Secureframe Office Hours Recap: Answers to Your Questions About Evidence Collection, Security Training, and Annual Audits

November 01, 2022

Emily Bonnie

Senior Content Marketing Manager at Secureframe


Rob Gutierrez

Senior Compliance Manager at Secureframe

Not sure which security and privacy frameworks you need to comply with for your industry and customers? Wondering how to scope your audit? Looking for best practices to implement new security policies or processes? Our Secureframe Office Hours | Ask an Expert series is designed for you. 

Secureframe Office Hours | Ask an Expert is an open forum for attendees to have their specific security, privacy, and compliance questions answered by one of our in-house compliance experts and former auditors. 

The first session, held Thursday, October 20, featured Rob Gutierrez, CISA, CSSK. Rob is a former auditor with an extensive background in FedRAMP, financial statement audits, and FISMA. Now Rob shares his auditing and information security knowledge with Secureframe customers to help them achieve compliance and build robust security and privacy postures. 

During the 30-minute, live Q&A, Rob answered more than a dozen questions on topics ranging from employee security training to the future of global cybersecurity standards. If you missed it, we’re recapping some of his answers below. 

1. What types of evidence should I collect in advance, or throughout the audit observation period? I don't have a great process in place and would like to understand best practices.

Rob: The most important types of evidence to collect during an audit window are the items that are going to be “sampled” by the auditor. This includes things like new hire/termination tickets, change requests, performance reviews — essentially anything that is a repeatable process. Those are the items that the auditor will ask for examples of at the end of the observation period. Secureframe helps guide you through your audit readiness journey in terms of knowing what you need and collecting it for you.

2. We need to have our employees complete annual security training for our compliance certification. Most of our team has already done their training — how do we know when that training expires? 

Rob: If you use Secureframe, you can check in the platform as that’s a feature we’ve built in. But generally speaking, you’ll want to make sure your employee training is done within your audit window. If you have a 12-month audit window, make sure employee training was done during that 12-month period. If you’re using a training tool, it should tell you when the training was completed and offer the ability to send reminders to employees who haven’t completed their training. 

It’s definitely best practice to have employees complete security training annually, and make sure the training content is up-to-date, relevant, and applicable to your employees. 

3. Are there any resources that you recommend to help create a business continuity plan?

Rob: The Secureframe platform offers a good template for a business continuity plan. Additionally, I’d advise creating a working group in your organization of the people that would be involved and working through some of the different details and procedures that are important for the BCP. 

Going through a disaster recovery tabletop exercise can also help your organization determine what should be in the BCP. Any lessons learned from a disaster recovery tabletop exercise should then be added to the go-forward BCP.

4. Do you foresee a harmonized standard for cybersecurity that all countries will recognize?

Rob: Potentially, yes. Right now a lot of countries are coming up with their own legislation, but considering there’s one whole legislation for the EU (GDPR), I’d be surprised if other continents or allies (i.e. NATO, NAFTA, etc.) don’t come up with their own type of additional legislation to be united in their cyber efforts. 

5. What is the best way to manage annual audits?

Rob: It's easy for me to recommend Secureframe as a great way to manage annual audits. I’d also recommend holding quarterly meetings between relevant stakeholders, including security and compliance personnel, just to ensure that all of your personnel and processes have been in compliance throughout the 12-month window. 

6. What adjustments can be made to compliance tests when they are prohibitively expensive for a startup (such as data loss prevention software, threat monitoring, pen tests, etc.)?

Rob: It depends on the tests, but there are usually alternative solutions or implementations that can be more cost-effective for startups. SOC 2 can be a fairly malleable or flexible framework compared to other frameworks so we work with clients of all different sizes and IT environments to determine the best compliant solutions for their startups. For example, there are free external vulnerability scanning tools out there (such as OWASP ZAP) that can be used. 

Specifically for the items you mentioned: 

  • DLP is nice to have, but not a hard requirement.
  • Some Configuration Service Providers (CSPs) have inherent threat detection tools and/or there are some cost-effective options out there such as Wazuh.
  • Pen Testing, if done through your auditor, can sometimes be bundled into your pricing, and/or at least you have a streamlined, more efficient process by getting the pen test from your auditor instead of another external provider.

7. What strategies or best practices can you share for small companies (less than 15 employees)?

Rob: Since there are often so many competing priorities at startups, and compliance is generally not a priority [as compared to product/market fit and customer and revenue growth], I would recommend establishing policies that a smaller company can easily implement and follow. 

Additionally, for small companies that are just getting started with SOC 2, we advise them to go for their SOC 2 Type I first, as it's a good way to “dip your toes in” and get acclimated with compliance. 

One nice thing about working with Secureframe is that our customer success and compliance teams work very closely with our customers to help them efficiently streamline their compliance and audit readiness process. We help companies as small as one person, so our advisory and consulting support really goes a long way in helping smaller startups get audit-ready and compliant. 

Additionally, it’s important to note that certain auditors may not require a pen test for your SOC 2 Type I. This is generally based on your environment. If you have a lot of open web vectors, the auditor is more likely to require a pen test.  

8. What steps do early-stage startups need to take to lay the foundation for best-in-class security and compliance? 

Rob: The first thing I’d say is establishing and implementing policies that can easily be followed and complied with by employees.

Next is configuring your tech stack to support your mission-critical business functions, while also meeting SOC 2 control requirements. For many controls, there are different ways to meet the intent of the control. Secureframe customer success and compliance teams frequently work with clients to determine how configurations and control implementations can meet the requirements and intent of a given control. 

It also helps to use tools that have built-in features that can help with compliance, such as AWS, GitHub, or Azure. They all have features and services that can help make compliance a lot easier for your company. 

Join our next Secureframe Office Hours | Ask an Expert

We’re hosting Secureframe Office Hours regularly throughout the coming months. Join our next session on Thursday, November 3 at 10:30-11:00 AM PST/1:30-2 PM EST with security, privacy, and compliance expert Jonathan Leach, CISSP, CCSFP, CCSK, to get on-the-spot answers to your specific questions. Register today to save your seat.