Secureframe Office Hours Recap: Essential Security Certifications for Startups, Defining Audit Scope, and More Answers to Your Compliance Questions

  • November 24, 2022
Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Anna Fitzgerald, Senior Content Marketing Manager

Not sure which security and privacy frameworks your organization needs to comply with for your industry and customers? Wondering how to scope your audit? Looking for best practices to implement new security policies or processes? Our Secureframe Office Hours | Ask an Expert series is designed for you — well, more specifically, for you to get insights, best practices, and answers to your questions. 

Our Secureframe Office Hours | Ask an Expert series is an open forum for attendees to have their security, privacy, and compliance questions answered by one of our in-house compliance experts and former auditors, and to hear what other security-minded organizations are thinking about and asking. 

The second session, held Thursday, November 3, featured Jonathan Leach, CISSP, CCSFP, CCSK. Jonathan is a former auditor and information security consultant with more than a decade of experience helping companies implement and improve their security posture. Jonathan now helps Secureframe customers achieve compliance with frameworks including SOC 2, ISO 27001, GDPR, and HIPAA.

During the 30-minute, live Q&A, Jonathan answered questions on topics ranging from continuous monitoring to getting a new compliance program off the ground. If you missed it, we’re recapping some of his answers below. 

1. Which security standards do you recommend for SaaS companies?

Jonathan: My first recommendation is ISO 27001. ISO 27001 is a globally recognized standard, and it not only puts the foundational security policies and procedures in place, but a real information security management system that is continuously being improved. 

It’s one of the best foundational frameworks you can implement. Then you can dive deep into some of the more specific ISO 27000 series standards and achieve additional certifications to show your customers that you’re going the extra mile to secure their information. 

If you’re US-based, SOC 2 is also a very well-recognized standard and it has a lot of overlap with ISO 27001. Both frameworks will give you a strong set of foundational security principles to protect your business and your customers. 


2. How can small organizations (fewer than 5 employees) satisfy the segregation of duties and access control requirements needed to achieve certification? 

Jonathan: This question comes up quite frequently in companies with small developer shops. They’re seeking to punch above their weight class and achieve certifications that are typically seen by larger enterprise companies with a built-out development shop and security controls already in place. 

There are a few workarounds that will allow you to make risk-informed decisions about access control, segregation of duties, dual authorization, and appropriate code review. 

The first step has to do with documentation, which is a key tenet of ISO 27001. When it comes to access control with a limited number of people who may all have (and need) access to sensitive information and dev tools with the ability to push out updates, the first step is standardizing the types of changes to limit the amount of in-depth review and testing for low-risk changes. You can identify types of low-impact changes that require minimal review and approval, but still follow as much automated testing and inspection as necessary. 

The second piece is dual authorization for larger and more impactful changes. The requester of the change is different from the approver, or in this case, at least requires review from another qualified resource prior to approval.

Secureframe can help you create and publish the necessary documentation, as well as confirm that any necessary changes or customization are in line with ISO’s requirements. We like to think of ourselves as an extension of your team, as big or small as that is, and we’re happy to answer any questions you might have about documentation. 

3. How can I complete security questionnaires faster?

Jonathan: This takes me back to my vCISO days of helping companies answer all of these RFPs and questionnaires. It can get really tedious to have to respond to so many different requests and answer dozens of variations of the same question. 

Our engineering and product teams have created an amazing artificial intelligence engine with Secureframe Questionnaires. With a few examples of previously answered questionnaires, the AI can create a baseline and complete unanswered RFPs and questionnaires with a high degree (90%+) of accuracy. You can go in and confirm or edit the answers before sharing the completed questionnaire back with your customer, which helps the AI learn and increase accuracy for future answers.


4. How do I know my policies contain all the required information to be compliant? Do Secureframe policy templates include everything needed?

Jonathan: All of the pre-vetted and approved policies we provide are written intentionally to be as wide in breadth as needed to cover the requirements while also being easily customizable where necessary. We point out specific sections that need further review or customization prior to publishing so as to have the right balance of turn-key readiness and applicability to your specific environment.

5. Our organization needs to be GDPR compliant, but it’s been difficult to dedicate time to the compliance process. Where should we start?

Jonathan: GDPR can be daunting, particularly as it is a law. Secureframe makes it as easy for you as possible with our own in-house compliance experts and former auditors so that you know beyond a shadow of a doubt that you’re doing everything you need to do to protect EU citizen data. 

While GDPR compliance is more based on policies, documents, and meeting legal requirements, we help by providing the policies and procedures you will need to demonstrate compliance should you opt for an audit (although there is no official required “audit” or “certification” for GDPR). 

6. What do covered entities and medical offices need to do to have HIPAA-compliant encryption in place?

Jonathan: We’ve helped many, many organizations effectively implement the policies and procedures that are required to be compliant with HIPAA. And not just checking boxes for the sake of HHS, but on behalf of the patients and data subjects whose protected health information you’re entrusted to safeguard, whether you’re a covered entity or a business associate. Encryption is just one piece of that. 

Unauthorized disclosures have happened because of data not being encrypted at rest. Someone will leave a laptop in a car or unattended in an office and someone snatches it. Encrypting that information makes sure that, should anyone gain unauthorized physical access to a device, they won’t be able to see or access protected data. 

7. How does Secureframe’s continuous monitoring work?

Jonathan: Continuous monitoring really gives our customers peace of mind that our platform will look for gaps in compliance, alert customers, and show them what they need to fix and when. 

This works in a number of different ways, mainly by designating and assigning test owners which are mapped to all of the different controls for the different frameworks. So a specific person in a specific department is responsible for specific tests, which are tied to specific controls. 

You can set frequencies for each test, so if it’s a recurring task like quarterly access reviews or annual pen tests, the control owner gets a reminder. 

Secureframe removes a lot of stress from the process. First, knowing what you need to do to become compliant, and then knowing for certain who’s responsible for what and when, in order to stay compliant. 

8. From a PCI DSS compliance perspective, are there criteria that discount Microsoft BitLocker as an effective disk encryption tool when there is no Active Directory available to store the recovery key? 

Jonathan: I’m not familiar with any PCI DSS requirements that would discount the effectiveness of BitLocker. But with no recovery key available in an Active Directory, and as long as there’s someone with authorized access who can recover that key securely if necessary, it shouldn’t be a problem.

The only problem I’ve seen with BitLocker is with Microsoft Windows Home edition. That would require additional mitigating factors to ensure sensitive data never makes it down to the endpoint level and that it's stored securely elsewhere where you can leverage effective encryption.
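The two BitLocker points above (no Active Directory to escrow the recovery key, and no BitLocker on Windows Home) and the stolen-laptop scenario from question 6 are easy to get wrong in a small shop. The following PowerShell script is an added example written for this recap; it is not from the Office Hours session and is not Secureframe tooling. It checks the Windows edition and TPM, enables BitLocker with both a TPM protector and a numerical recovery password, escrows the recovery password to a location that an authorized administrator controls, and prints the evidence an auditor asks for. The escrow share path `\\vault.example.internal\bitlocker-keys` is a hypothetical placeholder; everything else uses the standard BitLocker, TPM and CIM cmdlets that ship with Windows 10/11 Pro and Enterprise.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Office Hours session or Secureframe): enable and
# verify BitLocker on a workstation that is NOT domain-joined, so there is no
# Active Directory in which to escrow the recovery key, and escrow it yourself.
# Assumption (hypothetical): $EscrowShare is a restricted share that only
# authorized administrators can read. Runs elevated on Windows 10/11.

$MountPoint  = 'C:'
$EscrowShare = '\\vault.example.internal\bitlocker-keys'   # hypothetical path

# 1. Windows Home ships no BitLocker module. Detect that before doing anything
#    else; on such a machine the answer is to keep sensitive data off the endpoint.
$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
    throw "BitLocker cmdlets are not available on '$edition'; keep regulated data off this endpoint."
}

# 2. A TPM-bound protector means the volume unlocks only on this hardware,
#    which is what defeats the "laptop left in a car" case.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; enable it in firmware before continuing.'
}

# 3. Turn BitLocker on if the volume is still plaintext. Start with a recovery
#    password protector so there is always a way back in, then add the TPM.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
}

# 4. Make sure both protector types exist, whatever state the volume started in.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
}
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

# 5. Escrow. With no AD, write the recovery password where only authorized staff
#    can read it, keyed by hostname and hardware serial so it can be found later.
#    Never leave a copy on the encrypted disk itself.
$record = [pscustomobject]@{
    Hostname         = $env:COMPUTERNAME
    Serial           = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    KeyProtectorId   = $rp.KeyProtectorId
    RecoveryPassword = $rp.RecoveryPassword
    Escrowed         = (Get-Date).ToString('o')
}
$record | Export-Csv -Path (Join-Path $EscrowShare "$env:COMPUTERNAME.csv") -NoTypeInformation

# If the device is Entra ID (Azure AD) joined instead, escrow there and skip the file:
# BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# 6. Evidence for the auditor: protection on, strong cipher, both protector types.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    Volume           = $vol.MountPoint
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
} | Format-List
```

Two practitioner caveats on the example. First, escrow is only as good as the access control on the escrow location: the CSV above is a plaintext recovery password, so the share (or whatever replaces it) needs the same least-privilege treatment a key vault would get, and recovery events should be logged. Second, a TPM-bound BitLocker volume unlocks at boot, so it protects against the stolen-device case but not against anyone who can log on to the running system; PCI DSS v4.0 requirement 3.5.1.2 accordingly treats disk-level encryption on non-removable media as acceptable only when PAN is also rendered unreadable by another mechanism, so full-disk encryption should be one layer in the design rather than the whole answer.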

9. How do I scope my audit?

Jonathan: Secureframe helps with this as well. Scoping an individual product, tool, or system that contains sensitive information can get tricky, since they often extend into supporting systems. 

I always recommend, wherever possible, including the entire organization in the scope of the audit. That way you know you're secure from top to bottom. Anytime you release new products or services, you know that those are going to meet the same requirements as well. 

There’s also the people element. If you can include everyone in the organization, you don’t need to guess who needs to be included in scope for policy reviews and security training.  

Sometimes that wider scope is easier said than done from a budget perspective. We always discuss audit scope during the onboarding process with the multiple different dedicated resources you get when you become a Secureframe customer.