Understanding Microsoft SSPA Attestation
Microsoft’s Supplier Security and Privacy Assurance Program (SSPA), formerly known as the Vendor Privacy Assurance Program, is an initiative designed to standardize and strengthen how Microsoft’s customer, partner, and employee information is handled by Microsoft vendors worldwide.
Compliance and Attestation
Organizations that are or want to become a Microsoft vendor must meet the requirements within the SSPA. This program requires that any vendor that collects, stores, or processes customer, partner, or employee information meet the reporting requirements.
All vendors must complete the annual Microsoft Personal Information (MPI) Inventory. Vendors are assigned an anniversary date on which they receive an email from Microsoft containing a hyperlink to the MPI Inventory. Depending on the type of data handled, as reported in the inventory, the Microsoft SSPA Attestation reporting guidelines group vendors into three categories: high business impact, moderate business impact, and low business impact.
Low Business Impact
Low business impact organizations must complete the MPI Inventory within 30 days. Upon submission of the inventory, a data classification is assigned to the vendor.
Vendors handling data classified as having no personal information or low business impact require no further action. An anniversary date will be assigned based on the date of completion of the MPI Inventory, which will set the annual compliance cycle.
Moderate Business Impact
Moderate business impact data includes personally identifiable information (PII) that is not highly sensitive, such as (but not limited to):
- Name
- Address
- Email address
- Phone number
- IP address
- Racial information
- Ethnic information
- Political information
- Religious beliefs
- Sexual orientation
- Trade union membership
- Physical or mental health
After completing the MPI Inventory, all moderate business impact organizations must adhere to the Microsoft Vendor Data Protection Requirements (DPR) and are required to certify compliance with the DPR via a self-certification within 90 days of submission of the MPI Inventory during their second compliance cycle, and annually from that point on.
An anniversary date will be assigned based on the date of submission of the self-certification, which will set the annual compliance cycle.
High Business Impact
High business impact data includes the following, but is not limited to:
- Authentication/authorization credentials, such as private cryptographic keys
- Highly sensitive PII, such as:
  - Financial transaction authorization data, such as credit card numbers
  - Financial profiles, such as consumer credit reports
  - Medical profiles, such as biometric identifiers
All high business impact organizations must also adhere to the DPR. Businesses that are considered high business impact must submit a letter of attestation from an approved third-party within 90 days of the submission of the annual MPI Inventory.
An approved third-party must be:
- A member in good standing with the American Institute of Certified Public Accountants (AICPA) or the International Federation of Accountants (IFAC)
- Qualified to conduct a Generally Accepted Privacy Principles (GAPP) assessment
Organizations that are high business impact must submit a letter of attestation after their third compliance cycle, and for all subsequent cycles. An anniversary date will be assigned based on the date of submission of the letter of attestation, which will set the annual compliance cycle.
Secure Your Summit
As a preferred assessor and approved third-party attestation body, A-LIGN has been vetted by Microsoft Procurement to perform a Supplier Security and Privacy Assurance (SSPA) assessment and empower your organization to meet SSPA requirements and conduct business with Microsoft.
If your high-impact organization requires a letter of attestation, our professionals can help you achieve compliance by assessing your organization’s controls, identifying gaps against SSPA requirements and completing your letter of attestation.
Let A-LIGN guide your journey from Information Security Management System (ISMS) to Privacy Information Management System (PIMS)
If ISO/IEC 27001:2013 has been the gold standard for Information Security Management Systems (ISMS), then ISO/IEC 27701:2019 is the new gold standard for Privacy Information Management Systems (PIMS). ISO 27701 was developed to help organizations implement privacy controls against a certifiable framework to demonstrate a strong privacy program. Privacy has become a global zeitgeist with international and domestic privacy regulations driving the adoption of new privacy controls.
The General Data Protection Regulation (GDPR) has been driving international data privacy since it came into effect on May 25, 2018. The penalty for non-compliance is steep – €20 million or 4% of annual revenue. There have been dozens of fines in the past two years, including €50 million against Google and €99 million against Marriott.
Its home-grown cousin, the California Consumer Privacy Act (CCPA), came into effect for California in 2020 – enforcement began July 1. Time will tell how fiercely CCPA will be enforced, but if GDPR is any indication, then its advocates will be seeking to make an example out of companies that fail to comply. Case in point, Zoom has already been served a class action lawsuit for violating individuals’ CCPA privacy rights.
When privacy is such a premium, data controllers, data processors, and their partners have realized the value of demonstrating trust. Organizations want certification to prove they have done the hard work.
ISO 27701 is the first international privacy standard to provide a certification path for organizations to demonstrate their privacy systems and controls. ISO 27701 is a privacy extension to ISO 27001, which requires extending an ISMS into a PIMS. Compliance with privacy standards and regulations cannot be achieved without implementing appropriate technical and organizational security controls.
The Path to ISO 27701 Certification
To receive an ISO 27701 accredited certificate, organizations must either be ISO 27001 certified or undergo a series of initial audits conducted by a certification body. There are parallel paths to ISO 27701 certification: one for data controllers and one for data processors. Generally, a controller collects the data and directs how it is to be processed, whereas a processor processes the data on behalf of its controller. Controllers are assessed on their privacy notices, protections, principles, and processor requirements. Processors are assessed on their ability to limit processing, assist with privacy protection, handle transfers and disclosures, and meet subcontractor requirements. Additionally, both controllers and processors are required to demonstrate confidentiality agreements, risk analysis, oversight, training, processes, and records. Since ISO 27701 is an extension of ISO 27001, organizations should begin with a gap assessment and develop a plan to close the gap between their ISMS and their PIMS.
Consolidate Compliance with ISO 27701
ISO 27701 minimizes the burden of managing multiple privacy requirements through consolidation, a strategic approach to compliance. Consequently, organizations considering ISO 27701 should also consider where else they can consolidate their compliance program, so that multiple audits can be conducted at once.
A Strategic Partner in A-LIGN
A-LIGN enables organizations to elevate their strategic compliance initiatives with A-SCEND, its proprietary compliance management system that centralizes and streamlines workflows to eliminate duplicate work. As an ANAB accredited certification body, A-LIGN is one of a few companies that can issue an accredited ISO 27701 certification globally.
Federal Compliance Definitions: A Glossary of Terms
The world of compliance is filled with acronyms and abbreviations for some of its more complicated regulation systems and organizations. There is perhaps no better example than the long list of acronyms associated with federal compliance laws. Ensure you and your organization are up to speed on this important terminology by reviewing this list.
Federal Compliance Terms, A-Z
3PAO – Third-Party Assessment Organization
A Third-Party Assessment Organization (3PAO) is an organization that has been certified to help cloud service providers and government agencies meet FedRAMP compliance regulations. Using FedRAMP-approved templates, these organizations evaluate cloud-based providers’ systems to ensure transparency and consistency in data security strategies. Per the U.S. General Services Administration (GSA), a 3PAO must meet the following requirements:
- Independence and quality management in accordance with the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 17020:1998 standard.
- Information assurance competence that includes experience with the Federal Information Security Management Act of 2002 (FISMA) and testing security controls.
- Competence in the security assessment of cloud-based information systems.
ATO – Authority to Operate
As part of the Agency authorization process, a Cloud Service Provider (CSP) works directly with the Agency sponsor to review the cloud service’s security package. After the security assessment is completed, the head of the Agency—or their authorized designee—can grant an ATO. This process generally has four phases:
- Partnership Establishment
- Full Security Assessment
- Authorization Process (during which the ATO status is approved)
- Continuous Monitoring
CDI – Covered Defense Information
Covered Defense Information (CDI) is an umbrella term used to describe information that requires protection under DFARS Clause 252.204-7012. It is defined as unclassified Controlled Technical Information (CTI) or other information as described in the Controlled Unclassified Information (CUI) registry that requires safeguarding or dissemination controls. CDI will either be marked or otherwise identified in the contract and provided by DoD in support of the performance of the contract. Additionally, CDI may also be collected, developed, received, transmitted, used or stored by the contractor in the performance of the contract.
CSF – Cybersecurity Framework
A Cybersecurity Framework (CSF) is defined as “voluntary guidance, based on existing guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” It should be organized, adaptable, repeatable and effective, so that risk to valuable company data and information is kept to a minimum. There are four common kinds of CSFs:
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organization for Standardization (ISO 27001/27002)
- CIS Critical Security Controls
- NIST Framework
CSP – Cloud Service Provider
A Cloud Service Provider (CSP) is a company that offers some component of cloud computing to other businesses or individuals. CSPs make their offerings available as an on-demand, self-provisioning purchase or on a subscription basis. There are three types of CSPs:
- Infrastructure as a Service (IaaS): In this model, the CSP delivers infrastructure components to an organization that would otherwise exist in an in-house data center. Examples include servers, storage and networking as well as the virtualization level, which the IaaS provider hosts in its own data center.
- Software as a Service (SaaS): SaaS vendors offer an assortment of business technologies, including productivity suites, customer relationship management software, healthcare IT software and more.
- Platform as a Service (PaaS): A PaaS service provider offers cloud infrastructure and services that users can access to perform various functions—this type of CSP is most commonly used in software development.
CUI – Controlled Unclassified Information
Controlled Unclassified Information (CUI) is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies—but is not classified under Executive Order 13526 or the Atomic Energy Act.”
FedRAMP – Federal Risk and Authorization Management Program
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
FISMA – Federal Information Security Modernization Act of 2014
The Federal Information Security Modernization Act of 2014 (FISMA 2014) is legislation that directs federal government agencies to implement a cybersecurity program that includes independent assessments as well as NIST SP 800-37, Revision 2. FISMA assigns responsibilities to a variety of agencies to ensure the security of data in the federal government. The National Institute of Standards and Technology (NIST) outlines the nine steps towards compliance under FISMA:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls once they’ve been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.
JAB – Joint Authorization Board
The Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. The JAB reviews and provides joint provisional security authorizations on cloud solutions using a standardized baseline approach. Its members include Chief Information Officers from the Department of Defense, the Department of Homeland Security and the General Services Administration. The defined duties for the JAB include:
- Define FedRAMP security and authorization requirements.
- Approve accreditation criteria for third-party assessment organizations (3PAO).
- Establish a priority queue for authorization package reviews.
- Review FedRAMP authorization packages.
- Grant joint provisional authorizations.
- Ensure that provisional authorizations are reviewed and updated regularly.
NIST 800-171 – National Institute of Standards and Technology
The National Institute of Standards and Technology is a physical science laboratory and a non-regulatory agency of the Department of Commerce. Founded in 1901, the agency was established to replace a second-rate measurement infrastructure that was causing the country to lag behind the industrial competitiveness of the UK, Germany and other economic rivals. Today, NIST measurements support the most innovative technology being developed, ranging from microscopic medical monitoring devices to communication systems that span the globe.
One such publication is National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. Essentially, this standard defines how to safeguard and distribute material deemed sensitive, though not classified. Developed in response to the passage of FISMA in 2003, NIST 800-171’s intent was to improve cybersecurity as the industry and the risks surrounding it continued to evolve.
P-ATO – Provisional Authorization to Operate
According to the FedRAMP website, a Provisional Authority to Operate (P-ATO) is permission given to an organization to operate at the Moderate impact level by the FedRAMP Joint Authorization Board (JAB). Essentially, a P-ATO is a preauthorization for an organization that then allows in-house monitoring and implementation of a cybersecurity system.
PMO – Program Management Office
A Program Management Office (PMO) is a group—either internal or external—that sets, maintains and ensures standards for project management across an organization. Their other responsibilities include ensuring that company procedures, practices and operations run smoothly—on time, on budget and all in the same way.
RMF – Risk Management Framework
Developed by NIST, a Risk Management Framework (RMF) is a set of information security policies and standards for organizations. A well-structured RMF provides an effective framework to facilitate decision-making to select appropriate security controls. There are seven recommended steps for implementing an RMF:
- Prepare: The organization must examine its current security measures and identify areas of potential risk or weakness.
- Categorize: Classify and label the information processed, stored and shared, as well as all of the systems the organization relies on.
- Select: Review the categorization and select baseline security controls. Revise and add to the security control baseline as necessary, based on the organization’s assessment of risk and local conditions.
- Implement: Instill the security controls and integrate with legacy systems. Document how the controls are arranged within the system and their effects on the overall environment.
- Assess: Evaluate the security controls to determine their quality and effectiveness.
- Authorize: Top management tests and approves the secured system for operation based on the accepted risk appetite for operations and assets. Management should also consider the system’s overall impact on individuals and other organizations. Once the level of remaining risk has been identified, the system can either be authorized or subjected to additional revisions.
- Monitor: An organization should develop an ongoing monitoring and assessment schedule for the security controls. A thorough documentation of results is a must-have.
SSP – System Security Plan
A System Security Plan (SSP) documents the controls that have been selected to moderate the risk of a system. These controls are determined by the risk analysis and the FIPS 199 categorization. Federal systems, defined as any systems that are funded by federal money, fall into either a Low, Moderate or High category, per NIST’s guidelines. An SSP provides information regarding the system owner and the name of the system, and lists the security controls selected for the system. Each control listing includes a detailed description that allows the system owner or auditor to confirm the effectiveness of that control.
How A-LIGN Can Help
As a full-service security, compliance and privacy firm, A-LIGN provides organizations with a variety of federal assessment services. Our team of assessors has experience in CMMC, FISMA, FedRAMP and NIST 800-171 assessments, and can help you determine which is vital for your organization. Together, we can determine the security requirements your organization needs for an ATO, as well as develop a holistic plan of action to protect your CDI and CUI.
Take An In-Depth Look at the SOC 2 Audit Process
Understanding the purpose and examination process of a SOC 2 audit can be confusing for first-time users and experienced customers alike. A simple Google search can give you the basics of a SOC 2 audit, but that generalized knowledge is only the beginning.
A-LIGN has taken numerous looks at what a SOC 2 is, what kind of organizations need one, and why this audit is important for security measures that meet the exacting standards of today’s world.
In our whitepaper, The SOC 2 Examination Process, we take an in-depth look at the SOC 2 audit and address topics including:
- Frequently asked questions regarding SOC 2
- The differences between a Type 1 SOC 2 audit and a Type 2 SOC 2 audit
- Why organizations often benefit from a readiness assessment
- The steps involved in a SOC 2 audit
The Types of SOC 2 Audits
- SOC 2 Readiness: Our readiness assessment provides your organization with the tools and confidence to prepare for the route ahead with the help of our experienced auditors.
- SOC 2 Type 1: A Type 1 report delivers a description of your organization’s system and its ability to meet the relevant criteria set by the Trust Services Criteria at a specific point in time.
- SOC 2 Type 2: A Type 2 report includes a description of your organization’s system along with the results of the auditor’s tests, as related to the Trust Services Criteria over a period of time. In addition, a Type 2 report gives a historical view of an organization’s environment to determine whether the organization’s internal controls are designed and operating effectively.
On September 3, 2019 HITRUST announced that they will be updating the HITRUST PRISMA Weights (HAA 2019-007) and the Scoring Rubrics (HAA 2019-009). These new guidelines will go into effect for any HITRUST certifications submitted and accepted on December 31, 2019 or later.
SOC 1 or SOC 2: Which Is Right for My MSP?
Managed service providers (MSPs) provide a valuable service by enabling companies of all sizes to outsource their key information technology processes. Many of those companies who look to engage an MSP ask whether a SOC 1 or SOC 2 Examination has been completed to assess the MSP’s security posture.
Not sure where to start when a prospective customer asks you about a SOC report? Below are our top tips for determining if your MSP should complete a SOC 1 or a SOC 2 Examination – or both.
How Do I Know if My MSP Needs a SOC 1 or SOC 2?
Often, your clients will let you know which assessment they want your MSP to undergo. They might request a specific examination, such as SOC 1 or SOC 2, or they may be vaguer in their direction and ask for a third-party security audit to be completed by a CPA firm. If they are less certain about which compliance assessment to complete, our SOC experts can review your MSP and its business practices to help determine the appropriate audit to undergo. Depending on the nature of your MSP, you might benefit from completing multiple compliance assessments concurrently, given the overlap in process and requirements.
Who Should Get a SOC 1 Examination:
A SOC 1 audit is the ideal audit for MSPs that handle, process, store or transmit financial information. These industries may include:
- Payroll Processors
  - A payroll processor distributes an organization’s payroll funds amongst its employees per the terms of the employer’s agreements as a service. The services of a payroll processor directly impact the organization’s financial reporting, making a SOC 1 audit critically important.
- Collections Organizations
  - A collections firm collects money on behalf of another company as a service and records and transfers those funds back, reconciling the organization’s financial statements. Because of their direct impact on financial reporting, SOC 1 audits are vital for collections organizations.
- Data Centers
  - A data center allows systems and software to operate with maximum availability as a service for other firms. If those systems or software are used for functional finance transactions, then the loss of availability could impact those transactions and therefore impact financial reporting.
- SaaS MSPs
  - A software-as-a-service (SaaS) provider that offers a cloud service to an organization could be processing financial statements or reporting on statements that record to the general ledger, therefore impacting financial reporting.
Who Should Get a SOC 2 Examination:
Organizations of all sizes and industries can benefit from a SOC 2 Examination, as the audit can be performed for an organization that provides a variety of services to its customers. A SOC 2 report highlights the controls in place that protect and secure an organization’s system or services used by its customers. Unlike a SOC 1, the scope of a SOC 2 Examination extends beyond the systems that have a financial impact, reaching all systems and tools used in support of the organization’s system or services. This assurance in the security of the environment can be provided thanks to the requirements within a SOC 2 Examination, known as the Trust Services Criteria (TSC). The TSC are established by the American Institute of Certified Public Accountants (AICPA) and consist of five categories:
- Common Criteria/Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
MSPs that could benefit the most from SOC 2 Examinations include:
- Any Service Organization
  - Generally speaking, any MSP providing a service to a business, client or person should have a SOC 2 performed.
- Data Centers
  - A data center allows systems and software to operate with maximum availability as a service for other firms. Because of the critical role that data centers play, availability and physical security of the system are extremely important to the clients purchasing the infrastructure or platform. To confirm a certain degree of availability, a SOC 2 is often requested or recommended.
- SaaS MSPs
  - A cloud-based SaaS that is managed and hosted by a third party should complete a SOC 2 Examination to provide assurance on the security posture surrounding the in-scope system or service.
Read more: Leveraging a SOC 2 Examination to Differentiate Your MSP
Should Your MSP Conduct a SOC 1 and SOC 2?
As you may have noticed, some industries that MSPs serve recommend the completion of both a SOC 1 and SOC 2 Examination. Because the customer audience and value gained for a SOC 1 and a SOC 2 audit differ, it is often worth completing both a SOC 1 and SOC 2 Examination concurrently – especially considering a majority of the evidence and testing used in a SOC 1 can also be leveraged in the completion of a SOC 2 Examination. A-LIGN’s SOC experts will review the services offered to customers by your MSP in order to determine the best solution for you.
How A-LIGN Can Help
As customers begin to enhance their vendor management practices to secure their information, requests for compliance reports such as a SOC 1 or SOC 2 report will become more and more frequent. Working with a compliance service provider like A-LIGN, who has certified compliance professionals with extensive experience performing SOC 1 and SOC 2 audits, can set you on the right path in building credibility and trust with your customers. Moreover, A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks including SOC, PCI, ISO, GDPR, FISMA and NIST to help you meet all compliance needs.
What is ISO 27701?
The ISO/IEC 27701:2019 standard was published on August 6, 2019, and provides the requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013. This extension replaces the development standard ISO 27552.
This extension will be most relevant for personally identifiable information (PII) controllers and processors but can be used by organizations of any kind, size, and location. ISO 27701 allows these organizations to improve their PIMS by enhancing their Information Security Management System (ISMS). Since ISO 27701 is an extension of the ISO 27001 standard, there will not be a stand-alone certification for ISO 27701.
As privacy concerns and requirements continue to increase globally, the addition of ISO 27701 to ISO 27001 certifications will become increasingly important to organizations.
ISO 27701 Standard Structure:
- Clauses 5 and 6: Provide additional privacy-specific guidelines for ISO 27001 and ISO 27002
- Clause 7: Provides 31 controls that will be relevant to PII controllers and includes the following control objectives:
  - 7.2 Conditions for collection and processing: To determine and document that the processing is lawful, with legal basis as per applicable jurisdictions, and with clearly defined and legitimate purposes
  - 7.3 Obligations to PII principals: To ensure that PII principals are provided with appropriate information about the processing of their PII and to meet any other applicable obligations to PII principals related to the processing of their PII
  - 7.4 Privacy by design and privacy by default: To ensure that processes and systems are designed such that the collection and processing (including use, disclosure, retention, transmission and disposal) are limited to what is necessary for the identified purpose
  - 7.5 PII sharing, transfer, and disclosure: To determine whether and document when PII is shared, transferred to other jurisdictions or third parties and/or disclosed in accordance with applicable obligations
- Clause 8: Provides 18 controls that will be relevant to PII processors and includes the following control objectives:
  - 8.2 Conditions for collection and processing: To determine and document that processing is lawful, with legal bases as per applicable jurisdictions, and with clearly defined and legitimate purposes
  - 8.3 Obligations to PII principals: To ensure that PII principals are provided with the appropriate information about the processing of their PII, and to meet any other applicable obligations to PII principals related to the processing of their PII
  - 8.4 Privacy by design and privacy by default: To ensure that processes and systems are designed such that the collection and processing of PII (including use, disclosure, retention, transmission and disposal) are limited to what is necessary for the identified purpose
  - 8.5 PII sharing, transfer, and disclosure: To determine whether and document when PII is shared, transferred to other jurisdictions or third parties and/or disclosed in accordance with applicable obligations
- Annex A & Annex B: PIMS-specific control objectives and controls for PII controllers and PII processors respectively
- Annex F: Informal guidance on practical applications of ISO 27701
Impact of ISO 27701:
A primary operational impact of ISO 27701 is the inclusion of privacy concepts and, in particular, the incorporation of many articles from the General Data Protection Regulation (GDPR) into the ISO framework. Similar to the GDPR’s focus on controllers’ and processors’ processing of personal data, ISO 27701 places the responsibility for compliance on the PII controllers (the person or agency who determines the purposes and means of the processing of personal data) and the PII processors (the person or agency who processes personal data on behalf of the controller).
Requirements applicable to and impacting both PII controllers and processors:
- Security: Physical, operational and administrative controls are required to protect PII.
- Confidentiality and Integrity: A confidentiality agreement must be executed by any individuals authorized to access PII and the integrity of the PII data must be maintained.
- Risk Assessments: To identify risks associated with new processing of PII or changes to the existing processing of PII, a privacy impact assessment must be conducted.
- Roles and Responsibilities: An individual should be appointed to develop, implement, monitor, and maintain the organization’s governance and privacy program.
- Training: Any personnel that will have access to PII will be required to complete privacy awareness training.
- Incident Management: Policies and procedures need to be established and adopted to respond to and document any incidents, including but not limited to data breaches.
- Records of Processing: Processing activities involving PII, including transfers and disclosures, must be documented and maintained by organizations.
- Transmission of PII Data: Controls must be implemented to govern the transmission of PII data.
Controller-Specific Requirements:
- PII Principals Notice: A privacy policy detailing the collection, use and processing of PII must be provided to the PII principals.
- PII Principal Rights: Mechanisms must be in place to accommodate individuals’ right to access, correct, erase, or object to and restrict the processing of their PII, among others.
- Processor Contract Requirements: Written contracts must be in place with their processors that address specific items, such as protecting PII, limiting processing to the specific purpose for which the PII was collected, and providing notification for breaches of PII.
- Data Minimization and Purpose Limitation: The PII collected shall be limited to what is relevant, proportional and necessary for the identified purpose, and the processing of PII shall be limited to that purpose.
Processor-Specific Requirements:
- Processing Limitation: Processing of PII can only occur on the documented instructions of the controller or processor (depending on the role of the customer).
- Engagement of Subcontractors: In order to use a subcontractor to process PII, a written contract is required with the subcontractor authorizing the processing of PII and ensuring the implementation of appropriate controls.
- Infringing Instruction: Processing instructions received that are perceived to infringe on applicable legislation and/or regulation must be communicated to the customer.
- Assistance with Customer’s Obligations: Measures must be implemented that assist the customer in complying with the rights of individuals.
Benefits of ISO 27701:
- Streamline compliance obligations for ISO 27001 and the GDPR by integrating privacy into your organization’s ISMS
- Surpass the competition and attract new customers with a demonstration of increased security and privacy in your organization
- Maintain peace of mind for your current customers that their PII is protected
- Gain a better understanding of the Privacy Information Management Systems (PIMS) implementation process
- Avoid potential fines as the enforcement of privacy protection continues to increase
SOC 2 for Startups: Boosting Your Startup With SOC 2
SOC 2 for startups may seem like a difficult endeavor given the moving parts involved in launching and maintaining a successful startup. From funding to revenue, it can be easy to neglect compliance examinations like a SOC 2 – or to delay completing one until a future date. Since you cannot escape compliance requirements, the reality is that there is no better time to undergo a SOC 2 examination, and it might help your startup reach new heights. Below are the top reasons why your startup should consider SOC 2 compliance.
It Builds Credibility With Banks and Investors
Startups and banks can have a complicated and challenging relationship: while startups are fast-paced, young and agile, banks can be slower, more regulated and have complicated approvals to fund startups. Often banks and startups find themselves clashing over processes and cultures – which is why it’s important for startups to eliminate any roadblocks. Completing a SOC 2 as a startup is a fantastic way to demonstrate your security and ease security-related concerns that a bank may have. You’ll also be better prepared to answer the bank’s questions relating to security and compliance, as well as stand out from other startups in your field.
It Gives You a Competitive Advantage
These days, it seems like major security breaches are striking organizations large and small across the globe. Launching a startup can be difficult enough without worrying if you’re a target for a major data breach – but being prepared can be enough to differentiate yourself from your competition. Undergoing a SOC 2 Examination demonstrates to your current and prospective customers that your organization maintains a strong security posture that includes the implementation of controls to protect and secure a customer’s confidential and personal data – building trust in the marketplace early.
You’ll Develop Strong Policies and Procedures
One of the benefits of SOC 2 compliance is formally defining policies and procedures that describe the key processes and controls surrounding your organization and business operations. Departments and employees will know where to look if they have questions regarding their job role and how to complete their job responsibilities. Not only do strong, formally defined policies and procedures impress banks, investors, employees and customers, they also help employees better understand how to perform their day-to-day operations (such as building performance review systems or client contracts) and help mitigate risks resulting from data breaches and hacks.
It’s Easier to Do at the Startup Stage
It may be tempting to delay completing a SOC 2 assessment at the infancy stage of your startup, but the reality is that you’ll likely need one in the future – and going through the audit process will only get more complicated as your organization grows. The reason is simple: during the SOC 2 audit, various departments and personnel across the organization will be needed to assist in gathering the requested evidence for the examination. This is significantly easier when your team is in a small room together, where audit requests can be addressed quickly. As you build your startup, going through a SOC 2 examination during the infancy stages will help strengthen the control environment and help your organization be better prepared for future compliance assessments – no matter what size your organization has grown into. A little work now can save you countless headaches in the future.
A SOC 2 Is More Affordable Than Compliance Failure Fines
At the startup stage, resources can be tight, and organizations need to keep their costs to a minimum – this leaves little to no room for costly, yet easily avoidable, disruptions to business operations. While some disruptions to business operations are inevitable, completing a SOC assessment can help identify major vulnerabilities and control gaps. Significant business disruption can cost your organization thousands of dollars a month, and the average cost of a data breach for an organization is $3.62 million. You wouldn’t rent an office space and leave the doors unlocked, because doing so could cost you everything. Undergoing a SOC 2 examination similarly helps protect your organization by bringing into focus potential vulnerabilities and control gaps that can disrupt business operations. It might cost time and money now, but it’s a worthy investment – one that can save you even more time and money down the road, several times over.
Why SOC 2 for Startups?
With almost ten years of average experience, our team of certified compliance professionals has extensive experience performing SOC 2 examinations for startups and can set you on the right path as you build your credibility with customers. Moreover, A-LIGN is well-versed in the requirements of a broad range of compliance standards and security frameworks, including SOC, PCI, ISO, GDPR, FISMA and NIST, and can help you meet all of your compliance needs.
Debunking the Top Seven Cybersecurity Myths
It is easy to feel uninformed with the number of cybersecurity myths that are frequently shared. The world of cybersecurity can be convoluted and confusing, but it doesn’t have to be. Arm your organization and yourself with facts about cybersecurity that will help you protect your personal, private information.
Myth #1: If the Wi-Fi You Are on Has a Password, It Means You Are Secure
Two situations that expose organizations to the risks of public Wi-Fi are shared workspaces and remote employees. Despite the illusion of security, password-protected Wi-Fi networks are still dangerous: just about anybody can get their hands on the network password and attempt to access your valuable files and information. The good news is that VPNs can help. A VPN lets an otherwise exposed user work as if they were on the secure office network – regardless of where they are. Avoid accessing important information on any public Wi-Fi network, password-protected or not.
Myth #2: Cyberattacks Only Happen to Large Businesses
Every company is susceptible to attacks, regardless of size. In fact, Verizon reported in its Data Breach Investigations Report that small businesses account for 58% of data breaches. No one is free and clear of the potential threat of cyberattacks, and that is precisely why prevention is so important. Ensuring that you, your employees and your organization are cyber-literate is essential to the well-being and future of your organization.
Myth #3: Security Is Static and the Controls We Implemented Last Year Will Work This Year
Concerns about data protection are rising, and the only solution is to be innovative and adaptive in the way you approach cybersecurity. Cybersecurity needs differ for every organization, and they are not static; they are ever-changing. 2019 has been filled with cybersecurity breaches, from Facebook to NASA. As a leading cybersecurity and compliance firm, we at A-LIGN help our partners stay up to date on the latest threats and advances in the security ecosystem. Hacking and security are a never-ending game of cat and mouse, which is why our penetration testers frequently adjust their techniques based on the latest news about hacks and patches.
Myth #4: Cybersecurity is Only About Defense
Cybersecurity is about defense, but it is also a major revenue-generating and trust-building business move. The average cost of a malware attack on a company is $2.4 million, and the average time cost of a malware attack is 50 days. In fact, 60% of small businesses that suffer a cyberattack are out of business within six months. More than ever, clients and potential clients are attracted to organizations and service providers with a strong cybersecurity and safety posture – not only to know that their data is safe, but as assurance that the organization will be around for the long term.
Equifax suffered a huge data breach in 2017 that affected 125.5 million people. Addresses, birth dates, Social Security numbers and driver’s license numbers were leaked, alarming customers and putting the focus on cybersecurity.
Myth #5: Cybersecurity Attacks Come From the Outside
From human error to malicious intent, cyberattacks do not come only from the outside. McKinsey & Company reports that insider threat is present in 50% of cyber breaches. All scenarios need to be considered in order to have a complete cybersecurity plan. For example, implementing a thorough exit process for employees leaving the company and ensuring that all employees are trained on basic cybersecurity measures are two protocols every organization should consider implementing.
Myth #6: Strong Passwords and/or Wireless Encryption Are Enough to Keep a Company Safe from Hackers
A strong password or strong wireless encryption such as WPA or WPA2 used to be considered sufficiently secure, but hackers are becoming more advanced in their techniques for breaking into someone’s account. One way to help combat this is to enforce two-factor authentication on any device that allows the user to view sensitive content. Password manager apps and websites are also an excellent way to let users adopt more complex passwords without the burden of remembering all of them. Lastly, enforcing a limit on how long a user can keep the same password can help keep private information secure.
Myth #7: Assessments Are Not Necessary
Having a third party examine your company’s internal controls can help you take a hard look at what your organization is doing right and what needs improvement. Assessments provide third-party assurance that your organization has appropriate controls in place to help mitigate risk. Additionally, regular penetration tests let you measure your organization’s security maturity over time and find potential flaws in your security infrastructure – before the bad guys do.
Stay Secure
The world of cybersecurity can be overwhelming. A-LIGN’s experience and commitment to quality can help your business achieve the cybersecurity and compliance goals it is seeking. We offer an extensive list of compliance and cybersecurity services that can arm your organization against the various threats that businesses face.