Expert Insights on How to Achieve Continuous Security and Privacy Compliance

  • February 01, 2023
Author

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe

Reviewer

Jonathan Leach

Manager of Customer Success and Former Senior Compliance Manager at Secureframe

You need to get compliant with security and privacy frameworks like SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, and NIST CSF to build trust with customers to close deals faster. But you don’t have hundreds of hours to spare on manual work. 

That’s where Secureframe’s all-in-one compliance automation solution comes in. Paired with our unmatched in-house compliance expertise, our platform has helped thousands of customers get and stay compliant to the most rigorous global standards with ease and speed. That way they can stay focused on what matters: growing their customers, business, and revenue. 

In our Secureframe Expert Insights webinar held on Thursday, January 12, compliance expert Jonathan Leach, CISSP, CCSFP, CCSK and senior solutions engineering manager Kyle Gregoire showed how easy it is to get compliant in weeks—not months—with our automation platform.

If you missed it, check out the video replay on demand. We’re also recapping their insights and expert advice for achieving continuous security and privacy below.

What is Secureframe?

Secureframe is the leading, all-in-one compliance automation platform. We help organizations achieve and maintain continuous compliance to the most rigorous global security and privacy standards, including SOC 2, ISO 27001, HIPAA, PCI, GDPR, CCPA, NIST, and others.

We do that by offering best-in-class governance, risk, and compliance solutions, like continuous monitoring, personnel and vendor management, enterprise policy management, readiness reports, security questionnaires, proprietary compliance training, and more.

And we have more than 30 full-time compliance experts and former auditors on staff that are here to support our customers at every step of the compliance journey, helping answer auditor questions and providing guidance so customers can get and stay compliant to the frameworks that matter in their businesses.

To show how organizations use the Secureframe platform to get and stay compliant, Kyle Gregoire provided a demo of Secureframe’s all-in-one compliance automation platform, from onboarding to automating security questionnaires. He and Jonathan then answered questions on security, privacy, and compliance.

Below is a lightly edited transcript of that demo and Q&A.

Secureframe Product Demo

The Secureframe platform can be broken down into three main use cases.

The first is using Secureframe as an onboarding vessel. You can leverage Secureframe to administer policies to your organization's personnel, track that they read and accept those policies, administer security awareness training, kick off a background check, and then retain that evidence, all within the platform. So you no longer need to have the individual running point on an audit to swivel-chair across multiple different systems, sort through disparate data sources, and submit multiple requests to the HR team to aggregate that evidence. Instead, Secureframe automates all the security, privacy, and compliance requirements of employee onboarding.

The next use case of the Secureframe platform is using it as a gap analysis, remediation, and continuous monitoring tool; common elements of Governance, Risk, and Compliance (GRC). With Secureframe, you can not only understand your gaps and know how to remediate those gaps, you can also maintain continuous compliance through automation and integrations with the different technology solutions, tools, and applications that are being used across your organization.

The third use case is allowing your auditor easy access to review all compliance evidence directly within Secureframe. That's a really important benefit because the legacy way of undergoing an audit is providing audit evidence directly to an auditor based on the information request list they provide. Once you’ve submitted that evidence, they're going to spend a lot of time validating the completeness and accuracy of the data. They’re also going to schedule time with you to review it. That's not the case with Secureframe. The auditor will log into Secureframe and receive that evidence directly without the need to request it from you or meet with you. 

Now let’s walk through some of the features that make Secureframe an all-in-one solution for employee onboarding, gap analysis, audit readiness, and more to help you maintain a strong security, privacy, and compliance posture.

Integrations

Pain point this feature solves: Identifying security and privacy compliance gaps and automatically capturing compliance evidence from technology, tools, and applications you use in your business.

As an admin, you’ll have the opportunity to connect integrations during the onboarding process. This unlocks a tremendous amount of automation power.

Secureframe connects with more than 100 integrations–an amount unrivaled in the industry–to services already within an organization's core tech stack: business productivity suites, HR platforms, cloud service providers, MDM solutions, SSO tools, change management tools, developer tools like Github, and more.

Each one of these integrations within Secureframe is purpose-built. One of the most powerful is to your cloud service provider (CSP), like AWS, Azure, and Google Cloud Platform (GCP). Depending on the nature of the services an organization provides, there's a tremendous amount of controls and requirements around configurations of that CSP, and our platform can pull all of that data for you. The testing that we have is very robust. Within the industry, we provide the most in-depth integration testing related to CSPs.

As an endpoint security solution, we have a Secureframe Agent. This is at no cost to our customers. If you're not using an MDM solution currently to manage your devices, you can use the Secureframe Agent. It's not a replacement for an MDM solution, but it allows the platform to query devices, pull in those relevant details, and display those to you in a digestible format so that you can take corrective action. It also pulls the evidence that's necessary for the auditor.

With all these integrations, we're only collecting appropriate evidence that's necessary for the audit or framework that an organization is pursuing. This is all read-only data that we're pulling in. It's metadata. It's data about configurations. It's data about employee start date and end date, their email address, their position. We don't have the capability to overwrite data. We're not looking at PII and we're not looking at things that aren't necessary for the audit. Doing so helps reduce risk for our customers. 

As part of this process, you can customize an email inviting personnel to Secureframe with your logo, signature, and own language to match your internal communication style and processes. 

Employee Onboarding

Pain point this feature solves: Creating an automated onboarding workflow for new employees to complete security awareness training and review policies.

When non-admin personnel receive an invitation to join Secureframe, they’ll be dropped into the employee onboarding module within our platform. Admins can customize this onboarding experience as well by adding policies, including a background check, and adding an installation option for the Secureframe Agent.

What’s unique about Secureframe is we've developed our own proprietary training so you don't have to budget for, manage, or maintain another vendor relationship for training. Employees will find an engaging series of videos to watch and answer questions to test for their retention directly in the Secureframe platform. If they pass, they automatically get certified and the platform retains that evidence for the auditor.

This onboarding flow will also include the policies that you've published as an organization. Your personnel will have the ability to read and accept these policies as they onboard or at any time.

Some organizations create and maintain a Sharepoint slide deck, a Google doc of their policies, or something similar. With Secureframe, there’s no need to create and maintain a separate document because individuals within the organization always have the ability to log in to Secureframe and see the policies that they previously accepted. Once an individual has accepted all policies, they’ll get a green check in the Accepted policies column of the Personnel page, adding to your compliance evidence and posture. 

Let’s go inside the platform now. 

Monitoring Dashboard

Pain point this feature solves: Getting complete visibility with actionable insights on critical security and privacy compliance issues.

The monitoring dashboard is where the majority of Secureframe customers spend the most amount of their time. It is a high-level overview of how far along an organization is in terms of being audit-ready for the compliance frameworks it’s pursuing. 

Since many of our customers are pursuing multiple certifications, we do a lot of the cross-mapping or deduplication across frameworks. There's usually a fair amount of overlap between SOC 2, ISO 27001, and HIPAA, for example. So if you satisfy a particular test for SOC 2, we're going to map that to any of the controls that are common between SOC 2, ISO, and HIPAA. This dashboard will show how close you are to completing each one of those individual frameworks, as well as an aggregate score across multiple frameworks.

All the information on the dashboard is clickable. You can quickly navigate within the platform to see your personnel, assets, and integrations. You can set additional tasks for yourself and tasks for others within the organization.

How you use this dashboard really depends on your organization. Maybe you have an individual running point to get ready for the audit using this dashboard. Maybe you have multiple people across different business units that are all driving compliance using this dashboard. There's not a specific way that you’ve have to use the platform. We allow as much flexibility and customization as needed so that the tool really adapts to your organization.

Readiness report

Pain point this feature solves: Easily tracking progress towards an audit like SOC 2 or tracking how closely you are following legal compliance guidelines like GDPR.

The traditional way of getting an audit is receiving an information request list (IRL) or request for information (RFI) from an auditor. Basically, this is a spreadsheet that has 150-200 individual line items that says “Here's what you have to do. Show me the evidence that you do this.” It's pretty daunting, especially if this is your first time going through an audit. Usually the way things are worded are very confusing, and you're struggling to understand exactly what they're looking for, let alone whether the evidence you’re providing is valid. 

The other thing to consider, too, is auditors are bound by independence. Auditors cannot grade their own homework so to speak so you're limited in the questions you can ask your audit firm. If you’re going down the traditional route, that means you're left either trying to understand what they're looking for and ascertain what your gaps are, or working with a third-party consultant. That's going to cost $200 to $300 an hour on average. In some cases, it could be more if you're looking at PCI or one of the federal frameworks.

In Secureframe, the SOC 2 and other readiness reports replace that information request list, and it serves as a constantly evolving and up-to-date gap analysis for your organization. 

In the SOC 2 readiness report, for example, different control families are identified on the left hand side. On the right hand side, you’ll see different controls with individual tests being run underneath each control. These are all the things that you as an organization have to do and are being tested for in order for you to say yes, we have everything in place to meet this particular control requirement within SOC 2.

As soon as you connect integrations in the onboarding flow, the platform is going to start to develop this gap analysis. So what might take you weeks, if not months, through the traditional route happens immediately with Secureframe. As soon as we start to run those syncs, it's going to recognize what configurations you have in place versus what you do not have in place.

Out of the gate, if you connect your integrations and look at this report, it's going to recognize that you don't have any policies published. You don't have any policy owners identified. Your personnel haven't read policies. As you work through those activities within the Secureframe platform, this report will update showing your progress towards being audit-ready and in compliance. 

This is what the auditor is primarily going to base their assessment on once they get access to Secureframe.

You can customize this report as well. Let’s say a particular control doesn't apply to you. Maybe you’re a managed services provider, for example, and you’re not hosting data or providing any sort of software as a service or application. In that case, the controls and tests related to information security within a cloud service provider, data encryption at rest and in transit, logging, alerting, and monitoring of some of those different services don't likely apply to you. So you can disable those within the platform. This is another great example of the customization that we bring into the compliance process. That ability to customize allows you to make the Secureframe experience as bespoke as necessary so the process is as efficient as possible. 

Another cool thing about this readiness report is that you can export it. While this doesn't replace a SOC 2 report, it allows you to provide customers or other key stakeholders with an update on your progress towards SOC 2. Maybe this is part of an executive oversight committee meeting or a steering committee meeting. Whatever your needs, you can choose to export all controls or only the controls that you're passing in this report. 

Tests

Pain point this feature solves: Automating manual evidence collection and continuously detecting and remediating issues across your environment with tests that are mapped directly to compliance framework controls and requirements.

You can also view the information presented in the readiness report in a more granular way under the Tests page. Think of this as a test library. There's 1,000+ tests that the platform can pull from based on their applicability to your organization and to the filters you set. 

But this page and really the connection with your cloud service provider is dynamic. What I mean by that is we have 150+ individual tests around AWS. That does not mean 150 are applicable to your organization. For example, the screenshot above only shows 32 individual tests that are in scope for SOC 2 where AWS is the vendor. The platform will also recognize the services that you're using within AWS so if you're not using EKS clusters, Kubernetes, the Elastic Container Service, or Lambda functionality, then tests for those different services would not appear on this page. They would always be available, you would just have to add some additional filters for them to show up in this list.

Filters are stackable so you can add any number of filters that you want and save these views so you don’t have to come back and continually add those filters to see the same information.

You can also bulk assign ownership. Maybe your developer team or your engineering team is the responsible party for ensuring that the AWS environment is properly configured and compliant. You could bulk assign tests to that team or one individual so that they own the responsibility for ensuring these tests are completed and maintained.

This Tests page is constantly updated. So if a test is passing today but then you spin up a new resource and don't have proper configurations in place, then the test will change to failing and the test owner will receive a notification. So that's the continuous monitoring component.

We don’t take a one-and-done mentality with audits and compliance. It's something that happens in perpetuity and a solution like Secureframe allows an organization to have a tremendous amount of visibility into their security and privacy posture across their entire tech stack through a single pane of glass to ensure they can get and stay compliant with more efficiency. 

Let’s take a look at a specific test to see what type of data that the platform provides.

Take the test for Simple Queue Service (SQS) encryption. If this test is passing, it will be denoted by a green check mark. If it is failing, it would be denoted by a red X. The platform also provides in-app remediation guidance. 

In the next tab labeled “evidence,” you would see a table of all the different resources or assets that are being implicated by this test. If it were failing, maybe it would be because you have one particular resource or asset that does not have the proper configuration in place. In that case, the platform would specifically call that resource out.

Think about the efficiency of this page. It’s telling you what the test is and what its status is. It’s also telling you that the reason it’s failing is because of a specific resource within your AWS environment. It would also tell you how to fix it. You’d have step-by-step instructions with screenshots directly in the platform for how to remediate this from your AWS console. You’d also find a link to the source of truth. In this case, it's documentation that AWS has posted.

So what that means is you or whoever the test owner is knows exactly what you need to do to remediate this test. What may have taken you two days and countless hours of investigation now takes you five minutes to understand, and maybe 15-20 minutes to remediate. So we’re reducing what would take hours to a matter of minutes.

Also, in the screenshot above, you may have noticed that this test applies to PCI, ISO 27001, HIPAA, and SOC 2. So if you were pursuing multiple frameworks and successfully remediated this test, that would be applied across each applicable framework for your organization.

You can also leave internal-facing comments in the Test page. Say a developer is working on this and wants to leave another developer some notes and ask if they can take a look. They can write that as a comment and send them a link to this test in Slack or email. This will be a direct link so that the developer doesn't have to log into Secureframe, click on Tests, run these filters, and then find that test. They just have to open the link. 

Personnel

Pain point this feature solves: Ensuring all personnel stay compliant with the appropriate access control, training, and policy reviews.

Whether this is your first time going through a SOC 2 or tenth time, it's important to understand that compliance is not all about configurations of technical systems or services. There is a tremendous amount of operational requirements, like how do you onboard your personnel? Do your personnel read and accept policies? Do they complete security awareness training? Have they gone through a background screening? Do you have a process in place for evaluating personnel to ensure that they're meeting the obligations set forth in their job description?

Secureframe can help you meet those requirements as well. In the Personnel tab, you can see a list of all personnel and whether they've accepted policies, completed security awareness training, and belong to any groups. You can also see what services are populating their record. For example, an employee might be populated from Github AWS, Google Cloud, Azure, Google Workspace, Gusto, and Office 365. That's really powerful. Say in 6 months, this individual is no longer with the organization but they’re still on this page. Then you can mouse over the connected services column and clearly see that they still have provisioned access on a couple of those services. 

You can also click on an individual person to see specific information related to their access to Secureframe, onboarding requirements and policies, and what groups they belong to. You can also see what their roles are for each service and whether they have privileged access to. You can see what devices they use, and more. 

Think about going through a traditional audit that touches on multiple business units within an organization. Now for a smaller organization, this doesn’t seem problematic because you may not have multiple business units. Maybe you have a five-person team consisting of a founder, a co-founder, a lead engineer, someone in customer success, and someone in sales. In that case, everybody can be agile and have a lot of visibility into what other team members are doing.

But as your organization grows, things become siloed. For example in a larger organization, you may not know what HR is doing or how HR administers policies. If you’re the person running point on your SOC 2 project, then you have to rely on HR to validate that everybody reads policies and to provide you with that evidence. That could be a lot of back and forth messages in Slack. The HR person may not get to your messages because they have other priorities over collecting evidence.

Secureframe, through those integrations, provides individuals with visibility across the organization. So if you’re running point on the SOC 2 project, you can clearly see on this personnel page who's read and accepted their policies. So instead of asking HR for that information, you can ask them something more specific. Like, “Hey, Kyle hasn't read and accepted all of his policies. We need to have that done or we're going to have some challenges with our SOC 2. Can you please work with Kyle to get that done by the end of the month?”

Asset Inventory

Pain point this feature solves: Ensuring your personnel’s devices, company’s cloud assets, and version control repositories are all in compliance. 

Secureframe automatically creates an inventory of all your assets based on the integrations you connected to the platform. The default view is devices. These are your endpoints, your laptops, your desktops. I can sort. I can filter. I can export this data. I can also click into the next tab for cloud resources.

Cloud resources typically aren’t in scope unless there's customer data or sensitive data in them. So you can mark them out of scope as long as you provide a reason. What that does is it prevents the Secureframe platform from scanning them. So if you've marked a resource out of scope — say an S3 bucket that’s publicly positioned or we don't want it to be encrypted for some reason — then that particular resource would not fail a test that's looking for S3 bucket encryption.

The same applies to vulnerabilities. If you marked a resource out of scope here and there's a vulnerability associated with it that's picked up from something like AWS Inspector, then the platform will not show it as an in-scope vulnerability.

There’s also a tab for version control in your asset inventory. 

Version control is really powerful within Secureframe because we give our customers the ability to configure this integration, which can help you meet some requirements in terms of change management.

Take pull requests as an example. Each change has to have an independent approval before it's merged into production. That way, the person who develops the code can’t be the same person who pushes it into production. Secureframe offers multiple types of testing checks, including dependency scanning, static code analysis, and integration testing. If you fill in this section with information that’s specific to your organization, we can then flag pull requests that were merged into your production branch that haven't met those particular criteria. Maybe they didn't have an emergency label attached to them, for example.

This is another example of how the platform provides a tremendous line of sight so you can take the appropriate corrective action with speed and efficiency.

Version control can also be found in the Policies tab of the Secureframe platform. 

Policies

Pain point this feature solves: Setting up, managing, and distributing policies quickly and easily so you never fall out of compliance.

As you know, part of onboarding personnel is ensuring that they read and accept our policies. Secureframe will provide you a template for every policy that is necessary for the compliance framework you’re pursuing. These include your acceptable use policy, your change management policy, your secure code development policy, and code of conduct.

While that means you don't have to go out and purchase policy templates, you do have the ability to bring them into the platform if you would like. You can see the Create policy button in the top right corner. That basically allows you to use an existing policy.

If you don’t have existing policies, you can use our templates. If you click into the configuration and asset management policy template as an example, you’ll see that it contains all the necessary language but we always encourage our customers to read and update these policies as necessary. You may do something a little bit different and we want to document that here. We want to ensure what you say in your policy is what you’re actually doing.

You can see version control directly here within the platform. We can go back and see previous versions. We can take a policy and blow everything out and go back to the original version, if we want to.

Support

Pain point this feature solves: Quickly get accurate answers to security, privacy, and compliance questions about your unique environment.

With our platform, you also get a support team of compliance experts and former auditors. You're assigned a customer success manager as well as a compliance manager. Our compliance managers are former audits who have a tremendous amount of industry experience in taking customers through an audit. That CSM and compliance manager duo is there to support you throughout the engagement.

We’ve shown you that the platform does a tremendous amount of the heavy lifting in getting and staying compliant in terms of automating the evidence, looking at the tests, providing in-app remediation guidance, and other workflows that we've talked about. But compliance is still nuanced. Every organization may do something a little bit differently, and we need the human element to ensure that we are providing a second set of eyes and answers to your questions.

Take policies for example. Secureframe provides policy templates that you can customize. Customers can lean on their customer success and compliance team members to ask questions and make more informed decisions about what they can remove and should add, which in turn results in an even more efficient readiness process. Because now you're not wondering, well, can I remove this language and add this? You don’t have to do research to find answers to these questions. You can simply reach out or schedule calls with the team to get the most accurate answers in the most efficient manner. 

Vendors

Pain point this feature solves: Managing your vendor relationship lifecycle to mitigate risk and maintain a strong security and privacy compliance posture.

To comply with SOC 2 and other frameworks, you have to maintain vendor management processes, which includes doing your due diligence by assessing risk that vendors bring into the relationship. You can do that directly within Secureframe.

Say you’re using 1Password. In the Vendors tab of Secureframe, you have the ability to fill out audit information based on how you use 1Password. This is the type of data or the functionality that this vendor has. As you make these selections, the Secureframe platform will provide a recommendation on their level of risk, which you're free to disagree or agree with. 

Say 1Password is considered high risk based on your selections in the environment type and data management sections. There's tests associated with that now. You have the ability to then upload documents, like a SOC 2 Type II report, security questionnaire, or nondisclosure agreement, and maintain them directly within the platform to serve as a vendor management solution.

Vendor Access

Pain point this feature solves: Continuously monitoring employee and user access to integrated vendors to meet compliance requirements.

You can also look at vendor access across the organization. The screenshot above is looking at vendor access by individual personnel. With this view, you can quickly scroll and see who has privileged access and who does not, and take any corrective action as necessary. 

You can also type in a keyword like AWS to see every user being populated in Secureframe where AWS is the source of truth. In this view, you may notice that Brandi has privileged access and should not. In that case, you can go back into AWS and revoke that privilege.

Secureframe Questionnaires

Pain point this feature solves: Automating and streamlining the manual process of responding to security questionnaires and RFPs to close more deals faster.

Secureframe Questionnaires is an automated questionnaire response tool that we've built in-house. We didn't go out and procure a tool that already existed, and we don't label some other service as our own.

We built this out internally because we recognize that even if our customers have a SOC report or an ISO certificate, some of their customers may still ask them to fill out a security questionnaire. 

We have a tremendous amount of data available to us through policies that our customers published through integrations. So what we've done is built out this automated response tool that looks at data from policies and integrations, as well as previously answered questionnaires, to automatically provide responses to questions.

Above is an example of a really basic questionnaire in a spreadsheet. It has a question, a Yes/No response column, and a comment section that’s very similar to an industry standard questionnaire.

You can upload this questionnaire by dragging it from your desktop and dropping it into the Secureframe platform. You can name it and assign an owner and due date. Once uploaded into the platform, it will automatically be converted into a format that's more readable within the UI. 

Now you have to tell the platform what's a question and what's a response by selecting a tag from the dropdown menu. Once you’ve tagged that first row, you’re going to auto tag the rest of the document so you don't have to tag rows one-by-one. That'd be very tedious. 

Now the platform will take those tags, go into the knowledge base, and pull in the responses that it feels are the most appropriate for each question. It’s our AI in action.

Say the question is, “Is there a risk assessment program that has been approved by management, communicated to constituents, and has an owner to maintain and review the program?” The suggested Yes/No Answer is “Yes.”  And the free-form response that it generated with a high confidence is “Yes, our risk management policy is reviewed by management, communicated, and maintained by our security team.” You can click in here and overwrite this or add additional text. You can also select from the dropdown menu of suggestions, which are labeled with high, medium, or low confidence levels. 

If you like this response, you can finalize it, collapse it, and move onto the next. If you were to complete this document, it would take those finalized responses that it predicted, apply them to that spreadsheet, and generate a completed spreadsheet in your Downloads bar in your browser, as well as here in this table.

Knowledge Base

Pain point this feature solves: Keeping answers to RFPs and security questions up-to-date and making it easy for the whole organization to find them.

Knowledge Base is the database behind the responses that are generated for those questionnaires. Think of this as a tool that any business unit within the organization can use. 

Sales is a great example. The sales team gets a lot of questions about policies, functionality, and where data lives within an organization. Usually, sales has to go to solutions engineering,  compliance, or developers to get their answers. With the Secureframe Knowledge Base, these answers have been pre-approved. Sales can use this to search for answers with the keyword “monitor” and “monitoring,” for example, and the results would include any questions or answers. Sales can quickly copy that answer and send it to customers. 

You can add tags in the Knowledge Base to make it more searchable. If a question is related to intrusion, prevention, and detection, for example, you can tag it as IPS and filter all results by IPS.

Knowledge Base Chrome Extension

Pain point this feature solves: Easily accessing answers to security questions from your browser.

We also offer a chrome extension that makes the Secureframe Knowledge Base easier to search and allows you to respond to any type of questionnaires.

We recognize that not all questionnaires come in the form of an ingestible document. You may be required to log into some sort of portal, or a customer may send a Google form with a whole bunch of questions that you need to answer. Or Sales may get three or four questions via email. For situations like these, we still wanted to allow customers to use the power of the Secureframe Knowledge Base to predict those responses. 

Above is a simulated vendor security questionnaire in a Google form. It's asking for information that it's expecting you to input directly in this document. You can't upload this into Secureframe Questionnaires, but what you can do is open the Chrome extension.

If you search for AWS, you’ll be returned all questions and answers that have been tagged with AWS. You can copy any answer and paste it into the Google form.

What's really powerful here if you highlight a question in the Google form like, “Where will our data be hosted? List the cloud infrastructure provider names and locations.”  The chrome extension will automatically query your Secureframe Knowledge Base and provide a free-form response. You can either double-click that or hit the copy button and then paste it into the form. 

Since Secureframe Questionnaires, the Secureframe Knowledge Base, and the Chrome extension are based not only on a keyword search, but an intelligent search. It will recognize if another question like “What country and cloud provider will host our data?” is similar and provides the same response. 

Now that you’ve seen how the Secureframe platform can simplify and streamline the compliance process, plus unlock additional benefits like making responding to questionnaires fast and easy with AI, let’s jump into any questions you have. 

Frequently asked questions

1. Do you help organizations comply with GDPR, including the data mapping requirement?

Jonathan: We do offer GDPR compliance as well and myself or another Secureframe compliance expert can help you complete an in-depth data mapping or data flow diagram. It would basically be an overlay of any architecture or network diagram you have that maps a day in the life of the data as it's created, where it flows once it's ingested, what services do what processes to the data — ie. how it’s used, massaged, manipulated — and then where it’s stored. 

2. Will Secureframe add HITRUST to its suite of services?

Jonathan: There has been more and more interest in HITRUST lately and we do have it on the roadmap. Myself and other compliance experts are also going to complete their auditor training for HITRUST in the next couple months. 

3. My company has never had an audit performed. Would you recommend finding an audit vendor first before onboarding with Secureframe? If not, do you have preferred audit partners that you might refer a new customer to?

Kyle: I would encourage you to onboard with Secureframe first because we have dozens of trusted audit partners that we work with today and that number continues to grow.

The benefit of using one of the audit partners within our network is the alignment. So what they've done is they've aligned their processes and testing matrices to what Secureframe is looking for so that there is a direct one-to-one correlation. There is nothing that we don't test for that they would be asking you for.

And then the other benefit is on the commercial side. We have negotiated rates with those audit firms so using Secureframe, you're going to get a significant discount because of the efficiency that our platform introduced for them. They can do 2 to 3 times as many audits in the same amount of time as they would normally without our platform. 

4. Do you have any experience working with software development, principally web and internet companies that don't offer SaaS or hosting for clients, and don’t store any sensitive data?

Jonathan: Absolutely. We've worked with companies across all industries, that have offered all sorts of services and products, and had very unique scopes. In the past, we've gotten the scissors out and made some interesting adjustments to how we're going to scope this product or this service as opposed to organization-wide.

Although I do always recommend scoping organization-wide if we can, I know that’s not always possible so in that case we're happy to work with you to make sure that the right tests are turned on and applicable based on not only what services and integrations you have active and that the platform detects but anything that you have questions about. Maybe something is disabled or it's enabled, and you're not sure if you really need to have it enabled because you're doing something differently than what the test is looking for, we're happy to have those discussions and make sure that you are completely set up for success with that audit. 

5. Do you work with organizations of all sizes?

Jonathan: Yes, we've worked with companies big and small. I think technically the smallest company we have ever gotten certified, and this was for SOC, was one person.

As Kyle mentioned earlier, every situation is different with companies, whether they're big or small. You could have a big company with just one person running point on the readiness and audit process. Long story short, we can work with companies big or small, with one person, 100 people, or 1,000 people.

We like to say we meet our customers wherever they are security-wise. We've got a turnkey security solution that once you put the policies and procedures in place, you're going to be ready. That's why we say we can help you get ready in weeks, not months. If you have the resources, the bandwidth, and the availability to move quickly, you really can and will be ready in weeks. We enable you to do that with all of the policies and procedures we provide, the automated tests, that silver platter of evidence provided for auditors once we're ready to give them that limited access to the system.

The benefit of these frameworks that you can obtain and achieve certification and compliance with is that it really allows our customers to punch above their weight and remove the barriers to moving upmarket. You can demonstrate to your prospects and customers that this is the degree to which you’re going to hold their sensitive data secure, no matter your company’s size.

We've even had multiple organizations that have gone through compliance and achieved SOC or ISO 27001 prior to having any customers. And I think that's just the coolest customer story a company could tell their prospects: “Before we even had one byte of customer data, we knew exactly how we were going to handle it, how it was going to be secured, and have the ability to show the system in place that's ready to ingest that customer data.” Really, you can't get more proactive than that. 

Let’s talk more about your security and privacy compliance pain points

If you’re ready to automate and streamline your security, privacy, and compliance, sign up for a personalized demo of Secureframe to see how we can fit your exact needs.

Or join our next Secureframe webinar. We’re hosting webinars regularly throughout the coming months to address the biggest security and privacy compliance pain points that we hear and questions that we get from prospects, customers, and security professionals. You can check out upcoming webinars and recordings of past events if you missed them in our compliance resource library