Libby Bevin

The Federal Risk and Authorization Management Program (FedRAMP) is meant to assure the security of cloud services used by the U.S. government. It standardizes the security assessments, authorizations, and continuous monitoring of Cloud Service Offerings (CSOs) used by federal government agencies.

With the help of FedRAMP’s guidelines and standards, federal agencies can assess whether a CSO can handle and protect sensitive government data and then decide whether the CSO’s Cloud Service Provider (CSP) is trustworthy.

All CSPs and CSOs that achieve FedRAMP certification are added to the FedRAMP marketplace, the official online repository of all FedRAMP-authorized CSPs and CSOs. Federal agencies seeking a CSO authorized for government use can find them on this marketplace.

The marketplace is also a goldmine of information about FedRAMP-certified CSPs, FedRAMP templates, and the authorization process. This guide unpacks the critical features of the FedRAMP marketplace and shows how federal agencies can use it to choose the CSO they need for their mission-critical requirements.

What Is FedRAMP?

The National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and many other agencies collaborated to develop the FedRAMP and its policies, controls, and procedures.

All federal agencies that use (or want to use) CSOs must use the FedRAMP’s assessment and authorization process. In addition, all CSPs that want to sell their offerings to federal agencies must achieve FedRAMP authorization. In short, FedRAMP is mandatory for both parties.

[Click here to read more about AWS and FedRAMP].

FedRAMP provides a “do once, use many times” Security Assessment Framework (SAF). Federal agencies can use the SAF to standardize the Federal Information Security Management Act (FISMA) application to CSOs.

What Is the FedRAMP Marketplace?

The FedRAMP marketplace is similar to an e-commerce website where a potential buyer can search for the products the buyer needs. It is the U.S. government’s online repository of all FedRAMP-authorized CSOs and their security packages.

Instead of conducting duplicative security assessments and creating multiple process monitoring reports, agencies can reuse security packages to assess CSOs and CSPs to accelerate their adoption of secure cloud solutions.

The marketplace is a convenient, one-stop-shop of cloud products and services that any federal agency can use to find the CSOs it needs. These CSOs have already gone through and completed the FedRAMP authorization process. Agencies looking to buy secure CSOs can do so from the FedRAMP marketplace, knowing that every product listed there already meets the government’s stringent requirements to protect sensitive government data in cloud environments.

FedRAMP marketplace home page

The FedRAMP marketplace home page provides lots of helpful information to guide agencies looking for FedRAMP-authorized CSOs, including:

• CSP name
• CSP service model: IaaS, SaaS, PaaS
• FedRAMP impact level: Low, Medium, High, or LI-SaaS
• Status: FedRAMP authorized, FedRAMP ready, FedRAMP in process

Similar to e-commerce sites like Amazon, a user can filter the results on the FedRAMP marketplace using multiple criteria:

• FedRAMP status: Authorized, Ready, and In process.
• Authorization type: JAB, Agency
• Service models: IaaS, SaaS, PaaS
• Deployment models: Government Community Cloud, Hybrid Cloud, Public Cloud
• Impact level: Low, Medium, High, LI-SaaS

A federal agency user can filter the results based on provider or agency name. With the latter, it’s easy to see which agency has implemented which CSO and from which CSP.

By the end of June 2022, more than 260 FedRAMP-authorized CSPs were listed on the FedRAMP marketplace. Dozens more were amid FedRAMP certification, and another 29 had expressed an interest in becoming a federal provider but still needed to go through the authorization process.

FedRAMP marketplace resources page

The FedRAMP marketplace also provides several valuable resources, including documents, templates, training materials, and information about FedRAMP security baselines. Templates are essential to the FedRAMP program and its security assessment framework.

The FedRAMP marketplace provides templates for:

• Plan of Action and Milestones (POAM)
• Readiness Assessment Reports (RAR)
• FedRAMP System Security Plan (SSP) Baseline Templates
• FedRAMP Control Implementation Summary (CIS) Workbooks

The marketplace also provides numerous checklists, toolkits, and playbooks to guide agencies and CSPs along the security assessment and authorization process.

Listing designations on the FedRAMP Marketplace

All CSPs fall under one of three listing designations on the FedRAMP marketplace:

FedRAMP Ready

This status indicates that an independent Third Party Assessment Organization (3PAO) has attested to the CSP’s readiness for the authorization process. The FedRAMP Program Management Office (PMO) also approves the Readiness Assessment Report (RAR), indicating the CSP’s ability to satisfy FedRAMP security requirements.

FedRAMP Ready does not mean that the CSP has achieved FedRAMP authorization. It only means the CSP has expressed an interest in becoming a federal provider and has shared information indicating that the vendor can meet baseline FedRAMP criteria.

In Process

This designation is given to CSPs working towards FedRAMP authorization either with the Joint Authorization Board (JAB) or a federal agency.

Authorized

This designation means that the CSP has completed the FedRAMP authorization process, and its security package is available for agency review and reuse.

How Do I Find FedRAMP-authorized Cloud Service Providers in the FedRAMP Marketplace?

To find FedRAMP-authorized cloud computing services and CSP in the FedRAMP marketplace, information systems and federal agencies should follow these steps:

1. Go to the FedRAMP Marketplace website at https://marketplace.fedramp.gov/ 
2. Use the search and filters to narrow options:
   1. Filter by moderate impact level
   2. Filter by deployment models like software-as-a-service
   3. Filter by cybersecurity posture and FedRAMP High standards
   4. Filter by Department of Homeland Security binds and FIPS alignment
   5. Search by cloud provider name
3. Click providers to view details on their FedRAMP authorizations and cloud offerings aligned to federal government security requirements from DHS and OMB.
4. Download authorization packages to review before granting an agency ATO allowing usage.

What Is the FedRAMP Certification Process to Get Listed On the FedRAMP Marketplace?

CSPs must complete the FedRAMP authorization and certification process to be listed on the FedRAMP marketplace. To achieve the authorization, the CSP can pursue one of two paths:

• A Provisional Authorization to Operate (P-ATO) through the FedRAMP Joint Authorization Board (JAB).

Or

• An Authorization to Operate (ATO) through a federal agency.

What Is FedRAMP ATO?

In the ATO path, agencies work directly with the CSP throughout the FedRAMP authorization process. The ATO is a formal declaration by an agency authorizing the use of a CSO.

When applying for the ATO, the CSP will provide a security authorization package to the agency, which will perform a risk review of the package following FedRAMP requirements.

Agencies can use a FedRAMP-accredited 3PAO or a non-accredited Independent Assessor (IA) to perform the CSO’s independent assessment before granting the ATO. FedRAMP recommends that agencies use a 3PAO from the FedRAMP 3PAO accreditation program.

The FedRAMP marketplace lists all FedRAMP-accredited 3PAOs, and each one includes:

• Number of assessments completed
• Types of CSOs assessed
• Names of CSPs assessed
• Federal agencies collaborated during the authorization process

After authorizing a package, the agency informs the FedRAMP PMO via email. The CSP then submits the package for PMO review. After confirming that the package meets FedRAMP requirements, the PMO will publish it on the FedRAMP marketplace. Other agencies can reuse the same package to grant their ATO to the CSP.

What is FedRAMP P-ATO?

A CSP can also get a P-ATO by providing its security authorization package to the JAB. The JAB does a risk review of all the documents in the CSP’s authorization package. After this review, an accredited 3PAO (mandatory to get P-ATO) will independently test, verify, and validate the package before the JAB grants the P-ATO.

After granting the P-ATO, the JAB will inform agencies whether a CSO has a recommended acceptable risk posture for agency use at the designated impact level. Agencies can then decide if they want to grant ATOs to that CSP and CSO.

The JAB also performs continuous monitoring to ensure the CSO maintains an acceptable risk posture per FedRAMP and government requirements. The “provisional” in P-ATO only indicates that the JAB has completed the risk review, not that it accepts the risk on behalf of a federal agency.

How do agencies use FedRAMP?

The standards and baselines established under FedRAMP allow federal agencies to standardize the authorization and certification process for CSOs and confirm that a CSO has implemented the FedRAMP baseline security controls.

All agencies must enforce the FedRAMP requirements through their contracts with CSPs. When granting security authorization to a CSP, agencies use existing authorizations as a starting point.

After granting the authorization, they submit that security authorization package to the FedRAMP PMO. They also prepare and file an ATO letter with the PMO.

All security packages that have completed PMO review are available on the FedRAMP marketplace for other agencies to reuse. Agencies must sponsor the CSP under the entire authorization process to use a CSO that still needs to be FedRAMP authorized.

The CSP will work with the agency for the security assessment and authorization process. When this process is complete, and the PMO approves the authorization package, the agency can deploy the CSO for their use.

FAQs for FedRAMP Compliance

Is Workday FedRAMP certified?

Yes, Workday holds a FedRAMP Moderate Authority to Operate (ATO) for Workday Finance, Workday Human Capital Management, Workday Procurement, and Workday Expenses cloud services. Workday achieved the FedRAMP certification in April 2021.

Is Google FedRAMP certified?

Yes, Google has achieved FedRAMP certification and authorization for several Google Cloud services, including Google Kubernetes Engine, BigQuery, Cloud Security Command Center, and more. You can find the list of Google’s FedRAMP-compliant services on the GSA marketplace.

Is Microsoft Office 365 FedRAMP certified?

Microsoft Office 365 is FedRAMP compliant through an agency Authority to Operate (ATO). Microsoft Office 365 received its FedRAMP ATO certification from the U.S. Department of Health and Human Services (HHS).

Simplify and Manage FedRAMP Compliance with RiskOptics ROAR

Whether you are preparing for a FedRAMP audit or aiming to maintain FedRAMP compliance, manual processes, and spreadsheets are not the best way to achieve your goals. What you need is automation coupled with pre-built content and continual compliance monitoring. You need ROAR.

ROAR is an all-in-one compliance, audit, governance, and risk management platform. See how ROAR can help you drive greater compliance efficiencies with minimal effort. Schedule a demo to get started.

The Sarbanes-Oxley Act (SOX) requires publicly traded companies to declare and adopt a framework that the business will use to “define and assess internal controls.”

In response, most publicly traded companies have adopted one of two frameworks that meet the SOX requirements: the Committee of Sponsoring Organizations (COSO) internal control framework and the IT Governance Institute’s Control Objectives for Information and Related Technology (COBIT). 

To be clear, SOX itself doesn’t identify any specific framework that companies must use, nor do any regulatory agencies like the U.S. Securities & Exchange Commission expressly endorse one. However, companies must select and implement some frameworks to comply with SOX, so businesses subject to the law should try to understand the COBIT framework and the COSO framework objectives and how they can use them together to achieve more effective IT governance.

What Is COBIT?

The COBIT framework created by the Information Systems Audit and Control Association (ISACA) was first published in 1996 by the Information Systems and Audit Control Association (ISACA), which creates globally recognized IT certifications and guidance for enterprises that use information systems. 

COBIT brings together global IT standards, such as the Information Technology Infrastructure Library (ITIL), the Capability Maturity Model Integration (CMMI), and the International Organization for Standardization (ISO) to set standards to assure the sound deployment of IT resources. 

Using the COBIT framework, organizations can improve the value of their IT processes and manage risk simultaneously.

The framework includes methods to determine whether IT practices meet business objectives and provides facilities for documenting and developing the tools, processes, and organizational structures required for effective IT management. 

Providing maturity models and various metrics to measure the framework’s achievement, COBIT consists of a variety of components, including:

• Framework: the IT team organizes governance objectives to implement best practices in processes and domains by linking business requirements with IT. 
• Process descriptions: using COBIT as a reference, these descriptions should include the stages of planning and building the framework, which is then operated and monitored by the IT team. 
• Control objectives: a total list of requirements upper management considers to create an effective IT business control. 
• Maturity models: used to assess the maturity of each process and its capability to address any gaps in the processes. 
• Management guidelines: used to assign responsibilities while measuring the performance of the processes. These guidelines help team members agree upon common objectives and improve the relationships with other processes in the organization. 

COBIT also provides a tool kit for compliance with SOX and other regulatory frameworks, including:

• An executive summary that gives an overview of COBIT’s founding principles. 
• The compliance framework with detailed descriptions of high-level IT control objectives and the required business requirements for information and IT input. 
• Objectives for control include statements of the purpose of each control objective and the desired results. 
• Guidelines for performing and passing audits with step-by-step guides for each control objective. 
• Primers for management: a summary of the methods employed by organizations that have successfully applied the COBIT framework in their environments and some related tools. 
• Reference materials include the IT Control Practice Statement, a detailed layout of the reasons for IT and operational risk assessment controls, and best practices for dealing with them. 

In addition to assuring regulatory compliance, COBIT helps IT better understand the needs of a business and defines which practices are needed for IT operations to be more efficient and effective.

Is COBIT a risk management framework?

Yes, the COBIT framework developed by the ISACA can be viewed as an IT-related risk management framework that aligns with business goals and processes. It provides tools and guidance to help organizations conduct risk assessments, define risk tolerance levels, implement risk response activities and controls, and monitor the effectiveness of risk management practices related to information systems and technology. While not solely focused on risk, COBIT incorporates comprehensive risk management concepts and activities as part of its IT governance and control approach based on the COSO framework.

Is COBIT an audit framework?

COBIT, created by the ISACA, is not strictly an internal or external audit framework but provides strong support for IT audit activities relating to security, risk, and control. The COBIT framework’s control objectives and guidelines serve as criteria for auditors to evaluate the effectiveness of IT governance, controls, and processes in enabling business goals. Specific ways COBIT supports auditing include:

• Providing a standard for audibility by defining comprehensive, enterprise-wide IT control objectives.
• Establishing maturity models to benchmark and measure process capabilities
• Offering mapping guidance to relate COBIT processes to other frameworks like COSO used in audits
• Supplying management guidelines for auditors on governance, responsibility, and performance

What Is the COBIT Framework Used for?

The COBIT framework serves multiple IT governance, management, and compliance purposes, including:

• Providing comprehensive IT control objectives and activities to govern and manage information and technology assets
• Setting standards for organizations to follow to ensure sound IT resource deployment
• Helping align IT with enterprise-wide business requirements, risk management policies, and delivery of value
• Offering guidance to manage risk, ensure regulatory compliance, and meet overall business goals
• Integrating multiple other IT best practice frameworks like COSO, ISO standards, ITIL, and CMMI

COBIT 2019 vs. COBIT 5

The current COBIT framework is known as COBIT 2019. It supersedes the previous version, COBIT 5, which debuted in 2012. 

COBIT 5 was created in response to the increasing number of organizations migrating to the cloud. This version gave companies a standard set of guidelines to combat the steady rise in risk from cloud-based technologies. 

COBIT 5 incorporates five strategic principles, which emphasize the elements of IT governance that match enterprise needs:

• Meeting stakeholder needs: introduces cascading goals to ensure that those receiving benefits and those bearing risks are considered in decision-making. 
• Covering the enterprise end-to-end emphasizes that an enterprise risk management (ERM) approach to IT must incorporate all information, technologies, and processes. 
• Applying a single integrated framework: maps multiple standards to a single governance and management framework for the enterprise. 
• Enabling a holistic approach integrates processes, organizational structures, culture, policies, information, infrastructure, and people to manage the interconnectedness of governance across the enterprise. 
• Separating governance and management: needs evaluation to distinguish between prioritized direction and tracking activities. 

COBIT 2019 is considered an update to COBIT 5, using the same foundation alongside new and more relevant developments. It gives organizations a more flexible framework to solve specific problems or can be adopted. 

ISACA lists the following as the most essential COBIT 2019 updates:

• Improved focus areas and design factors enable organizations to establish risk management practices quickly and place other governance protocols based on individual requirements. 
• More aligned with global risk management standards, security standards, other universal frameworks, and most protocols. 
• It comes with regular updates to ensure compatibility with new and upcoming technologies. 
• More prescriptive guidelines, which support more integrations with governance and risk management. 
• Open-source model that incorporates feedback into future updates to the framework, which are evaluated by the steering committee for consistency and quality.
• Stronger focus on newer technologies and methodologies and updated operational practices, including cloud-based systems and outsourcing.

Since its creation, COBIT has helped organizations improve their performance by managing their data, information, and technology. Overall, COBIT guides companies in developing a successful governance strategy while allowing businesses to tailor it to their operations.

What Is COSO?

Used for financial and internal reporting, the COSO framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides an applied risk management approach to internal controls. Updated in 2013, COSO integrates risk considerations into designing and implementing internal controls and strategic objectives. 

While COSO control objectives cover effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations, its primary role is fiduciary. 

Like COBIT, COSO consists of five interrelated components to convey the framework’s principles:

• Control environment describes the culture and ethics contributing to the framework’s ability to work effectively. This includes the overall organization but mainly refers to the behavior of top management–those responsible for implementing the controls in place. 

• Risk assessment: after establishing the control environment, your organization needs to address any risks and understand how they relate to your objective. A risk assessment will help you identify and implement controls against internal and external risks. Every organization’s risks differ depending on several factors, including nature, industry, objectives, etc. 

• Control activities: defining the processes and procedures that organizations implement against identified risks. Control activities are based on the type of risk they respond to. Commonly used control activities include authorizations, approvals, reviews, physical and digital security measures, verifications, reconciliations, segregation of duties, management, organization, etc. 

• Information and communication refers to the flow of information to the relevant authorities so that they may implement the appropriate control activities. Having the proper channels for information and communication with management and personnel is critical for implementing control activities. 

• Monitoring: once control activities are in place and communicated to management, you will need procedures to monitor them. Regularly reviewing and monitoring will help your organization identify deficiencies in your control activities and find a solution. 

COSO defines “internal control” as a process designed to ensure efficiency and effectiveness in achieving a company’s objectives and confirm the reliability of its financial reporting in line with relevant laws and regulatory compliance issues. Internal controls are an ongoing process affected by a commercial organization’s board of directors, management staff, and other team members. 

The COSO defines ” control ” as any proactive measure put in place by management to achieve an objective. Management’s objectives are intended to address risk, including the possibility of financial or operational loss. 

In addition to financial objectives, controls may address issues such as integrity, confidentiality, security, and broader operational aims like efficiency, stability, reliability, and scaling. 

Controls may take several forms, including:

• Automated: these are strong financial controls and are programmed with a comprehensive logic that should stand up to intense statistical testing. 
• Partially automated: these controls are implemented by people interacting with IT systems. Under the COSO framework, these systems are called “electronic evidence.”
• Manual: these controls are entirely dependent on human operations, with no IT element involved. 

Within the COSO framework’s control environment, management must first assess the risk associated with not being able to meet specified business objectives: a risk assessment. After a risk assessment, controls are implemented to address any identified risks adequately. 

Relevant data is captured and transmitted across the enterprise on an ongoing basis to maintain a practical overview of the organization and its control environment. In response to changing business conditions or changes in the compliance regime, the whole process is continuously monitored and modified as necessary. 

COBIT vs. COSO

COBIT and COSO may seem similar, but they perform different functions for organizations. 

COSO articulates key concepts organizations can use to enhance internal controls and avoid fraud. COBIT helps organizations achieve objectives, both through and regarding information technology. 

That said, COBIT and COSO can be used together to organize a company’s enterprise IT landscape.

COBIT and COSO also work together to create a controlled landscape and a risk and governance model that fosters compliance and information security. 

While ISACA explicitly references COSO’s fiduciary role, it also extends COBIT’s role to cover quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. 

COSO was initially designed to help with SOX compliance obligations for financial reporting and, therefore, is somewhat limited in considering an organization’s IT environment. COBIT explicitly addresses an enterprise’s IT landscape. 

The two frameworks complement each other as an organization develops an overarching risk, compliance, and governance program. 

COBIT and COSO also sometimes cater to different audiences. While COSO appeals to management at large, COBIT is intended for management, users, and auditors. 

Although COBIT specifically focuses on IT controls, both COBIT and COSO view control as an entity-wide process.

Why Use COSO and COBIT Frameworks?

There are several key benefits for organizations to use the integrated COSO and COBIT frameworks together to strengthen governance, risk management, and compliance:

• The COSO framework focuses on financial reporting controls. In contrast, the COBIT framework more broadly covers IT governance. Using both together provides comprehensive, enterprise-wide coverage of internal controls.
• COSO provides high-level principles and guidance for financial control objectives, while COBIT offers more granular and detailed control activities and IT process guidance. The two frameworks complement each other exceptionally well.
• Mapping relevant COBIT IT processes and control objectives to COSO principles enables better integration of critical technology controls into overall internal control frameworks.
• Leveraging COBIT allows validation that technology controls adequately support COSO compliance requirements around reporting, operational efficiency, and risk reduction.
• The integrated COSO/COBIT frameworks strengthen IT governance, risk management, and regulatory compliance practices organization-wide.

Do Organizations Need Both COBIT and COSO?

Whether an organization needs ISACA’s COBIT framework and the COSO internal control framework depends mainly on its regulatory environment, complexity, and business requirements around IT, compliance, and reporting.

COSO may fully meet the governance and financial control needs of smaller or less complex entities focused narrowly on financial compliance and external reporting.

However, for enterprises in highly regulated industries or those with very expansive technology environments, adopting COBIT as a complement to the COSO framework can provide immense benefits. Adding COBIT delivers more granular IT governance and control guidance tailored to managing technology risk and enabling performance. It also facilitates tighter control integration between IT and finance functions.

COSO and COBIT offer comprehensive and robust coverage supporting enterprise-wide governance, regulatory compliance, risk optimization, internal control, and audit preparedness. An integrated COSO/COBIT approach is highly advisable for most complex, global organizations.

Mapping COBIT to COSO

Mapping COBIT to COSO involves examining each framework’s objectives and determining how they best apply to one another. 

High-level mapping gives auditors a point of reference when reviewing technology’s role during an internal controls assessment, usually for financial reporting. 

For example, service organizations governing their compliance under COSO can map their principles to COBIT processes to determine which key practice goals include both. 

It’s essential that external auditors first select the relevant IT control objectives from COBIT when defining their SOX scope under the five internal control components. COSO should be the primary SOX reference for internal auditors, while COBIT should be a secondary resource.

Under COSO, organizations must assess risk to determine critical environments and assure mitigation. 

External financial reporting must reflect the underlying transactions and events as part of this process. COBIT aligns with this requirement by providing specific ways to assess IT risks. 

Ultimately, the specific definitions of controls within COBIT create strategic alignments to COSO that enable quality compliance and monitoring. 

As an example, the IT Governance Institute’s IT Control Objectives for Sarbanes-Oxley depicts an alternative view of the COBIT to COSO and presents the relationship between COSO, COBIT, and SOX sections 302 and 404 in the following table:

COSO Internal Control Components	COBIT Domains (With sample control objectives relevant to SOX)
1. Control Environment	Planning and Organization (PO):  PO 4.2 — Organizational placement of the IT function. PO 6.1 — Positive information control environment. PO 6.2 — Management’s responsibility for policies.
2. Risk Assessment	Planning and Organization (PO): PO 9.0 — Assess risks.
3. Control Activities	Acquisition and Implementation (AI): AI 1.4 — Third-party service requirements. AI 6.0-6.8 — Manage changes. Delivery and Support (DS): DS 5.0-5.21 — Ensure system security. DS 11.0-11.30 — Manage data*. *Application control evaluations and the American Institute of Certified Public Accountants (AICPA) SysTrust reports can supplement COBIT’s data management control objectives.
4. Information and Communication	Planning and Organization (PO): PO 6.0-6.11 — Communicate management aims and direction.
5. Monitoring	Monitoring (M): M 2.0-2.4 Assess internal control.

Beware that mapping COBIT to COSO’s internal control framework can only capture a high concentration of the associated processes. COBIT does not map 100 percent to COSO. 

This shouldn’t deter auditors from using existing frameworks alongside each other. Organizations should treat these frameworks as reference material and a basis for formulating their own integrated and customized control framework for SOX. 

The AICPA also provides an Excel spreadsheet to help visualize mapping and incorporates 414 rows that engage multiple COBIT alignments within each. 

However, Managing these controls’ compliance with mapping to COSO can quickly become overwhelming. Add mapping other compliance architectures to COBIT, and it becomes a nearly impossible task. 

How ZenGRC can help

Fortunately, there is a Governance, Risk, and Compliance (GRC) software solution that can help. 

ZenGRC from RiskOptics provides seed content, allowing organizations to onboard in as little as six weeks and align their controls to COBIT. 

Once controls are aligned, you can map them to COSO (or any other compliance framework) using ZenGRC’s gap analysis tool, which harmonizes controls across multiple standards to ease the compliance burden across frameworks. 

ZenGRC’s compliance dashboard also provides color-coded audit readiness markers, offering instant visual insight into organizational gaps. 

While COBIT requires organizations to engage enterprise-wide stakeholders with ongoing communication, ZenGRC eases the administrative burden by eliminating emails, allowing varied stakeholders to communicate more efficiently. 

Schedule a demo today to see how ZenGRC can help your organization map COBIT to COSO for compliance and more effective IT governance.

Most organizations have at least one thing in common: they generate and consume more and more data yearly. Dealing with all this data can be overwhelming, especially for those organizations that haven’t fully embraced the digital transformation and the cultural shifts that come with it.

As your data grows, so does the risk that your data will be exposed to unauthorized parties in a security incident called a data breach or a data leak. Today, data breaches are one of the most severe cybersecurity threats faced by organizations worldwide. Likely, the number and frequency of these events will only continue to soar in the coming years.

Data risk management is the process your organization uses throughout the data lifecycle to enforce data security and eliminate data risk. From creation to retirement and during acquisition, transformation, and usage, a data risk management program ultimately works to keep your data safe from internal and external cybersecurity threats.

One of the most important components of a successful data risk management program is Data Loss Prevention (DLP), a set of tools and processes to ensure that your organization’s sensitive data isn’t lost, misused, or accessed by unauthorized parties.

In this article, we’ll look at data loss prevention, discuss why it’s essential, and introduce some of the best practices for creating a DLP strategy and policy that protects your organization’s most sensitive data from cybersecurity threats.

What is Data Loss Prevention?

Almost every organization creates, transmits, and stores sensitive data. Sensitive data is information that must be protected against unauthorized access to safeguard the privacy or security of an individual or organization. This data might be intellectual property, databases, or entries on a spreadsheet containing Personally Identifiable Information (PII).

While PII, like names or birthdays, might not seem incredibly important to protect, they can be used by malicious actors to steal the identities of those whose PII was exposed. PII can also contain sensitive information, such as social security and driver’s license numbers, you wouldn’t want on the dark web. PII can belong to your employees, customers, or stakeholders; sometimes, it’s protected by law.

For example, the European Union’s General Data Protection Regulation (GDPR) protects consumers’ personal information in the EU, and the California Consumer Privacy Act (CCPA) protects the personal information of consumers who live in California.

These data privacy laws, and others, protect consumers from having their data unintentionally leaked or lost due to a malicious actor, insider threat, or unknowing employee. When an organization falls victim to a data leak or data breach, it usually results in significant financial loss, reputational damage, and any regulatory and legal consequences.

The average cost of a data breach was $4.2 million in 2021. While most money usually goes toward repairing reputational damages and loss of business, a lot goes toward paying the hefty non-compliance fines associated with the above regulatory and compliance standards and more.

Unfortunately, even with regulatory and compliance standards in place, it often takes organizations a long time to identify a data breach has occurred – about 197 days, to be exact. Even those organizations that do catch data leaks early often can’t do much about it because it’s already too late.

This isn’t good news for consumers. In 2021 alone, more than 281 million people were affected by some sort of data breach, surpassing the total number in 2020 by 17 percent. As more consumers are influenced by data breaches resulting from organizations’ poor or nonexistent data loss prevention strategies, their expectations about data privacy will only continue to increase. Organizations that want to stay relevant must prioritize DLP and transparency if they remain in business.

While most cybersecurity strategies to prevent data breaches focus on addressing external security threats like malware and phishing attacks with firewalls and antivirus software, data loss prevention strategies focus on addressing internal threats such as a disgruntled or negligent employee. Many organizations simply don’t realize or want to acknowledge that these types of insider threats can pose severe risks to their business.

Meanwhile, insider threats account for nearly 60 percent of all data breaches. For this reason and more, your organization needs a DLP strategy to help you detect and prevent potential data breaches by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest.

Types of Data Loss Prevention

Generally, there are four types of data loss prevention: endpoint DLP, storage DLP, network DLP, and cloud DLP. Your DLP strategy should address each of these types of DLP to ensure the security of your data.

• Endpoint DLP (data in use): this includes data residing on devices such as desktop computers, laptops, USB storage devices, or virtual desktops.
• Storage DLP (data at rest): this is usually unstructured data residing on a server or structured data residing on a database.
• Network DLP (data in motion) includes data that transits or leaves the network to the Internet, including emails.
• Cloud DLP includes data residing on the cloud or in personal email providers.

Which types of DLP you choose to prioritize will ultimately depend on your organization’s specific needs and should inform any decisions you make regarding which DLP solutions you select to automate parts of the process.

DLP Solutions

Ideally, your DLP strategy should integrate DLP tools, including DLP software, with a holistic program to protect your data from internal threats throughout your organization. This means you’ll need to create a DLP policy tailored to your business needs and address the added challenge of selecting the best DLP solution to help you implement and maintain your data loss prevention program.

Regarding DLP software, the core components haven’t changed much in the last few years, except cloud computing. Most DLP solutions are designed to discover and analyze the content and the context of your organization’s data to determine if it matches a pattern or expression. Once a pattern is reached, the software will generate and send a violation notification or alert to management for review.

Which patterns you define will depend on the types of data you’re most concerned with protecting. Still, it often includes easily recognizable data like social security numbers, credit card numbers, HIPAA terms, keywords, or any other alphanumeric patterns you want to define.

Most DLP solutions also utilize fingerprinting, which is performed by algorithms that map data to shorter text strings to create unique identifiers for their corresponding data and files- much like the human fingerprints used to identify individual people. Fingerprinting is especially useful for organizations that identify sensitive data within forms.

DLP products use a discovery engine that crawls your data, indexes it, and makes it accessible through an intuitive interface. This allows for quick searching for data, including information about its sensitivity and ownership.

Later, we will discuss in more detail how you should choose a DLP solution that supports your DLP strategy and can easily integrate with your DLP policy. Next, we’ll introduce some of the most common data loss prevention mistakes and how to avoid them.

Most Common Data Loss Prevention Mistakes

When it comes to DLP, a lot can go wrong. First and foremost, many organizations simply don’t understand that a DLP is intended to restrict the flow of information both internally and externally. Ultimately, this will categorically impact how business is done.

It’s a classic risk vs. reward situation: don’t implement DLP and face the risks, or do implement DLP and meet different types of risk. In most cases, implementing DLP outweighs the risk of not implementing DLP, and many organizations find that any business interruptions a DLP program might introduce are worth it in the long run.

While most organizations want to implement a DLP strategy, some security experts suggest they rarely make it to the blocking phase. This is because there is often too much focus on acceptable tuning DLP policies and procedures to eliminate false positives and insufficient actual blocking. Organizations implementing DLP can spend months or even years working to ensure that their DLP program only generates valuable information.

Today, most organizations generate insurmountable amounts of sensitive information, so you must decide which data to protect. Cast too broad of a net, and you’ll likely have more false positives. But cast too narrow of a net, and you’ll only be able to address one specific business area, leading to much-missed content.

Organizations with a DLP strategy must understand that there are better ways to stop data loss than DLP. It just isn’t designed to stop intentional leaks. But, it can help you find out about them.

At its core, DLP mainly acts as a deterrent for your staff and any other internal actors to let them know that you’re closely monitoring specific types of activity. There will likely be a noticeable decrease in threatening internal activity simply because people know you’re watching.

Now that you understand DLP better, why it’s essential, and some of the most common mistakes organizations make when implementing it, it’s time to introduce some of the most important best practices when creating and maintaining a DLP strategy for your organization.

Creating the Best Data Loss Prevention Strategy

Unfortunately, there isn’t a one-size-fits-all approach to data loss prevention. What you choose to monitor and how you choose to address DLP will ultimately depend on your organization’s specific needs. However, some data loss prevention best practices can be applied to any DLP strategy, regardless of your organization’s unique business processes.

Pick the Right Team

As with any business program, the first step is to ensure that you have the right people to put the technology in place and carry out the necessary processes. Who you put in charge of your DLP program will drastically affect the program as a whole, so choose wisely.

Start by creating an internal DLP committee composed of senior leaders, business unit managers, legal, and infosec management. Each party clearly defines its role and responsibilities in the DLP strategy. Specify who owns which data, which IT security officers are responsible for which aspects of security incident investigations, and so on.

Start with a Plan

This is where you’ll start to develop your DLP strategy, but before you put that strategy into writing with a DLP policy. A well-thought-out plan can mean the difference between failure and success, so put as much time and effort into this step as necessary.

Start by identifying your proverbial crown jewels, the most critical data your organization owns. This could be intellectual property, PII, or other sensitive information you must protect at all costs.

Then, you need to define your metrics. DLP is an excellent system to show how much data is getting flagged and where the most significant issues are, but before you get into data analytics, you need to decide what you’re monitoring for. Think about your business goals: what’s essential to your organization?

It’s important not to try to boil the ocean here. Go for small wins instead of aiming to check off every single policy available. Ultimately, you don’t want to overwhelm your system with massive incidents.

At the very minimum, here are the basic parameters you should define:

• Which organizational data needs to be protected.
• Where that data resides.
• The conditions for accessing different types of data.
• Actions to be taken in case of information security incidents.
• What information is to be archived, and when?
• Any threats to your data.

Build Out Your DLP Strategy

You’ll need to start with data identification and classification to identify some of the abovementioned parameters. Ultimately, before you protect your data, you need to know what critical data you have and where it lives.

Using data discovery technology to scan your data repositories and report on any findings will give your organization visibility into what you need to protect. Together, data discovery and data classification technology help organizations control user data access and avoid storing sensitive data in insecure locations, which can reduce the risk of data leaks and data loss.

You should also put strict controls in place to prevent users from falsifying classification levels. Access control lists (ACLs) are lists of who can access what resources and at what level. ACLs are often based on whitelists (allowed actions) or blacklists (prohibited actions).

Consider using encryption for critical business data at rest or in transit to keep your data safe. Securing all the places where sensitive data could reside, even temporarily, will help prevent breaches or leaks without a DLP policy. Finally, your organization should avoid saving unnecessary data at all costs.

A rigorous patch management strategy is also essential to data protection and cybersecurity. Patch management will help your organization ensure that all your operating systems and applications in your IT environment are current. Patches for critical infrastructure should also be thoroughly tested to ensure that no functionality is compromised and no vulnerabilities are introduced into the system.

Create Practical Policies and Procedures

Once you have a team, a plan, and a DLP strategy, it’s time to put it into writing with a DLP policy. This is where things often get tricky for organizations. Putting a DLP policy into place means finding the right balance between being too restrictive and too loose.

For example, suppose part of your business process involves one employee sending sensitive information to another employee. In that case, you’ll need to ensure there are ways to do this securely. If you’re going to replace old procedures with new ones, you need to make sure that they’re going to work for your employees and that they’re going to follow them.

After you create your DLP policy, you’ll want to test it. Conduct a proof of concept exercise to replicate functionality and test feature sets. This stage can be compared to a pilot test to ensure your policy and technology will meet your compliance needs and observe the deficiencies in your triage process.

Educate End Users

As mentioned above, simply letting your employees know you’re watching is often enough to deter intentional internal threats. Any successful DLP program should begin with an educational program. Your employees and stakeholders are much more likely to understand and accept any changes brought about by your DLP program if you tell them why it’s essential and what’s at stake.

Data loss often results from simple end-user mistakes, i.e., sending credit card info via email or losing a USB storage device containing sensitive information. In these cases, end users often don’t know they’re doing anything wrong. Sometimes, internal threats are made up of malicious actors, but DLP will likely deter many of those actions. The more protections you have, the less likely you will be targeted.

Shift the Culture

A successful DLP strategy will necessitate a cultural shift, as with most programs. You will likely require end users to take different actions than they’re used to, so there will be a learning curve. Teaching an old dog new tricks can be challenging, which is becoming especially apparent with cloud storage.

Unfortunately, many DLPs die when senior executives don’t support the cultural shift that comes along with them. A top-down approach means engaging executive and senior leadership to direct the DLP program by providing input on what’s critical to your organization.

In the end, if you make severe changes to business processes due to DLP, you also need to provide your employees with solutions to replace those no longer considered secure processes.

Monitor and Repeat

As part of your DLP program, you must regularly inform stakeholders of its state. Holding monthly or quarterly meetings will provide you with additional input to help continuously drive the program and ensure the quality of the investment is operating optimally.

Ultimately, the more DLP processes that can be automated, the better. That’s why choosing the right DLP solution is critical.

Choose Tools to Help

Implementing a DLP platform can be expensive. You should be sure that the capital investment is based on a sound cost-benefit analysis, risk assessment, and vendor assessment. Once you’ve determined how much you can afford, you should define your expectations for DLP software and start looking for vendors that meet your requirements.

Start by researching multiple vendors, and think about consulting with peers in your industry to find out who they use for DLP to gauge their satisfaction with support, incident workflow, and overall confidence level.

Which DLP software you choose will ultimately impact which data will be protected. For example, if your organization doesn’t manage unstructured data on-premise or in the cloud, it probably wouldn’t be wise to invest in an expensive enterprise DLP solution that offers an entire suite of DLP features.

Best practices for Data Loss Prevention (DLP)

Implementing an effective Data Loss Prevention (DLP) program requires careful audits, security policies for classifying data, and incident response plans for cyber attacks. Follow these best practices to help safeguard messaging apps, authenticate users, and protect confidential and financial data from hackers:

• Classify your data: Categorize data by sensitivity level per PCI DSS standards and establish Microsoft Windows permissions and policies to restrict unauthorized user access based on classification. This allows you to prioritize protection for your highest risk of data loss information.
• Discover where sensitive data resides: Scan databases, file shares, email systems, and endpoints to locate where confidential data is stored. Understanding real-time network traffic flow is critical to detecting suspicious activity.
• Establish user access controls: Permit access to sensitive data on a strict need-to-know basis aligned with your data loss prevention policy. Controls may include role-based access, encryption, masking financial data, etc.
• Set up DLP monitoring rules: Configure rules that detect potential hacker data breaches or policy violations in real-time. For example, set rules that see when users transmit healthcare data outside the network perimeter.
• Standardize data security tools and initiatives: Minimize complexity by standardizing DLP tools across the infrastructure per Gartner recommendations. Define standard data security protocols and configurations.

Prevent Data Loss with the ZenGRC Platform

As organizations generate and consume ever-increasing amounts of data, they often need help using it appropriately, storing, archiving, and destroying it. These days, manually managing the data lifecycle isn’t feasible. It is inefficient and resource-intensive, creating serious security and compliance risks.

The ZenGRC allows you to be more strategic with IT risk management by putting your business activities front and center. Discover a modern way to manage your risk posture with the ZenGRC Platform, allowing you to understand and act on your IT and cyber risks, all in a single unified platform.

Using AI, the relationships between assets, controls, and risks are automatically created, alerting you to changes in your risk posture and making it simple to grow and manage your risk programs. With dashboards and reports that provide contextual insights, it’s easier to communicate with key stakeholders and make informed business decisions with the ZenGRC platform.

Become more strategic with your IT risk management. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization manage risks and compliance.

For many organizations, the transition to the cloud for data storage is inevitable. 

Whether shifting operations entirely to a cloud environment or modernizing your systems using cloud-based applications, you must choose the best cloud computing platform with the best cloud security for your compliance program.

While you won’t need to manage physical servers or storage devices on the cloud, you will need to use software-based security tools to monitor and protect the flow of information into and out of your cloud resources. 

Cloud computing is less vulnerable to security risks than an on-premises data center. For this reason, you must use a Cloud Service Provider (CSP) that provides the best security to fit your needs.

A cloud service provider acquires and manages the infrastructure required for cloud services, runs the cloud software that provides the services, and delivers the cloud services through network access. 

Learn more about cloud computing security challenges and considerations here. 

What is Amazon Web Services (AWS)?

Amazon Web Services (AWS) is one of the more secure CSPs, helping organizations protect their data, AWS accounts, applications, and infrastructure from unauthorized access. 

AWS services constantly change, including Identity and Access Management (IAM), logging and monitoring, encryption and key management, network segmentation, and standard DDoS protection. 

One advantage of the AWS Cloud is that it allows you to scale up and innovate while maintaining a secure environment and paying only for the needed services. 

AWS security also offers some benefits, including visibility and control over services, easy integration, regular monitoring, data encryption services, and a large ecosystem of security partners. 

AWS compliance provides several enabling features, allowing organizations to achieve a higher level of security at the scale they need. For Chief Information Security Officers (CISOs), that’s appealing: cloud-based compliance offers a lower cost of entry and easier operations by providing more oversight, security control, and central automation. 

Using AWS means you benefit from its many security controls, which reduces the number of security controls your organization needs to maintain. 

Ultimately, a properly secured cloud environment results in a compliant environment. 

What is AWS compliance?

AWS compliance means that Amazon Web Services follows the necessary laws, regulations, and best practices for security and data protection in the cloud.

As a primary cloud provider handling sensitive customer information, AWS must comply with many privacy and cybersecurity regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), Federal Risk and Authorization Management Program (FedRAMP), General Data Protection Regulation (GDPR), and others.

AWS compliance includes securing its infrastructure, data centers, and services, putting identity and access controls in place, completing independent audits, and helping customers stay compliant when using AWS. AWS has dedicated teams that keep tabs on new regulations and update their offerings to remain compliant.

By building an extensive, compliant foundation, AWS enables customers to move sensitive workloads to the cloud while reducing the customer’s audit costs and risks. Customers can access AWS compliance documentation through AWS Artifact. Relying on AWS’s compliant infrastructure allows organizations to focus more on their core business goals.

AWS Regulatory Compliance Examples

To help customers verify cloud compliance with industry and government requirements, AWS engages with external certifying bodies and independent auditors to provide detailed information regarding the policies, processes and controls it establishes and operates. 

AWS is certified compliant with global standard-setting bodies, including Cloud Security Alliance (CSA), PCI DSS, and System and Organization Controls (SOC), as well as specific U.S. regulations, including FedRAMP, HIPAA, National Institute of Standards and Technology (NIST), and more. 

However, this does not necessarily mean that the way data is stored within AWS is compliant. Moving your IT infrastructure to an AWS cloud environment means you must share responsibility for securing your data and information with the CSP.

The shared responsibility model reduces the burden on your organization because AWS operates, manages, and controls IT components from the host operating system and virtualization layer to the physical security of the facilities where the services are used. 

At the same time, AWS customers must comply with regulations on using services, consuming applications, and storing data in the cloud. 

Essentially, AWS is responsible for the security of the cloud. Its customers (meaning you) are responsible for security in the cloud. 

AWS customers manage the guest operating system, including installing updates and security patches. They are also responsible for managing associated application software, as well as the configuration of the AWS-provided security group firewall. In other words, AWS provides security tools, but your enterprise must activate and configure them.

Responsibilities vary depending on the AWS services your organization chooses, how you integrate those services into your IT environment, and applicable laws and regulations. 

To securely manage your AWS resources, you need to do the following:

• Asset inventory: Know what resources you are using. 
• Secure configuration settings, patching, and anti-malware: Securely configure the guest OS and applications on your resources. 
• Change management: Control changes to the resources. 

AWS Assurance Programs are grouped into three categories:

1. Certifications and attestations. A third-party independent auditor performs certifications and attestations, and certifications, audit reports, or attestations of compliance are based on the result of the auditor’s work. 

• Laws, regulations, and privacy. These are specific to your industry or function. 

1. Alignment and frameworks. AWS provides security features and documents such as compliance playbooks, mapping documents, and whitepapers. 

AWS and PCI

In addition, AWS provides tools to help its customers stay compliant. For example, PCI cloud compliance requirements and tools include:

• PCI DSS Requirement 8 asks application owners to “identify and authenticate access to system components.” AWS Cognito is an authentication service that allows configuration of authentication and authorization for users and other AWS services and is commonly used to comply with this requirement. 

• PCI DSS Requirement 11 discusses the tracking and monitoring of all access to network resources and cardholder data. AWS CloudWatch and AWS CloudTrail are monitoring tools that can be used to achieve this requirement. 

AWS environments are continually audited, and the infrastructure and services are approved to operate under several regulatory compliance standards and industry certifications throughout geographies and industries. 

These certifications can be used to validate the implementation and effectiveness of security controls. AWS continually adds programs. 

AWS and SOC

AWS SOC reports are independent third-party examination reports demonstrating how AWS achieves critical compliance controls and objectives. 

These reports help you and your auditors understand the AWS controls established to support operations and compliance. 

There are three types of AWS SOC reports: 

• SOC 1 provides information about AWS’ control environment that may be relevant to Internal Controls over Financial Reporting (ICFR), as well as information for assessment of the effectiveness of your ICFR. 
• SOC 2 independently assesses AWS’ control environment relevant to system security, availability, and confidentiality. 
• SOC 3 provides an independent assessment of AWS’ control environment and provides information about system security, availability, and confidentiality without disclosing AWS’s internal data. (A SOC 3 report is similar to a SOC 2 but can be widely shared)

AWS gives your organization the control to comply with regional and local data privacy laws and regulations, no matter where your information is stored. 

AWS and GRC

GRC stands for governance, risk management and compliance – all the rules and safeguards companies set up around security, ethics and safety protocols. As the cloud becomes crucial for business operations, organizations tap into AWS’s solid GRC offerings to confidently pursue growth and innovation on compliant infrastructure.

 

AWS bakes responsible governance into how their global cloud infrastructure runs and delivers services. By handling baseline GRC, AWS enables customers big and small to operate critical workloads with minimum hiccups. Specifically, think state-of-the-art physical security, API access controls, activity logging with AWS CloudTrail, continuous monitoring, and verified ISO 27001 and PCI DSS compliance frameworks.

 

Leaning on AWS’s leading governance, risk and compliance resources allows both executives and technical squads to drive cloud innovation aligned to core objectives and regulatory requirements. AWS helps customers automate GRC with AWS Artifact, AWS Config and more so they can focus on their business goals instead of daily security tasks.

 

FAQs for AWS Compliance

Does AWS Have a Compliance Team?

As the largest cloud provider, AWS employs extensive compliance programs over infrastructure, services, and security standards to satisfy healthcare, finance, government, and other highly regulated customers. Squads of experts maintain legal policies, audits, and controls so AWS customers can build compliant workloads that meet regulations and focus on core business goals rather than compliance costs. 

Is AWS Compliant with GDPR?

AWS shapes up on GDPR – Europe’s strict data protection laws around personal information. Their engineers designed top-notch privacy settings, access limits, data tracking, and encryption to safeguard personal info as required. AWS stays current as GDPR evolves, too. Third parties even audit them regularly just to stamp that seal of ISO 27001 approval. So, if you use AWS in the EU, you can be confident any data housing and handling looks good to regulators.

What Are the Benefits of AWS Cloud Compliance?

By migrating to AWS’s securely configured cloud infrastructure, companies offload compliance burdens to AWS experts and save hugely on related security tools and auditing. Users focus on business goals with confidence that AWS updates configurations along with evolving laws to sustain compliant workloads. AWS provides a reliable launch platform with baked-in compliance frameworks, continuous risk monitoring via AWS Config, and verifiable security standards that build trust with regulators.

ZenGRC Can Help You Meet Your Compliance Goals

As your organization’s cloud environment grows, it will encounter more compliance challenges and need more oversight. If so, you may need more detailed AWS compliance reporting. 

This is where governance, risk, and compliance tools can help. 

ZenGRC is designed to continuously monitor cloud configurations for real-time changes, enabling you to map these configurations to pre-built compliance templates for regulations, including ISO, SOC 2, HIPAA, PCI DSS, NIST, and GDPR. 

Suppose your organization does need to document multiple compliance attestations as part of your AWS cloud compliance. In that case, ZenGRC can help you store all necessary documentation in a “single source of truth” repository. 

ZenGRC also tracks compliance with all your frameworks simultaneously, helping you avoid duplicating tasks. 

Using color-coded dashboards to show you where your cloud security is compliant and where you fall short, ZenGRC also helps you track your workflows so you always know the status of each compliance task. 

ZenGRC also conducts unlimited, one-click self-audits so you can assess your cloud security efforts. 

Worry-free AWS cloud security compliance is the Zen way. Contact us today for a free demo and consultation.