Libby Bevin

Cyber Risk: Stay Ahead of Evolving Threats with Proactive Collaboration

Libby Bevin · August 1, 2021 ·

How can you stay ahead of evolving threats encompassed by cyber risk? The easiest answer is: by being proactive. In this session, Reciprocity GRC experts Jessica Gray and Dave Schmoeller will be discussing:

Best practices to identify risks, threats and vulnerabilities to an organization — as well as how to take action to reduce them
How best to educate your organization, to encourage collaboration and proactivity
Tips to put a BCP or risk plan together and manage it moving forward

Duration: 1 hour, 10 min

Watch Now

A Case for ZenGRC: CIOs Sleep Better, Even in a Pandemic

Libby Bevin · July 29, 2021 ·

Reciprocity Shortlisted for 2021 SaaS Awards

Libby Bevin · July 29, 2021 ·

Cloud adoption has exploded over the last few years and today, it is the expected cost-effective alternative to traditional IT solutions where you can leverage the cloud to increase flexibility and reach.

Gartner predicts that the service-based cloud application industry will be worth $143.7 billion by 2022. This is why we are so excited to share that Reciprocity’s ZenGRC platform is a finalist in the 2021 SaaS Awards Program for two key categories: Best SaaS Product for Health & Safety or Risk Management and Best SaaS Product for CSR or Sustainability.

The SaaS Awards is a sister program to the Cloud Awards, which has been recognizing and honoring industry leaders, innovators and organizational transformation in cloud computing since 2011. The awards are open to large, small, established and start-up organizations from across the entire globe, with an aim to find and celebrate the pioneers who will shape the future of the Cloud as we move into 2022 and beyond.

Jenny Victor, vice president of Marketing for Reciprocity, explains, “Managing risk and compliance is complex and resource-intensive, but with ZenGRC – which offers a central platform for an organization’s entire infosec ecosystem – we’re able to provide companies with continuous monitoring, as well as end-to-end risk management.”

Reciprocity’s ZenGRC solution is a cloud-based, information security risk and compliance management platform designed to tame today’s complex data universe for mid-market and large enterprises. It offers the largest library of pre-built integrations to third-party infosec apps to enable robust automation and continuous monitoring for audit, IT, risk and compliance teams.

James Williams, head of operations for the SaaS Awards, adds, “We’ve seen remarkably innovative solutions across all conceivable areas of industry, and it’s increasingly difficult for our team to identify the entrants that can’t make it past this shortlist stage. The shortlisted candidates announced today, however, have made it through that first round. They represent truly innovative thinkers in the SaaS industry, whether they’re freshly-funded disruptors or established names.”

Being named to the SaaS Awards shortlist reinforces what Reciprocity – and our customers – already know: ZenGRC is the industry’s best GRC solution, making it easy for CISOs, CROs and CCOs to manage their organization’s information security risk and compliance.

We can’t wait to hear about the final SaaS Awards winners on August 31, 2021!

Click Here to view the full shortlist.

NIST vs SOC 2: What’s the Difference?

Libby Bevin · July 28, 2021 ·

When the subject is cybersecurity compliance, the National Institute of Standards and Technology (NIST) is often the first reference that comes to mind. NIST has been around for decades, and its standards for the development of cybersecurity risk management programs are considered the gold standard.

There is, however, another standard that applies to service providers that handle customer data, as well as to those firms’ business partners: the SOC 2 audit.

SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) as a way to audit and document the effectiveness of a business’ internal processes and cybersecurity controls, to assure that certain customer data is adequately protected against cyber attacks and data breaches.

How do SOC 2 and NIST differ?

The principal difference between the two is that a successful SOC 2 audit leads to an organization obtaining independent documentation that it has achieved SOC 2 compliance — something that may be required by customers, business partners, or (depending on your business) the law.

In contrast, NIST is a voluntary framework that can be applied to a service organization’s IT systems to improve information security and solidify a cybersecurity program. But that doesn’t result in an independent audit report or any other certification of compliance.

Both NIST and SOC 2 are standards that aim to analyze an organization’s internal controls, but they place emphasis on distinct areas of data security.

What is the difference among the different types of SOC reports: SOC 1, SOC 2 and SOC 3?

SOC 1 is a review of financial controls and financial reporting, showing that management’s assertion that all financial data are protected from data breaches and handled in a safe manner is accurate.

SOC 2 is a report completed by an independent auditor showing that an organization’s cybersecurity risk management program as well as IT system and organization controls are effective and adequate.

SOC 3 is similar to SOC 2, in that both review cybersecurity controls. A SOC 3 report, however, ,summarizes the findings of the SOC 2 audit and describes the effectiveness of the controls in place, and how they apply to protect privacy and integrity of the data handled. A SOC 3 report tends to be more general and easier to understand for the public.

Together, SOC 2 and SOC 3 compliance reports are often used to show potential clients that your organization takes cybersecurity seriously. The reports address your cybersecurity objectives, the effectiveness of internal controls, and how committed management is to an organization’s cybersecurity risk management program.

For comparison, the NIST Cybersecurity Framework (CSF) lists best practices, standards, and guidelines to help a company do a thorough cybersecurity examination and risk assessment.

Let’s dive deeper into SOC 2

Developed by the AICPA, a SOC 2 report focuses on a company’s data processing integrity and whether customers’ sensitive information is adequately protected within the company and among its third-party vendors.

SOC 2 is not just SOC for cybersecurity; it focuses on five areas of data handling also known as trust services criteria:

Privacy: does the organization provide sufficient access controls, such as two-factor authentication?
Confidentiality: are encryption, firewalls, and other security controls in place and updated?
Processing integrity: how strong are the company’s internal assessment process and third-party vendor management?
Availability: how are potential cybersecurity breaches and incidents handled? Are there disaster recovery plans in place that will allow the company to recover and continue to operate if a data breach takes place.
Security: how effective are the controls put in place to detect intrusion? How effective is the internal cybersecurity reporting framework and its response to security events?

All SOC reports are performed by external auditors as a way to assure that management accurately describes the organization’s cybersecurity risk management and reporting framework.

Cybersecurity and compliance management tools

As you forge a path for your business in our highly regulated, highly interdependent world, many tools can help keep your business stay competitive while keeping cybersecurity and compliance top priorities.

ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before those risks manifest as real threats.

Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.

What is Hybrid Cloud Security?

Libby Bevin · July 27, 2021 ·

Hybrid clouds are an elegant and adaptable technology solution for combining public and private cloud storage with more traditional IT infrastructure. While the hybrid cloud model provides a number of benefits, it requires a different security approach than private data storage options. Keep reading to learn more about the pros and cons of hybrid cloud computing, as well as the best security measures for protecting the data stored there.

What Is a Hybrid Cloud?

Your company may already be using a private cloud, but hybrid clouds are a slightly different concept. A private cloud is a cloud used solely by your own organization. A public cloud, as the name implies, is owned and managed by a separate company and is used by multiple organizations. The hybrid cloud model integrates both, as well as any on-premises infrastructure you may be using.

A hybrid cloud infrastructure integrates your private data storage (either physical servers or your own private cloud) with IaaS (infrastructure as a service) platforms such as Microsoft Azure or Amazon Web Services (AWS). Hybrid cloud systems can look different from company to company; this adaptability is one of the many benefits of a hybrid cloud.

Another benefit of a hybrid approach is the decentralization of data storage. By keeping data across multiple platforms, you can tailor security levels to your needs and assure that all of your data is not at risk in the event of a breach. Other benefits include easier access for remote workers, as well as the scalability of your storage to fit your future needs.

What Is Hybrid Cloud Security?

Hybrid cloud security is the means by which a company protects data that is stored and accessed across multiple cloud environments. New innovations in data storage require new innovations in data security, and if your company is moving to a hybrid cloud environment, you’ll encounter new cybersecurity considerations that need your attention.

If you’re in an industry such as healthcare (which requires adherence to government compliance guidelines) hybrid clouds can be more labor intensive because the cloud’s many connection points can create potential vulnerabilities. Any hybrid solutions you use must also be compliant, so before you enter any service level agreements (SLAs) with a cloud services provider, make sure that provider will work within your industry’s particular requirements.

You also have less access to, and therefore less control over, data that’s stored on an IaaS cloud service. On the other hand, this allows you to share security risks and remediation with the cloud service provider, which can free up time and resources in your own organization.

How can your company best address hybrid cloud security challenges? Consider the following:

Access management. Access to data should be granted to only those who need it. By tracking and minimizing access, you can prevent unnecessary vulnerability and react quickly in the event of a breach.
Endpoint security. The devices used to access your cloud services must be protected. Endpoints are particularly popular targets for malware and other security threats, so using password authentication and firewalls for these access points is a critical part of your security program.
Data encryption. Encrypting sensitive data can be an extra means of protection in case of unauthorized access.
Back up crucial data. Public clouds, like any technology, are occasionally subject to outages and failures. Any critical data should be backed up in case access to your cloud services is compromised.

ZenGRC Has Your Cloud Security Solution

Whether you’re using a hybrid model or your own private cloud solutions, ZenGRC has the tools you need to keep your compliance and risk management streamlined and optimized.

ZenGRC’s platform creates an integrated user experience that allows you to view all of your security controls and track risk in real-time, wherever your data is stored. Schedule a demo today and learn more about ZenGRC’s unique approach to cloud security and risk management.