ISO

What are the ISO Standards?

Libby Bevin · March 25, 2019 ·

In 1946, representatives from 25 countries gathered to discuss formalizing industrial standards to govern emerging technologies. On 23 February 1947, the International Organization for Standardization (ISO) was founded to coordinate and unify the diverse requirements previously established by national standards organizations. As part of this initiative, the international standard-setting body focused on a wide array of industries including food safety, environmental management, and manufacturing. As technology changed, ISO continued to create new worldwide proprietary commercial standards, including some that apply to information technology.

Today, international standards enable businesses to provide business partners and customers quality assurance by obtaining ISO certification. For example, in manufacturing, companies can leverage ISO 14001, consisting of environmental management standards, to reduce waste and more efficiently use resources.

Similarly, companies can use the ISO 9000 series, most importantly ISO 9001, to create a quality management system (QMS). The QMS documents the procedures and responsibilities for ensuring quality and establishing control objectives thus allowing businesses to leverage the ISO standards to prove ca continual improvement.

What Does a Compliance Manager Do?

ZenGRC Team · January 31, 2019 ·

Many people think that a compliance manager does nothing more than checkboxes on forms. However, in reality, your regulatory program manager coordinates across a variety of departments within your organization to keep your daily processes in alignment with your policies, procedures, and processes.

What Does a Compliance and Regulatory Program Manager Do

What are the legal IT compliance requirements?

Legal requirements governing IT environments vary by industry.

As such, compliance managers need to know how to implement a variety of controls foisted upon them by different agencies.

For example, HIPAA governs the healthcare industry. Despite the high incidence of non-profit healthcare providers, many must still comply with the Sarbanes-Oxley Act of 2002 (SOX). This overlap of regulations requires strict attention since both invoke monetary penalties for noncompliance.

Financial institutions need to comply with a variety of IT controls set forth by the Federal Deposit Insurance Company (FDIC) and the Federal Financial Institutions Examination Council (FFIEC). Moreover, the Office of the Comptroller of the Currency (OCC) announced in 2018 that it would evaluate special purposes national bank charters to fintech companies, which will increase their regulatory compliance requirements.

These legal requirements often incorporate fines and penalties for noncompliance making them a compliance management priority.

What are compliance issues are related to industry standards?

Unlike government regulations, industry standards do not always invoke penalties. Despite that, competitive businesses must meet the best practices these standards control.

For example, the Industrial Standards Organization (ISO) established the ISO-27001 standard to develop controls over the IT landscape.

However, businesses that accept credit card payments need to comply with the Payment Card Industry Data Security Standard (PCI DSS). It’s important to keep in mind that although not governed by statute, PCI DSS noncompliance also comes with fines imposed by the payment card companies. Additionally, many payment card companies will stop processing payments for organizations that do not comply with the security standard.

How do compliance managers engage in program planning?

The first step to creating a compliance program lies in assessing risk. Your compliance manager will look at the potential threats to data integrity, accessibility, and confidentiality. Then, they will look at the types of data stored, accessed, and transmitted throughout your IT environment. Once they review these two things, the compliance manager will determine the overall risk a system, network, or software poses to your organization.

After this, the compliance manager determines whether you have the appropriate controls in place to protect data. These can include ethical as well as technical controls. For example, workforce members may want to use customer data for their nefarious purposes in the same way that external malicious actors do.

Thus, your compliance manager will ensure that your organization creates policies that govern internal access and authorization as well as ones that set controls such as firewalls, encryption, and other external threat mitigations.

Why compliance managers engage in policy enforcement

Once your compliance manager has reviewed the risks and controls in place that mitigate those risks, they will evaluate whether the organization enforces policies.

Writing policies is easy. However, it’s not as easy to maintain internal compliance with them. Think of it this way, as a child, you might have told your parents that you would clean your room, but if it was a chore you disliked, you often postponed it until the last minute. The same is true with many compliance activities.

For example, access reviews act as primary protection against internal and external data threats. However, updating access logs is time-consuming. Department managers need to review their workforce roles and responsibilities continuously. As employees change positions, even within a department, they may require different system access rights. While department managers may remember to ask for additional access, they often forget to send messages to their IT departments revoking unnecessary access. Unnecessary access can put data at risk since outdated authorizations become a threat vector for social engineering attacks.

Your compliance manager acts as a second set of eyes to review whether the internal communications process works as intended. Thus, by examining policy enforcement, your compliance manager enables a more robust security and compliance stance.

How to use a compliance management system to enable your compliance manager

Automated tools allow for stronger internal and external communications. Additionally, compliance managers can maintain better documentation over your organization’s compliance program when they have a single source of truth.

Compliance managers need access to and control over compliance documentation. If multiple versions of policy exist within the organization, then the compliance manager cannot protect against a potential standard and regulatory violations.

For IT compliance managers, this becomes an even more difficult task. Malicious actors continuously evolve their threat methodologies which means risk mitigation strategies can become outdated overnight. Thus, if a compliance manager is reviewing an outdated policy or procedure, they may find your company in noncompliance.

Access and authentication serve as an example. Increasingly, best practices include incorporating multi-factor authentication for employee access to systems, networks, and software. Many organizations are moving from a simple password-protected environment to one that includes a password and either something a user owns (such as a token or cell phone authentication) or something the user is (such as biometrics) or both of these authorization techniques.

If multiple versions of your access and authentication procedures sit on a shared drive, then your compliance manager may be unable to locate the most updated version. Additionally, if these sit on a shared drive and someone accidentally changes them, then the procedure’s integrity is at risk.

How ZenGRC enables your compliance manager

With ZenGRC’s compliance management software, you can share information between stakeholders and set the appropriate role-based privileges to keep your controls accessible yet safe from tampering.

Moreover, with ZenGRC’s built-in mapping capabilities, your compliance manager can more easily employ gap analysis to determine the additional controls needed to support your company’s compliance program.

Many companies assume adding the cost of a compliance management software on top of a compliance manager salary is redundant. However, a compliance system allows your employee to focus on compliance, meaning the organization’s protocols and policies, rather than spending time on tedious tasks like gathering information for audits. ZenGRC acts as a single source of truth streamlining the audit process.

For more information on how ZenGRC can maximize your compliance manager’s efficiency, request a demo today.

Risk Appetite vs Risk Tolerance

ZenGRC Team · December 20, 2018 ·

Although often used interchangeably, risk appetite and risk tolerance distinguish themselves from one another in a nuanced way. While most regulations and standards focus on the risk management process, few clearly define the differences between these terms in a meaningful way. However, to create an effective cybersecurity program, you need to be able to separate risk appetite from risk tolerance so that you can develop appropriate controls to protect data.

Risk Appetite and Risk Tolerance: What’s the Difference?

What is risk appetite?

If you’re taking an enterprise risk management (ERM) approach to cybersecurity, your risk appetite focuses on the type of risk and amount of risk you deem acceptable based on your business objectives and resources.

For example, if you’re currently a payment processing organization, you might be focused in retail. However, as part of your ERM, you might be looking to move into the healthcare industry. If, as part of ERM, you determine that you want to accept the legal risks arising out of the Healthcare Portability and Accountability Act (HIPAA), then you’ve set your risk appetite.

Just like with physical hunger, you’re hungry to scale your business. In the same way, you have an “appetite” that needs to be satisfied.

What is risk tolerance?

On the other hand, risk tolerance is how you determine the level of risk you’re willing to accept.

Back to the payment processing example, you might decide that you’re willing to accept the risk of moving into healthcare, but you may not be willing to accept all the risks inherent in continuously monitoring for protected health information. Therefore, you decide to transfer that risk to a third-party vendor.

When you’re hungry for a steak dinner, you may not finish the whole thing because you reached your tolerance point. The same is also true for cybersecurity risks.

What is a risk appetite statement?

A risk appetite statement is a written document, often incorporate as part of public financial reports, that explains your risk decisions. This statement allows you to inform internal and external stakeholder of your risk appetite and then begins more meaningful conversations to drive strategic objectives.

How to create a risk appetite statement

In 2018, the International Organization for Standardization (ISO) updated the risk management guidelines in the ISO 31000 standard. Although ISO 31000 never uses the term “risk appetite,” it implies the term under “establishing the amount and type of risk that may or may not be taken.”

While ISO 31000 creates a risk management framework that enables you to create a risk appetite statement, it also formalizes the risk management process. By putting the framework and process together, you can create an appropriate risk appetite statement.

Step 1: Commitment and Communication

Discuss the business strategies and objectives with leadership to ensure that you not only know how much risk you want to take on but also whether that risk meets the overarching organizational goals. By communicating across the enterprise, you can incorporate the needed views for defining risk criteria and create ownership. This allows you to establish your risk appetite and make sure all stakeholders buy into the process.

Step 2: Define Scope, Context, and Criteria to Integrate Throughout the Organization

As part of integrated risk management (IRM), the next step beyond ERM, you need to determine where you are in the overall supply chain and then ensure you review across your ecosystem. By looking at the internal and external risk factors, you can define the acceptable amount of risk and evaluation criteria.

Step 3: Design the Risk Assessment

By communicating your risk management commitment specific to your place in the supply chain, you can identify, describe, and analyze your risks. Once you’ve done that, you use the likelihood, potential events, controls, and control effectiveness to see if the risk levels align to your risk tolerance. If something a risk comes with too much variation, you may want to refuse to accept it.

Step 4: Implement a Risk Treatment

Implementation focuses on creating a plan with deadlines to identify the decisions and reasons for them. However, part of that implementation incorporates selecting the ways you want to handle the risks. You can choose to accept, refuse, mitigate, or accept the risk. As part of that, you need to design a treatment plan that implements these decisions.

Step 5: Evaluate Through Monitoring

As part of your risk appetite statement, you also need to determine whether you’re going to use a qualitative, quantitative, or combined evaluation process. You need to set metrics then continuously monitor your data environment and ecosystem to ensure compliance with your internal risk assessment.

Step 6: Make Improvements Based on Records and Reports

Continuous monitoring can uncover weaknesses in your control environment. Communicating those weaknesses and then improving your risk monitoring activities allows you to maintain a robust risk management program.

Step 7: Summarize Outcomes For Release

You use your risk appetite statement to foster communication with internal and external stakeholders. However, most risk appetite statements are for public consumption, such as financial reporting. Therefore, you need to summarize the decision making process and outcomes in a way that protects your organization while also revealing your commitment to the process.

How ZenGRC Enables the Risk Management Process

Creating a risk appetite statement requires internal communications across a variety of stakeholders. As such, you need to create an efficient workflow that eases the burden of coordinating communication and task management.

ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it so that you can maintain records – up until the time you need to dispose of them.

With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in cyber risk management.
Finally, with our audit trail capabilities, you can document all of your risk appetite and risk tolerance decisions so auditors can easily review your risk management program.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Here’s Why ISO Certification Is Worth It

ZenGRC Team · June 5, 2018 ·

ISO certification provides independent validation proving your company’s conformity to a set of baseline standards. However, as information security threats evolve, you need to show your customer’s and auditor proof of continual improvement. Thus, providing documentation that exhibits compliance with ISO standards is more than merely best business practices, it is a way to ensure customer satisfaction.

ISO Certification: Who Needs It and Why

What is ISO?

In 1946, twenty-five countries sent delegates to the Institute of Civil Engineers in London who decided to establish a new organization called the International Standards Organization (ISO) that would create and unify industrial standards. Their Committee on Conformity Assessment (CASCO) establishes measures related to the certification process thus used by a certification body. CASCO determines the criteria third-party assessors must use when determining that a company meets ISO certification standards.

What is the definition of ISO compliant?

Being ISO compliant differs from being ISO accredited which differs further from being ISO certified. Being ISO compliant means adhering to the requirements of a specific standard.

ISO compliant means an organization has chosen one or more standards and followed the best practices within them. ISO compliance focuses on decision-making that creates policies, procedures, and processes that align with specifications.
ISO certification requires internal audits from third-party assessors using CASCO criteria. Internal audits need documentation that your organization follows the policies, procedures, and processes that you aligned to the ISO standards of your choice.

ISO accreditation refers to the CASCO third-party assessor conducting the internal audits. Accredited bodies undergo independent reviews proving they meet CASCO standards. Since the organization approves these auditors, ISO trusts their reviews.

What are the documents required for ISO certification?

The ISO certification process comes in as many flavors as ice cream. Each standard requires different documentation which makes managing compliance difficult. Thus, one of the first steps to becoming ISO certified lies in determining what type of certification you want.

Information technology ISO requirements focus on three main standards: ISO 9001, ISO 27001, and ISO 31000.

What are the documents required for ISO 9001 certification?

ISO 9001 specifies the requirements for a quality management system (QMS). Quality management principles mean documenting the processes, procedures, and responsibilities over quality and control objectives. While ISO 9001 applies to any industry requiring quality controls for continual improvement, it offers a unique perspective for dev ops and compliance.

ISO 9001 audits review products, processes, and systems. The lengthy list of documentation required includes mandatory and non-mandatory information. Mandatory documents include control procedures for documents, records procedures, internal audit procedures, control of non-conformance procedures, corrective action procedures, and preventative action procedures.

What are the documents required for ISO 27001 certification?

ISO 27001 focuses specifically on creating an information security management system (ISMS) that protects the confidentiality, integrity, and availability of information as part of the risk management process.

The list of documentation needed for the initial ISO 27001 audit stage is lengthy. Documents include ISMS scope, information security policy, risk assessment and risk treatment methodology, statement of applicability, risk treatment plan, risk assessment report, detailed definitions of information security roles and responsibilities, inventory of assets, acceptable use policy, access control policy, operating procedures, secure system engineering principles, supplier security policy, incident management procedure, business continuity procedure, and compliance requirements.

What are the documents required for ISO 31000 certification?

ISO 31000 establishes an enterprise risk management (ERM) process approach requiring executive management and Board of Directors oversight.
ISO 31000 audits require management to document either a process elements approach, principles of risk management approach, or maturity model approach to risk. The Institute of Internal Auditors (IIA) notes that while its assessment guidance aligns to 31000, other frameworks may also match the ISO requirements. Thus, choosing a framework that manages ISO 31000 and regulatory requirements can act as a “two for one” strategy.

How much does it cost to get ISO certified?

ISO certification is pricey. First, companies need to obtain the necessary training for the employees involved in the implementation and maintenance of the certification. In some cases, organizations may need to hire consultants to help implement compliance processes. Finally, companies need to think about the hidden costs arising from employees focusing on program implementation instead of their regular jobs.

Second, certification incorporates two stages of independent third-party audits. These audits require certification bodies, and those certification bodies charge money. ISO 9001 compliance, for example, requires one day for the Stage 1 Audit and one day for the Stage 2- Certification Audit. Some certification bodies also charge for off-site document review. The initial assessment total, therefore, can cost anywhere from $2700 to $3375.

Maintaining ISO certification costs money as well. Organizations must conduct two surveillance audits between certification years to establish continued compliance. Each examination last approximately a day, with some firms charging for off-site document review. Thus, the annual interim cost for continued monitoring can range from $1350 to $2025.

How automating ISO certification audit processes with ZenGRC lowers costs

Compiling the extensive documentation required when implementing ISO programs and maintaining compliance records costs companies money. ISO certification promotes a customer-focused approach to compliance.

Once ZenGRC experts onboard an organization, that company has access to content that helps map controls across multiple standards.

When managing your compliance with shared drives or spreadsheets, seeing the overlaps and gaps in corporate compliance can leave managers cross-eyed. ZenGRC allows you to map your controls and then perform a gap analysis so that you can view the remaining work and manage your timeline better.

For example, companies already using COSO for their ERM can determine what remaining gaps exist when attempting to navigate ISO 31000 compliance. While COSO often offers a starting point, it does not allow incorporate the various requirements your ISO certification body needs. Thus, using ZenGRC’s gap analysis tool can help fill in the holes allowing you to create an agile compliance program.
Finally, our platform provides a single-source-of-truth giving you one-click access to the documents the audit checklist requires a successful audit.

For more information on how ZenGRC can help ease the ISO certification burden, contact us today to schedule a demo.

Regulatory Compliance in Healthcare Organizations

ZenGRC Team · April 3, 2018 ·

2017 acted as a call to action for those in the healthcare industry. Patient Health Information (PHI) incorporates everything hackers need to steal identities and compromise an organization’s reputation. Therefore, protecting PHI, and more importantly, electronic patient health information (ePHI) means that healthcare organizations need to be more diligent ensuring that their daily compliance activities match their policies.

Healthcare Regulatory Compliance

What Regulatory Compliance Requirements Affect Healthcare

Although the Health Insurance Portability and Accountability Act (HIPAA) gets the most screen time, organizations involved in healthcare need to incorporate the Health Information Technology for Economic and Clinical Health Act( HITECH) compliance as well. Although interrelated, 2009’s HITECH specifically intended to promote information technology while protecting privacy and security concerns regarding ePHI.

HITECH modified not only HIPAA but also the Social Security Act. Thus, understanding how the different regulatory compliance puzzle pieces fit together became more difficult.

How HIPAA and HITECH Are Similar

The Health and Human Services Department (HHS) oversees both HIPAA and HITECH compliance.

Healthcare organizations most often focus on HIPAA compliance because it established the Privacy Rule setting national standards regarding medical record and PHI protection. Since the Privacy Rule’s adoption in 2000, HHS made only one modification 2002 thus establishing it as one of the first information security and privacy regulations.

The Office of the National Coordinator for Health Information Technology (ONC) promotes healthcare quality by promoting health IT and establishing guidelines for electronic health records (EHRs) and securing ePHI to protect privacy.

Thus, while HIPAA and HITECH integrate with one another, they come with distinct foci. HIPAA focuses on protecting privacy and expands beyond information systems. Meanwhile. HITECH focuses specifically on information technology and preserving electronic information.

How HIPAA and HITECH Differ

While HIPAA and HITECH have many similarities, they also differ on several important details.

Although HITECH extended HIPAA, HIPAA remains focused on breach notification and privacy to protect against fraud and identity theft.

Meanwhile, HITECH distinguishes itself from HIPAA since it created restructured civil and criminal compliance penalties. Moreover, it extended the breach notifications requirement beyond covered entities and incorporated business associates.
Finally, from an information technology perspective, compliance managers should focus on the importance of effective encryption. Even should a malicious actor breach the ePHI, effective encryption mitigates rule violations. Thus, if the encryption effectively makes the information unreadable, the organization breached may not be fined.

However, proving effective encryption additionally means being in compliance with the NIST Federal Information Process Standard. Thus, healthcare regulatory compliance requires understanding your organization’s IT architecture.

How HITECH’s Compliance of Medicare and Medicaid Impact HIPAA Business Associates

Understanding healthcare regulatory compliance requires understanding overlaps between business associates, their information, and how that can impact the overall supply chain.

The definition of Business Associate incorporates and person or entity not covered entity’s workforce member who provides services to or performs functions or activities for a covered entity.

Traditionally, the Omnibus Rule’s definition of Business Associate brings healthcare management companies, healthcare plans, and healthcare payment organizations under the arc of HIPAA and HITECH. However, for those working with Medicaid, additional services may be incorporated under these compliance requirements.
For example, HITECH and HIPAA consider Medicaid’s Non-Emergency Medical Transportation (NEMT) to be a Business Associate under the Omnibus Rule. Thus, despite being nothing more than a network of transportation brokers, information collected remains subject to these healthcare regulations.

Thus, organizations need to determine their location in the supply chain to ensure no HIPAA or HITRUST violations as well as to decide whether or not they want to assume the regulatory compliance risk if they choose to scale.

What the Board of Directors Needs to Know

Organizations looking to shift into the healthcare sector need to ensure that their Board recognizes the compliance implications. Providing the appropriate level of Board oversight requires visibility into both the healthcare landscape as well as the organization’s current compliance environment. Moreover, should an organization decide to incorporate healthcare providers or their vendors as part of its business plan, the Board of Directors needs to understand how they fit into that supply chain.

Under HIPAA, vendor risk creates corporate risk. Thus, whether your company sits at the top of the supply chain, in the middle, or at the bottom, any interaction with HIPAA regulated entities means you need to be compliant also.

Thinking about HIPAA and HITECH violations as dominoes in a row, if one domino falls so do all the others. Thus, vendor management’s importance may increase if you decide to expand into the healthcare industry.

How Automation Eases the Healthcare Regulatory Compliance Burden

ZenGRC’s SaaS platform enables organizations to visualize compliance gaps. Regulatory compliance no longer needs to act as a barrier to new markets. As you map controls to a particular standard or framework, ZenGRC allows you to assign that control to other standards or frameworks that it satisfies.

The first step for successful implementation of the Health Information Trust Alliance Cybersecurity Framework (HITRUST CSF) is to engage in a CSF Self-Assessment with the help of a CSF assessor. CSF assessors are consulting firms that HITRUST approved to perform the assessment. Using this information, you can gauge your system and regulatory requirements to help determine your risk and scope.
For example, an organization currently ISO 27001 compliant may be using a firewall. If you choose to incorporate PCI DSS compliance, a firewall is also an accepted control. Assuming that you want to expand to acting as a healthcare provider payment processor, you need to determine whether this control maps to HIPAA and HITECH compliance.

Once you set up your controls in ZenGRC, it automatically maps current controls to new standards as you add them. This means that your ISO 27001 controls will be mapped to your new PCI DSS compliance framework. All you need to do now is determine what additional controls you need to incorporate.

The HHS Office of the Inspector General (OIG) offers a guideline that discusses all the parties involved in your compliance efforts, from your employees to your Board of Directors. Automation helps you better communicate with your organization’s various stakeholders, providing them with the right information for their needs.
A HIPAA compliance audit is similar in that an audit management software that provides a single source of truth can help you save time. Saving time saves money because your employees can focus on securing your environment.

With an automation tool like ZenGRC, you can monitor your compliance while storing all your necessary documentation in one place.

ZenGRC’s compliance management software provides a risk dashboard that gives insight into the effectiveness of your ongoing monitoring so that you can meet internal audit standards.

Not only does this simplify incorporating new standards into your overall landscape, but it also means that you can expand your business into revenue streams that seemed too onerous before.