Discussions, question, and answers around various risk and compliance frameworks.
Let's talk continuous compliance. What is it? How do you achieve it?
Compliance audits are chaos engines. Every six to 12 months, people get pulled from their core duties. Newly discovered compliance gaps send everyone scrambling for fixes. With deadlines approaching, the best fix takes a back seat to the quickest fix. Audit complete, everyone returns to their jobs. But who knows what issues are simmering beneath the surface? Seasonal chaos is not the path to compliance. Automation opens a more sustainable course. This article will explain how continuous compliance is a less disruptive option—especially for today’s cloud-based architectures. Read the full article here, and comment below 👇 how you achieve continuous compliance.
A Quick-Start Guide of the SOC 2 System Description
The SOC 2 system description describes the boundaries of your SOC 2 report and includes important information about the people, processes, technology, and controls that support your service or product. Check out this article that walks you through our recommendations to help make producing this document a smooth process.
Automating Security Event Log capture-Best Practices/etc-Thoughts?
Hey Drata community! I’m curious and thought I would pose this question here. As part of our ISO 27001 program we keep a security event log, and then when something upgrades to an incident we create the corrective action report for the incident, etc. We had started doing some automation around this; for example, we monitor most of the programs/services we use in a Slack channel, and we also get feeds from different sources for possible events we should look into. We’ve started doing some work around automating those into tickets in our service desk, but I’m curious what processes others are using or if you’ve found any great ways to automate part of this in your organizations. A lot of our feeds contain quite a bit of noise, such as downtime maintenance, etc. I’m interested in comparing notes on how we can improve this or automate even further :) Hit me up if you have any tips!
Records Management & Information Management
A client of mine is one of the small but specialized University Colleges in South Africa. Management has identified a weakness in records management and management of information across functional areas and the academic stream of the institution. During my environmental scanning of the institution, I concluded that systems integration and information architecture need to be addressed first as a stepping stone towards improving the flow of information to and from the functional areas. The concept of records management takes a distinctive feature towards information security in this regard. Consequently, matters of risk management become truly relevant to the responsibility conferred on the council of the institution. Logical as it may be, the ownership of information remains in the hands of the functional heads, yet the health state of operational systems and the systems security continue to be the responsibility of the CIO/CISO. Now, with a robust platform like DRATA certain aspects of the problem s
Board of directors' responsibility
The board of directors has a fiduciary duty to ensure that the company and management have implemented adequate controls to mitigate risk to the organisation's business operations and response to cybersecurity incidents. On a regular basis, the board should receive reports on cybersecurity activities and the risk associated with them, metrics on IT performance, and efforts taken by management to monitor and mitigate risk. The board should assess the adequacy of the resources devoted to policies addressing cybersecurity, support required, and sufficiency of controls in place regarding protection of data, compliance, and education efforts. It should also review the measures taken by management to prevent cyber risk. The ISO 27000 series is the main standard used in organisations, and the standard ISO/IEC 27014:2020 addresses the governance of information security and sets out the responsibilities of the board in four governance processes: evaluate, direct, monitor, and communicate.
GDPR- (POPIA- South African standard)
I have a client in the financial services industry who would like to comply with the GDPR & HIPAA standards. The South African equivalents are POPIA (Protection of Personal Information Act 4 of 2013) and PAIA (Promotion of Access to Information Act 2 of 2000). The ask is to make sure that the client database is compliant. Question: How can I address this ask using the DRATA framework?
Audit/Attestations for GDPR?
I have a couple of questions about GDPR. I’ve reviewed the .eu guides and checklists at https://gdpr.eu/data-privacy/ - but what information should we as an organization have available to show we comply with regulations? I know for SOC 2 you have an output of several different report options, but is there an equivalent for GDPR? Is it really just self assessments?
The IAF released the transition requirements for ISO 27001:2013 to ISO 27001:2022
Via our friendly compliance expert @Troy_Fine on LinkedIn 🚨 It's finally happening... sort of.
The IAF released the transition requirements for ISO 27001:2013 to ISO 27001:2022.
General Key points:
- All accreditation bodies will have 12 months from the last day of publication month of ISO 27001:2022 to assess and transition conformity assessment bodies (CAB) they accredit.
- Organizations already certified to ISO 27001:2013 will have 36 months from the last day of publication month of ISO 27001:2022 to transition to and be certified to ISO 27001:2022.
- All certifications based on ISO 27001:2013 shall expire or be withdrawn at the end of the transition period.
Transition Audit Key Points:
- CABs may conduct the transition audit in conjunction with the surveillance audit, recertification audit or through a separate audit.
- The transition audit shall not only rely on the document review, especially for reviewing the technological controls.
- The transition audit shall include, but not limited to the fo
Advice from Troy Fine on working with auditors
Our cybersecurity compliance expert @Troy_Fine shared on LinkedIn a great post about the different aspects that can impact your experience during an audit, and we wanted to be sure you all didn’t miss it. Some may not be aware, but your experience during an information security audit such as SOC 2, ISO 27001, PCI, HITRUST, and CMMC can be significantly influenced by the following:
- Auditor Rigor: Some standards make the rigor more consistent, but SOC 2 and ISO 27001 give the auditor/certification body much more leeway. Not all auditors will require the same amount/type of evidence to conclude on a control/requirement being met.
- Auditor Sample Size Methodology: Standards typically allow auditors to determine the sample size for testing controls based on their own internally developed methodology. This methodology could cause you to have to provide more samples to one firm than to another.
- Auditor Competency: Your auditor may not understand your technology, especially when it comes to the cl
How to choose the right PCI SAQ for your business
To protect consumers’ credit card data, companies that process, store, or transmit credit card data must meet the PCI DSS (Payment Card Industry Data Security Standard). Depending on your specific validation requirements, you may only be required to submit a self-assessment questionnaire—also referred to as PCI SAQ. An SAQ can ask you anywhere from under 50 to over 300 questions to determine if you meet those requirements. To help you figure out which SAQ best fits your business, we highlighted each type from A through D. Read on to learn more.
ISO 27001: A Beginner’s Guide
ISO 27001 is the international standard that describes best practices for an Information Security Management System (ISMS). It’s based on a set of controls and measures, which organizations can use to achieve information security. Interested in the ISO 27001 process? We have an entire ISO 27001 beginner’s guide to get you started. The ISO 27001 standard requires that you have procedures in place to cover aspects of the ISMS, including:
- Information security risk management (What are the risks you face and how do you treat those risks?)
- Monitoring, measurement, analysis, and evaluation (How is the effectiveness of the information security management system evaluated?)
- Improvement (How are nonconformities evaluated and corrected?)
Read the full beginner’s guide here or drop your questions in this part of the community.
Debunking the Top 5 GDPR Myths and Misconceptions
The General Data Protection Regulation (GDPR) has made itself known and important in the security world since its passing in 2018. With GDPR being a more recent law, there are some misconceptions around who it applies to, what it is, how it affects companies across the globe, and much more. After numerous customer calls and questions around GDPR, we’ve picked some of the most common GDPR myths to dispel for you. Read Troy Fine’s full article.
🚫 GDPR is a security framework.
✅ It’s technically a privacy regulation & the primary focus is ensuring that personal data is processed appropriately.
🚫 GDPR doesn’t apply to companies outside of the EU.
✅ It applies to any organization that processes/holds personal data of EU residents.
🚫 GDPR only protects EU citizen data.
✅ It protects both citizens and residents of the EU.
🚫 GDPR doesn’t apply to small businesses.
✅ It applies to businesses of all sizes.
🚫 GDPR-like regulations will remain in Europe.
✅ Similar regulations have already extended beyond
Kicking off our SOC 2 101 Series
Hi all, and welcome to Secured! We are excited that you are here and interested in learning more about the SOC 2 process. To kick our community off and set you off on the right path, one of our compliance experts, Troy Fine, created a new series that highlights some of the most basic information that you’ll want to know prior to getting started. You can check out all five episodes on our Compliance 101 blog here. Have questions? Feel free to start new threads in this part of the community.