials as a legally actionable personal information security breach may be a response to the wave of authentication hacks affecting consumers in recent years. In addition to more advanced layers of data encryption, many businesses may want to require multi-factor authentication as an additional security layer.
Difference #6: Creation of a New Privacy Enforcement Authority
The CCPA was originally enforced by the California Office of the Attorney General (OAG). The CPRA shifts this authority by establishing the California Privacy Protection Agency (CPPA) and granting it investigative, enforcement, and rulemaking powers.
Potential Impact
The CPPA’s outlined role in enforcing the CPRA is a notable change from the CCPA. The codification in Section 1798.199.10 provides instruction regarding the CPPA including, “[t]he agency shall be governed by a five-member board, including the chairperson. The chairperson and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.” It remains to be seen how this new agency will wield its authority, but we expect that we will see an increase in the number of investigations and enforcement actions taken by the CPPA.
Start Preparing for CPRA Compliance Today
Although not all aspects of the CPRA take full effect until January 1, 2023, organizations that do business in California should start laying the groundwork for CPRA compliance throughout 2021 and 2022. If you currently have measures for the CCPA in place, now is the time to perform a gap assessment based on the information available regarding the CPRA.
To prepare for the CPRA, organizations can take proactive steps such as:
- Conducting a data-mapping exercise to identify and document what PI will fall under the scope of the CPRA.
- Updating privacy notices to reflect the new and modified consumer privacy rights and related disclosure obligations.
- Reviewing downstream data-sharing practices and informing third parties that they may be required to comply with these new regulations.
By understanding the full scope of the CPRA and designing a thoughtful roadmap toward full compliance, companies can avoid the potential impacts of non-compliance once the CPRA is fully operative.
How to Feature Your Cybersecurity Assessment on Your Website
A cybersecurity assessment like a SOC 2 or an ISO 27001 certification is a statement about your commitment to protecting information. This post looks at examples of how leading companies give that report a permanent home on their websites and provides best practices so you can do the same.
A cybersecurity assessment like a SOC 2 examination or an ISO 27001 certification is much more than just a document – it’s a statement. Specifically, these reports communicate to your customers, prospects, and business partners that you take cybersecurity seriously, and you can be trusted with their sensitive information. So, it’s a great idea – in fact, a competitive advantage – to spread the word.
In my last post, I talked about that first step – announcing your assessment with a press release. But your report lives beyond that initial announcement, which means you need to give that report (or some form of it) a permanent home on your website where it can be accessed any time it’s needed. We’ll look at some real-world examples of how companies do just that.
Isn’t my compliance report a “need-to-know” document?
You might say, “My compliance report should only be given to a customer on a need-to-know basis after an NDA is signed. It’s too much information to put on a website.”
There’s a lot of truth to that – in a literal sense. Some documents are meant to be public (like a SOC 3 report, for example), but in general, compliance reports are reserved for specific situations where a non-disclosure agreement is in place. You may even find explicit instructions on what the report should be used for, such as the Restricted Use section of a SOC 2 report.
However, none of that precludes you from talking about the fact that you have completed cybersecurity assessments and discussing the security principles and policies behind them. Today’s companies, surrounded by a barrage of reports about breaches and data leaks, want to trust the companies they transact with. Your reports are the meaningful, widely accepted evidence that backs up your claims.
Let’s look at some examples
I think one of the best ways of understanding how you can feature your assessments on your website is to look at examples of some great companies who have done an excellent job at this. Let’s check out four.
Example 1: Snowflake
Snowflake is a fast-growing data platform company that made news in September 2020 as the largest-ever software IPO (SNOW). As a company that provides customers with a cloud-based data warehouse, you can imagine how important it is for Snowflake to demonstrate trust to all its business partners.
Snowflake has created a Security and Trust Center, with several different options for learning about various aspects of Snowflake’s approach to security throughout its platform, including a dedicated page listing its security and compliance reports. From here, a short description explains each report, with instructions on how to obtain them – specifically, acquiring an NDA and filling out a contact form. Note the following:
- Snowflake displays all its certification badges proudly across the main trust center page
- It includes simple, clear explanations of each of the certifications it goes through
- It provides a straightforward process for requesting a report, conditioned on meeting specific criteria
Example 2: Salesforce
Salesforce, the original SaaS company, is the 800-pound gorilla when it comes to anything related to customer relationships. Those relationships are sacred, so obviously Salesforce needs to demonstrate to their customers how seriously they take security.
Salesforce has a much larger library of certification reports given the breadth of their business and has taken a more direct approach to presenting their certifications. Looking at their site, one might assume they expect visitors to know what they are looking for, so all the certifications are laid out in an easy-to-navigate grid form, with little additional context, so the user can drill down and get exactly what they need. Some observations:
- The Salesforce compliance center sits on its own domain: compliance.salesforce.com
- Each report is broken down by product, date, and infrastructure
- Access to most reports is protected with your Salesforce credentials
Example 3: Asana
Asana is a popular project management application – in fact, my marketing team here at A-LIGN depends on Asana for almost all our projects! Since Asana’s customers, like us, rely on the tool every day to coordinate teams and keep work moving, we need to know that our information is protected.
Asana’s approach is to communicate a message of trust to their customers. Personally, I’m a big fan of customer-focused messaging, and I appreciate how Asana has laid out their story. They place their certification badges at the bottom of their page, providing links to publicly accessible reports. In particular, they provide a link to their SOC 3 report, which as the AICPA states, is “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report.” Some things to notice:
- Everything, including the URL asana.com/trust, speaks directly to their customer commitment
- They use clear language and graphics to explain their entire approach to security
- They focus on publicly available resources to instill confidence in their security program
Example 4: Freshworks
Finally, let’s check out Freshworks. Freshworks is an engagement platform for employees and customers, so like some of our other examples, it’s pretty clear why protecting information related to those groups is so important.
Freshworks has a very advanced Security Center on their website, with multiple pages for different audiences (customers and developers), a trust center, best practices, resources, and even an area for responsible disclosure. What I like most about their site is how thought-through it is, with so much information and such a high degree of transparency. In website terminology, we call this a microsite – an entire area devoted to one concept, with a defined purpose and its own navigation and structure. Here are some things worth pointing out:
- The microsite contains a rich FAQ area with answers to common questions
- It includes a breakdown of many of their security processes and how they impact different audiences
- They include a bug bounty hall of fame to promote responsible disclosure
Putting it all together
Hopefully these pages gave you some good ideas for how to use your compliance reports on your website. My biggest takeaways:
- Share your approach to security and relate it to your customers and business partners
- To whatever extent you are comfortable, be transparent with some of your core security and compliance processes
- Include some of the best practices you follow (encryption, penetration testing, etc.)
- Guide your visitors through the process of requesting a report
- Feature your auditor, as their credibility will translate to your customers
Compliance is all about the customer
When you put your cybersecurity attestations on your website, you can frame a message that’s all about your relationship with your customers. There’s plenty you can talk about without giving away the details of your security program to your customers, so finding that balance is important. And remember – most people don’t natively understand security, so be clear and simple in your language and explanations.
Most importantly, remember that your assurance program is an opportunity to engage in a dialogue with people who are interested in how you do business. It’s much more than just the document – it’s a representation of who you are as a business and how you treat your customers.
I’m always happy to speak with people about how to best market their cybersecurity attestations. If you are interested in a conversation, or anything A-LIGN has to offer, please drop us a line!