Secureframe allows companies to become SOC 2 and ISO 27001 compliant within weeks, rather than months.

Announcing our $4.5M Seed Round with Base10 Partners and Gradient Ventures

Today, we are excited to announce that Secureframe has raised a $4.5M seed round co-led by Base10 Partners and Gradient Ventures, Google’s AI-focused venture capital fund, with participation from BoxGroup, Village Global, Soma Capital, Liquid2, Chapter One, Worklife Ventures, Backend Capital, and a number of world-class entrepreneurs and operators. The funding will be used to invest in our rapid growth, expand our offerings, and grow our team.

Getting SOC 2 and ISO 27001 ready typically takes several months and requires companies to regularly revisit their systems to ensure compliance standards are continuously met. Maintaining your certifications takes hundreds of hours and manual tasks each year. 

Secureframe allows companies to become SOC 2 and ISO 27001 compliant within weeks, rather than months. Our platform automatically monitors 25+ services, including Amazon Web Services, Google Cloud, Microsoft Azure, Github, and JAMF, to assess security practices and ensure compliance standards are met. Secureframe continuously collects audit evidence, runs security awareness training, monitors infrastructure, and more, all automatically.

This seed funding is just a small step towards achieving our mission to make the most powerful security simple and accessible for every organization. We are humbled to work with incredible customers, partners, colleagues, and investors on this journey. We are just getting started!

We are actively hiring engineers, product managers, account executives, and more. If you are interested in joining Secureframe, check out our careers page!

Secureframe raises $4.5m from Gradient Ventures. Read on TechCrunch →

https://techcrunch.com/2020/10/21/secureframe-raises-4-5m-to-help-businesses-speed-up-their-compliance-audits/

Which is a better fit for your company — SOC 2, ISO 27001, or Both?

Both SOC 2 and ISO 27001 strengthen customer confidence in your organization's security practices. The short answer is that it really depends on your customers. The most important factor for deciding between SOC 2 and ISO 27001 will come down to what your target market expects and requires. In order to make your decision, you’ll want to consider a number of factors including target market, the scope of controls, cost, and project timeline. 

If you’re based in the United States and a majority of your customers are also based in the US, you should opt for undergoing a SOC 2 Audit. Since launching in 2011, the SOC 2 Type II has become the industry standard framework for third-party reports when it comes to information security compliance in the US.

If a majority of your customer base is headquartered outside of the US, you may want to opt for completing an ISO 27001 audit. ISO 27001 is the gold standard for information security compliance outside of the US. 

Ultimately, this decision comes back to what your customers are requesting and what they would ultimately accept during their vendor due diligence. There are many US companies that would accept an ISO 27001 certificate and there are many companies outside of the US that would accept a SOC 2 Report.

As your company grows, you will likely opt to complete both audits in order to have full coverage across your customer base.

SOC 2 and ISO 27001 may have around 70 - 80% overlap depending on how specific controls are written. ISO 27001 is much more prescriptive than SOC 2. ISO 27001 requires a predefined set of controls and also requires exact language to be used in many policy documents as part of the company’s Information Security Management System (ISMS).

Unlike ISO 27001, SOC 2 controls are usually defined by the company in accordance with the SOC 2 Trust Services Criteria and COSO Principles. 

The process for a SOC 2 and ISO 27001 varies slightly from auditor to auditor. Generally, you can expect the below processes for undergoing a SOC 2 or ISO 27001 audit.

If you want your audit completed sooner rather than later, you’ll likely opt for completing a SOC 2 Type I. A SOC 2 Type I Report can be done in your company’s hand in as fast as three months. Typically, companies opting for a SOC 2 tend to first complete the Type I report and later complete a Type II. Timing for SOC 2 Type II and ISO 27001 tend to both be about the same anywhere between 8 to 13 months. Both options require a substantial amount of time upfront in order to build the right policies and processes for your company.

Because of the overlap between SOC 2 and ISO 27001, you may save an enormous amount of audit time if you opt to do both at the same time.

Cost tends to vary from auditor to auditor. Generally, ISO 27001 certification tends to be more costly than a SOC 2 report. You may receive a substantial discount if you opt to complete both audits with the same auditor. 

We summarize the differences between a SOC 2 and ISO 27001 below:

If you have more questions, or want to inquire about getting a SOC 2 and a ISO 27001, please reach out to sales@secureframe.com.

Should you get a SOC 2 report or ISO 27001 certification?

Information security has become an integral component of building a software business, especially for companies that rely on third-party vendors such as Amazon Web Services, Google Cloud, and Microsoft Azure to store sensitive customer information. The mismanagement of a company’s data may render it vulnerable to attacks and can permanently damage its public image.

System and organization controls, better known as SOC 1, SOC 2, and SOC 3 was developed by the American Institute of CPAs (AICPA) to address as a system-level of controls for companies to guide service organizations. A CPA firm uses the SOC framework to audit various internal controls and generates a SOC report on the design and effectiveness of those internal controls.

What are the different types of SOC reports?

There are three different types of SOC reports. 

SOC 1 — Internal Control over Financial Reporting (ICFR)

SOC 3 — Trust Services Criteria for General Use Report

The SOC report that is most relevant to a company depends on the information being hosted/processed by the firm for its customers. A SOC 1 report has a financial focus. For example, if you are providing payroll processing services, SOC 1 may be required to do business. A SOC 2 report is typically requested when you are hosting/processing any other type of information for a client. SOC 3 reports are less formal in appearance than SOC 2 reports and are better suited as public marketing material for a website or white paper. There is no one-size-fits-all when it comes to SOC, since SOC controls and reports are usually unique to different service organizations.

Depending on the type of information being hosted and processed, you may be asked for both a SOC 1 report and SOC 2 report.

What is the difference between Type I and Type II?

Both SOC 1 and SOC 2 have two levels of reports specified by the Statement on Standards for Attestation Engagements (SSAE) no. 18:

Type I — describes a service organization's systems and whether the suitability and design of specified controls meet the relevant trust criteria. 

Type II — includes the above and also measures the operational effectiveness of the specified controls.

The most commonly referenced report is the SOC 2. SaaS vendors, especially those in the enterprise and mid-market space, will commonly be asked by their customer’s legal, security, and procurement departments to provide a copy of the company’s SOC 2  report.

SOC 2 is not motivated by compliance with regulations, unlike many other frameworks such as HIPAA, GDPR, and CCPA. Instead, it is used by organizations that want to prove to their clients, and others to whom they are accountable, that they put into place internal controls to protect customer data properly.

SOC 2 Types I and II are very similar and easy to confuse. The most obvious difference is the time period covered by the reports. Type I describes the suitability and design of controls at a particular point in time. Type II extends over an extended period of time, typically 6 to 12 months, and can measure how effective the controls are. This means Type II takes more time and resources, but these reasons are also why it is more valuable to your customers. Enterprise, mid-market, and other firms involved with sensitive data, such as insurance firms, often prefer to work with companies that have a SOC 2 Type II report.

For most companies, you’ll want to complete the SOC 2 Type I report first. This is because a Type I report can be completed within weeks as opposed to several months or year (or more) that a SOC 2 Type II may take.

What are the SOC 2 Trusted Services Criteria?

For SOC 2, there are five Trusted Services Criteria that can be evaluated. Out of the five, only Security is required in order to be issued a SOC 2 report.

Security — Information and systems are protected against unauthorized access and unauthorized disclosure, including potentially compromising damage to systems. Information (or data) should be protected during its collection or creation, use, processing, transmission, and storage.

Availability — Data and systems are available for operation and use. Systems include controls to support accessibility for operation, monitoring, and maintenance.

Confidentiality —The organization should protect information designated as confidential (i.e. any sensitive information).

Processing Integrity — System processing (particularly of customer data) is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Privacy — Personal information is collected, used, retained, disclosed, and disposed of in accordance with relevant regulations and policies. 

Will I need both a SOC 1 and SOC 2 Report?

There are a number of organizations that may need both a SOC 1 and SOC 2 report. This will depend on the breadth of services provided by the organization and its customers. You may have customers requesting a SOC 1 in some instances and in other instances you may have customers requesting a SOC 2. Again, this depends on the nature of the services and the intended use by your customers. There is overlap across both, which can streamline readiness and testing.

Reach out to sales@secureframe.com to learn more about how we can help you successfully complete a SOC 2 audit and receive your report faster!

SOC 2 is the most common security framework technology companies in the United States rely on today. But do you need it? That depends. Below are 6 reasons why companies are getting SOC 2 compliant.

To ensure their own security and compliance, many enterprise, and mid-market customers will ask you to share your SOC 2 report. SOC 2 is increasingly becoming a competitive advantage in the sales process as the de facto standard for information security in software. Without a SOC 2 report, you may see some sales processes stall or delay during intense procurement and security reviews. You may also lose deals to your competitors that have a SOC 2 report available. 

Whether you’re using, storing, accessing, or processing customer data, it’s a best practice to get a SOC 2 report. Completing the SOC 2 process will help you meet your customer's expectations of protecting their data. The SOC 2 report assures you and them that you’re safeguarding data properly and following industry-standard practices.  

The SOC 2 framework strengthens security by requiring the company to comply with a variety of internal controls specific to your company. It emphasizes the importance of identifying and mitigating risks, auditing vendor security, reviewing access controls, performing security awareness training, business continuity planning, and many more fundamental security and compliance measures that will level up your company’s security posture. 

Satisfy Contractual and Regulatory Requirements

To get a SOC 2 report, companies must build and document a number of policies and processes, streamlining issues such as backup recovery and security incident breach notification steps that are commonly required by regulations such as GDPR and HIPAA. Taking the steps to put these policies and processes in place ensures that responsibility for ownership is defined. This allows your company to quickly tackle identified issues, breeze through due diligence for mergers and acquisitions, fundraising, or other major company events, more confidently address any legal and regulatory issues and easily respond to any customer's compliance requests. 

SOC 2 enables you to create a framework for identifying and addressing risks to your business, whether they stem from potential fraud, natural disasters, security attacks, or faulty operational practices. Risk management is often overlooked but is crucial to a company that wants to stay secure, grow, and understand where else they can continue to improve.

Building the internal controls necessary for SOC 2 helps to foster an understanding of security throughout your organization. We emphasize to start as early as possible, be transparent to team members about the measures you’re taking, and encourage them to honestly report any potential risks or violations. Security isn’t just the responsibility of senior management, CISO, or the engineering department – it’s everybody’s responsibility. 

Reach out to sales@secureframe.com to learn more about how we can help you successfully complete a SOC 2 audit and receive your report faster!  

A penetration test (often abbreviated as “pen test”) is a simulated attack by a third-party meant to identify vulnerabilities in a company’s infrastructure, systems, and applications. A company can then use these findings to remediate any identified vulnerabilities.

Prevent costly breaches: As attacks become more common and take on new forms, companies are increasingly relying on pen tests to identify and address potential security gaps. A review of cybersecurity breaches since 2011 found that the average cost of a cyber-breach, at a publicly-traded company, was $116mm. Some of the costliest breaches include Equifax in 2017 ($1.7 billion), Home Depot in 2014 ($298 million), Target in 2013 ($292 million), and Marriott in 2018 ($118 million). 

Strengthen customer trust: Customers may ask for you to perform an annual third-party pen test as part of their procurement, legal, and security due diligence.

Put previous doubts to rest: A pen test can prove that previous application security issues, if any, have been resolved in order to restore customer and partner confidence.

Get compliant: Pen tests are commonly required to comply with certain regulatory and compliance frameworks (SOC 2, GDPR, ISO 27001, PCI, HIPAA, FedRamp, etc.).

Required by Providers: Are you planning on integrating with Services such as Google Workplace? If so, Google may require you to perform a penetration test in order to access certain restricted APIs.

Generally, a pen test occurs in the following stages:

Once you’ve engaged a pen test provider, you’ll need to determine the desired scope of a pen test, including which systems and scoping methods should be used. Because the pen tester could gain access to private information during the pen test, both parties should sign a non-disclosure agreement before the start of the pen test. 

Once you’ve agreed on the scope of your pen test, the pen tester will gather publicly available information to better understand how the company works. That could entail using web crawlers to identify the most attractive targets in the company architecture, network names, domain names, and a mail server. 

3. Identifying Threats and Vulnerabilities

The pen tester will identify potential vulnerabilities in the scope of the pen test to create an attack plan. They will probe for vulnerabilities, open ports and other access points that may provide information about system architecture.

The pen tester will exploit identified vulnerabilities via common web app attacks such as SQL injection or cross-site scripting, and attempt to recreate the fallout that could occur from an actual attack. That typically means the pen tester will focus on gaining access to restricted, confidential, and/or private data. 

5. Maintaining Exploits / Lateral Movement 

As the pen tester maintains access to a system, (s)he will collect more data. The goal is to mimic a persistent presence and gain in-depth access. Advanced threats often lurk in a company’s system for months, or longer, in order to access an organization’s most sensitive data. 

The pen testing firm typically provides you with an initial report of findings and provides you with an opportunity to remediate the discovered issues. After remediation is completed, the firm will once again attempt those known exploits to determine if the remediation undertaken by the company was successful in preventing future attacks.

The pen tester then creates a report summarizing:

Exploitable vulnerabilities and the potential impact(s) of a breach (vulnerabilities should be ranked by risk level and type) 

Restricted, confidential, and/or private data that was accessed

The duration of time that the pen tester remained undetected in the company’s systems 

Whether the vulnerabilities identified were remediated or not

The report should (1) outline the largest strategic threats from a business perspective (for management) and (2) describe technical threats that should be fixed by the company team (e.g. through security upgrades). 

The cost of a pen test is largely determined by the scope of your pen test, or the breadth and complexity of company systems. The greater the number of physical and data assets, applications / products, access points, physical office locations, vendors, and networks you have, the more expensive your pen test will likely be. 

The cost of your pen test may also be affected by the length of pen test engagement, experience level for the third-party pen tester, tools required for the pen test, and the number of third-party pen testers involved. 

What do I have to do to meet SOC 2 or ISO 27001 requirements for the pen test?

Generally speaking, you will meet SOC 2 and/or ISO 27001 audit requirements for sufficient evidence if (1) you perform a third-party pen test at least annually from a reputable vendor or firm, and (2) you make sure to identify and resolve identified critical and high risk vulnerabilities. 

ISO 27001 requires that a company prevent the exploitation of technical vulnerabilities (control A.12.6.1, Annex A, ISO 27001:2013). Performing vulnerability scanning and analysis on your network and information systems identifies security risks, but won’t necessarily tell you if these vulnerabilities are exploitable. Therefore, it’s necessary to pair vulnerability scanning with a third-party pen test to provide the best evidence to your auditor that you’re aware of vulnerabilities and how they can actually be exploited in practice. 

SOC 2 requires that a company conduct vulnerability scanning on a regular basis (as well as after any large changes that could result in new vulnerabilities) and take proper steps to address risks. The easiest to fulfill this requirement is to perform vulnerability scanning, rank risks resulting from these vulnerabilities, and take steps to mitigate the highest risks on a regular basis. 

Additionally, the SOC 2 requires that a company test the effectiveness of internal security and compliance controls through a pen test or third-party security audit specifications, such as an ISO 27001 certification. However, ISO 27001 and other standards such as HIPAA also require a pen test, so in-directly the SOC 2 also requires an annual pen test. 

There are two ways you can think about pen tests: Test Design and Attack Methods. 

Black box or “blind,” also known as an external pen test 

Because the pen tester(s) are given no information about the environment they are assessing, black box tests simulate an attack by an outsider third party connected to the internet with no prior or inside knowledge of the company. 

A “double blind” pen test is a specialized type of black box test. During “double blind” pen tests, the company undergoing the pen test ensures that as few employees as possible are aware of the pen test. A “double blind” pen test can accurately assess the internal security posture of your employees. 

During a gray box pen test, the pen tester(s) is (are) given some limited knowledge of the environment that they are assessing and a standard user account.

Grey box tests imitate the level of access and information that a legitimate user of a client or partner who has an account would have. 

During a white box pen test, the pen tester(s) is (are) given inside knowledge of the internal architecture of the environment they are assessing.

White box tests assess the amount of damage that a malicious current or former employee could wreak on the company. 

An internal pen test is similar to a white box test. During an internal pen test, the pen tester is given a great deal of specific information about the environment they are assessing, i.e. IP addresses, network infrastructure schematics, and protocols used plus source code.                                                               

You can also request pen testers with expertise in specific attack methods if you believe your company is particularly vulnerable: 

Application tests, including mobile, software, and web applications.

Network tests, including routing issues, firewalls, port scanning, FTP, and secure sockets.

Wireless tests, including wireless networks, low security hotspots, and access points.

Physical tests, including brute-force and on-site attacks to access physical network devices, and access points. 

Social engineering tests, including phishing attacks and impersonations meant to reveal sensitive information such passwords, business data, or other user data. Common attacks target help desks or sales representatives. 

Cloud tests, including cloud storage and document handling.

Client-side tests, in which vulnerabilities in client-side software programs are exploited.

How do I select a penetration testing firm?

Each company’s security and compliance needs are unique. In general, you may want to consider the following: 

Pen tests differ in scope and test design. 

For scope, you’ll want to consider whether you’d like a pen test of your entire company, a specific product, web applications only, or network/infrastructure only. 

For test design, you’ll generally need to decide how much information you’d like to provide to pen testers. In other words, would you want to simulate an attack by an insider or an outsider? 

Be sure to ask your provider for a clear statement of work that covers the following: 

Safety, including pen tester background checks and continuous security recertification

Mutually Agreed Upon “Off Limits” Areas for Pen Testing, if any

Ideally, your pen test should cover a wide variety of network, host, and application attack vectors. Examples include the OWASP Top 10, DDoS and DDoS, IDOR, remote code execution, DNS brute force, DNS Subdomain takeover, deprecated ciphers, and cross-site scripting.

If certain attack vectors are important to your company, hire teams of pen testers with different specializations. 

Additionally, you’ll want to look for pen testers with a mix of relevant technical training and practical experience. Relevant certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher & Advanced Penetration Tester (GXPN), and Offensive Security Certified Professional (OSCP).

If your company has a wide breadth of complex assets, you may want to find a pen test provider that will allow you to customize your entire pen test, including ranking the priority of assets, providing extra incentives for identifying and exploiting particular vulnerabilities, and assigning pen testers with very specific skill sets. 

Make sure that your pen test provider has adequate insurance to cover the potential of compromised or breached data from pen testing. 

You’ll want to establish strong report expectations that provide both (1) strategic, jargon-free advice for security that can be easily digested by management, and (2) ranked technical vulnerabilities with remediation suggestions, including specific instances. Key pen test metrics include issue / vulnerability level of criticality or ranking, vulnerability type or class, and projected cost per bug.

Ready for your first pen test? At Secureframe, we’re lucky enough to partner with many fantastic penetration test firms.  After your pen test is complete, we’ll provide advice on how to interpret the results of your pen test and strengthen your company’s security posture. You can reach out to sales@secureframe.com if you’d like to learn more! 

Secureframe Blog

Announcing our $4.5M Seed Round with Base10 Partners and Gradient Ventures

Should you get a SOC 2 report or ISO 27001 certification?

What are SOC 1, SOC 2, and SOC 3?

Who needs a SOC 2 report?

Pen Testing 101

Never miss a post. Subscribe!