How can I create SOC and NIST 800-53 policies and procedures?

Looking for tips to prepare for a SOC 2 audit? Wondering what the new controls are in ISO 27001:2002? Not sure whether you need to get an audit to be HIPAA compliant? 

Our Secureframe Office Hours | Ask an Expert series is designed to be an open forum for attendees to have their security, privacy, and compliance questions answered by one of our in-house compliance experts or audit partners, and to hear what other startup leaders and security professionals are thinking about and asking. 

The fourth session, held on Thursday, December 8, featured Cavan Leung, CISSP, CISA, CCSK. Cavan is a former auditor with over eight years of experience helping companies improve their security posture. Cavan now helps Secureframe customers achieve compliance with frameworks including SOC 2, GDPR, CCPA, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 9001, and others.

During the 30-minute, live Q&A, Cavan answered questions on topics ranging from SOC audits to HIPAA compliance. If you missed it, we’re recapping his answers below.

1. How can I accelerate my SOC 2 audit prep?

Cavan: The simple answer to that is automation. Compliance automation tools speed up the process of getting SOC 2 compliant. Also, trust in your experts, whether you’re hiring external consultants to help you implement SOC 2 processes and controls or using a platform that offers compliance expertise.

There are many compliance automation tools available, but the benefit of Secureframe is that it’s all-one. You have a dedicated compliance manager for complete support at every step of the SOC 2 compliance process. You have continuous monitoring. You have the exact controls and requirements that need to be in place. The entire platform is easy to use and guides you throughout the journey. 

If you’re not using an automated tool or consulting an expert, self-education is key. You’ll have to understand the requirements of SOC 2 and find avenues to speed up the control implementation process to ensure you’re up and ready for an external audit.

2. What's the difference between policies and procedures? Also, for a company pursuing both SOC and NIST 800-53, is it better to have NIST-based policies and apply those to SOC or SOC-based policies and apply those to NIST?

Cavan: Every organization should have a set of information security policies. The difference between policies and procedures is that generally speaking policies are a set of guidelines or rules that company personnel must follow (the “what”). Procedures are typically the step-by-step instruction on how exactly those guidelines or rules can be achieved (the “how”).

Our Secureframe platform offers information security policies that are applicable across frameworks. So regardless of whether you go with SOC 2, NIST, or both, our set of information security policies will be applicable.

If you purchase SOC 2, you’ll receive the set of infosec policies that are required to meet SOC 2 criteria. If you purchase NIST, you’ll receive the core set of infosec policies and the additional templates you need to meet procedural requirements.

3. What are the additional controls needed for the ISO 27001 update?

Cavan: There are 11 new Annex A controls for ISO 27001:2022. Most if not all of these controls were already implicitly covered in ISO 27001:2013. In the newer version, they called them out as individual controls to provide more clarity, transparency, and intuitiveness. 

One example of a new control is configuration management — so ensuring that if you configure your cloud infrastructure, it goes through appropriate change management processes. That was already part of an existing control from the 2013 version, but they separated it in the 2022 version to make it more clear.

Other controls include monitoring activities, which most organizations do as part of monitoring their cloud infrastructure, for example. Another one is threat intelligence, ensuring you have capabilities in place to monitor for threats and vulnerabilities. 

Below are all 11 net new controls: 

1. Threat intelligence: Information relating to information security threats shall be collect- ed and analyzed to produce threat intelligence.
2. Information security for the use of cloud services: Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.   
3. ICT (information and communication technologies) readiness for business continuity:  ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
4. Physical security monitoring: Premises shall be continuously monitored for unauthorized physical access 
5. Configuration management: Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. 
6. Information deletion: Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
7. Data masking: Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
8. Data leakage prevention: Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
9. Monitoring activities: Networks, systems and applications shall be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.
10. Web filtering: Access to external websites shall be managed to reduce exposure to malicious content.
11. Secure coding: Secure coding principles shall be applied to software development.

4. What is the best practice when deciding to add security policies?

Cavan: You need to know what is driving you to create new security policies. Maybe you are trying to meet the requirements of certain compliance frameworks. Or perhaps there’s a customer demanding certain policies in place before a deal can happen.

Once you understand the “why” of implementing new policies, you need to assess what policies you already have in place and then add new sections or language in your existing policies or create new policies. That way, you don’t have repetitive or conflicting verbiage within your information security policies.

5. What are most startups looking for in terms of audit certifications and compliance?

Cavan: If you’re mainly doing business within North America, the most popular compliance framework is SOC 2. Essentially, SOC 2 is a set of information security requirements that an organization must have in place. It’s an attestation, not a certification. What that means is that it’s required for you to have an external auditor audit you against the SOC 2 requirements. Once the auditor has finished, they'll provide an opinion on whether your controls are designed and operating effectively and reliably. That’s why it’s called an attestation: it’s an opinion from an audit firm on whether or not you’re SOC 2 compliant. 

Outside of North America, the most popular compliance framework is ISO 27001. It’s globally recognized. Unlike SOC 2, ISO 27001 is a certification. That means once you get audited externally by an accredited ISO audit firm, you will get a certificate that says your organization has an ISMS in place and is compliant with ISO 27001 requirements. 

That’s the main difference between the two from a business and audit perspective. 

6. Who can perform a HIPAA audit and what does that process look like?

Cavan: HIPAA is a law. Whenever you process PHI, whether you’re a covered entity (such as a hospital or clinic) or a business associate (such as a vendor of a hospital processing PHI on its behalf), you have to follow the HIPAA law. There is no official certification for HIPAA. Many companies do an external HIPAA audit to gain that extra assurance that they are abiding by the law as they should, but you do not have to perform an external audit to be HIPAA compliant. 

Many audit firms offer a bundle for multiple frameworks, like SOC 2 and HIPAA for example. So if an organization is already getting a SOC audit, then they get audited for HIPAA as well for that extra assurance.

7. My company provides software for financial institutions and we’re pursuing SOC 2 compliance for the first time. What does our information security program need for SOC 2 versus NIST compliance?

Cavan: It depends ultimately on your business partners’ and customers’ demand. SOC 2 is great. It’s a general information security framework that can be applicable to many types of organizations. Depending on which NIST — there’s NIST CSF, NIST 800-53, and others — they’re more catered to the federal side of things. So if you’re working with federal agencies, then that would be the demand pointing you to NIST or FedRAMP. So I would advise you to look at it from the perspective of demand. If customers or business partners are requesting SOC 2, then get SOC 2. If they’re requesting NIST 800-53, get that. 

If you want to pursue and implement an information security compliance program just to have it — and any organization should do that regardless of demand — SOC 2 and NIST CSF are both  great starting points. Both frameworks include common, high-level information security controls and processes that work across many industries. Once you establish those, you can build more prescriptive and granular controls for a framework like FedRAMP. 

For example, in SOC 2, there’s a requirement to have an authentication control, like a unique user ID and password or SSH key, in place. In a more prescriptive framework like FedRAMP, there’s more granular controls like you have to authenticate via a password of at least 8 characters and a certain complexity.

8. What credentials should an audit firm have?

Cavan: Generally speaking, it depends on the framework. For example, ISO 27001 requires an audit firm to be accredited before they can perform ISO audits. SOC 2 requires an audit firm to abide by AICPA’s set of rules and guidance. A certified public accountant also needs to issue the opinion. PCI requires a QSA to perform the audit. So different frameworks have different guidelines or credentials for auditors.

Before deciding on an audit firm, you should do research to determine whether they’re accredited or abiding by a governing body such as AICPA or otherwise following the necessary guidelines. 

You should also consider experience, reputation, cost, portfolio clients, and their ability to meet expectations of when you need the audit completed.

Stay tuned for the next Secureframe Office Hours | Ask an Expert

We’re going to continue to host regular Secureframe Office Hours throughout 2023. Stay tuned for updates.