Secureframe Office Hours Recap: Answers to All Your Audit-Specific Questions

December 01, 2022

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Emily Bonnie, Senior Content Marketing Manager

Not sure what to expect from your auditor before, during, and after the audit process? Wondering what criteria to use to select an auditor or auditing firm? Not sure how to determine your audit window? 

Our Secureframe Office Hours | Ask an Expert series is designed for you to get insights, best practices, and answers to your questions about every aspect of the compliance process — including before and after an audit.

This series is an open forum for attendees to have their security, privacy, and compliance questions answered by one of our in-house compliance experts or audit partners, and to hear what other security-minded organizations are thinking about and asking. 

The third session, held Thursday, November 17, featured Steve Seideman, CISSP, Director of Ethical Hacking at Prescient Assurance. Steve is an auditor with nearly 30 years of experience in the security, privacy, and compliance industry.

During the 30-minute, live Q&A, Steve answered audit-specific questions that are top of mind for startup leaders and security professionals. If you missed it, we’re recapping his answers below.

1. What tools are used for auditing the security and compliance of an organization’s system?

Steve: Secureframe itself is the primary tool that we use at Prescient Assurance when we do audits. Of course, Secureframe has hundreds of integrations and automation pieces that are part of that process, like API calls and checks. For example, if you connect your AWS environment, the Secureframe platform will query your AWS environment to find a number of different configuration settings. We rely on Secureframe to do that kind of work for us.

2. How do you measure compliance with GDPR? For a company with a global footprint, what specific measures can we take?

Steve: So I'm going to preface answering questions about GDPR with an important note: Privacy standards, like GDPR, CCPA, HIPAA, Canada's privacy standards, and other government-regulated privacy standards do not have a governing body that defines what it means to be compliant with these standards.

When we do a SOC 2 audit or an ISO 27001 audit, for example, there's a governing body that says what it means to be compliant and defines the standards by which an audit must be done. There's no such thing for GDPR.

What that effectively means is that compliance with GDPR comes down to the opinion of the auditor, or, in many cases, the opinion of the company who's saying that they are compliant with that standard. So when you ask what it takes to be GDPR compliant, the answer is that it's whatever you think it takes, because there's no one who says you're not GDPR compliant. Unless, of course, you have a significant privacy breach and an EU regulatory body fines you for not being compliant.

So I wanted to first clearly state that when we do an attestation of compliance for a privacy standard like GDPR, it's our opinion and we are following generally accepted audit principles for how we conduct that audit.

At Prescient Assurance, we’ve broken out the various technology and governance controls that are defined in the GDPR legislation and applied them to those pieces of legislation. There's a number of ways that you can do that. Secureframe has their mapping of controls, for example. You can also look at the law itself and what it’s asking you to do. The primary thing to remember about privacy controls in general is that they require transparency. They require you to define very clearly what you do and why you do it, if you share data with anybody, who you share it with, and it requires you to get consent from anybody whose data you're collecting.

So the primary things to remember about being GDPR compliant are to know what you're doing and why you're doing it, and to be very clear and transparent about them. That's primarily how we measure GDPR compliance.

3. How does GDPR relate to other privacy standards? 

Steve: California's privacy law, for example, is very closely aligned with the EU’s GDPR. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is also very similar.

The primary differences are bureaucratic. GDPR has specific requirements relating to the EU, like having an EU presence, having a person who is in the EU who is the designated privacy officer, defining personal data as the personal information of EU residents, those kinds of things.

In the broad spectrum of what the requirements are, they're roughly the same. So again, transparency, clarity, and consent are the primary things.

4. What can an organization expect from a first-time audit?

Steve: When you go through a first-time audit, one of the most important things to look at and to expect is that you might not be at one hundred percent compliance. There may be things that you haven't done or are still a work in progress.

In general, audit firms should take account of the maturity of your security and compliance program and the risks that apply to your organization. For example, it's generally low risk to not have all of the details of your program fully documented, but it would generally be high risk to not have a technical control that prevents your data from being exposed to the Internet. So when we do audits, we are supposed to account for that kind of risk. 

Minor deficiencies, like your documentation is not a hundred percent complete, are generally acceptable to have in your report. Many people come into the audit with the idea that they want to have a hundred percent compliance. They don't want any deficiencies noted in their report, and that's not necessarily the best approach.

The best approach is to take what you are doing, make sure that what you are doing is mature and repeatable and well-documented, and then from there worry about the things that you aren't yet doing. You can work in conjunction with your auditor and with the compliance and customer support teams at Secureframe to work through any questions about things you might still need to do.

5. Is it true that the auditor may find some areas of opportunity or improvement and have a conversation with the company being audited so that they can make those adjustments during the audit period?

Steve: That's absolutely right. In particular, our stance at Prescient Assurance is that we like to be involved in those conversations as early as possible. Many times we've gotten involved in audits where an organization comes to us thinking they're completely ready for the audit and decisions were made that were not the best decisions based on their situation, and we could have saved them some headache had we been involved earlier on. 

Our goal is for you to be successful in an audit. The earlier we can get involved, the earlier we can make sure that we're all on the same page and that we all have the same expectations around the controls. We can also answer questions and help out more, which is better for us and for you.

6. What are Plan of Actions and Milestones (POA&Ms) and System Security Plans (SSPs)? 

Steve: That terminology is specific to government audits, to NIST and FedRAMP and those kinds of programs. The idea behind these documents is essentially that the expectation of most audits is that you're not going to be perfect at the time of the audit. The expectation is that gaps will be identified. And when you identify a gap, that gets added to some kind of risk registry and there's some sort of corrective action plan around that particular item. That's what a POA&M is. It's a plan of action and milestones for addressing some gap that's been identified.

The SSP is more like a system description document for SOC 2. These are things that define scope and define the controls around your system.

7. In order to meet all the standards of Trust Services Criteria, what preparations should we do? Can you give me a self-assessment form for SOC 2 Type II?

Steve: That's one of the things that Secureframe excels at. The Secureframe platform itself is that preparation and self-assessment process as you go through the readiness tasks and the guidance that's provided in the platform. The platform is going to prompt you to connect systems and to configure systems securely. It’s going to prompt you to make sure that you've got records of security training, that you've properly onboarded employees, all those kinds of things.

That is the primary business case for using a tool like Secureframe: As you go through those checks and that dashboard starts to turn all green, it will provide that reassurance that you're looking for to make sure that you're ready.

8. I am currently performing an internal ISO 27001:2013 gap analysis for the company I work for. What questions should I expect from auditors in relation to ISO 27001 standards for a company of 300 people?

Steve: So that's a question I can only answer briefly at this time. There's approximately 150 controls, and an auditor is going to ask you about every single one of them. 

What I will say is if you look at the clauses 4-9 in the standard, that gives you a sense of the overall information security program that you're supposed to have. The clauses are the governance piece of this, and then the appendix controls are more the technical details around how you accomplish the stuff in the clauses.

So at a high level, if you focus on the clauses and make sure that you're doing the things that the clauses are defining, you should be generally okay.

9. How does continuous monitoring work inside Secureframe?

Steve: As I mentioned previously, Secureframe has a number of technical components to it. It runs daily, weekly, and monthly checks against your various controls. So it's using automation, where automation is practical, to validate that your controls are staying compliant. There are also alerts inside Secureframe that help you with more process-oriented tasks. So you might get an alert that says a piece of evidence you uploaded for last year’s audit is expired and you need to upload new evidence for this year’s audit.

Another important feature of Secureframe’s continuous monitoring is the ability to designate a test owner for all of the required tests, which have been mapped to the various controls that companies must implement and ensure ongoing operation of.

The platform then empowers you with the ability to delegate those out and set due dates, frequencies, and tolerance windows to those tests. This allows you to track who needs to do what, when, and how.

10. How do you advise getting executives engaged and bought into the importance of security and privacy compliance so that they ultimately become advocates?

Steve: That's a really important question. If you don't have good executive leadership buy-in to any kind of security initiative — whether it's a compliance or a technical initiative — it's very difficult to get things done and get the people in the organization to prioritize it. You need the help of the executive team to accomplish that.

What I find has been useful for me in my career in working with C-level executives in highly regulated industries generally speaking is saying, “Hey, if we don't do this, the regulators are going to come in and you're going to pay fines for not being compliant.” So if you're in health care, and you need to be HIPAA compliant, you have that carrot-and-stick approach that you can take and say if we get compliant, we're going to be more secure and if we have a regulator come in and look at our systems, we're not going to get into any trouble.

If you're not in a regulated industry and you're trying to get buy-in for security and compliance initiatives, what I find useful is to look at a security incident that's been in the news recently that's in the same industry that you're in. A good example is Uber’s most recent significant data breach.

One of the things that we did at Prescient Assurance is look at that data breach and analyze which of the audit-type controls that we look at when we assess somebody could have prevented this. So we asked: what if Uber had gone through an audit with us? What would have been the controls that we would have assessed? And how would those controls have prevented this breach? We were able to identify five different controls at five different points in that process where, if even one of those controls had been effective and in place for Uber, they would have prevented that data breach.

So it’s really effective when you go to executives, and CEOs in particular, to say, “Hey, look! These guys are just like us, and they are experiencing a lot of public pain right now because they didn't do this process. Here are the areas that we need to focus on in order to make sure that we don't have the same problem they just had.” 

You might also secure their buy-in simply by correlating the opportunity for closing deals, bringing on new customers, and growing revenue and ultimately the business. Almost every client that we have who's doing a first year audit is doing it because a customer they're trying to close a deal with has told them they must.

11. Can you comment on the difference in effort for a company to achieve ISO 27001 and ISO 27018?

Steve: This depends on whether the company already has been ISO 27001 certified or not.

All of the ISO standards are process-oriented. So the purpose of the ISO standards, the audit process, and compliance is to have mature, documented processes. If you've already gone through an ISO 27001 certification process, you should have good documented processes for how you maintain the compliance and the security of your ISMS. So that significantly reduces the burden to achieve any other of the standards in the ISO 27000 series.

The main thing in terms of level of effort is how much documentation you will need to produce, and the level of maturity at which you expect those processes to be. So in many cases, when we go to do an ISO audit, we have people who have a lot of the right processes in place, but there’s no documentation that says this is how we do it right.

That's really the main thing to focus on when you're getting ready for ISO: look at the processes that are required, make sure those processes are well-documented, and make sure that you can prove that you're following those processes in a consistent way.

12. What do you think could be the evolution of security, auditing, and integration with the compliance process?

Steve: Let me start by explaining the traditional model of how to do an audit. It starts with a long, exhaustive interview process. The auditor would call people into a conference room one at a time and ask them a series of questions. That process would go on as long as it needed to, until the auditors were satisfied that they had questioned everyone. Then they would follow up with a bunch of document requests. Then it would take months to go back and review all those audit interview notes and all those audit documents. There would be a lot of follow up like, “This document you gave me isn't quite right, and I need a different one.” So it would take months to determine whether or not a company was compliant with whatever standard was being looked at.

What you see in the evolution of the security space generally is there's been more of a push to shift away from achieving that point-in-time security and compliance to wanting to be secure all the time. That's why compliance platforms like Secureframe are the future.

They continuously monitor so you know whether or not you're compliant at all times. When an auditor comes in and says, “All right, show me that you're doing X, Y, and Z,” you know exactly where to go for those pieces of information and you can show them very quickly. Not only is it easier for you to know if you're compliant or not — it's also easier for the auditor.

As the auditor, it’s much easier to use a platform like Secureframe because I can go in and see what’s compliant and review a bunch of documents. I don't have to ask you any questions, and I don't have to make a bunch of document requests. So it saves everybody a ton of time and hassle, and I think this is the direction that auditing is going.

I think any company at this point that is not looking for a GRC tool to measure their compliance, to take their controls and be able to map them to multiple audit standards, is going to be falling behind and experiencing pain.

Because today, most companies are looking to not only be compliant with SOC 2 but also GDPR and CCPA and other frameworks. So they’re looking to choose a set of controls and make those controls really good and mature and well-documented so they can apply them to any audit standard that they need. This works because most frameworks overlap at an eighty to ninety percent level. So if you're strongly compliant with SOC 2, you're likely to be strongly compliant with ISO and other standards. That’s the direction I see the compliance industry moving in. 

13. How do I prioritize my time to get audit ready, and where should I start?

Steve: In any audit process, I strongly recommend starting with your policies. Make sure your policies really reflect what you do, not what you think the standard wants the policy to say. Again, it's much better to have good, mature, well-documented processes that are real than to say something that you think you're supposed to do but don’t actually do.

Next, make sure your employees understand the policies and their responsibilities and tasks related to those policies. Then, make sure they’re actually following your policies. For example, if one of your policies says you're going to do quarterly performance reviews, do quarterly performance reviews and provide some documentation. 

And finally, prioritize the technical controls. Make sure that your technology stack is secure, and that the processes around your technology are secure.

So that’s the three-step process I’d recommend: get your policies right, make sure your personnel are completely in line with those policies, and then make sure your technology stack is solid.