ZenGRC Team

Difference Between GDPR and ISO 27001

ZenGRC Team · November 17, 2020 ·

Many countries around the world have begun to pass legislation that regulates how businesses can collect and use consumer data, and that imposes certain standards of privacy and security that companies must meet while in possession of that data.

One landmark piece of legislation arrived in 2018 when the European Union’s General Data Protection Regulation (GDPR) went into effect. The GDPR applies to all member states of the EU and the European Economic Area (EEA).

Additional privacy regulations have emerged since then, and understanding what each one requires and whom it affects can be cumbersome. Today we want to bring some clarity to the discussion by explaining the difference between GDPR and ISO 27001.

What Is GDPR?

The GDPR mandates that all companies doing business within the EU or that collect the data of EU citizens must comply with strict rules to protect that personal data. It encourages organizations to manage their data security in line with prescriptive best practices and requires compliance of data controllers (businesses that collect the data) and data processors (companies that process data on behalf of others).

What Is ISO 27001?

ISO 27001, or ISO/IEC 27001, is an international standard for information security management systems (ISMS) that organizations can adopt.

ISO 27001 was established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and later revised in 2013 and 2017.

The standard includes requirements for creating, executing, managing, and improving a company’s information security management system. This ensures that organizations will secure their information assets and protect against data breaches.

All organizations that can meet the ISO 27001 specifications can seek certification from an accredited institution that will conduct an audit to ensure the organization’s compliance.

How Are ISO 27001 and GDPR Different?

ISO 27001 is a voluntary certification that requires organizations to take a risk-based approach to how they manage sensitive data. In contrast, the GDPR aims to protect the personal data of EU citizens, and compliance with the GDPR is mandatory for most organizations working in Europe or with EU citizens.

Both ISO 27001 and the GDPR do revolve around risk, and both direct organizations to identify certain risks and controls that can bring those risks to an acceptable level.
Regarding personal data, ISO 27001 incorporates encryption as part of business continuity management as well as the capability to restore data when necessary, in a timely manner. Along similar lines, the GDPR views personal data as something that all organizations must strive to protect.

Where the two regulations differ are in their requirements. For example, the GDPR includes the right of a consumer to have his or her data removed, as well as the right to control how the data is shared with third parties (also known as data portability). ISO 27001 doesn’t directly include such provisions.

Does ISO 27001 Cover GDPR?

The two are similar, but not identical. Here are a few examples of where ISO 27001 and the GDPR overlap, where compliance with ISO 27001 can help an organization to meet GDPR standards.

ISO 27001 and GDPR both require breach notification, but at different levels.

Under both ISO 27001 and the GDPR, companies must notify supervisory authorities of a breach of personal data within 72 hours of discovering it. ISO 27001 also contains standards designed to assure that information security incidents are handled in a consistent way.

The main difference, however, is that the GDPR stipulates that consumers (or data subjects) be notified when the breach poses a high risk of infringing upon their individual rights.

Incident management and infosec solutions like those offered by ZenGRC help organizations be better equipped to detect, report, and manage personal data incidents; and to maintain compliance with the GDPR.

GDPR and ISO 27001 BOTH mandate all regulatory and contractual requirements to be laid out.

To obtain an ISO 27001 certification, organizations must make all legislative and contractual requirements related to their business and their customers available to auditors, so that the audit team can confirm compliance.

GDPR similarly mandates that all statutory and contractual requirements be made available to ensure compliance.

ISO 27001 risk assessment can help organizations avoid GDPR fines

The monetary penalties associated with violating the cybersecurity and data processing requirements outlined in the GDPR can be up to 4 percent of an organization’s global revenue. With consequences so painfully high, companies can’t afford to neglect appropriate risk assessment.

In fact, the GDPR mandates data protection impact assessments, which require organizations to assess privacy risks and vulnerabilities. ISO 27001 requires that same sort of risk assessment too. Therefore, by gaining ISO 27001 certification, an organization can simultaneously assure compliance with GDPR and reduce the chance of costly fines.

The asset management requirements of ISO 27001 help to ensure compliance with GDPR

ISO 27001 treats personal data as information security assets. As such, those assets are subject to constraints around storage, length of storage, collection, and access. Those are also requirements of the GDPR.

The future of GDPR requirements indicate that privacy will be built into business processes in alignment with ISO 27001

Data privacy regulation is getting more complex, not less; with additional provisions and protections being added every year. Looking forward, businesses that want a strategic advantage over competitors will have to incorporate security standards into all aspects of their business.

Companies aiming to comply with ISO 27001 (and other ISO standards like ISO 27701 and ISO 27000) will be well prepared to meet those future expectations since the ISO standard is all about how to protect information assets-personal data or otherwise.

Conclusion

The GDPR mainly revolves around how personal data is collected, where ISO 27001 provides guidance about how data that has been collected can remain confidential and secure.

Furthermore, GDPR’s main directive is to protect the right to privacy for individuals and gives consumers certain rights to see how data of theirs is collected, stored, and shared. ISO 27001, on the other hand, is concerned more with the security controls around data.

If you’d like to learn more about how you can ensure compliance with GDPR or ISO 27001 in your organization, contact us for a demo to see how we can help guide your organization to confidence in infosec risk and compliance.

Vendor Offboarding Checklist for Compliance

ZenGRC Team · November 12, 2020 ·

Every vendor relationship your company strikes allow your business to save money and exploit new opportunities more efficiently. What’s more, every vendor relationship can develop into more ways for you and your supplier to increase value and grow the business.

That said, every vendor relationship should also follow a natural lifecycle— one that begins with initial review and onboarding, and ends with the termination of the supplier’s contract and offboarding.

Procedures for onboarding new third parties are a key part of your third-party risk management program, and hence they are discussed constantly.

Equally important, however, is offboarding. If done poorly, it can leave your company exposed to data breaches, compliance failures, unnecessary costs, loss of valuable equipment, and potential litigation.

That’s why it’s important to have processes in place to identify when and how to end your relationships with third-party vendors and to ensure you complete the procedures associated with terminating those relationships in the right way. (Ideally, you should automate these processes across your company.)

What is Vendor Offboarding?

Third-party vendor offboarding is the process of removing a vendor from your administrative and finance records when you end a contract or a relationship with that vendor. Only conduct vendor offboarding, however, after the vendor has fulfilled all its essential contractual and residual obligations, such as after-sales support and warranties.

You can eliminate potential risks to your company by making certain that you handle offboarding appropriately. This includes ensuring that the vendor can no longer access your physical property or IT systems and that the supplier destroys all your data in its possession. You should also notify your finance department to stop payments to the vendor.

Too often, companies give more attention to the structure and formality at the front end of their third-party management processes: sourcing and procurement, due diligence, risk management, contracting, and so forth. They don’t pay enough attention to the need for carefully considered offboarding procedures.

Vendor Offboarding Checklist for Compliance

Here is a vendor offboarding checklist for compliance to help you when you’re ending a relationship with one of your third-party vendors:

Access to Data and Systems

Organizations give different suppliers different levels of access to systems, (including VPNs, telecommunication systems, and internal applications) for the lengths of their contracts so those vendors can deliver the services they were hired to provide.

Keep a detailed inventory of all the data and systems your suppliers can access, as well as which of their employees have access to those systems and information. You should reference this inventory during the offboarding process to guarantee that you terminate the supplier’s access to your company’s information and systems.

Physical Access to Facilities

Vendors may also need access to your buildings and offices. So also critical to keep a log of the suppliers’ employees who have access to your premises, as well as how they have access: keys to the building, entry codes, key cards, and so forth.

When a vendor’s contract ends and its employees no longer need access to your facilities, ensure that the vendor returns any physical keys, badges, key cards, and the like. You must also notify appropriate employees within your company (receptionists and security personnel, for example) that the vendor no longer has permission to access your facilities. Update any electronic access codes or other internal building access systems as well.

Return of Equipment

If a vendor has borrowed your equipment to perform its contractual obligations, have a process in place to ensure that all your property is accounted for and returned. For example, you can use software to document, tag, and identify any equipment that you issued. Then check whether the vendor returns that equipment at the end of the vendor’s contract. You should also document the condition of the equipment when the vendor returns it.

The inventory you generate should also include what data, information, and intellectual property were provided to the vendor. Work with that vendor to ensure that it returns what it’s able to return, and deleted or destroyed what it can’t.

That said, not all data can be destroyed; it may reside on backup tapes, and some regulations mandate that data is preserved for a period of time. In that case, get assurances from your supplier that it will safeguard your information until those files can be destroyed.

Review the Contract

The journey from the beginning of a vendor contract to its end is often different than the terms outlined in the original agreement. The scope of an engagement can change over time; unplanned delays arise. Things happen.

Throughout the tenure of the contract, then, document any changes in the contract — specifically those that affect the contract deliverables. Then, during the offboarding process, check that the vendor did indeed deliver all the goods or services it was contracted to provide.

And as your vendor relationship changes over time (for example, if you have to expand the supplier’s services) remember to update the scope, controls, and termination provisions throughout the relationship. You don’t want to look for these necessary items during the offboarding process and realize that they’re missing.

Ongoing Security

It’s critical that you and your vendor review any security policies (including privacy policies) that are related to the contract. You must remind the vendor of provisions and requirements that continue even after your relationship has ended, such as confidentiality and privacy. Get formal acknowledgment from your vendor that it will continue to adhere to the provisions of the contract that continue even after the contract or relationship has concluded.

Final Payments

Pay all your vendor invoices, and ensure that any outstanding debts or refunds owed to you are paid as well.

Update the Vendor Profile

When a relationship with a vendor ends, the vendor’s profile should be updated accordingly. Check the accuracy of the vendor’s legal name, the names of your primary points of contact, what active contracts you may still have with the vendor, and so forth. This will help you keep an accurate inventory of your third-party supplier relationships.

Vendor Lifecycle Management

Each vendor in your company’s supply chain has a lifecycle that starts with the initial review and onboarding and ends with the termination of the vendor’s contract. Vendor lifecycle management allows you to acknowledge the importance of your vendors and incorporate them into your procurement strategies. Vendor offboarding is the final part of the vendor lifecycle management.
The vendor management lifecycle generally consists of:

Vendor identification: shortlisting potential suppliers. This includes cross-checking whether the shortlisted vendors and the offers they submit match your required specifications.
Vendor selection: ensuring whether a specific supplier can deliver the necessary goods or services.
Vendor segmentation: classifying each shortlisted vendor according to specific metrics, including lifecycle cost, availability, quality of goods or services, and support.
Vendor onboarding: gathering all the data and documents necessary to add a vendor to your approved list of vendors. This can include due diligence checks on prior litigation, poor customer reviews, audits of security controls, and the like.
Vendor performance management: measuring and analyzing how a vendor performs throughout the contract to identify weaknesses and reduce vendor risks.
Vendor information management: collecting data from every step in a vendor lifecycle right from onboarding through offboarding.
Vendor risk management and assessment: identifying, analyzing, and mitigating supplier risks.
Vendor relationship management: identifying your most important vendors and cultivating long-term relationships with them.
Vendor offboarding: removing a vendor from your finance and administrative records when you end a vendor contract or relationship.

To remain competitive and get more out of your vendor relationships, you must adopt new technologies to streamline your vendor lifecycle management processes — including offboarding. Automated vendor lifecycle management helps companies operate more efficiently. It can build better vendor relationships by improving engagement and transparency, and by reducing risks.
Again, offboarding is one of the most neglected parts of vendor lifecycle management. Don’t approach the end of a supplier relationship in such a haphazard way; rather define the offboarding process during the onboarding process, so that the end of the relationship can happen smoothly and precisely.

How to Implement a Vulnerability Management Process

ZenGRC Team · November 10, 2020 ·

Software solves many problems and improves many processes, but the code software depends on is never perfect. That fact of life leaves your software and the data within open to new vulnerabilities including hacking, exploitation, and theft.

Because of this, businesses must task their security team to create a vulnerability management solution that can identify, assess, remediate, and report code vulnerabilities. The goal: to prevent unwanted access to your software that can cause expensive, punitive, or even devastating damages to your business.

Why is vulnerability management required?

First, understand that your business will encounter a vulnerability; no system is immune. For some organizations, vulnerabilities have minimal impact. For most, the impact is anywhere from moderate to debilitating.

Left unaddressed, vulnerabilities expose your business to costly lawsuits, reputation-ending data breaches, or even closing your doors. Without the foresight to anticipate and manage vulnerabilities in a timely—and many instances preventable—manner, you leave the survival of your company up to chance.

Broadly speaking, vulnerability management has two components: investing in ISO certification, and setting up a vulnerability management system.

Investing in ISO certification. While ISO certification isn’t required, being ISO 27001 certified demonstrates that your business has built a disciplined, systematic approach to managing sensitive data and avoiding data breaches. Certification instills trust among customers and staff as they provide sensitive PII data to your company. To get certified, you will need to create your own ISO certification checklist.

Establishing a vulnerability management system. This step is crucial for the unavoidable fact that a vulnerability will arise eventually. By establishing a risk management plan, you may be able to mitigate or even prevent serious legal and financial repercussions as a result of a vulnerability.

What are the steps in the vulnerability management process?

Working with your security team, you can implement a comprehensive vulnerability management program that suits your organization, needs, and data infrastructure. This typically happens in four phases:

Identify: The most important stage of vulnerability management is actually identifying the issue. You can identify vulnerabilities in two ways.
- Proactively: Many companies choose to invest in cybersecurity tools such as scanners or penetration testing tools. These vulnerability detection tools allow you to automate a cadenced, code-base audit and search for ways to break into your system to expose new vulnerabilities. Vulnerability scanning is akin to a detective poking around for flaws in the background. When an issue is discovered, the tool will identify the vulnerability’s severity for developers to remediate accordingly.
- Reactively: In the absence of a cybersecurity tool, companies could identify and handle vulnerabilities on a case-by-case basis. In some cases that will require basic patching from a developer; n in other instances, much more. Most common vulnerabilities will show themselves eventually, by either a customer or employee identifying an issue. This approach is much less systematic and efficient and presents a high risk for your company—since the wrong hack or flaw can cause an incredible amount of damage as every minute passes.
Assess: Identified vulnerabilities range significantly in their severity, so it’s critical to have a system that assesses their impact. Start by creating a set of criteria in advance so that once a vulnerability is identified, you can assess its projected impact quickly and prioritize accordingly.

Consider using risk ratings or a CVSS (common vulnerability scoring system) to provide more perspective. For example, a vulnerability scanning tool or penetration testing tool may flag hundreds of results, but only a few may actually apply to your company. Risk ratings or CVSS can help you weigh the costs and benefits of each scenario: Is this vulnerability something minor that we can live with? Is it something we can patch to mitigate the impact? Or is it something that could cause us not to be ISO Compliant? And to what extent?

Start by identifying what your greatest threats are. This will involve asking yourself tough questions such as, “What’s more critical: getting our site back up, or protecting customer data? Shielding financial documentation, or exposing proprietary intelligence?” This process should help you determine which vulnerabilities are relevant to your business and actually worth fixing.

Remediate: Having the right vulnerability response plan (and personnel) in place for treating each vulnerability could spell the difference between intercepting a vulnerability before it’s a problem or having a substantial security breach. First, identify who the lead is on remediation. Second, identify the prioritization of that vulnerability.

Below is a set of questions to ask as you remediate a vulnerability:

- Who is responsible for the part of the system that contains the vulnerability?
- Must the issue be remediated right now, or can go into the queue?
- Upon remediation, does the patch need to be validated and reviewed, or can it be deployed immediately?
- Does anyone need to be notified, such as our customers or team?
- Has this vulnerability been exploited by anyone?
- Do you need to disable the functionality of your product to remediate safely?

Regardless of the nature of your business, by creating this criteria now, you’ll have a clear plan of action for prioritizing, triaging and treating each vulnerability as it is identified and assessed.

Report: You should also leverage a vulnerability risk assessment tool to run continuous checks, and to keep reports that detail which vulnerabilities were identified and how they were remediated. By flagging trends in flaws and vulnerabilities, your team might be able to identify a greater issue in the code and build stronger code over time—protecting your software, your data, and your business from security risk. Moreover, when a vulnerability appears again sometime in the future, detailed reports provide a record of what remediation steps worked before, which ones didn’t, and how to handle the threat most effectively.

What are the roles and responsibilities in the vulnerability management process?

The size of your security team will vary depending on the overall size of your company, but it’s critical that each step listed above has a corresponding owner (and in many cases, a team) to support it. Below are the roles and responsibilities required to carry out effective vulnerability management:

IT Security Officer: You will need someone to own the entire information security process. This person will design your vulnerability management process, determine which tools your company invests in, champion your ISO Certification, own the reporting function, and have ultimate responsibility for the security of your IT department.
Vulnerability Engineer: This person is responsible for implementing, managing, and using the vulnerability scanning and penetration tools to run checks on your system. He or she is responsible for the identification of vulnerabilities, big or small.
Vulnerability Assessment Officer: This person designs and oversees the criteria by which your company determines, ranks, and prioritizes the remediation of vulnerabilities. He or she works with the vulnerability engineer to review their scans.
System Administrator or System Engineer: This role may often have a team of “asset owners” responsible for mitigating and remediating identified vulnerabilities according to the vulnerabilities’ severity and priority.

Managing sensitive data comes with tremendous and inevitable risk. How your business chooses to prevent, assess, and manage that risk, however, is entirely up to you. To learn how ZenGRC can help you get ISO certified and implement a comprehensive vulnerability risk management plan, contact us today.

November 2020: Compliance Certification Roundup

ZenGRC Team · November 7, 2020 ·

Each month, ZenGRC highlights companies that have earned compliance certifications for information security frameworks

Here’s our November 2020 roundup of recent compliance news from around the United States and the world.

PCI Certification

PCI certification and compliance are two different, but related, designations.
PCI certification is a more rigorous process. It involves an intensive audit performed by a Qualified Security Assessor (QSA).
PCI compliance means a company follows best practices to help protect Cardholder Data (CHD) following the guidelines set by the PCI Council.

In October, Teraco, Johannesburg, South Africa, a vendor-neutral data center, completed its International Standard on Assurance Engagements ISAE 3402 Type 1 attestation for the trust principles of security and availability. These new credentials supplement Teraco’s existing PCI DSS certification for physical security across its data centers in South Africa. Read more about Teraco’s certification here.
In October, Aiven, Helsinki, Finland, a tech company that combines open-source technologies with cloud infrastructure, completed its PCI DSS compliance requirements. Read more about Aiven’s certification here.
In October, BCS, Addison, Texas, a data center operations provider, successfully completed its SOC 2 Type 2 report and PCI DSS assessment. Read more about BCS’s certifications here.
In October, Baiduri Bank, Bandar Seri Begawan, Brunei, earned its PCI-DSS V3.2.1 for the seventh consecutive year. Read more about Baiduri Bank’s latest certification here.
In October, Dialog Axiata PLC, Colombo, Sri Lanka, a telecommunications service provider, earned its PCI DSS Version 3.2.1 for the fourth consecutive year for its mobile payment platform Genie. Read more about Dialog Axiata PLC’s latest certification.

ISO Certification

ISO standards concern many industries. The three primary ISO standards that help organize compliance for companies looking to create IT programs: IT, ISO 27001, ISO 31000, and ISO 9001.

In October, Doha Bank, Doha, Qatar, earned a continuation of the ISO 20000 certification for its compliance to global standards for IT Service Management. Read more about Doha Bank’s recertification.
In October, Central Warehousing Corporation, New Delhi, India, government-owned warehouse storage and handling service provider, earned its ISO 37001:2016 certification for establishing, implementing, and maintaining an Anti-Bribery Management System in the organization. Read more about Central Warehousing Corporation’s certification.
In October, Yggdrasil Gaming, Stockholm, Sweden, the worldwide publisher of online gaming content, earned an ISO/IEC 27001 certification, proving its commitment to information security standards. Read more about Yggdrasil Gaming’s certification.
In October, Geotab, Toronto, Canada, a global leader in IoT and connected transportation, earned its ISO 27001 certification, confirming the integrity of its Information Security Management System (ISMS). Learn more about Geotab’s certification.
In October, Veelo Technologies, Cincinnati, Ohio, which develops specialty materials and manufacturing technologies for next-generation composite systems, earned its AS9100D certification for its quality management system. Read more about Veelo’s certification.
In October, MyHotels, Makkah, Saudi Arabia, an online travel agency, received the ISO 9001:2015 certification for its quality management system in travel and tourism. Learn more about MyHotels’ certification.
In October, Red Mesa Science & Refining, LLC, St. George, Utah, a large-scale hemp extraction, distillation, and crystallization company, received ISO 9001:2015 certification. Read more about Red Mesa Science & Refining’s certification.

SOC 2 Certification

SOC 2 concerns all organizations and enterprises providing services that process and store customer data. SOC 2 reports are based on five Trust Services Criteria: security, availability, confidentiality, processing integrity, and privacy.

In October, Johnson & Quin, Niles, Illinois, direct mail production and integrated marketing company, announced the successful completion of the SOC 2 Type 2 examination and HIPAA security compliance assessment. Learn more about Johnson & Quin’s SOC 2 certification.
In October, TriageNow, Gilbert, Arizona, a telephonic nurse triage service, earned its SOC 2 compliance for storing customer data in the cloud. Learn more about TriageNow’s certification.
In October, Engage3, Davis, California, a software company that helps retailers and brands understand, protect and enhance their Price Image, earned its SOC 2 Type 2 certification for its services. Read more about Engage3’s certification.
In October, Lessonly, Indianapolis, Indiana, an online training software company, earned its SOC 2 Type 2 certification for managing customer data securely. Read more about Lessonly’s certification.
In October, HSB, Hartford, Connecticut, a technology subsidiary that creates connected IoT solutions, received SOC 2 Type 1 certification for its commercial IoT platform Meshify’s data security controls. Read more about HSB’s certification.
In October, Kahua, Alpharetta, Georgia, a web-based project and construction management software platform, earned its SOC 2 Type 2 certification for its cloud service systems. Read more about Kahua’s certification.
In October, Sisense, New York City, New York, an analytics platform for builders, earned its SOC 2 Type 2 certification for its Cloud Managed Service as well as security recertification of several other compliance standards, including ISO 27001, and HIPAA- HITECH and SOC 2 Type 2 for its Sisense for Cloud Data Teams. Learn more about Sisense’s certifications.
In October, Panther Labs, Fremont, California, a cybersecurity organization that specializes in cloud-scale detection and response, earned its SOC 2 Type 2 certification. Learn more about Panther Labs’ certification.
In October, Zipwhip, Seattle, Washington, a mobile phone operator company that specializes in texting for business, earned its SOC 2 and SOC 3 Type 2 certifications for security, availability, processing integrity, confidentiality and privacy. Learn more about Zipwhip’s certification.
In October, XM Cyber, Herzelyia, Israel, advanced cyber risk analytics and cloud security posture management company, earned its SOC 2 Type 2 recertification. Read more about XM Cyber’s certification.
In October, Saturn Cloud, New York City, New York, a data science platform for performance Python in the cloud, earned its SOC 2 Type 1 certification. Read more about Saturn Cloud’s certification.

FedRAMP Certification

The Federal Risk and Authorization Management Program (FedRAMP), is a government program that determines if the cloud products and services offered by cloud service providers are secure enough to be used by federal agencies.

In October, Smartronix, Hollywood, Maryland, an IT service management company, earned its FedRAMP certification for its Cloud Assured Managed Services (CAMS) to support state-of-the-art private, public, and hybrid cloud solutions for highly regulated workloads. Read more about Smartronix’s certification.
In October, Oracle Cloud Infrastructure, Redwood City, California, a cloud computing service offered by Oracle Corporation providing servers, storage, network, applications and services through a global network of Oracle Corporation managed data centers, has obtained a Provisional Authority to Operate (P-ATO) from the FedRAMP Joint Authorization Board (JAB). Read more about Oracle’s certification.
In October, ControlCase, Fairfax, Virginia, a provider of IT Security Certifications and Continuous Compliance Services, earned a FedRAMP Third Party Assessment Organization (3PAO) certification for its strategic information security and compliance programs. Read more about ControlCase’s certification.
In October, Kahua, Alpharetta, Georgia, a web-based project and construction management software platform, achieved FedRAMP Ready Status for its Construction Program Management Solution. Learn more about Kahua’s certification.
In October, SentinelOne, Mountain View, California, an autonomous cybersecurity platform company, achieved the FedRAMP designation for its information security work for the federal government. Read more about SentinelOne’s certification.
In October, Atlassian, San Francisco, California, a provider of team collaboration and productivity software, achieved FedRAMP Tailored Authorization for its cloud-based work management solution, Trello Enterprise. Read more about Atlassian’s certification.
In October, Aruba Central, Santa Clara, California, a wireless networking subsidiary of Hewlett Packard Enterprise, announced its FedRAMP “In Process” designation. Read more about Aruba Central’s designation.
In October, Acuant, Los Angeles, California, an identity verification, document authentication and fraud prevention technology services provider, received a FedRAMP Moderate Provisional Authority to Operate (P-ATO) its AssureID Connect, Ozone document recognition, and FaceID facial recognition services (COFRS). Read more about Acuant’s designation.

HIPAA Compliance

Compliance with the Federal Health Insurance Portability and Accountability Act (HIPAA) ensures that health care organizations protect the privacy, security, and integrity of protected health information.

In October, Jahia Solutions Group, Geneva, Switzerland, an open-source content management company, announced it attained HIPAA compliance. Read more about Jahia’s HIPAA certification.
In October, NYNJA, Lavallette, New Jersey, a security-first, all-in-one communications platform for mission-critical telecommunications needs, is finishing its P.L. 2020, c. 34 SOC 2 and HIPAA third-party compliance audit to complete its SOC 2 certification. Read more about NYNJA’s compliance.

In October, WheelHouse IT, Fort Lauderdale, Florida, an IT support and Managed IT Services Provider (MSP), earned its HIPAA compliance for its work managing IT for the healthcare industry. Read more about WheelHouse IT’s compliance.

Use These Six Agile Principles To Manage IT Risk Right Now

ZenGRC Team · November 3, 2020 ·

This article first appeared on Forbes.com Jul 22, 2020, 01:44pm EDT

During the past four months, the business world has woken up again to the reality of reacting quickly in a fast-changing environment. Some of these shifts in operations are obvious, such as remote work and limited travel for conferences and meetings. Other risks have emerged, though, that are less obvious. IT security concerns, for instance, have increased dramatically and are shifting in unpredictable ways that require us to take on new tactics to prevent data theft, malware and extortion.

In the past, companies commonly reviewed their “registry” of IT risks on an annual basis. Essentially, they checked off the boxes to pass SOC 2 Compliance, which outlines the criteria to manage customer data in five areas: security, availability, processing integrity, confidentiality and privacy. This is where two-factor authentication, encryption, firewalls and quality assurance controls come into play. Companies must pass these requirements and be “SOC 2 Certified” to sell products and services to others.

Today, that’s not enough. The pandemic has accelerated our reliance on work-from-home software and go-to-market digitization efforts, and companies need to shift quickly to address new attacks. The old methods of risk assessment are now as passé as client-server technology from the 1990s, and gone are the days when we can simply plan for next year’s IT risks.

To tackle these rapidly-changing risks, we need to adopt the same agile methods that technology companies have used for more than 20 years. Incorporate these six principles into your IT risk strategy so you’re ready for the new threats to come this year:

1. Track your company’s new opportunities and threats.

I remember the dot-com crisis of 20 years ago. There was an incredible opportunity to digitize everything, but we didn’t know exactly what to build, and following last year’s plan simply didn’t work. The companies that were successful knew how to react to the risks of the day. They didn’t follow a grand plan. They continually assessed risks, acted quickly to manage those risks, and they survived.

Similarly, we’re living in a world of rapid changes. Take a quick inventory of the new strategies you’re adopting — such as work-from-home plans or accelerated online sales — and identify the threats that are associated with them. For instance, you need to understand how data is collected, stored and secured and what role you play in that. Add these to your risk list and ensure that you address them, not ignore them.

2. Review your risks monthly.

We’re seeing an increasing number of attacks online, and the threats that overwhelm us one week are not the same that crop up next week. You need an up-to-date list that accurately corresponds to the new opportunities that you’re pursuing and the new software you’re using. It’s no longer adequate to do this annually, when the pace of adopting digital tools and sales systems was much slower. Instead, I recommend a monthly review, even bi-weekly, if possible.

3. Re-prioritize last month’s efforts.

As you review your risks monthly, it’s just as important to deprioritize issues that are less relevant as it is to add new ones. The threats from last month may no longer be as urgent, which happens often now, so you should reduce efforts in these areas. The latest attack tactics are always changing, and your company can (and should) be dynamic in its response as well. Be ruthless about focus.

4. Pick your top 5 risks.

If you try to tackle all of the potential IT risks out there, you’ll quickly become overwhelmed. Add all of the relevant possibilities to your list, of course, but highlight the top five that will cause the most threat and harm to your business. Then implement the steps that will make progress on those priorities before putting much effort on items down the list. If you try to tackle 50 risks, you won’t get far on any of them, so focus on your top 5.

5. Do weekly check-ins.

Touch base with your top risk owners, even if a quick regular chat through an internal messaging app. That will keep those risks top of mind. Promise that the check-ins will stop once the risk leaves the “top 5” list, which will remind busy colleagues that risk is a top priority. During these regular checks, ask three questions: “What progress has been made the prior week? What actionable steps will be accomplished this week? Are there any blocks or barriers that need support?” This simple and vital communication will create significantly more progress than if you wait for a report just before the next board of directors meeting. Don’t wait, or it’ll be too late.

6. Repeat.

This final agile principle seems obvious, but it’s often the most difficult step to turn into a habit. When companies face an IT issue that compromises data or affects sales, they’ll double-down on risk management in the short-term, but it often devolves into complacency again in the long-term. These new threats aren’t going away, and in fact, they’ll continue to increase as we ramp up more digital processes through the rest of the year. Create your sustainable plan by making it a core priority and implementing the review process as part of your team’s monthly and weekly tasks.

Ultimately, the responsibility of risk rests on your company’s shoulders, and now is the time to schedule regular checks for new threats. You’re in a great spot to capitalize on the rewards of our renewed acceleration toward an online and digital world, and part of that process includes managing IT risks quickly. If you implement agile principles to address those risks, your company will make better decisions in an uncertain future.