SOC 2 for startups may seem like a difficult endeavor given the moving parts involved in launching and maintaining a successful startup. From funding to revenue, it can be easy to neglect compliance examinations like a SOC 2 – or to delay completing one until a future date. Since you cannot escape compliance requirements, the reality is that there is no better time to undergo a SOC 2 examination, and it might help your startup reach new heights. Below are the top reasons why your startup should consider SOC 2 compliance.
It Builds Credibility With Banks and Investors
Startups and banks can have a complicated and challenging relationship: while startups are fast-paced, young and agile, banks can be slower, more regulated and have complicated approvals to fund startups. Often banks and startups find themselves clashing over processes and cultures – which is why it’s important for startups to eliminate any roadblocks. Completing a SOC 2 as a startup is a fantastic way to demonstrate your security and ease security-related concerns that a bank may have. You’ll also be better prepared to answer the bank’s questions relating to security and compliance, as well as stand out from other startups in your field.
It Gives You a Competitive Advantage
These days, it seems like major security breaches are striking organizations large and small across the globe. Launching a startup can be difficult enough without worrying if you’re a target for a major data breach – but being prepared can be enough to differentiate yourself from your competition. Undergoing a SOC 2 Examination demonstrates to your current and prospective customers that your organization maintains a strong security posture that includes the implementation of controls to protect and secure a customer’s confidential and personal data – building trust in the marketplace early.
You’ll Develop Strong Policies and Procedures
One of the benefits of SOC 2 compliance is formally defining policies and procedures that describe the key processes and controls surrounding your organization and business operations. Departments and employees will know where to look if they have questions regarding their job role and how to complete their job responsibilities. Not only do strong, formally defined policies and procedures impress banks, investors, employees and customers, they also help employees better understand how to perform their day-to-day operations (such as building performance review systems or client contracts) and help mitigate risks resulting from data breaches and hacks.
[Read more: Top Policies and Procedures for SOC 2]
It’s Easier to Do at the Startup Stage
It may be tempting to delay completing a SOC 2 assessment at the infancy stage of your startup, but the reality is that you’ll likely need one in the future – and going through the audit process will only get more complicated as your organization grows. The reason why is simple: during the SOC 2 audit, various departments and personnel across the organization will be needed to assist in gathering the requested evidence for the examination. This is significantly easier when your team is in a small room together where the audit requests can be addressed quickly. As you build your startup, going through a SOC 2 Examination during the infancy stages will help strengthen the controls environment and help your organization be better prepared for future compliance assessments – no matter what size your organization has grown into. A little work now can save you countless headaches in the future.
A SOC 2 Is More Affordable Than Compliance Failure Fines
At the startup stage, budgets can be tight, and organizations need to keep their costs to a minimum – this leaves little to no room for costly, yet easily avoidable, disruptions to business operations. While some disruptions to business operations are inevitable, completing a SOC assessment can help identify the major vulnerabilities and control gaps. Significant business disruption can cost your organization thousands of dollars a month, and the average cost of a data breach for an organization is $3.62 million. You wouldn’t rent an office space and leave the doors unlocked, because doing so could cost you everything. Undergoing a SOC 2 examination similarly helps protect your organization by bringing into focus potential vulnerabilities and control gaps that can disrupt business operations. It might cost time and money now, but it’s a worthy investment – one that can save you even more time and money down the road, several times over.
Why SOC 2 for Startups?
With almost ten years of average experience, our team of certified compliance professionals has extensive experience performing SOC 2 examinations for startups and can set you on the right path as you build your credibility with customers. Moreover, A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks including SOC, PCI, ISO, GDPR, FISMA and NIST to help you meet all compliance needs.
Debunking the Top Seven Cybersecurity Myths
It is easy to feel uninformed with the number of cybersecurity myths that are frequently shared. The world of cybersecurity can be convoluted and confusing, but it doesn’t have to be. Arm your organization and yourself with facts about cybersecurity that will help you protect your personal, private information.
Myth #1: If the Wi-Fi You Are on Has a Password, It Means You Are Secure
Two situations that make organizations susceptible to public Wi-Fi network woes are shared workspaces and remote employees. Despite the illusion of security, password-protected Wi-Fi networks are still dangerous. Just about anybody can get their hands on your password and attempt to access your valuable files and information. The good news is that VPNs can help. A VPN carries a user’s traffic over an encrypted tunnel, so otherwise vulnerable users can work as if they were on the organization’s secure network – regardless of where they are. Avoid accessing important information on any public Wi-Fi network, password-protected or not.
Myth #2: Cyberattacks Only Happen to Large Businesses
Every company is susceptible to attacks, regardless of size. In fact, Verizon reported in the Data Breach Investigations Report that small businesses account for 58% of data breaches. No one is free and clear from the potential threat of cyberattacks, and that is precisely why prevention is so important. Ensuring that you, your employees and your organization as a whole are cyber-literate is essential to the well-being and future of your organization.
Myth #3: Security Is Static and the Controls We Implemented Last Year Will Work This Year
Concerns for data protection are rising, and the only solution is to be innovative and adaptive in the way you approach cybersecurity. Cybersecurity needs are different for every organization, and they are not static; they are ever-changing. 2019 has been filled with cybersecurity breaches, from Facebook to NASA. As a leading cybersecurity and compliance firm, we at A-LIGN help our partners stay up-to-date on the latest threats and advances in the security ecosystem. Hacking and security are a never-ending game of cat-and-mouse, which is why our penetration testers modify their techniques frequently based on the latest news regarding hacks and patches.
Myth #4: Cybersecurity is Only About Defense
Cybersecurity is about defense, but it is also a major revenue-generating and trust-building business move. The average cost of a malware attack on a company is $2.4 million, and the average cost of time of a malware attack is 50 days. In fact, 60% of small businesses that suffer a cyber attack are out of business within six months. More than ever, clients and potential clients are attracted to organizations and service providers with a strong cybersecurity and safety posture – not only to know that their data is safe but as assurance that the organization will be around for the long term.
Equifax had a huge data breach in 2017 that affected 125.5 million people. Addresses, birth dates, social security numbers and driver’s license numbers were leaked, alarming customers and putting the focus on cybersecurity.
Myth #5: Cybersecurity Attacks Come From the Outside
From human errors to baleful intent, cyberattacks are not just from the outside. McKinsey & Company reports that insider threat is present in 50% of cyber breaches. All situations need to be considered in order to have a complete cybersecurity plan. For example, implementing a thorough exit plan for employees leaving the company and ensuring that all employees are trained on basic cybersecurity measures are two protocols every organization should consider implementing.
Myth #6: Strong Passwords and/or Wireless Encryption Are Enough to Keep a Company Safe from Hackers
A strong password or strong wireless encryption like WPA or WPA2 used to be sufficiently secure, but hackers are becoming more advanced in their techniques for breaking into someone’s account. One way to help combat this issue is to enforce two-factor authentication on any device that allows the user to view sensitive content. Password manager apps and websites are also an excellent way to let users use more complex passwords without the burden of remembering all of them. Lastly, enforcing a limit on how long a user can keep the same password can help keep private information secure.
Myth #7: Assessments Are Not Necessary
Having a third-party examine your company’s internal controls can help you take a hard look at what your organization is doing right and what needs improvement. Assessments provide third-party assurance that your organization has appropriate controls in place to help mitigate risk. Additionally, regular penetration tests allow you to test your organization’s maturity over time and find potential flaws in your security infrastructure – before the bad guys do.
Stay Secure
The world of cybersecurity can be overwhelming. A-LIGN’s experience and commitment to quality can help your business achieve the cybersecurity and compliance goals it is seeking. We offer an extensive list of compliance and cybersecurity services that can arm your organization from the various threats that businesses face.
Don’t Get Reeled In: How to Prevent Phishing Scams
Phishing scams are a serious threat to an organization, and they’re increasing in scope, complexity and number – but that doesn’t mean you’re helpless to defend yourself. In fact, it’s easier than ever to proactively protect your organization from threats by following some simple tips.
Phishing Scams on the Rise
According to Wombat Security’s 2022 State of the Phish survey, 83% of survey respondents said they experienced a successful email-based phishing attack in 2021, up 57% from 2020, with 11% noting 10 or more of these attacks were successful.
With the threat of phishing scams on the rise and showing no sign of stopping, there has never been a better time to review your organization’s policies and remind yourself how you can stop an attack.
Types of Phishing Scams
Deceptive phishing: The most common phishing scam and the type most people think of when they hear the word “phishing.” Deceptive phishing strikes victims by taking over a recognized email address (or impersonating a recognized one) to get access to information. These emails typically request that you:
- Make a payment
- Re-enter information, such as logins or passwords
- Change your password
- Verify account information
Spear phishing: In recent years, spear phishing attacks have been on the rise. A more sophisticated form of deceptive phishing, spear phishing is a personalized attack that tricks you into thinking you have a relationship with the sender by utilizing full names, position information, addresses, phone numbers or other semi-private information. Once the URL in a spear phishing email is clicked, hackers have access to your account.
Whaling: As the name implies, whaling is a form of phishing that targets the big game. With whaling, also known as CEO fraud, hackers target executives or directors and attempt to gain access to their information and email accounts. Unfortunately, this kind of attack can be the most successful form of phishing scam, as executives often don’t undergo the same security training as lower-level employees.
Phishing calls: Web-based attacks are the most common form of phishing scam, but phone-based phishing scams have increased over the last few years. In these scams, phishers call and attempt to present themselves as a legitimate organization, such as your bank or credit card company, to gain information. Typically, the calls begin by volunteering easily researched information like your name or address to build trust. From there, phishers drill down further by asking for personal information such as passwords or bank account numbers for “verification purposes.”
Know That Protection is Everyone’s Responsibility
While phishing prevention is often laid at the feet of the IT department, protecting the organization from phishing attacks is the responsibility of every member at every level – from interns to IT to executives. And while you might think your organization has to focus its training on older employees, a recent study found that millennials and Gen Z (23%) are more likely to have fallen victim to phishing scams than Gen X (19%) or Baby Boomers (9%).
Before you shrug off responsibility, know that 55% of business owners who took the 2022 State of the Phish survey report taking disciplinary action against employees who fall for real or simulated phishing attacks.
Be Wary of Suspicious Emails
Most organizations employ copywriters, editors and/or digital marketers to carefully craft marketing emails, so any email from a brand or company that is riddled with typos and errors should raise red flags. Cybercriminals often make mistakes in emails – sometimes intentionally to slip past your email’s spam filters. Another telltale sign of a suspicious email is one featuring an impersonal greeting, such as “Dear Customer.”
If you don’t know the entity sending the email, don’t interact with the message by clicking links, downloading files or opening attachments. Doing so could open your computer, and your organization’s servers, up to a data breach.
Finally, look closely at the address. Phishers often create addresses similar to ones you are familiar with in order to mimic someone else – and if you don’t take a closer look at the sender, you might fall for it. For instance, the CEO of an organization might have the email [email protected], but phishers will use an address such as [email protected] or [email protected] to mimic the CEO in an effort to steal data or money.
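The three telltale signs above (look-alike sender addresses, impersonal greetings, and a familiar display name paired with an unfamiliar address) can be turned into a small triage check. The following is an added example, not code from the original article or from A-LIGN; the trusted domain `example.com`, the known executive name, the confusable-character table and all sample messages are constructed for illustration.

```python
"""Phishing-indicator scorer over constructed sample emails (added example)."""
import re
from email.utils import parseaddr
from typing import List, Optional

# Constructed: domains and people the organisation recognises.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_PEOPLE = {"alice ceo": "example.com"}  # lower-cased display name -> expected domain

# Characters that look alike in many fonts; catches domains such as
# "examp1e.com" or "exarnple.com" standing in for "example.com".
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

IMPERSONAL_GREETINGS = ("dear customer", "dear user", "dear account holder",
                        "dear sir/madam", "valued customer")


def normalize_confusables(label: str) -> str:
    """Map look-alike characters back to the ASCII letters they imitate."""
    for lookalike, plain in CONFUSABLES.items():
        label = label.replace(lookalike, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typical typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None when the
    domain is trusted (or one of its own subdomains) or clearly unrelated."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the real domain or a legitimate subdomain of it
    for trusted in TRUSTED_DOMAINS:
        if normalize_confusables(domain) == trusted:
            return trusted  # homoglyph substitution
        if edit_distance(domain, trusted) <= 2:
            return trusted  # typo-squat
        if trusted.split(".")[0] in re.split(r"[.\-]", domain):
            return trusted  # brand name embedded in an unrelated domain
    return None


def phishing_indicators(raw_from: str, body: str) -> List[str]:
    """Return the red flags found in one message's From header and body."""
    flags = []
    display, addr = parseaddr(raw_from)
    domain = addr.rpartition("@")[2]
    imitated = lookalike_domain(domain)
    if imitated:
        flags.append(f"sender domain {domain!r} imitates trusted domain {imitated!r}")
    expected = KNOWN_PEOPLE.get(display.strip().lower())
    if expected and domain.lower() != expected:
        flags.append(f"display name {display!r} is known, but address is on "
                     f"{domain!r}, not {expected!r}")
    first_line = body.strip().splitlines()[0].lower() if body.strip() else ""
    if first_line.rstrip(",:").startswith(IMPERSONAL_GREETINGS):
        flags.append(f"impersonal greeting: {first_line.strip()!r}")
    return flags


# Constructed sample messages: (From header, body).
SAMPLES = {
    "legit": ("Alice CEO <alice@example.com>", "Hi Bob,\nCan you send the Q3 numbers?"),
    "typo_squat": ("Alice CEO <alice@exarnple.com>", "Hi Bob,\nPlease wire the payment today."),
    "homoglyph": ("Accounts <billing@examp1e.com>", "Dear Customer,\nRe-enter your password here."),
    "subdomain": ("IT Helpdesk <it@mail.example.com>", "Hi Bob,\nYour ticket is resolved."),
}

if __name__ == "__main__":
    for name, (sender, body) in SAMPLES.items():
        print(f"{name}: {phishing_indicators(sender, body) or 'no indicators'}")
```

The check is a triage aid for the human review the section describes, not a replacement for mail-gateway filtering or sender authentication (SPF, DKIM, DMARC).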
Stay Updated on Phishing Attacks
Like any kind of scammer, phishers are playing a massive game of cat-and-mouse. As soon as a new technique is deployed or successfully utilized, word spreads and the public is educated – forcing hackers to develop new tricks constantly. If you’re not staying updated on new techniques and developments or undergoing security awareness training regularly, you’re easy prey for a phishing scam.
Undergo Penetration Tests
Penetration tests are a great way to test your information security posture by simulating a phishing attack. Designed to test the information security of the technologies and systems in place at an organization, penetration testing identifies specific vulnerabilities before the bad guys do, mitigating the risk of a data breach or phishing scam.
How A-LIGN Can Help
At A-LIGN, our penetration testers emulate the techniques of hackers by developing scenarios and strategies to breach your organization’s information systems, attacking your networks and applications. A-LIGN’s penetration test encompasses:
- API Testing
- Network Layer Testing
- Mobile Application Testing
- Web Application Testing
- Wireless Network Testing
- Facility Penetration Testing
What are the steps to ISO 27001 certification? Our assessors have completed assessments against several International Organization for Standardization (ISO) standards and can provide your organization with insights into the process for achieving ISO certification.
Choosing the appropriate assessor
A certification audit can be performed by any company that understands the ISO standard relevant to your company. When selecting a certification body (CB), it is important to understand the difference between an accredited and unaccredited certification to ensure that it meets your organization’s needs.
Accredited certification body
Accredited CBs must undergo a rigorous evaluation process to ensure that the certification audit is performed in accordance with the ISO audit requirements. The evaluation process assesses the competence of the audit team, audit methodology used by the CB, and the quality control procedures in place to ensure that the audit and report are completed properly.
As an accredited certification body, each certificate that A-LIGN issues contains the ANAB or UKAS seal, which will be accepted globally by your customer and potential clients to demonstrate conformity with the appropriate standard.
Unaccredited certification body
Organizations can also receive certification through an unaccredited assessor; however, these CBs are never audited for their compliance with ISO certification audit requirements. When your organization is undergoing ISO certification to meet a client requirement, it is important to determine whether the client requires an accredited certificate or will accept a certificate from an unaccredited CB.
5 Steps to ISO Certification
Step 1: Pre-assessment
The ISO pre-assessment process is designed for companies that will undergo the certification process for the first time and is performed only on an as-needed basis. A-LIGN simulates the actual certification audit by reviewing your company’s scope, policies, procedures, and processes to identify any gaps that may need remediation before your company goes through the certification process.
The pre-assessment can give your organization a head-start on the certification process by revealing any oversights or potential weaknesses that your organization may have ahead of the actual audit so that you can act on areas that require remediation or attention.
Step 2: Stage 1 audit
During the stage 1 audit, A-LIGN reviews your company’s documentation to confirm that it follows the relevant ISO standard and checks whether the required activities have been completed or are scheduled prior to beginning stage 2.
The conclusion of the stage 1 audit will determine whether your company is ready to move forward to stage 2, or whether modifications to its policies, procedures, and supporting documentation are required before proceeding. Once stage 1 is complete, your organization will have a better understanding of its ability to meet the requirements and of its areas for improvement.
Step 3: Stage 2 audit
The stage 2 audit is performed to test the conformance of your system with the relevant ISO standard. During A-LIGN’s on-site audit, we will perform testing procedures including interviews, inspection of documented evidence, and observation of your processes. Upon completion of stage 2, A-LIGN will determine if your organization is ready to be certified.
If there are any major nonconformities, they will need to be remediated before a certificate can be issued.
Step 4: Surveillance audit
Once your organization has achieved certification, A-LIGN is dedicated to your continued success. Over the two years following certification, A-LIGN will conduct annual surveillance audits to ensure your ongoing conformity with the appropriate ISO standard to give you the assurance that your systems and processes continue to be compliant.
Step 5: Recertification
Your certificate is valid for three years after the issue date. Your organization will need to recertify before the certificate expires, which begins the certification process again. The recertification process differs from initial certification, as organizations do not typically need to go through the stage 1 audit again. Instead, organizations begin with stage 2 in order to achieve recertification and continue to receive surveillance audits following certification.
Getting started with ISO
For organizations seeking an internationally recognized framework, the ISO standards can provide your organization with a certification that is scalable to your needs. With our experience in assessing an organization’s cybersecurity, compliance, and privacy, A-LIGN can provide your organization with the experience and guidance needed to achieve certification.
Ask Me Anything: A-LIGN’s HIPAA Expert Holds a Reddit Q&A
A-LIGN’s Senior Manager Blaise Wabo recently returned to Reddit to hold another Ask Me Anything (AMA) Q&A session on Reddit’s /r/technology subreddit. Blaise fielded important questions on the state of healthcare security, HIPAA compliance and cybersecurity threats to sensitive health data.
Being a hot-button issue in the world of compliance and security, it didn’t take long for the AMA to amass hundreds of questions from curious Redditors. Below are the top questions, but we encourage everyone to read the full AMA here.
Q: Can you give a brief explanation of what’s changed with HIPAA and HITRUST regulations between the last time you were here and now? Additionally, how well have the companies affected by the seemingly-continuous massive data breaches adhered to those regulations? How much danger is the average citizen in when this info is leaked assuming the affected company encrypts the data? How about when they don’t?
I am glad to be back and doing this HIPAA AMA. So there have not been many changes in HIPAA, but on February 11, 2019, HHS (Health and Human Services) announced two proposed rules to support the seamless and secure access, exchange and use of ePHI (electronic protected health information). These rules will focus on patient access to their records and APIs (application programming interfaces) with ePHI. This release was in conjunction with CMS (Centers for Medicare and Medicaid Services) and ONC (Office of the National Coordinator for Health Information Technology) announcing that they are extending the public comment period by 30 days for the two proposed regulations aimed at promoting the interoperability of health information technology and enabling patients to electronically access their health information.
Also, OCR (Office for Civil Rights) has concluded a record year in HIPAA enforcement activity. In 2018, OCR settled ten cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22%. In addition, OCR also achieved the single largest individual HIPAA settlement in history with $16 million from Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. As you can see, hackers are becoming more and more sophisticated and it is the responsibility of covered entities, business associates, patients and every other player in the food chain to secure PHI.
Regarding HITRUST, there has been the release of CSF v9.1, now v9.2 and v9.3 will be in Q3 of this year. Basically, HITRUST made their framework industry agnostic, so it is no longer specific to healthcare and any organization in any industry can now adopt the HITRUST CSF as their risk assessment framework. They have also added GDPR, NYCRR 500, California CPA, Singapore Privacy, and some other regulations to their framework.
Q: I’m an IT Director and currently evaluating 2 different vendors to perform a cybersecurity audit of our infrastructure and processes. One is providing CISSP and CISM certified resources while the other is not; their resources credentials include years of industry experience but no certifications. I’m inclined to choose the better-certified vendor. Any thoughts? The goal is to meet contractual obligations to clients and do our due diligence. We’re not doing it to meet compliance needs. Thanks!
I would say go with the firm that has certified assessors/auditors. You do not want folks that do not understand security to ask you questions.
Q: How often do you perform an audit, find significant problems and the organization does absolutely nothing about it?
It is not the auditor’s responsibility to ensure gaps are fixed; it is management’s responsibility to understand the risk and deploy controls to remediate the gaps identified. Auditors should be careful doing business with organizations that do not take security seriously as their license and reputation could be at risk.
Q: What is your position on PHI transmission before one officially becomes a patient? For instance, many people will email us, disclosing PHI in regular email or a contact form from our website. When and where does HIPAA compliance officially kick in?
It kicks in once that patient has had a diagnostic. If all you have is PII and not PHI as defined by HHS, technically HIPAA does not apply to you.
Q: The medical field is one of the fields that always seems to be out of the loop when it concerns adopting and upgrading the software of pre-existing systems. From what I understand, the certification requirements in the medical industry can make it difficult to be flexible in implementing security updates compared to other industries.
With major threats such as the newly discovered MDS vulnerability, the Spectre/Meltdown vulnerabilities discovered last year, and minor threats discovered on a weekly basis, how do security audits help prepare medical facilities against the constant onslaught of unforeseen threats? Can strict security certifications hamper the mitigation of newly discovered vulnerabilities? Do medical security audits give backend engineers the flexibility they need to quickly fix issues discovered in certified systems?
I would say before deploying any upgrades or fixes, you want to make sure it is tested in a test environment before being deployed to production. Also, security is always based on risk. Make sure a risk assessment is performed periodically to integrate any recently discovered vulnerabilities and implement controls to mitigate those risks.
Q: Can you give some tips for staying secure & HIPAA compliant in therapy sessions conducted online (like trustworthy video chat clients with location tracking), and for storage of therapy notes and records?
- Use a trusted and secure platform
- Ensure the sessions are encrypted including the voice recordings and any notes/chat
- Always advise patients to keep any data confidential and be in a safe environment before initiating the session
Q: Despite more and more organizations taking cybersecurity seriously, breaches continue to happen. Why do you think this is? What is the most common missing control you encounter?
What do you believe is the best bang-for-your-buck control an organization can implement to increase their security posture?
Great question. No matter how secure your environment might be, your weakest link is always your people. So, we must make sure we dedicate a lot of resources to training our people on security awareness, social engineering, etc.
Q: There’s always a lot of attention paid to insufficiently strong security and data breaches but what do you think most healthcare providers do well in terms of cybersecurity (if anything)?
I think healthcare providers are taking security more and more seriously, but to your point, we have a long way to go. I suppose that is why there are laws like HIPAA and consequences for not doing due diligence to follow these laws.
Everything You Need to Know About Bridge Letters
Bridge letters are an important element of SOC 1 and SOC 2 examinations that you may not be aware of and can help provide your clients with additional confidence regarding the effectiveness of your organization’s controls environment at no additional cost or time.
What is a Bridge Letter?
SOC 1 and 2 examinations take a lot of preparation and time to ensure compliance, but as you may have noticed, SOC reports often cover only a portion of an organization’s fiscal year. What do you do if your organization’s SOC report doesn’t cover the entire fiscal year? Thankfully, there are bridge letters.
As the name implies, a bridge letter – also known as a gap letter – is a letter that bridges the gap between the end date of the review period of your most recently completed SOC report and the date of the bridge letter. For instance, if your organization’s most recently completed SOC 1 report covers the period from November 1st, 2017 through October 31st, 2018, but your organization’s fiscal year-end is December 31st, 2018, you can provide your clients a bridge letter stating that there have been no significant changes, issues or deficiencies in your organization’s controls between October 31st and December 31st. This notice gives your clients confidence that there have been no significant changes to your controls environment that could adversely impact the conclusions reached in your most recently completed SOC examination.
Note that a bridge letter is signed off by the organization itself and provided directly to its customers. The CPA firm who performed the SOC examination does not attest to anything in the bridge letter or sign the bridge letter, as they did not perform any additional procedures to verify whether the organization’s controls environment changed or continued to operate effectively since the actual SOC audit was completed.
How Long Can a Bridge Letter Cover?
A bridge letter normally covers a period of three months, as it is only meant to cover a short duration of time between the report period end date and the organization’s fiscal year-end. If you want to use a bridge letter to cover a period of more than three months, you should consider whether it is time to perform another SOC examination. Because bridge letters are meant to cover a short duration, it is important that SOC examinations be completed regularly (at least annually), as they provide actual third-party assurance on the effectiveness of your organization’s controls environment.
What’s in a Bridge Letter?
There are a few important elements of a bridge letter including:
- The review period of the most recently completed SOC 1 report, including beginning and ending dates
- Any changes in the organization’s controls environment (if applicable). If there are no changes, the letter must state that the organization is not aware of any material changes in their controls environment
- A statement that, as of the date of the bridge letter, the service organization is unaware of any material changes, issues or deficiencies in the control environment that could change the opinion of the auditor who performed the SOC examination
- A statement that the bridge letter relates solely to the organization and may not be relied upon by any other entity
Protecting Your Organization and Business Relationships
By providing your clients with additional confidence in your organization’s compliance, a bridge letter can save your organization additional cost and time. While not a replacement for an actual SOC examination, a bridge letter can be a vital and helpful asset for your organization and its clients in between examinations.
A Quick NIST Cybersecurity Framework Summary
Running an organization today means not only performing expected business requirements and generating revenue, but also defending yourself against an endless onslaught of cybersecurity threats. The NIST Cybersecurity Framework is designed to help you grow your organization while defending yourself from cyberattacks.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a framework to support businesses and combat cybersecurity threats. Created from an executive order in 2013, the National Institute of Standards and Technology (NIST) worked with over 3,000 people from diverse backgrounds including academia, industry, and government to create a voluntary framework to address threats and support businesses as a way of protecting the economy and boosting national security.
Originally designed for U.S. private-sector owners and operators of critical infrastructure, the NIST Cybersecurity Framework has since evolved to include global communities and organizations as its stakeholders.
As of 2015, 30% of U.S. organizations use the NIST Cybersecurity Framework, and a Gartner report predicts that 50% will use it by 2020. Companies large and small have adopted the framework into their cybersecurity policies, including JP Morgan Chase, Boeing, Intel, Microsoft, Bank of England and Ontario Energy Board.
How the NIST Cybersecurity Framework Works
The Cybersecurity Framework acts as a guide for organizations to follow. Because all organizations face different challenges, NIST stresses that the framework should be customized to meet particular risks or industry needs.
At the heart of the Cybersecurity Framework are three components:
- The Framework Core: Using easily understood language and guidance, the Framework Core lists cybersecurity activities and outcomes to help organizations mitigate risk while complementing existing policies and procedures.
- Implementation Tiers: The Implementation Tiers give organizations the information needed to determine how aggressively they should be pursuing their cybersecurity initiatives. They are often used to initiate organizational conversations regarding budget, mission priority, and risk appetite.
- Profiles: The Framework Profiles provide a unique comparison of an organization’s objectives, requirements, risk appetite, and resources against the desired outcome of the Framework Core. By contrasting the two, organizations can use the Profiles to identify and prioritize opportunities for improving cybersecurity.
Benefits of the NIST Cybersecurity Framework
While not required, more organizations are adopting the cost-effective NIST Cybersecurity Framework with every passing year. By using the framework, organizations can better understand and mitigate the risks facing them every day while getting the most value from the money they spend on cybersecurity. By doing this, organizations can see which activities are most important to critical service delivery and ensure that they’re allocating proper resources to protect themselves. Organizations that have used the framework have reported stronger protections and enhanced cybersecurity policies.
A Solution for Any Organization
Because of its detailed creation and its ability to be easily personalized, the NIST Cybersecurity Framework provides scalable solutions for organizations of any size and industry. As it continues to gain wide-scale adoption and recognition, the NIST Cybersecurity Framework will only continue to improve cybersecurity policies and procedures for organizations in the decade to come.
IT security is an ever-growing concern for consumers and businesses. The last few years of breaches resulting from insecure IT environments have changed the buying process and selection criteria for many organizations. Securing a business’s critical information is a top priority, and with companies outsourcing more and more of their IT services to third parties, there is a greater focus on the security in place at Managed Service Providers (MSPs). MSPs provide various IT services such as network security, backups, infrastructure and software as a service.
In the past, MSPs were able to self-attest to how secure their environment was, but as more companies outsource their IT functions to MSPs, more scrutiny and focus is being placed on having an independent assessment performed to assess the security in place in the MSP’s environment. Many forward-looking MSPs have determined that the easiest way to show independent assurance is to provide their customers with a System and Organization Controls (SOC 2) compliance report – this report is issued by an independent, certified compliance firm that performs a formal assessment of the MSP’s security controls. Note that as an MSP, you may be familiar with the acronym “SOC” standing for Security Operations Center; in the world of compliance, “SOC” stands for System and Organization Controls.
What is a SOC 2 Compliance Report?
A SOC 2 compliance report can differentiate your business by providing your customers with assurance regarding the IT controls in place that protect the systems and data critical to operations, as well as their sensitive data. The SOC 2 examination is built on five Trust Services Principles (TSPs): Security, Availability, Confidentiality, Processing Integrity and Privacy – with Security being required in all reports. Depending upon the services provided and the level of access you have to your customers’ data, you can choose one or all five principles to test against, based on the level of security and controls in your environment.
As an MSP, your customers gain confidence that their sensitive and critical information is secured, made available and protected from unauthorized access. Although the ultimate accountability for customer information remains with the customer, as part of their vendor risk management program they will request evidence that appropriate controls are in place to protect their data, and that evidence can be readily demonstrated in a SOC 2 report. Please also note that the SOC 2 framework and requirements will change for SOC 2 reports having a report period end date after December 15, 2018. As part of the changes, the terminology is changing from Trust Services Principles and Criteria to Trust Services Criteria (TSCs).
MSP Benefits From a SOC 2 Compliance Report
A SOC 2 compliance report provides many benefits for an MSP, including the following:
Accelerated business and market growth
One of the greatest benefits of completing a SOC 2 examination is the opportunity to accelerate business and market growth. Showing that your organization is SOC 2 certified opens doors to new opportunities for larger customers and differentiates your business from your competition. MSPs we have spoken with are leveraging their SOC 2 report as a marketing tool – whether it is for new business or to demonstrate to existing customers their continued focus on securing their environment. Further, many prospects see their MSP as a commodity and are not able to differentiate one from the other. Having the SOC 2 logo on your website, your marketing materials and sales proposals sets you apart.
Continuous improvement of your security program
Undergoing a SOC 2 examination provides an independent assessment of how secure your environment is. The SOC 2 framework is thorough in its security requirements, from assessing overall governance to reviewing the system security controls.
Going through a SOC 2 examination helps formally establish the baseline internal controls in place that secure your environment as well as give you the ability to reassess how well those controls operate year over year.
Increased valuation of your MSP
The SOC 2 compliance report can lead to increased growth and sales. In certain instances, MSPs are acquired only to gain access to valuable customer listings. The SOC 2 assessment can be a major asset for your MSP – and can also be a major contributor to customer success and satisfaction.
Getting Started With a SOC 2 From A-LIGN
As customers begin to enhance their vendor management practices to secure their information, requests for compliance reports such as a SOC 2 report will become more and more frequent. Working with a compliance service provider like A-LIGN, who has certified compliance professionals with extensive experience performing SOC 2 examinations, can set you on the right path in building credibility and trust with your customers. Moreover, A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks including SOC, PCI, ISO, GDPR, FISMA and NIST to help you meet all compliance needs.
Ask an Assessor: Death Master File
The Death Master File (DMF) is a protected file that includes information regarding the deceased such as:
- Name
- Date of Birth
- Date of Death
- Social Security Number
Since November 28, 2016, organizations have faced a stricter certification process to be granted access to the DMF. In that time, A-LIGN has served as an Accredited Conformity Assessment Body (ACAB) that has submitted written attestation to validate that the appropriate controls are in place to maintain the confidentiality and security of DMF information. Senior Manager, Sue Wells, took the time to discuss the challenges that organizations face when seeking DMF certification and how A-LIGN can help.
Death Master File FAQ
What lessons have we learned from our DMF successes, as assessors, that we can utilize to help future clients that require DMF access?
Some of our DMF clients have never had any type of audit before, so there is a learning curve for those organizations to understand the process, such as document requests. For organizations that have never been certified before, they need to understand the steps to achieve certification:
- A-LIGN conducts testing against the approved standard.
- Once testing is complete, organizations must go to the National Technical Information Service (NTIS) website to pay the required fees. Organizations pay $1,575 annually for certification to NTIS, and an additional $525 every 3 years when third-party certification must be completed again. These fees are separate from those paid to the ACAB for attestation, as they are paid directly to NTIS. Once fees are paid, the organization will be provided a processing number.
- From there, organizations must obtain the attestation form from the NTIS website and provide A-LIGN with the processing number to complete the attestation.
- A-LIGN files the attestation documentation.
What information do companies seeking DMF certification need to know regarding their vendors and how they may impact their ability to be certified?
If significant technical safeguards used to protect the DMF are provided by a third party, the organization may have to obtain information directly from that third party to provide to A-LIGN, as the DMF attestation form does not allow other organizations to be carved out. In this event, the third party’s technical safeguards would need to be verified.
What standards can organizations certify against?
Since 2015, A-LIGN has successfully helped several organizations achieve certification by certifying against standards such as SOC 2, PCI DSS, and NIST 800-53.
Helping You Achieve DMF Certification
NTIS can conduct both scheduled and unscheduled compliance audits, and organizations that fail to comply with the set provisions may be subject to fines of up to $250,000 per year. As an ACAB, A-LIGN can attest to your organization’s ability to protect DMF information. We have extensive experience in testing the required controls and can guide your organization through the certification process with ease.